| |
|
Alert Type: | Updated * |
Bug Id: | CSCux46883 | Title: | Non-disruptive issu Oslo cored diagmgr and dhclient |
|
Status: | Open |
|
Severity: | 1 Catastrophic |
Description: | Symptom: System crashed with non-disruptive ISSU
Conditions: NA
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.175) |
|
Known Fixed Releases: * | 7.0(3)I3(0.288), 7.0(3)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux99581 | Title: | ifav41 - cannot trigger config export |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: After deletion / creation of an export policy with the same name, subsequent triggering of export does not work.
Conditions: This can happen if an export policy is deleted / recreated during a small window of time.
Workaround: If this problem occurs, create an export policy with a different name.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1l) |
|
Known Fixed Releases: * | 1.2(1.188) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux42376 | Title: | Packets entering on NS-PO ports encapped with inner dot1q |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Conditions: When L2 packets subject to VxLAN encap enter through an ALE port-channel (either an ALE port-channel or an ALE VPC), the encapsulated packet carries an inner dot1q tag.
This breaks end-to-end communication if the other side is not running 7.0(3)I2(x) or above, because the decap end may not strip the inner dot1q tag from the encapsulated packet, and the end host may then drop the packet with the extra tag.
Workaround: Don't use port-channels on ALE ports for end hosts, or upgrade all VTEPs, not just some, to 7.0(3)I2(x).
Further Problem Description:
|
|
Last Modified: | 22-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2.15) |
|
Known Fixed Releases: * | 7.0(3)I2(2.16), 7.0(3)I2(2.59), 7.0(3)I2(3), 7.0(3)I3(0.243), 7.0(3)I3(1), 7.0(3)IDP3(1.89), 7.0(3)IDP3(2), 7.0(3)ITM3(0), 7.0(3)ITM3(0.25) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus57525 | Title: | ELTM crash when deleting VlanID (shared bet FEX-Vlan and Vxlan) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ELTM Hap reset on a Nexus 9k
Conditions: VN Segment configured on a VLAN, that VLAN is shared with a FEX, and then that VLAN is unconfigured.
Workaround: Unknown
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(0.259) |
|
Known Fixed Releases: * | 6.1(2)I3(3.56), 6.1(2)I3(4), 7.0(3)I1(0.264), 7.0(3)I1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus65299 | Title: | Module reload due to bcm-usd process crash (hap-reset) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Module reload due to bcm_usd crash (hap-reset)
Service "bcm_usd" (PID xxxx) hasn't caught signal 6 (core will be saved). %MODULE-2-MOD_DIAG_FAIL: Module x (Serial number: XXXXXXXXXXX) reported failure due to Service on linecard had a hap-reset in device DEV_SYSMGR
Conditions:
Workaround: No Workaround
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(0.261) |
|
Known Fixed Releases: * | 7.0(3)I1(1.83), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur84729 | Title: | N9K: No entries in stpxSMSTInstanceTable when instance-0 has vlans |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When MST instance 0 does not map to any VLANs, a mibwalk on stpxSMSTInstanceTable does not populate any entries.
Conditions: Perform a mibwalk on stpxSMSTInstanceTable with all the VLANs mapped to MST instances other than 0.
Workaround: None.
Further Problem Description: This issue has been fixed in 6.1(2)I3(3) and later releases.
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(0.156) |
|
Known Fixed Releases: * | 6.1(2)I3(2.22), 6.1(2)I3(3), 6.1(2)I3(3.16), 6.1(2)I3(4), 7.0(3)I1(0.159), 7.0(3)I1(0.160), 7.0(3)I1(1), 7.0(3)I2(0.54), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut81254 | Title: | Scale: Max-host mode - many LPM routes are not programmed on FM |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Conditions: It has to be max-host mode with scale
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(1.173), 7.0(3)I1(1.187) |
|
Known Fixed Releases: * | 6.1(2)I3(4.6), 6.1(2)I3(5), 7.0(3)I1(1.201), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv37825 | Title: | arp packets looped back through vpc leg of peer |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ARP packets might get looped back through the vPC leg of the peer when the MAC address table churns, in turn causing MAC move events in the L2 network.
Conditions: TCN/clear mac address-table manually.
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(4b), 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I1(2.11), 7.0(3)I1(3), 7.0(3)I2(0.523), 7.0(3)I2(1), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus62828 | Title: | bcm_usd service crashed during PoC sub-IF configuration |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Module reload due to bcm_usd crash (hap-reset)
Service "bcm_usd" (PID xxxx) hasn't caught signal 6 (core will be saved). %MODULE-2-MOD_DIAG_FAIL: Module x (Serial number: XXXXXXXXXXX) reported failure due to Service on linecard had a hap-reset in device DEV_SYSMGR
Conditions:
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(3) |
|
Known Fixed Releases: * | 6.1(2)I3(3.79), 6.1(2)I3(3.80), 6.1(2)I3(4) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur88628 | Title: | mgmt port force shtdwn after enable/disable of cfcFeatureCtrlAction.200 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Management port is "shutdown force" after an enable/disable set of cfcFeatureCtrlAction.200.
Conditions: Only happens when enabling/disabling the corresponding feature via cfcFeatureCtrlAction.200.
Workaround: Use CLI to enable/disable the corresponding feature instead of SNMP.
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(0.156) |
|
Known Fixed Releases: * | 6.1(2)I3(2.24), 6.1(2)I3(3), 7.0(3)I1(0.160), 7.0(3)I1(0.161), 7.0(3)I1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul50659 | Title: | TOR: 40G link does not come up with QSFP-40G-CR4 CISCO cable |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Link stays in "not connected" state when using QSFP-40G-CR4 cable
Conditions: Using QSFP-40G-CR4 cable
Workaround: Hardcode "speed 40000" on the interface
Further Problem Description:
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I2(0.50) |
|
Known Fixed Releases: * | 6.1(2)I1(2.30) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw87620 | Title: | N9K Kernel Panic watchdog timeout - issue seen on CPU2 |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: | Symptom: A Nexus 9k switch may experience a kernel panic due to a high volume of interrupt events, and the device is overwhelmed with processing interrupts.
Conditions: A high number of interrupts is being sent to one of the switch's CPUs.
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(1a) |
|
Known Fixed Releases: * | 7.0(3)F1(0.168), 7.0(3)I2(1.83), 7.0(3)I2(2), 7.0(3)I3(0.205), 7.0(3)I3(1), 7.0(3)IDP3(1.62), 7.0(3)IDP3(2) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut45882 | Title: | MARCH 2015 OpenSSL Vulnerabilities |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent.
Workaround: Not available.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 11.0(1d) |
|
Known Fixed Releases: | 11.0(3.930), 11.1(0.198) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux22173 | Title: | NVRAM Error causing system crash |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When the NVRAM is corrupted repeatedly (due to a bad NVRAM battery, etc.), the NVRAM driver gets into a deadlock. This is very rare.
Conditions: The CMOS/NVRAM battery was in a bad state; essentially, bad hardware.
Workaround: Replace the CMOS battery or replace the hardware.
Further Problem Description:
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I2(2b), 7.0(3)I3(0.182), 7.0(3)I3(0.189), 7.0(3)I3(1), 7.0(3)IAB3(0), 7.0(3)IAB3(0.53), 7.0(3)IDP3(1.50), 7.0(3)IDP3(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux72575 | Title: | Maintenance mode profile config lost after reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The configure maintenance profile commands are lost in the startup config.
Conditions: The following sequence will cause this to happen after the configure maintenance profiles have been set.
1. show startup-config or show startup-config mmode
2. copy running-config startup-config
3. Change any mmode configuration
4. copy running-config startup-config
Workaround: If configure maintenance profile is empty in show startup-config but exists in show running-config, do the following to restore the contents to startup-config:
1. Show maintenance profile - save maintenance profile contents.
2. no configure maintenance profile
3. configure maintenance profile
4. enter saved profile contents
5. Repeat for all profiles
6. copy running-config startup-config
Further Problem Description: None
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)IAB3(0.69), 7.0(3)IAB3(0.71) |
|
Known Fixed Releases: * | 7.0(3)I3(0.238), 7.0(3)I3(1), 7.0(3)IAB3(0), 7.0(3)IAB3(0.72), 7.0(3)IAB3(0.73), 7.0(3)IAB3(1), 7.0(3)IDP3(1.78), 7.0(3)IDP3(2), 7.0(3)ITM3(0), 7.0(3)ITM3(0.7) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux71293 | Title: | Tracked local HMM IPv6 route is not going down if learned as remote rout |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IPv6 route tracking using HMM shows track state UP even when the route is learned remotely and not via HMM
Conditions:
p1leaf13# sh ipv6 route 2010:5a:1::250/128 vrf srv-group9
IPv6 Routing Table for VRF "srv-group9"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
2010:5a:1::250/128, ubest/mbest: 1/0
*via ::ffff:200.200.200.119%default:IPv4, [200/0], 00:00:50, bgp-65001, internal, tag 65001 (evpn)segid 33009 tunnel: 0xc8c8c877 encap: VXLAN
track 3 ipv6 route 2010:5a:1::250/128 reachability hmm
vrf member srv-group9
p1leaf13# sh track
Track 3
IPv6 Route 2010:5a:1::250/128 Reachability
Reachability is UP <====================
6 changes, last change 00:00:34
Workaround:
Further Problem Description:
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2a) |
|
Known Fixed Releases: * | 7.0(3)I2(2.59), 7.0(3)I2(2b), 7.0(3)I2(3), 7.0(3)I3(0.244), 7.0(3)I3(1), 7.0(3)IDP3(1.89), 7.0(3)IDP3(2), 7.0(3)ITM3(0), 7.0(3)ITM3(0.25) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw61081 | Title: | Migration of uSeg EPG VM failed |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Live migration of a VM initiated from SCVMM might fail, if there is a compliance check failure on the VM Network
Conditions: VM network is showing compliance check failure at SCVMM
Workaround: Perform the live migration using HyperV Cluster manager, or deploy Microsoft UR9 release.
Further Problem Description: This issue is planned to be addressed in Microsoft UR9 release. A modified Microsoft ACI agent package will be released to support the Microsoft UR9 release expected in Q1'2016.
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(0.139k) |
|
Known Fixed Releases: * | 1.2(1.95), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux49938 | Title: | event_mgr is crashing on switches after upgrade to 1.2(1i) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: After upgrading to 1.2(1i), switches are reloading and event_mgr is crashing
Conditions: an upgrade was performed to 1.2(1i)
Workaround: There is an outgoing SMTP server configured in Callhome/Syslog/SNMP that is causing the issue. You need to change the hostname of this server to be an IP address. This will prevent the crash.
Navigate to Admin --> External Data Collectors --> Monitoring Destinations --> Callhome --> --> change SMTP server to use IP instead of hostname
Follow the same for SNMP and Syslog.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1j), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux31389 | Title: | Security checks not done when importing signed certificate |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: 1 - When importing a signed certificate, it is not checked against the selected CA. 2 - The certificate can be modified and submitted, and it is not checked against the selected CA to confirm that the certificate is valid.
Conditions: 1 - Create a CSR using one certificate authority, for example CA1. 2 - Get the signed certificate. 3 - Change the certificate authority to CA2. 4 - Import the signed certificate.
Workaround:
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(1s), 1.1(4f), 1.2(0.224) |
|
Known Fixed Releases: * | 1.2(1.78), 1.2(1.84), 1.2(1b), 1.2(1i), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut21755 | Title: | Peer ISSU to Bronte Image - pixm errors, ipfib & aclqos crashes |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: pixm errors, ipfib & aclqos service crashes on Nexus switches
Conditions: routing table updates being written to the database resulting in errors/crash
Workaround: None
Further Problem Description:
|
|
Last Modified: | 14-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(3a), 7.0(3)I1(1.156) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux37088 | Title: | Policy is missing on interfaces after upgrade to 1.1(3f) |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: after an upgrade, you notice that some interfaces are out of service.
Conditions: an upgrade was performed
Workaround: delete and re-add the policy for that particular interface
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.2(1.78), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux27456 | Title: | should be able to reset bgp password from simple gui |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: no way to reset bgp password
Conditions: no way to reset bgp password
Workaround:
Further Problem Description: no way to reset bgp password
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(0.270b) |
|
Known Fixed Releases: * | 1.2(0.280), 1.2(1.74), 1.2(1i), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux63686 | Title: | Wording of CSR / Subject field is not clear - needs reword |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The KB instructions for Custom Certificate for Cisco ACI HTTPS access were confusing. http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Configuring_Custom_Certificate_for_ACI_HTTPS_Access.html
Conditions: Customer needs to generate a Certificate Request. Step 4 of the instructions contains unclear information regarding the "Subject" field.
Workaround: It should state that the Subject field is to contain the FQDN of the APIC controllers, which should also be the same as the Subject in the SSL certificate.
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.0(1e) |
|
Known Fixed Releases: * | 1.2(1.86) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw46142 | Title: | Cisco APIC Installation Image Verification Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms: A vulnerability in the image installer process of the Cisco Application Policy Infrastructure Controller could allow an authenticated, local attacker to create an image containing arbitrary code that can run before the image is verified.
The vulnerability is due to insufficient installer image verification. An attacker could exploit this vulnerability by modifying the code that is included in the image installer process of the APIC.
Conditions: An affected version of the software running with the default configuration.
Workaround: This defect has been verified as being fixed in release 1.2(0.268a).
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.5/1.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:N/I:P/A:N/E:U/RL:U/RC:C&version=2.0 No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(0.109a) |
|
Known Fixed Releases: * | 1.2(0.245), 1.2(0.264), 1.2(0.268a), 1.2(0.270b), 1.2(0.273b), 1.2(0.276), 1.2(1.53a), 1.2(1.55a), 1.2(1.57a), 1.2(1.65) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw46003 | Title: | Image verification only verifies image signing, not signer |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A vulnerability in the installation process of the Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to sign an image with their own arbitrary key-pair.
The vulnerability is due to improper image signing. An attacker could exploit this vulnerability by signing the image with their own key-pair.
Conditions: Device running a default configuration with an affected version of software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.9/1.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C&version=2.0 No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(0.109a) |
|
Known Fixed Releases: * | 1.2(0.245), 1.2(0.264), 1.2(0.268a), 1.2(0.270b), 1.2(0.273b), 1.2(0.276), 1.2(1.53a), 1.2(1.55a), 1.2(1.57a), 1.2(1.65) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux43480 | Title: | External-l3 config for l4l7 route peering cannot be created through CLI. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: External-L3 EPG and routing (BGP, OSPF) configuration created through CLI cannot be used for L4L7 Route Peering.
Conditions: In the l4l7 graph connector, the l4l7-peer command can point only to an external-l3 Outside (l3extOut) created through the API. In the command "l4l7-peer tenant out epg ", the l4l7 peer name has to point to an API-created l3extOut.
Workaround: Create the l3extOut for the route peering through the API and then connect the l3Out to the graph through the l4l7-peer command in the CLI. Once the l3extOut is created through the API, the external-l3 configuration can be modified by CLI. The configurations that are modifiable through CLI are External-l3/prefix EPG, BGP peer update, interface configuration modification and updating route-map entries.
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(1f) |
|
Known Fixed Releases: * | 1.2(1.84), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux41323 | Title: | Evaluation of fabric-sw for OpenSSL December 2015 vulnerabilities |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
Cisco Nexus 9000 (ACI/Fabric Switch) includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794
And disclosed in http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl
This bug has been opened to address the potential impact on this product.
Conditions:
Exposure is not configuration dependent.
Cisco has reviewed and concluded that this product is affected by one or more of these vulnerabilities.
Cisco Nexus 9000 (ACI/Fabric Switch) is affected by:
CVE-2015-3194 and CVE-2015-3195
Cisco Nexus 9000 (ACI/Fabric Switch) is not affected by:
CVE-2015-3193, CVE-2015-3196 and CVE-2015-1794
Workaround: Not available.
Further Problem Description:
Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/3.4
http://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html |
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 11.2(1.173) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux42653 | Title: | prefix epg delete/add gives error for API l3out |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: In CLI, modifying an existing external-l3 epg could fail if the epg was created by REST API and all its subnets do not have "import-security" flag ON.
Conditions: The following conditions have to be met: 1. The VRF was configured solely by REST APIs 2. The EPG was created by REST API 3. The EPG has subnets configured. All the subnets do not have "import-security" flag ON.
Workaround: Through GUI, either remove all the subnets from the EPG or set "import-security" flag on at least one of the subnets.
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(1c) |
|
Known Fixed Releases: * | 1.2(1.78), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux23432 | Title: | DQ: NO record shows for tenant SPAN destination |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: Usage information for SPAN destination group does not include the SPAN destinations.
Conditions: N/A
Workaround: Find SPAN destination ports or IP address configured via show monitor CLI or GUI to check usage information for SPAN configuration changes.
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(0.257a) |
|
Known Fixed Releases: * | 1.2(1.71b), 1.2(1.74), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux39365 | Title: | Unable to associate L2 port-channel (>31 char name) to ext SVI interface |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: DN Validation error while trying to associate L2 Port-Channel interface to SVI
Conditions: The problem can occur if:
1) L2 Port-Channel name is >31 characters and 2) Port-Channel is associated to SVI using Simple GUI or CLI
Workaround: Reduce the name of the port-channel to <= 31 characters
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(1c) |
|
Known Fixed Releases: * | 1.2(1.78), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux37343 | Title: | L3 Transit traffic is not flowing; no ToEPg between two InstPs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: L3 Transit traffic does not work if the configuration was done in a release earlier than 1.1.0, even after upgrade.
Conditions: L3 Transit was supported only starting in release 1.1. If contracts are configured between L3 Outs in an earlier release, it's a no-op.
Workaround: Change description on the contract to retrigger processing
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.2(0.286) |
|
Known Fixed Releases: * | 1.2(1.76), 1.2(1.78), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux56319 | Title: | "ntp authenticate" and related documentation inaccurate on Nexus 9k |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptoms: This is a documentation issue. ntp authenticate does not enforce authentication; it enables it. There are interdependent commands which must also be enabled to create authenticated NTP sessions,
e.g.
ntp server ip-address key key-id
ntp peer ip-address key key-id
ntp passive
ntp broadcast client
ntp multicast client
Conditions: Documentation bug
Workaround: Not applicable or available.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2.9), 7.0(3)I2(2a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux49692 | Title: | ACI: Local span becomes Rx, if a source EPG is set on top of the path |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptom: For local SPAN sessions where the source is a port-channel member, configuring an EPG as a filter will cause the SPAN session to become Rx only. Tx traffic won't be captured.
Conditions: SPAN source is a port-channel member and SPAN destination is a leaf physical interface.
Workaround: Use the port-channel instead of the physical interface as a source.
Use ERSPAN instead of local SPAN.
Further Problem Description:
|
|
Last Modified: | 07-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux79204 | Title: | [apic ui callhome] Missing "-" & "+" on Create Destination Group Wizard |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: The "Create Callhome Destination" wizard on Step 2 Destinations page is missing "-" & "+" for Creating a Callhome Destination.
Conditions: The missing "-" & "+" on the Step 2 Destinations page of the "Create Callhome Destination" wizard is seen when using the Safari Web Browser for the APIC Admin GUI. The problem is not seen when running the Chrome Web Browser.
Workaround: Use the Chrome Web Browser for access to the APIC Admin GUI.
Further Problem Description:
|
|
Last Modified: | 11-JAN-2016 |
|
Known Affected Releases: | 1.2(1.131b), 1.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux79170 | Title: | Need support for TCP flag masking on N9K and 3164 |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: Enhancement request to have TCP flag mask options in ACL
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 13-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(4b) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup85711 | Title: | tab autocompletion doesn't work when ":" character present |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Tab completion for a CLI may not work when ":" is present in the word
Conditions: When trying to do tab completion of a CLI, it may not auto-complete if ":" is present in the cli
Workaround: None
Further Problem Description:
|
|
Last Modified: | 15-JAN-2016 |
|
Known Affected Releases: | 1.0 |
|
Known Fixed Releases: * | 1.0(1.102b) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux20758 | Title: | S/G routes don't expire if igmp/Source traffic originate from same IP |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: Dub/LD: S,G routes don't expire along the source tree if the LHR is also the FHR.
Conditions: When a host sends joins and data traffic, and the data traffic from this host is then stopped, the S,G routes don't expire.
Workaround: If data traffic from the host is stopped and the host has also sent joins for those groups, stop those joins as well after the data traffic is stopped.
Further Problem Description: This is to track an issue where S,G routes don't expire when traffic is stopped. It is observed that these S,G routes don't expire because there are IGMP joins coming from the same host. Basically, S,G routes stay on all the network devices along the source path tree if a particular host is a receiver and is also sending source (LHR/FHR) traffic, which is very likely in multicast environments; when the source traffic is stopped, this results in stale S,G entries.
example:
HOST1-----------DUT1-------DUT2----DUT3
Here HOST1 is a receiver of g1 and also a source for group g1. DUT3 is the RP. In this case, Host1 started sending source traffic for 'n' groups and is also a receiver for 'n' groups, intending to receive multicast data from other sources in the network. But Host1 then stopped its source traffic, and the 'n' S,G entries that were created by Host1's source traffic will never expire on DUT1 or on any of the devices in the network on the source tree.
|
|
Last Modified: | 14-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.136) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux85390 | Title: | Need support for different ACLs on different ERSPAN sessions |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Enhancement request to be able to apply different ACLs on same set of source interfaces in different ERSPAN sessions
Conditions:
Workaround:
Further Problem Description: |
|
Last Modified: | 14-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup41392 | Title: | clear counters doesn't work with range,multi range,or sub-intf separator |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Interfaces with spaces are not accepted.
Conditions:
Workaround: Don't include spaces for an interface name.
Instead of ethernet 1/1, type ethernet1/1
Further Problem Description:
|
|
Last Modified: | 15-JAN-2016 |
|
Known Affected Releases: | 1.0 |
|
Known Fixed Releases: * | 1.0(1.226a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux80604 | Title: | Memleak in CLI (CLI_MTRACK_ANY and libraries) with autopull on/off |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Memory leakage in process 'clis' as seen with
# show cli internal mem-stats detail | i libobsim.so|libcliaccess.so|CLI_MTRACK_ANY
Conditions: Configuring (and unconfiguring) configuration that process 'clis' is responsible for. For example, BGP, IP/IPv6 addresses, ICMP.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 15-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.243) |
|
Known Fixed Releases: | 7.0(3)I3(0.253), 7.0(3)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut14162 | Title: | [F5] Unhandled Exception Adding Device Route |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: When configuring a static route for a concrete device, a fault message similar to the following is seen:
Faults: [('', 10, 'Unhandled Exception: Traceback (most recent call last):\n File "/install/DeviceScript.py", line 69, in deviceAudit\n return Device(device).audit(interfaces, configuration)\n File "/install/common/logger.py", line 81, in wrapper\n return method(*args, **kwargs)\n File "/install/apic/device.py", line 85, in audit\n return self.modify(interfaces, configuration)\n File "/install/common/logger.py", line 81, in wrapper\n return method(*args, **kwargs)\n File "/install/apic/device.py", line 196, in modify\n self._validate_configuration(config)\n File "/install/apic/device.py", line 1266, in _validate_configuration\n config, folder, faults, gw_selfips, route_gw)\n File "/install/apic/device.py", line 1189, in _validate_cfg_route\n route_gw[route_gw] = route_gw_path\nTypeError: \'str\' object does not support item assignment\n')]
Conditions: - F5 device package integration - Configuring a static route under the concrete device
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 19-JAN-2016 |
|
Known Affected Releases: | 1.0(3f) |
|
Known Fixed Releases: * | 2.0(0.288) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw93034 | Title: | ACI: Firmware Browser Upload leaves stale file when it was cancelled |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When we use Browser Upload to upload the image to APIC from our local machine and cancel it partway through, a stale image file remains in /firmware/fwrepos/fwrepo.Uploads/.
admin@apic1:~> ll -ah /firmware/fwrepos/fwrepo.Uploads/
total 2.2G
drwxr-xr-x. 2 root root 4.0K Oct 27 14:24 .
drwxr-xr-x. 6 root root 4.0K Oct 14 18:58 ..
-rw------- 1 root root 66M Oct 27 14:24 0000000006
-rw------- 1 root root 2.1G Oct 27 14:28 0000000007
Conditions: When we use Browser Upload to upload the image to APIC from our local machine and cancel it partway through
Workaround: To delete stale files under fwrepo.Uploads, complete a file upload successfully. It takes care of deleting unwanted files automatically.
Further Problem Description:
|
|
Last Modified: | 20-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.1(4b), 1.1(4f), 1.2(0.212a), 1.2(0.217), 1.2(1.38), 1.2(1.81), 1.2(1.84), 2.0(0.118), 2.0(0.95) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux09693 | Title: | Oslo+ rear sensor failure at -3C |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Rear sensor failure at -3C during EDVT
Conditions: nxos.7.0.3.I2.0.596.bin nxos.7.0.3.I2.1.9.bin -3C
Workaround:
Further Problem Description:
|
|
Last Modified: | 22-JAN-2016 |
|
Known Affected Releases: | 7.0(3)IX1(1.99) |
|
Known Fixed Releases: * | 7.0(3)I2(2.75), 7.0(3)I2(3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux56954 | Title: | ACI: showconfig doesn't work as expected |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: showconfig command may fail due to CERTIFICATE_VERIFY_FAILED.
Conditions: This symptom is observed when the showconfig command is issued on APIC. It occurs on 1.2(x), but not on 1.1(x).
Workaround: none
Further Problem Description:
|
|
Last Modified: | 22-JAN-2016 |
|
Known Affected Releases: | 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.102a), 1.2(1.105a), 1.2(1.107), 1.2(1l) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux86984 | Title: | Memleak in CLI (CLI_MTRACK_ANY) with autopull on/off (part 2) |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Memory leakages in process 'clis'.
Conditions: Configure (and unconfigure) configuration that involves process 'clis' such as BGP, ICMP, and ND.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 24-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.253) |
|
Known Fixed Releases: | 7.0(3)I3(0.276), 7.0(3)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux42966 | Title: | vPC hostfacing user LAG shows active even though the interface is down |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: An interface is operationally inactive on the switch but still shows as active on the NFM
Conditions: When the interface is operationally inactive on the switch due to LACP (Host standby in bundle)
Workaround: None
Further Problem Description:
|
|
Last Modified: | 25-JAN-2016 |
|
Known Affected Releases: | 1.0(0.621) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux43012 | Title: | Changing interface personality does not revert to BPDU guard default |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: Change "Interface mode" from "Switched (L2)" to "Routed (L3)" and then back to "Switched (L2)" for host facing does not enable BPDU guard on that interface / port channel.
Conditions: Interface/port channel role remains "Host facing" during layer transitions.
Workaround: Change "Role" of interface / port channel to "Switch Facing" / Uplink / "vPC peer link" and then change the "Role" back to "Host facing" with leaving "Interface mode" as "Switched (L2)".
Further Problem Description:
|
|
Last Modified: | 25-JAN-2016 |
|
Known Affected Releases: | 1.0(0.310) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux43006 | Title: | Broadcast domains do not take VLANs in certain circumstances |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: A broadcast-domain has no VLAN or VNID and the reason is that there are none available.
Conditions: The broadcast-domain was added to a switchpool while the switchpoolWideVlan range had no available VLANs, or it was added to a switchpool while the global VNID pool had no VNIDs available.
Workaround: Remove the broadcast-domain from the switchpool and add it again, or provide a VLAN / VNID manually, or delete and recreate the broadcast-domain through the UI.
After a VLAN/VNID is provided manually, it can be nulled so that automatic allocation takes place in the future.
Further Problem Description:
|
|
Last Modified: | 25-JAN-2016 |
|
Known Affected Releases: | 1.0(0.596) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur42587 | Title: | Need a knob like no negotiate auto in 3k to disable auto-neg |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
1) For base-T ports, for 1000-base-T, 10G-base-T, auto-neg cannot be turned off
2) For base-X ports, auto-neg can be disabled, but we don't have a way to configure fixed speed leaves auto-neg on
Conditions: All
Workaround: Turn on auto-neg on both sides of the link
Further Problem Description: After upgrading to supported version 6.1(2)I3(4), you can disable autonegotiation on 100-base-T ports by first configuring 'speed 100' then 'no negotiate auto'. You must configure speed 100 first, like the following:
N9K# conf
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# int eth1/2
N9K(config-if)# speed 100
N9K(config-if)# no negotiate auto
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I2(1), 6.1(2)I3(1), 6.1(2)I3(3.74) |
|
Known Fixed Releases: * | 6.1(2)I3(3.74), 6.1(2)I3(3.75), 6.1(2)I3(4), 7.0(3)I1(0.228), 7.0(3)I1(1), 7.0(3)I1(1.65), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq41073 | Title: | Sending high rate of DHCP discover packets causes core |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: This core is seen when copp policing is increased for DHCP as to not police the pps sent. 50,000 DHCP discover messages are sent to N3164 where it is configured as a dhcp relay. After around 5 minutes the CPU is low (around 30-40%) and a core is seen which reloads the device.
Conditions: This core is seen when copp policing is increased for DHCP as to not police the pps sent. 50,000 DHCP discover messages are sent to N3164 where it is configured as a dhcp relay. After around 5 minutes the CPU is low (around 30-40%) and a core is seen which reloads the device.
Workaround: The default CoPP policy would prevent this, as it polices the DHCP packets and drops them at the specified rate. This issue is seen when the CoPP policy is changed by increasing the policing rate so that the N3164 will not drop any of the 50,000pps sent.
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I2(2b) |
|
Known Fixed Releases: * | 6.1(2)I1(3.4), 6.1(2)I1(3.5), 6.1(2)I1(4), 6.1(2)I3(0.154), 6.1(2)I3(0.165), 6.1(2)I3(0.186), 6.1(2)I3(1), 6.1(2)I3(2.30), 6.1(2)I3(3), 6.1(2)I3(3.16) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq48061 | Title: | "show [inventory|mod] fex" not having PS and fan info |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The following CLI show commands are not updated with SN or FEX type etc.:
show module fex xxx
show inventory fex xxx
Example:
N9K-2# sh module fex 101
FEX Mod Ports Card Type                          Model              Status.
--- --- ----- ---------------------------------- ------------------ -----------
101 1   48    Unknown Module                     N2K-C2248TP-1GE    ok
show inventory fex 101
NAME: "FEX 101 CHASSIS", DESCR: "GE CHASSIS"
PID: GE , VID: , SN:
NAME: "FEX 101 Module 1", DESCR: " Supervisor"
PID: GE , VID: , SN:
Conditions: When FEX is connected to Nexus 9300 switch
Workaround: N/A
Further Problem Description: Cosmetic issue
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(0.160) |
|
Known Fixed Releases: * | 6.1(2)I3(1.28), 6.1(2)I3(1.29), 6.1(2)I3(1.30), 6.1(2)I3(2), 6.1(2)I3(2.5), 6.1(2)I3(3), 7.0(3)I1(0.145), 7.0(3)I1(1), 7.0(3)I1(1.8), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus51107 | Title: | static mac table not show on l2fm after l2fm restart |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: After l2fm process restart static mac configured against NVE interface is missing in software
Conditions: l2fm process restart with static mac configuration present against NVE (VxLAN config only)
Workaround: Reconfigure static macs
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(1.116), 7.0(3)I1(1.61) |
|
Known Fixed Releases: * | 7.0(3)I2(0.409), 7.0(3)I2(0.410), 7.0(3)I2(1), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36), 8.3(0)CV(0.72) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur45122 | Title: | N9K: SNMP set on ifAlias for tunnel inter, not synced with CLI |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: SNMP set ifAlias for a tunnel interface didn't sync to "show running-config interface tunnel".
Problem exists in 6.1.2.I1.1. Fix had been integrated into 6.1.2.I3.2.
Conditions: Only tunnel interface.
Workaround: CLI config t -> interface tunnel x -> description
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(1.33) |
|
Known Fixed Releases: | 6.1(2)I3(2.5), 6.1(2)I3(3), 7.0(3)I1(0.126), 7.0(3)I1(1), 7.0(3)I1(1.8), 7.0(3)I1(2), 7.0(3)I2(0.39), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup98293 | Title: | BAD-AUTH msg on neighbor pswrd mismatch requires increase in log level |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: When a password mismatch is present on a BGP session, no bad authentication logs are displayed with the default netstack logging level of 3 configured. These logs can be seen by increasing netstack logging level to 6.
Conditions: When a password mismatch is present on a BGP session, no bad authentication logs are displayed with the default netstack logging level of 3 configured. These logs can be seen by increasing netstack logging level to 6.
Workaround: Increase netstack logging level to 6 using the "logging level netstack 6" command
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I1(2.49) |
|
Known Fixed Releases: * | 6.1(2)I1(2.55), 6.1(2)I1(3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw67332 | Title: | Mac Address flapp in Vlan 1 between Admin Shut down ports -Nexus9000 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: MAC address flapping only in Vlan 1 between random ports and some of the ports are in "Admin shut"
Conditions: vPC and system configured to operate in spanning tree MST mode and receiving an FCoE FIP VLAN request frame.
Workaround: None
Further Problem Description: No production impact
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I2(1.51), 7.0(3)I2(1.52), 7.0(3)I2(2), 8.3(0)CV(0.248), 8.3(0)KMS(0.31) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw88302 | Title: * | n9k&n7k: Localized key validaiton missing during snmp-server user config |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: While configuring snmp-server user in n9k, localized key validation is missing
Conditions: During snmp-server user configuration
Workaround: NA
Further Problem Description: As mentioned in ddts description
|
|
Last Modified: | 27-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.62) |
|
Known Fixed Releases: | 7.0(3)I3(0.124), 7.0(3)I3(1), 7.0(3)IDP3(1.12), 7.0(3)IDP3(2) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuy02211 | Title: | ACI: N9K some diag tests are Untested after upgrading switch software |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: ACI: N9K some diag tests are Untested after upgrading switch software
Conditions: Set the Diagnostics Policies objects at FULL using the following steps.
1. Fabric > Fabric Policies > Monitoring Policies > Diagnostics Policies
2. Fabric > Access Policies > Monitoring Policies > Diagnostics Policies
After upgrading the switch software, check "show diagnostic result module all".
"complete bootup level diag tests" are seen as Untested.
Workaround: Reload or power-cycle again.
Further Problem Description: All tests pass correctly after a reload or power-cycle
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 11.1(1j), 11.2(1i), 11.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus41278 | Title: | pim dr-delay works with a different behavior |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When DR delay is specified and once the original DR boots up, it will keep sending PIM hello with DR Priority Option = 0, so the PIM neighborship will be formed but the original DR won't take over the DR role during the dr-delay timer.
Conditions: none
Workaround: none
Further Problem Description: none
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(0.233) |
|
Known Fixed Releases: * | 7.0(3)F1(0.168), 7.0(3)I2(1.51), 7.0(3)I2(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw34696 | Title: | SNMPwalk - OID not incrementing for rip2IfStatAddress w/ multiple IP |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: During a MIB walk of rip2IfStatAddress, the OID is observed not incrementing and keeps looping.
Conditions: When HSRP or multiple IPs are configured under a RIP-enabled interface.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 7.0(3)IX1(1.229) |
|
Known Fixed Releases: * | 7.0(3)F1(0.168), 7.0(3)I2(1.19), 7.0(3)I2(2), 7.1(0)I3(0.19), 7.1(0)I3(1), 8.3(0)CV(0.248), 8.3(0)KMS(0.31) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw01873 | Title: | sh tech plcmgr detail return mts_print traceback on console |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: With a large OpenFlow configuration (32,000 L2 flows and 3,000 L3 flows) applied, attempts to run the command "show tech plcmgr detail" may result in the following failure:
%KERN-2-SYSTEM_MSG: [19232.955952] "show tech plcmgr detail" in sap 6907, uuid 0 send_opc 7679, pid 7741, proc_name plcmgr - kernel mts_acquire_q_space() failing - no space in sap ... - kernel mts_is_q_space_available_haslock_old(): NO SPACE ...
Conditions: Only occurs when a large OpenFlow configuration is applied.
Workaround: Save the log/show_tech to a file in bootflash:
show tech plcmgr detail > xxx.txt
This way, the CLI does not crash.
Further Problem Description: After installing 35,000 flows, the switch will have many PPF nodes. The "show tech plcmgr detail" command was simply trying to print all these PPF nodes at once, which fills up the MTS buffers and fails the command.
Our fix is to print the nodes in multiple loops.
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(0.568), 7.0(3)I2(0.585) |
|
Known Fixed Releases: * | 7.0(3)F1(0.168), 7.0(3)I2(1.7), 7.0(3)I2(2), 7.0(3)I3(0.128), 7.0(3)I3(1), 7.0(3)IDP3(1.12), 7.0(3)IDP3(2), 8.3(0)CV(0.248), 8.3(0)KMS(0.31) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux90264 | Title: * | Drops. ECMP routing. One of the routes points inside the fabric |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Some (seemingly random) of the hosts outside of the fabric are not reachable.
Conditions: L3Out configured and there are ECMP routes installed on Border leaf. One of the ECMP routes is pointing inside the fabric while another one is pointing outside.
Workaround: Remove the conditions that create the route pointing inside the fabric. There shouldn't be any L3Out ECMP routes installed on the border leaf where one is pointing inside and another outside of the fabric.
Further Problem Description:
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 11.2(1k) |
|
Known Fixed Releases: * | 11.2(1.187) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuy04021 | Title: | "set extcommunity" not working on egress route-map for BGP neighbor |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Set extcommunity command in an outbound route-map is not working.
Conditions: No conditions.
Workaround: On the remote box, configure an inbound route-map setting the extcommunity for the selected routes.
Further Problem Description:
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux20639 | Title: | N9k enabling remote-span on a L2 vlan disables mac learning. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: L2 vlan no longer learning mac addresses after remote-span configuration.
Conditions: When remote-span is configured on a L2 vlan and then removed, mac addresses are no longer learned on that vlan.
Workaround: Remove and re-add the L2 vlan OR reload the N9k.
Further Problem Description: remote-span is not supported in N9k. Removed the config which is not supposed to appear in N9k.
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(2), 7.0(3)I2(2) |
|
Known Fixed Releases: * | 7.0(3)I2(2.61), 7.0(3)I2(2b), 7.0(3)I2(3), 7.0(3)I3(0.143), 7.0(3)I3(1), 7.0(3)IAB3(0), 7.0(3)IAB3(0.10), 7.0(3)IDP3(1.19), 7.0(3)IDP3(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw96342 | Title: | After IPinIP decap inner TTL is not decremented on 9500 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: TTL for inner packet after decap is not decremented when decap is done on 9500
Conditions: This happens when 9500 has decap any and the IPinIP decap is done on 9500
Workaround: None
Further Problem Description:
|
|
Last Modified: | 30-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(1) |
|
Known Fixed Releases: * | 7.0(3)I2(2.56), 7.0(3)I2(2b), 7.0(3)I2(3), 7.0(3)I3(0.106), 7.0(3)I3(1), 7.0(3)IDP3(1.12), 7.0(3)IDP3(2), 7.0(3)IMS2(1.2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux43024 | Title: | Configure vrf filter for fabrc SPAN source errors out in CLI |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Configuration of VRF or context filter for SPAN-ing fabric ports via CLI is not successful.
Conditions: None.
Workaround: Configure either a BD-filter or configure the context filter via GUI or REST API.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1e) |
|
Known Fixed Releases: * | 1.2(1.109), 1.2(1.84), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux51883 | Title: | LLDP is enabled on bond1 after upgrade to 1.2(1i) |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: after an upgrade to 1.2(1i), you see packet loss when pinging the oobmgmt port. You notice that the oobmgmt mac is flapping between ports on the switch upstream.
Conditions: You notice that the oobmgmt mac is flapping between ports on the switch upstream.
Workaround: shutdown one of the interfaces on the upstream switch.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.95), 1.2(1j), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv43018 | Title: | aclqos crash after heartbeat failure |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: "aclqos" crashed following a heartbeat failure
Conditions: When an application makes an RPC call (request), a lock is held, and if for any reason the response does not have the right RPC sequence number, the lock is not released, potentially leading to heartbeat miss. To prevent this, the lock is held for a small finite time instead of holding lock infinitely.
Workaround: To prevent this, the lock is held for a small finite time instead of holding lock infinitely.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I1(3.4) |
|
Known Fixed Releases: | 7.0(3)I2(2.58), 7.0(3)I2(3), 7.0(3)I3(0.197), 7.0(3)I3(1), 7.0(3)IAB3(0), 7.0(3)IAB3(0.53), 7.0(3)IDP3(1.62), 7.0(3)IDP3(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux40663 | Title: | SNMP Community fault clearing when fault should still be present |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Fault F1305 clears when the community profile for "A" tenant has been configured in the SNMP policy, even though a second community profile has not been configured for "mgmt" tenant that affects those same Leaf nodes.
Conditions: Configure community profile under SNMP Context on "A" tenant and "mgmt" tenant. In the SNMP policy under Pod Policies, add only the community profile for "A" tenant.
Workaround: N/A.
Further Problem Description: Expected behavior is that the fault should still be raised on the Leaf nodes since the community profile for "mgmt" tenant has not been added to the SNMP policy.
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.2(1.93), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux86553 | Title: | N9k - Client Failed TIMEZONE_DETAIL |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: N9k may observe the following error while configuring clock settings: %MODULE-4-MOD_WARNING: Module # (Serial number: XXXXXXXXX) reported warning due to Client Failed TIMEZONE_DETAIL Operation in device DEV_LINECARD (device error 0x0)
Conditions: Configuring clock/timezone, example: clock timezone EET 2 0
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2), 7.0(3)I2(2a) |
|
Known Fixed Releases: * | 7.0(3)I2(2.85), 7.0(3)I2(3), 7.0(3)I3(0.287), 7.0(3)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux50198 | Title: | switch logs tech support contains db and cli tech support |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The tech support that contains ACI Switch logs also contains ACI switch database and CLI tech supports.
Conditions: This occurs on 11.1 version of ACI Switch software when a non-local tech support is collected.
Workaround: None
Further Problem Description: None
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 11.1(3f) |
|
Known Fixed Releases: * | 1.2(1.117), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux52183 | Title: | after failed issu/impact check, run out of free space /var/volatile/tmp |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: * | Symptom: Install may fail with the following message on Nexus 9500 switches, if previous install attempts were aborted.
sys03-eor1(config)# install all nxos bootflash:nxos.7.0.3.I2.2a.bin parallel
Installer will perform compatibility check first. Please wait.
Installer is forced disruptive
Pre-upgrade check failed. Return code 0x40930062 (free space in the filesystem is below threshold).
sys03-eor1(config)#
sys03-eor1(config)#
Conditions: If the installer is terminated (by answering 'n' during install or for other reasons), the space occupied by the installer in /var/volatile/tmp is not properly cleaned up, leaving no free space and causing future installs to fail.
A sample log below:
switch(config)# install all nxos bootflash:nxos.7.0.3.I2.2a.bin parallel
Installer will perform compatibility check first. Please wait.
Installer is forced disruptive
Verifying image bootflash:/nxos.7.0.3.I2.2a.bin for boot variable "nxos".
[####################] 100% -- SUCCESS
....
Do you want to continue with the installation (y/n)? [n]
sys03-eor1(config)# 2015 Dec 11 12:16:48 sys03-eor1 %$ VDC-1 %$ %VMAN-2-ACTIVATION_STATE: Successfully activated virtual service 'guestshell+'
sys03-eor1(config)#
switch(config)# show system inter flash | grep volatile
none 51200 4768 46432 10% /var/volatile/log
none 307200 222300 84900 73% /var/volatile/tmp
none 614400 0 614400 0% /volatile
switch(config)# install all nxos bootflash:nxos.7.0.3.I2.2a.bin parallel
Installer will perform compatibility check first. Please wait.
Installer is forced disruptive
Pre-upgrade check failed. Return code 0x40930062 (free space in the filesystem is below threshold).
Workaround: Delete the bin and bin.gz files from /var/volatile/tmp manually from the bash prompt.
First enable 'feature bash' and then 'run bash' to get to the bash prompt.
Example output:
(config)# show system inter flash | grep volatile
none 51200 4756 46444 10% /var/volatile/log
none 307200 199868 107332 66% /var/volatile/tmp <<< ====
none 614400 0 614400 0% /volatile
(config)#
bash-4.2# rm *bin
bash-4.2#
bash-4.2# ls -l | grep bin
-rw-rw-rw- 1 root root 8388608 Dec 11 10:28 bios-x86n-np.bin.gz
-rw-rw-rw- 1 root root 8388608 Dec 11 10:28 bios-x86n-np-cr.bin.gz
....
-rw-rw-rw- 1 root root 8388608 Dec 11 10:28 bios-x86n-qz2.bin.gz
-rw-rw-rw- 1 root root 8388608 Dec 11 10:28 bios-x86n-qz.bin.gz
bash-4.2# rm *bin.gz
bash-4.2# ls -l | grep bin
bash-4.2# exit
none 51200 4756 46444 10% /var/volatile/log
none 5120 12 5108 1% /var/home
none 307200 19676 287524 7% /var/volatile/tmp <<< ====
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2), 7.0(3)I2(2a), 7.0(3)I3(0.123), 7.0(3)I3(0.143), 7.0(3)I3(0.76) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux11617 | Title: | ARP Supression reflects ARP on same interface it is received |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ARP suppression may cause some ARP packets to be reflected back on the same interface they were received. This can create connectivity issues if there are L2 switches attached to the VXLAN fabric due to the MAC moves that will result from the reflection.
Conditions: ARP suppression is enabled on the ToR switch.
Workaround: Disable ARP suppression. However, after disabling ARP suppression, a shut/no-shut of the SVI is required for traffic to flow through.
More Info:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I2(2) |
|
Known Fixed Releases: * | 7.0(3)I2(2.18), 7.0(3)I2(2a), 7.0(3)I2(2b), 7.0(3)I2(3), 7.0(3)I3(0.286), 7.0(3)I3(0.292), 7.0(3)I3(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuy06302 | Title: | Stale VLANs programmed on interfaces causes vPC configuration failure |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: VLANs for VMM domain are deployed on leaf even though the EPG for that VLAN has no VMM domain configuration. This can cause a programming failure when adding those interfaces to a port channel due to a vlan mismatch.
Conditions: Configuring vPC after previously configuring and removing VMM domain association.
Workaround: Wipe the leaf and reload or use different interfaces for the vPC
Further Problem Description:
|
|
Last Modified: | 01-FEB-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux10348 | Title: | UI: SNMP Security Field should not be mandatory |
|
Status: | Terminated |
|
Severity: | 4 Minor |
Description: | Symptom: The "Security Name" (secName) property is currently a mandatory field when creating a SNMP trap destination.
Conditions: All APIC versions up to and including 1.1(4)
Workaround: NA. Populate this field with a 'dummy' value. This field value will be changed to optional in a future release.
Further Problem Description:
|
|
Last Modified: | 04-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.1(4e), 1.2(0.139l) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu33640 | Title: | ITD - ITD feature shows in "No Shut" state with "deny" in exclude ACL |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: An ITD policy is shown in "no shut" state. However, no policy is actually applied to the ingress policy if an invalid ACL is used for "exclude."
Conditions: ITD attempts to apply an invalid ACL to a PBR and gives a console error, but the running configuration still shows the ITD policy in "no shut" state even though the ITD ingress interface does not have the ITD build policy attached.
Workaround: Make sure that any "exclude" ACL used for ITD does not have any "deny" statements in it prior to applying it to an "exclude" statement of an ITD policy.
Further Problem Description:
|
|
Last Modified: | 04-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(1.239) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux65992 | Title: | ACI: Advanced GUI should not auto create "__ui_po_" policy for vswitch |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: When we create a vCenter Domain for DVS from the Advanced GUI, there are check boxes for vSwitch policies such as CDP and LLDP from the 1.2(1i) release. If we check those boxes and submit the vCenter domain, each policy is automatically created with the name "__ui_po_xxxxx" even though it's the Advanced GUI.
Policies with the "__ui_po_" prefix are basically for the Basic GUI or NX-OS style CLI and cannot be directly modified or deleted, because those config modes are for users who would rather not care about policy objects.
So an undeletable/unmodifiable policy with the name "__ui_po_xxxxx" should not be automatically created from the Advanced GUI mode, which is for users who understand the ACI object model.
Conditions: When using Advanced GUI in ACI which is implemented from 1.2(1i)
Workaround: + How to avoid the "__ui_po_xxxxx" policy being created.
Step1. Leave the check boxes unchecked and submit the vCenter domain policy
Step2. Create each policy (LLDP, CDP etc...) manually
Step3. Then associate each policy with the vSwitch policy in that vCenter domain
+ How to delete the "__ui_po_xxxxx" policy
Step1. Login to APIC CLI
Step2. Go to that object model directory
Step3. Do "modelete " and "moconfig commit"
Ex.)
apic1# cd /aci/fabric/access-policies/interface-policies/policies/cdp-interface
apic1# ls
CDP-Disabled CDP-Enable __ui_po_test default summary
apic1# modelete __ui_po_test
apic1# moconfig commit
Committing mo 'fabric/access-policies/interface-policies/policies/cdp-interface/__ui_po_test'
All mos committed successfully.
apic1#
apic1# ls
CDP-Disabled CDP-Enable default summary
apic1#
Further Problem Description: If the policy couldn't be found in aci directory, you can also check mit directory.
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1.85a), 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.113a), 1.2(1.115), 1.2(1l), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux66774 | Title: | EPG show L3ext domain when under AP creation wizard |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Dropdown has options for L2 and L3 domains when creating an EPG under the "Create Application Profile" wizard
Conditions: Creating an EPG under the Create Application Profile wizard
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1k) |
|
Known Fixed Releases: * | 1.2(1.118), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux66793 | Title: | EPG Static Path for FEX under Create Application Profile wizard |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: No suggestions on how to configure a FEX static path
Conditions: Creating an EPG from the "Create Application Profile" wizard
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1k) |
|
Known Fixed Releases: * | 1.2(1.118), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux14919 | Title: | ACI - VMM Domain Security Policies cannot be modified from APIC |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Whenever Policy Settings need to be changed, APIC doesn't have the option to change the settings for (Allow Promiscuous, Forged Transmits, or MAC changes).
The only way to change them is through vCenter; however, this triggers a Major fault on the APIC: Fault F0135 Unsupported remote operation detected on EPG: uni/tn/ap/epg detected in Controller: X.X.X.X with name NAME in datacenter DATACENTER in domain VMM_DOMAIN , error: [Portgroup MAC Changes security policy has been changed on external VMM controller].
Conditions:
Workaround: Remove VMM Domain name, and add it again under the EPG, and while adding it, manually change the Security Policies.
Further Problem Description:
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 1.2(0.239a) |
|
Known Fixed Releases: * | 1.2(0.250b), 1.2(0.254), 1.2(1.65), 1.2(1i) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus13433 | Title: | N9K: Packets Destined to SVI MAC Are Dropped When Transparent Bridging |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: Packets destined to SVI MAC address are dropped in Layer 2 only VLAN when transiting the Nexus 9000 which owns the destination mac address on another SVI.
If traffic is destined to peer IP SVI mac address, Nexus 9k1 that receives the packet bypasses bridging, punts it to CPU, routes L2 packet to peer SVI.
Conditions: Traffic received on L2 only vlan, destined to its own mac address of another SVI that this box owns.
Likely scenarios to see this condition include: - transparent firewall bridging - hair pinning traffic - L2 load balancers
Workaround: Configure user defined BIA on the SVI
Further Problem Description: This behavior is due to a platform limitation.
|
|
Last Modified: | 27-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux78364 | Title: | "Getting Started with the Cisco APIC Python API" AAA Login Syntax |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: The Python SDK documentation doesn't provide the username syntax for AAA Login.
Conditions: N/A.
Workaround: AAA Login username syntax is: apic:domain\\username
See http://cobra.readthedocs.org/en/latest/getting-started.html
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 1.1(4e) |
|
Known Fixed Releases: * | 1.2(1.169) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut25866 | Title: | N9K - Logging Needed For When 512 TCAM Slice Is Allocated Instead Of 256 |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Total TCAM allocated to available features is less than the documented total. However, the system reports that there is no available TCAM space to be allocated to other features.
Conditions: Modifying the TCAM region carvings for the available features
Workaround: Re-carve the TCAM allocations per feature to not assign 512 size slices to features in less than 512 size slices
Further Problem Description: When a 512 size slice is taken away from a feature and only part of this 512 size slice is allocated to a feature, say 256, then the remaining 256 of that slice is unusable for other features. Currently this is only able to be determined by viewing the output of show system internal access-list globals:
N9396-1(config)# sh system internal access-list globals | no-more
[snip]
----------------------------------------------------------------------
* - allocated 512 entry slice due to unavailability of 256 entry slices
----------------------------------------------------------------------
[snip]
This enhancement is being filed to report to the user when this condition is met via a syslog and CLI parser prompt. The possibility of this condition is made known to the user in the ACL configuration guide by the following line:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01010.html#concept_846AE66E9B2C4E0EAA3E54FBE51C4A87
"A slice can be allocated to one region only. For example, a 512-size slice cannot be used to configure two features of size 256 each. Similarly, a 256-size slice cannot be used to configure two features of size 128 each."
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I3(4), 7.0(3)I1(1) |
|
Known Fixed Releases: * | 7.0(3)I1(1.191), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup92180 | Title: | N9K: snmpget on udpEndpointProcess returns incorrect index |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: udpEndpointProcess, the last index (udpEndpointInstance) of the returned instance is displayed as 0 which should be 1
Problem exists in 6.1.2.I1.1. Fix had been integrated into 6.1.2.I3.2
Conditions: Always
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 6.1(2)I1(3.99), 6.1(2)I2(2a) |
|
Known Fixed Releases: * | 6.1(2)I3(1.3), 6.1(2)I3(1.4), 6.1(2)I3(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux20106 | Title: | ACI HW guide to specify OOB ports can't be used for CIMC |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Application Centric Infrastructure Fabric Hardware Installation Guide states Out-of-band management ports can be used for CIMC, which is incorrect. With APIC, Out-of-band management ports can ONLY be used for Out-of-band management and CIMC is used only from dedicated port.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 25-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.2(0.139l) |
|
Known Fixed Releases: * | 1.2(1k) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux54052 | Title: | Stale configuration flapping from access port to PC/vPC for VMM |
|
Status: | Other |
|
Severity: | 4 Minor |
Description: * | Symptom: F0467 "Invalid Path Configuraton; Port is member of Port Channel" for a fex port inside a vPC policy for a VMM domain.
Conditions: Port was previously configured with an Access port policy and that was deleted to be used inside a vPC for a VMM domain. Inside the leaf CLI, we ran 'moquery -c fvDyPathAtt | grep 1/10' and found the dn: uni/epp/fv-[uni/tn-tnYRC/ap-NetSvc/epg-DNS/node-104/dyatt-[topology/pod-1/paths-104/extpaths-101/pathep-[eth1/10]]
Inside our lab environment, we created a similar environment where a fex port was inside a PC and used for VMM. We deleted switched the PC policy over to an access policy for the port and after we switched it back, the fault 0467 for invalid path configuration; port member of port channel is thrown.
Workaround: Currently, there's no work around for this in this version. If one is found, this will be updated accordingly.
Further Problem Description:
|
|
Last Modified: | 21-JAN-2016 |
|
Known Affected Releases: * | 1.1(1j), 1.1(4e), 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.38), 1.2(1.48), 1.2(1.78), 2.0(0.118), 2.0(0.95) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux80924 | Title: | "F1690 terminal node is missing a terminal" raised after Mo is deleted |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: faults F1690 in service graph with Error "configuration is invalid due to terminal node is missing a terminal" while vns.RsTermToEPg does exist.
Conditions: none
Workaround: To Be Updated.
Further Problem Description:
|
|
Last Modified: | 15-JAN-2016 |
|
Known Affected Releases: | 1.1(1r) |
|
Known Fixed Releases: * | 1.2(1.149b), 1.2(1.152) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux52554 | Title: | L4-7 Device Package Supported Protocols not displaying in APIC GUI |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: The correct REST HTTP GET is being sent and the "supportedProtocols" response is correctly received; however, the browser does not display the contents. Expecting to see "bgp,bgpv6,ospf,ospfv3" in the GUI for the below example as a result of this call.
method: GET
url: https://10.66.80.242/api/node/mo/uni/infra/mDev-CISCO-ASA-1.2/mClusterCfg.json?query-target=children&target-subtree-class=vnsRoutingCfg&subscription=yes
response: {"totalCount":"1","subscriptionId":"72057628415557641","imdata":[{"vnsRoutingCfg":{"attributes":{"childAction":"","dn":"uni/infra/mDev-CISCO-ASA-1.2/mClusterCfg/mRoutingCfg","lcOwn":"local","modTs":"2015-12-12T16:11:48.091+11:00","name":"","status":"","supportedProtocols":"bgp,bgpv6,ospf,ospfv3"}}}]}
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.91a), 1.2(1.93), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux42484 | Title: | UI: Remove unsupported trunking modes from l3extRsPathL3OutAtt |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: When creating a Logical Interface Profile for an external L3 Out connection, there are three supported interface types:
1) Routed Interface
2) Routed Sub-Interface
3) SVI
Only the SVI supports multiple options for trunking mode (Regular, Untagged & 802.1p native). The other two options are restricted only to a single mode.
After the Route Interface has been added to the Logical Interface Profile, the Mode property allows three options regardless of Interface type, which it should not.
Conditions: APIC software 1.2(1) and earlier
Workaround: NA. This is a cosmetic bug only. The system enforces that only the correct trunking mode is configured, and the unsupported modes will be removed in a future software release.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.1(4f), 1.2(1d) |
|
Known Fixed Releases: * | 1.2(1.84), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux94890 | Title: | APIC GUI: FAN Trays info not show vendor , serial |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: APIC GUI doesn't show FAN Tray's vendor , serial info in Fabric -> Inventory -> Pod1 -> leaf/spineX -> Chassis -> Fan Trays.
Conditions: ACI 1.2(1k) Nexus9500
Workaround: The serial and vendor of the FAN Tray are displayed in the FAN info under Fan Trays instead: Fabric -> Inventory -> Pod1 -> leaf/spineX -> Chassis -> Fan Trays -> [FAN Tray number] -> [FAN number]
Further Problem Description:
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 7.3(0)ZN(0.99) |
|
Known Fixed Releases: * | 11.2(1.187) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuy01595 | Title: | Message "!This field is required" is getting cut off |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Message "!This field is required" is getting cut off
Conditions: While creating a route control profile under the Create Subnet section for external EPG
Workaround: None. This is cosmetic.
Further Problem Description:
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 1.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux94684 | Title: * | N9300 show hardware shows wrong Fan information when removing a Fan |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: When removing any Fan on Nexus9300 switch, "show hardware" shows the last Fan is removed. Following is an example for N9372PX:
*** When removing Fan1***
leaf1# show hardware | grep -A 10 Fan
Chassis has 3 Fans
---------------------------------------
Fan1(sys_fan1)(fan_model:N9K-C9300-FAN2) is inserted but info is not available
Fan2(sys_fan2)(fan_model:N9K-C9300-FAN2) is inserted but info is not available
Conditions: When any Fan removed from the chassis.
Workaround: None. This is a cosmetic issue.
Further Problem Description:
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 11.2(1k) |
|
Known Fixed Releases: | 1.2(1.177) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux84460 | Title: | Window size is too small when configuring Secondary IP under L3Out |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: When configuring a secondary IP under an L3Out, the configuration window is too small to view the entire configuration area.
Conditions: Configuring an L3Out in the APIC User Interface
Workaround: None at this time. This defect does not prevent the user from configuring the feature.
Further Problem Description:
|
|
Last Modified: | 21-JAN-2016 |
|
Known Affected Releases: | 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.65) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv36696 | Title: | CDP information is not shown by VCENTER for AVS though it is seen by VEM |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: CDP information is not visible in vCenter for vmnics assigned to an AVS switch. Normal DVS works fine for those vmnics.
Conditions: AVS is installed.
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.2(0.92a) |
|
Known Fixed Releases: * | 1.2(1.122), 1.2(1.137), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux52176 | Title: | Changing LooseNode Mgmt IP address causes blackhole of traffic |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: After changing UCS FI OOB management address, VMM connectivity is broken. When checking "moquery -c fvDyPathAtt" you will see the entries as zero.
Conditions: UCS FI ACI
Workaround: "Trigger inventory sync" on APIC for corresponding vCenter controller.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.102a), 1.2(1.105a), 1.2(1.107), 1.2(1.97c), 1.2(1j), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus39683 | Title: | ACI: Server I/F should be down until FTAG enabled |
|
Status: * | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: When a leaf switch is rebooted, traffic going across the ACI Fabric is down from the time a front-panel port on that leaf comes up again until the FTAG tree is established again. That down time will be around 90 sec. It can be more or less.
Conditions: When a leaf switch is rebooted. This behavior is not an issue when servers are connected to a single leaf as single-homed. It becomes an issue when servers are connected to 2 leafs via priority-based Active-Standby NIC as dual-homed.
Workaround: Use vPC on ACI side when servers are connected to two leafs as dual-homed.
Further Problem Description: This traffic outage is due to FTAG sync b/w the rebooted leaf and spines, which is expected behavior. It is done after the front-panel port becomes available. This defect is an enhancement request to reduce the down time due to FTAG sync.
+ The reason why only dual-homed is a problem
When a leaf is rebooted, dual-homed servers can still communicate with other devices by switching the active NIC. The problem is that the server will switch the active NIC back when the front-panel port on the leaf comes up again. At this time, traffic which uses FTAG will be black-holed on this leaf since FTAG sync is not done yet.
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 11.0(2m) |
|
Known Fixed Releases: | 11.1(0.143) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux40946 | Title: | New BDs are not added to 'default' route-map automatically |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: The public subnets of some of the bridge-domains (BDs) are not advertised to external networks, although protocols (BGP, OSPF, EIGRP) are configured with 'default' route-map in direction 'out'.
Conditions: 1. The route-map 'default' has already been created ('default' route-map is created on first usage of it). 2. Either a new BD with one or more public subnets is added to the same tenant and VRF or an existing BD, which didn't have any public subnet earlier, is configured to have one or more public subnets.
Workaround: The BDs, missing from 'default' route-map can be easily figured out by dumping 'default' route-map using 'show running-config'. These missing BDs i.e. BDs, with public subnets, that were added after creation of 'default' route-map can be added manually to 'default' route-map using the route-map command 'match bridge-domain'.
Further Problem Description:
|
|
Last Modified: | 26-JAN-2016 |
|
Known Affected Releases: | 1.2(1c) |
|
Known Fixed Releases: * | 1.2(1.177) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus39418 | Title: | Need kernel panic logs from standby sup included in techsupport |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Cisco C9508 running in ACI mode does not include kernel panic log files from the standby supervisor module.
Conditions: If a kernel panic occurs, an "oops" kernel panic file is generated to provide critical information about the source of the crash. This information normally is present in the techsupport output but if after the crash the supervisor which was active during the crash becomes the standby supervisor, these files will not be present.
Workaround: Access the standby supervisor via console and gather the file content output from the /mnt/pstore directory.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 11.0(2j) |
|
Known Fixed Releases: * | 11.2(1.170), 11.2(1.191) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux99771 | Title: | Raise fault when network is not configured for L2 & L3Out |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: External Bridged Networks and External Routed Networks are not working after initial configuration due to a missing Network. Due to this the L2Out or L3Out is not deployed on the Leaf.
Conditions: Network for L2/L3Out not configured
Workaround: Configure the L2 or L3 Network Object. (l2extInstP or l3extInstP)
Further Problem Description: To improve ease of use for customers a fault should be raised to alert them to the missing Network Object
|
|
Last Modified: | 27-JAN-2016 |
|
Known Affected Releases: | 1.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu42155 | Title: | Need LACP vSwitch override policy which configures "Physical NIC Load" |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: ACI Unable to configure Physical NIC Load option for VMM port groups.
Conditions: Missing option under LACP vSwitch override policy.
Workaround: Leave LACP vSwitch override policy as default and manually configure "Physical NIC Load" option under port groups on vCenter.
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.0(4h) |
|
Known Fixed Releases: * | 1.2(1.95), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw40457 | Title: | dhcp relay does not add mod/port to dhcp request |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: The Nexus 9k as dhcp relay only adds the Circuit ID and Vlan sub option in Option 82, not the Port and Slot information.
Conditions: The Nexus 9k is configured as a dhcp relay
Workaround: There is no workaround
Further Problem Description:
|
|
Last Modified: | 28-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(1a) |
|
Known Fixed Releases: * | 7.0(3)I3(0.239), 7.0(3)I3(1), 7.0(3)IDP3(1.78), 7.0(3)IDP3(2), 7.0(3)ITM3(0), 7.0(3)ITM3(0.7), 7.0(3)IX1(1.244), 7.0(3)IX1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu03257 | Title: | EPM and EPMC changes for MAC/IP based EPG feature |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
- IP/MAC Ckt EP configuration not supported in combination with static EP configurations
- IP/MAC Ckt EP configuration not supported with L2-only BDs (config will not be blocked, it just won't take effect as there is no L3 learning in these BDs)
- IP/MAC Ckt EP configuration not supported with external and Infra BDs (again because there is no L3 learning in these BDs)
- IP/MAC Ckt EP configuration not supported with shared services provider config (same or overlapping prefix cannot be used for shared services provider and IP Ckt EP). However, this config can be applied in BDs having shared services consumer EPGs.
- IP/MAC Ckt EP configuration not supported with dynamic EPGs. Only static EPGs are supported
- No fault will be raised if the IP/MAC Ckt EP prefix configured is outside BD subnet range. This is because user can configure BD subnet and IP/MAC Ckt EP in any order and so this is not error condition. If the final configuration is such that IP/MAC Ckt EP prefix configured is outside all BD subnets, the config has no impact and is not an error condition.
- Dynamic deployment of contracts based on instrImmedcy set to onDemand/lazy not supported, only immediate mode is supported.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: | 11.0(3.928), 12.0(0.1) |
|
Known Fixed Releases: * | 1.2(0.31), 1.2(1.17), 1.2(1.48), 2.0(0.136c), 2.0(0.140b), 2.0(0.145a), 2.0(0.147), 2.0(0.95) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus75315 | Title: | Fault should be thrown when Per feature container fails to collect |
|
Status: * | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: files are not created in the per feature container when the on demand tech support is run.
Conditions: This is because the path or command was entered incorrectly and no fault was thrown indicating an issue.
Workaround: n/a. Have to check the tech support and notice the file was not created.
Further Problem Description:
|
|
Last Modified: | 14-JAN-2016 |
|
Known Affected Releases: | 1.0(2m) |
|
Known Fixed Releases: * | 1.2(1.147) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur21515 | Title: | Add VM name in description of fault generated including oid |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: When using VMM and setting up monitoring stats you may see a fault that shows the affected object as an Object ID rather than the VM name.
Conditions:
Workaround: You will need to go into Visore and look under the compVm class for the affected object then you should see the VM name as a property.
Further Problem Description:
|
|
Last Modified: | 13-JAN-2016 |
|
Known Affected Releases: | 1.0(1k) |
|
Known Fixed Releases: * | 1.2(1k) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux72082 | Title: | Add Tenant and VRF column under to vrf > operational |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: If two or more EPGs use the same VRF but different application profiles, then under vrf > operational the same EPGs are displayed but we are not able to differentiate the EPGs directly.
Therefore we need to add extra columns like vrf and application profile to that page to differentiate the EPGs.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 13-JAN-2016 |
|
Known Affected Releases: | 1.1(4e), 1.2(1i) |
|
Known Fixed Releases: * | 1.2(1.138) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut23815 | Title: | LEAF: epm doesnt clear ip.addr after ip.change keeps both IPs for ep-MAC |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The APIC GUI and the CLI commands on the APIC and Switch will display two IPs for a single endpoint.
Conditions: An endpoint is learned and an IP is associated to its MAC. Then, the IP is changed, the ACI system learns the new IP, and now two IPs are associated to the same MAC. It never clears.
Workaround: The CLI command "clear system internal epm endpoint key vrf ip" will clear the EP information for that specific IP.
"clear system internal epm endpoint all" will clear EP information for all of the EP's in the fabric.
Do this in a maintenance window as this will affect fabric forwarding of the EP's being cleared until we re-learn the Endpoint information in the fabric.
Further Problem Description:
|
|
Last Modified: | 11-JAN-2016 |
|
Known Affected Releases: | 11.0(3f) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux76705 | Title: | Enhancement: iBGP should support "local-as" per VRF like standalone NXOS |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Enhancement. ACI iBGP should support VRF AS number different than the MP-BGP Route Reflector number.
Conditions: Configuring iBGP
Workaround: Use the "local-as" command on the remote side
Further Problem Description:
|
|
Last Modified: | 08-JAN-2016 |
|
Known Affected Releases: | 1.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux75049 | Title: | Unable to use special characters as part of the username field in NX-OS |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Error message when attempting to create username with special character in it:
Conditions: (config)# username cisco!123 ^ % String failed to match token pattern at '^' marker.
Workaround: Configure a username without special characters
Further Problem Description:
|
|
Last Modified: | 06-JAN-2016 |
|
Known Affected Releases: | 7.0(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux43224 | Title: | GUI "Fault Properties" Window |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Fault code should show under "Properties"
Conditions:
Workaround: Expand "Details" and the Fault code shows up there
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.2(1.78), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux19711 | Title: | MSFT ACI: optimize vm network deletion |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: CSCux19708 When an EPG is deleted from APIC, APIC will try to delete the VM network on the SCVMM. If the VM network has any VM attached, the deletion will fail. Currently APIC retries the deletion forever at a very short interval, which floods the SCVMM log with this deletion operation.
Conditions: Deleted EPG on APIC while its corresponding VM network still has VM attached.
Workaround: Detach the VM to let the deletion complete.
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.2(0.280), 1.2(1.71b), 1.2(1.74), 1.2(1i), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux06308 | Title: | Import check for Route Control Enforcement should be disabled by default |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: When configuring an External Routed Network (L3 Out) and selecting BGP as the protocol, Import option will be selected by default on GUI
Conditions: BGP is the L3 Out Protocol
Workaround: uncheck Import for Route Control Enforcement
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.2(0.139i) |
|
Known Fixed Releases: * | 1.2(1.78), 1.2(1.84), 1.2(1b), 1.2(1i), 2.0(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux19708 | Title: | MSFT ACI: Support 64bit Agent |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Not a bug. For MSFT integration, ACI agent only has 32bit version. This is to track the enhancement to support 64 bit.
Conditions: N/A
Workaround:
Further Problem Description:
|
|
Last Modified: | 05-JAN-2016 |
|
Known Affected Releases: | 1.1(3f), 1.2(0.139l), 1.2(0.264) |
|
Known Fixed Releases: * | 1.2(1.71b), 1.2(1.74) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux71165 | Title: | SSTE: n9k & n7k not in sync while configuring community name with acl |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: n9k & n7k not in sync while configuring community name with acl
Conditions: snmp config
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 04-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I3(0.170) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu65947 | Title: | Tunnel Manager needs to handle tunnel Modify |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: If we are detaching the hosts and adding it back to the AVS we might have stale/duplicate tunnels so we have to wait 5 mins before adding the hosts back to the AVS so that tunnels are cleaned up on opflex channel timeout.
Conditions: Detach and Attach of the Hosts to the AVS.
Workaround: Wait for 5 mins before reattaching the host to AVS, which cleans up the old tunnels.
Further Problem Description:
|
|
Last Modified: | 25-JAN-2016 |
|
Known Affected Releases: | 11.1(0.229) |
|
Known Fixed Releases: * | 11.1(2.290), 11.2(0.63) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv32540 | Title: | N9000 is missing pim snooping support |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: A router may receive mcast traffic on an L3-enabled VLAN even if there is no receiver attached to it.
Conditions: More than one multicast router on the VLAN.
Workaround: None
Further Problem Description: |
|
Last Modified: | 23-JAN-2016 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux93959 | Title: | N3K/N9K: Add Source IP Address (Only) L3 ECMP Hash Option |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: This is a new CLI option (source) to add a source IP only option to the existing layer-3 ECMP hash options.
CLI Configuration:
N3K(config)# ip load-sharing address source
CLI Verification:
N3K# show ip load-sharing
IPv4/IPv6 ECMP load sharing:
Universal-id (Random Seed): 728
Load-share mode : address source
Conditions: This new CLI is useful if you want to manually change the L3 ECMP hash option to use the source layer-3 IP address.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 22-JAN-2016 |
|
Known Affected Releases: | 7.0(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux66950 | Title: | L3out Static Routes not advertised between route processes on same leaf |
|
Status: | Open |
|
Severity: * | 6 Enhancement |
Description: | Symptom: The local static routes for each routing process are not included when "0.0.0.0/0" with Aggregate Export is used on the External Network EPG configuration.
Conditions: Static Routes are configured for two different route processes on the SAME Leaf Node. The External EPG is configured to use "0.0.0.0/0" with Aggregate Export.
Workaround: The workaround is to manually configure the static routes that are not being advertised individually to the External Network EPG configuration. This is in addition to the "0.0.0.0/0" with Aggregate Export. Once you individually add the routes necessary, the "exc-ext-inferred-exportDST" prefix list is created and the static route prefixes are added. This should all be handled by the "0.0.0.0/0" with Aggregate Export.
Further Problem Description:
|
|
Last Modified: | 20-JAN-2016 |
|
Known Affected Releases: | 11.1(4e), 11.2(1i), 11.2(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux61962 | Title: | Adj gets deleted when the host is in a disconnected state |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: VMs lose connectivity through ACI while a host is disconnected from vCenter.
Conditions: Issue Summary:
1. ESXi host loses connectivity to vCenter
2. If ACI performs an inventory sync during this time, the host adjacency gets deleted
3. As a result, the policy is removed from the corresponding leaves
Workaround: 1) Set the affected EPGs to use Pre-Provision for the VMM_Domain
2) Or, restore connectivity from ESXi to vCenter
Further Problem Description:
|
|
Last Modified: | 31-JAN-2016 |
|
Known Affected Releases: | 1.1(3f) |
|
Known Fixed Releases: * | 1.2(1.122), 2.0(0.154) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu71147 | Title: | APIC directly connected subnets don't get advertised in OSPF |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: * | Symptom: With current Bputra FCS release, APIC doesn't advertise directly connected subnets in OSPF even if it is specified in rtctrl-export.
Conditions: In an ASA and F5 Service design, one F5 is configured thru L3Out peer routing in their PCI Compliance context/segment with static routes for F5 VIP and SNAT subnets.
Both of the external and internal interfaces of the ASA firewall between the regular data context and Compliance context are configured as L3Out peer routing with OSPF.
The F5 connected subnet including its selfIP and float IP cannot be advertised thru OSPF with current Bputra release.
Workaround: Configure a static route that covers the connected subnet; the static route will then be advertised thru OSPF.
Further Problem Description:
|
|
Last Modified: | 14-JAN-2016 |
|
Known Affected Releases: | 1.1(0.936d), 1.1(1o) |
|
Known Fixed Releases: | 1.1(2h), 1.2(0.1), 1.2(1.17), 2.0(0.95) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv39937 | Title: | Weak CBC mode and weak ciphers should be disabled in N9K |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Cisco Nexus devices running Cisco NX-OS may be flagged by security scanners due to the inclusion of SSH Ciphers and HMAC algorithms that are considered to be weak.
These may be identified as 'SSH Server CBC Mode Ciphers Enabled' and 'SSH Server weak MAC Algorithms Enabled' or similar. These are valid findings and are not false positives.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software.
The NX-OS SSH is enabled
Workaround: None
Further Problem Description: This defect was filed as an enhancement to have legacy weak Ciphers and MAC algorithms disabled in the product or to be user configurable, but off by default.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 29-JAN-2016 |
|
Known Affected Releases: * | 6.1(2)I3(2), 7.0(3)I3(0.285) |
|
Known Fixed Releases: | 7.0(3)I2(0.490), 7.0(3)I2(1), 7.0(3)I3(0.257), 7.0(3)I3(1), 7.0(3)IDP3(1.89), 7.0(3)IDP3(2), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36) |
|
|
| |