Cisco IOS Release 15.9(3)M2 - Release Notes for Cisco IR800 Industrial Integrated Services Routers and Cisco CGR1000 Series Connected Grid Routers

Available Languages

Download Options

  • PDF     (470.4 KB)
    View with Adobe Reader on a variety of devices

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Table of Contents

Cisco IOS Release 15.9(3)M2 - Release Notes for Cisco IR800 Industrial Integrated Services Routers and Cisco CGR1000 Series Connected Grid Routers

Contents

PSIRT ADVISORY

IMPORTANT INFORMATION - PLEASE READ!

Image Information and Supported Platforms

IR8x9

IR807

CGR1K

Software Downloads

IR800 Series

IR807

IR809

IR829

CGR1K Series

Warning about Installing the Image

Known Limitations

Major Enhancements

AT&T FirstNet Support for the IR829

Verifying the enable secret Prompt

No Service Password Recovery on the IR809 and IR829

Enabling no service password-recovery

Disabling no service password-recovery

Known Limitations

Related Documentation

Caveats

Cisco IOS Release 15.9(3)M2

Open Caveats

Resolved Caveats

Cisco IOS Release 15.9(3)M2 - Release Notes for Cisco IR800 Industrial Integrated Services Routers and Cisco CGR1000 Series Connected Grid Routers

The following release notes support the Cisco IOS 15.9(3)M2 release. These release notes are updated to describe new features, limitations, troubleshooting, recommended configurations, caveats, and provide information on how to obtain support and documentation.

Revised: July 30, 2021

Contents

This publication consists of the following sections:

blank.gif PSIRT ADVISORY

blank.gif Image Information and Supported Platforms

blank.gifSoftware Downloads

blank.gifKnown Limitations

blank.gifMajor Enhancements

blank.gifRelated Documentation

blank.gif Caveats

PSIRT ADVISORY

IMPORTANT INFORMATION - PLEASE READ!

FPGA and BIOS have been signed and updated to new versions.

For the 15.9 Release Train, this image (15.9-3.M) is considered as the baseline. Downgrade is STRICTLY UNSUPPORTED and bundle install to previous releases will cause an error and fail if attempted. Any manual downgrade [non bundle operations] will impair router functionality thereafter.

Note : After upgrading to this release, make sure to delete any old image files that may still be in flash:. This will prevent an unintended IOS downgrade.

For additional information on the PSIRT see the following:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Image Information and Supported Platforms

Note : You must have a Cisco.com account to download the software.

Cisco IOS Release 15.9(3)M2 includes the following Cisco IOS images:

IR8x9

blank.gifSystem Bundled Image: ir800-universalk9-bundle.SPA.159-3.M2

This bundle contains the following components:

blank.gifIOS: ir800-universalk9-mz.SPA.159-3.M2

blank.gifGuest Operating System: ir800-ref-gos.img.1.11.0.5.gz

blank.gifHypervisor: ir800-hv.srp.SPA.3.1.6

blank.gifFPGA: 2.B.0

blank.gifBIOS: 26

blank.gifMCU Application: 34

IR807

blank.gifIOS Image: ir800l-universalk9-mz.SPA.159-3-M2

CGR1K

blank.gifSystem Bundled image: cgr1000-universalk9-bundle.SPA.159-3-M2

blank.gifIOS Version: cgr1000-universalk9-mz.SPA.159-3-M2

blank.gifGuest Operating System: cgr1000-ref-gos.img.1.8.2.7.gz

blank.gifHypervisor: cgr1000-hv.srp.SPA.3.0.59

blank.gifFPGA: 2.E.0

blank.gifBIOS: 18

Software Downloads

IR800 Series

The latest image files for the IR800 product family can be found here:

https://software.cisco.com/download/navigator.html?mdfid=286287045&flowid=75322

Click on the 807, 809 or 829 link to take you to the specific software you are looking for.

Caution : MANUAL [non-bundle] DOWNGRADE IS STRICTLY PROHIBITED. For newer releases with the PSIRT fix - while bundle downgrade to 158-3.M2/157-3.M4b/156-3.M6b is supported, manual downgrade is unsupported.

IR807

The IR807 link shows the following entries:

blank.gifir800l-universalk9-mz.SPA. <version>.bin

blank.gifir800l-universalk9_npe-mz.SPA. <version>.bin

IR809

The IR809 link shows the following entries:

blank.gifIOS Software

blank.gifir800-universalk9-bundle. <version>.bin

blank.gifir800-universalk9_npe-bundle. <version>.bin

blank.gifIOx Cartridges

blank.gifYocto 1.7.2 Base Rootfs (ir800_yocto-1.7.2.tar)

blank.gifPython 2.7.3 Language Runtime (ir800_yocto-1.7.2_python-2.7.3.tar)

blank.gifAzul Java 1.7 EJRE (ir800_yocto-1.7.2_zre1.7.0_65.7.6.0.7.tar)

blank.gifAzul Java 1.8 Compact Profile 3 (ir800_yocto-1.7.2_zre1.8.0_65.8.10.0.1.tar)

IR829

The IR829 link shows the following entries:

Software on Chassis

blank.gifIOS Software

blank.gifir800-universalk9-bundle. <version>.bin

blank.gifir800-universalk9_npe-bundle. <version>.bin

blank.gifIOx Cartridges

blank.gifYocto 1.7.2 Base Rootfs (ir800_yocto-1.7.2.tar)

blank.gifPython 2.7.3 Language Runtime (ir800_yocto-1.7.2_python-2.7.3.tar)

blank.gifAzul Java 1.7 EJRE (ir800_yocto-1.7.2_zre1.7.0_65.7.6.0.7.tar)

blank.gifAzul Java 1.8 Compact Profile 3 (ir800_yocto-1.7.2_zre1.8.0_65.8.10.0.1.tar)

AP803 Access Point Module

blank.gif Autonomous AP IOS Software

blank.gifWIRELESS LAN (ap1g3-k9w7-tar.153-3.JH1.tar)

blank.gif Lightweight AP IOS Software

blank.gifWIRELESS LAN (ap1g3-k9w8-tar.153-3.JH1.tar)

blank.gifWIRELESS LAN LWAPP RECOVERY (ap1g3-rcvk9w8-tar.153-3.JH1.tar)

Note : On the IR8x9 devices, the ir800-universalk9-bundle.SPA.158-3.M bundle can be copied via Trivial File Transfer Protocol (TFTP) or SCP to the IR800, and then installed using the bundle install flash: <image name> command. The ir800-universalk9-bundle.SPA.158-3.M.bin file can NOT be directly booted using the boot system flash:/image_name. Detailed instructions are found in the Cisco IR800 Integrated Services Router Software Configuration Guide.

Note : On the IR8x9 devices, the cipher dhe-aes-256-cbc-sha (which is used with the commands ip http client secure-ciphersuite and ip http secure-ciphersuite) is no longer available in IOS 15.6(3)M and later as part of the weak cipher removal process. This cipher was flagged as a security vulnerability.

CGR1K Series

The latest image file for the CGR 1000 Series Cisco IOS image is:

https://software.cisco.com/download/navigator.html?mdfid=284165761&flowid=75122

For details on the CGR1000 installation, please see:

http://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/ios/release/notes/OL-31148-05.html#pgfId-9

Warning about Installing the Image

Note : The bundle can be copied via Trivial File Transfer Protocol (TFTP) or SCP to the device, and then installed using the bundle install flash: <image name> command. The bin file can NOT be directly booted using the boot system flash:/image_name.

Caution : MANUAL [non-bundle] DOWNGRADE IS STRICTLY PROHIBITED.

Known Limitations

This release has the following limitations or deviations from expected behavior:

Please ensure there is a minimum 30MB additional space in the flash: file system before attempting an upgrade or downgrade between releases. Otherwise, the FPGA/BIOS will not have enough space to store files and perform the upgrade. In these current releases, the bundle installation will not display a warning, but future releases from September 2019 going forward will have a warning.

blank.gif CSCvq88011 - IR809, IR829

Bundle install should internally handle “firmware downgrade enable” check

Symptoms : If you manually downgrade hypervisor and IOS only from releases (159-3.M+, 158-3.M3+, 156-3.M7+, 157-3.M5+) to the releases (158-3.M2a, 157-3.M4b, 156-3.M6b), the router will be stuck in a boot loop.

Workaround : If you use the recommended 'bundle install' to downgrade, the process will run correctly.

blank.gif SSH access to GuestOS disabled:

From 15.9(3)M1, access to GuestOS through SSH is completely disabled to address vulnerabilities in IOS - GuestOS communication.

However, to access GuestOS, reverse telnet to the GuestOS shell with this command:

router#telnet <GOS interface IP> 2070
 

Note : Only privilege 15 user will be able to do reverse telnet to GuestOS.

Major Enhancements

This section provides details on new features and functionality available in this release. Each new feature is proceeded by the platform which it applies to.

AT&T FirstNet Support for the IR829

FirstNet is a spectrum set aside by the US government for first responders (fire, police, & ambulance crews).

For the new IR829 PID, the user is prompted to configure strong enable secret after factory default boot up, along with the below default security features.

blank.gifTelnet and HTTP - Disabled by Default

blank.gifSSH and HTTPS - Enabled by Default

blank.gifTo configure SSH, refer to the following:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01001.html#d43017e591a1635

blank.gifTo configure HTTPS, refer to the following:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15-mt/https-15-mt-book/nm-https-sc-ssl3.html#GUID-3501A644-E52A-40F4-A5D2-E7D4853B96B7

blank.gifLogin delay and login block - Enabled by Default. See the following table:

Command
Description
login delay <seconds>

Example:

login delay 3
When the user authentication fails in Telnet/SSH/HTTP, the next login prompt will appear to the user after a specified amount of time in seconds.

The feature is enabled after factory default boot up. The default value is 3 seconds.

login block-for <seconds> attempts <tries> within <seconds>

Example:

login block-for 60 attempts 3 within 30
When the user authentication fails in Telnet/SSH/HTTPS for a specific number of attempts within a period a time in seconds, then further connection attempts are refused for a particular amount of time.

The feature is enabled after factory default boot up. The default behavior is when the user authentication fails in SSH/Telnet/HTTP for 3 attempts within 30 seconds, then the connection request to that service is blocked for 60 seconds.

blank.gifWhen the router boots up in factory default mode, the user is prompted to configure a strong enable secret with the following strength checks:

blank.gifMinimum length of 10 characters

blank.gifHave at least one lower case, one upper case and one numerical digit

blank.gifShould not contain the word cisco

If the user ignores the Initial configuration dialog box by entering NO, or presses CTRL+C at the dialog box to quit, the enable secret configuration is displayed until the user configures the strong enable secret.

Verifying the enable secret Prompt

--- System Configuration Dialog ---
 
Would you like to enter the initial configuration dialog? [yes/no]: yes
 
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
 
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
 
Would you like to enter basic management setup? [yes/no]: yes
Configuring global parameters:
 
Enter host name [IR800]: IR800
The enable secret is a password used to protect
access to privileged EXEC and configuration modes.
This password, after entered, becomes encrypted in
the configuration.
 
-------------------------------------------------
secret should be of minimum 10 characters with
at least 1 upper case, 1 lower case, 1 digit and
should not contain [cisco]
-------------------------------------------------
Enter enable secret: ***********
Confirm enable secret: ***********
 
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
 
Enter enable password: <password>
 
 
The virtual terminal password is used to protect
access to the router over a network interface.
 
Enter virtual terminal password: <password>
The iox hypervisor password is used to protect access to
the VDS. This password will be ENCRYPTED.
Enter VDS root password []:
 
Current interface summary
 
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset administratively down down
GigabitEthernet1 unassigned YES unset down down
GigabitEthernet2 unassigned YES unset down down
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES unset down down
Wlan-GigabitEthernet0 unassigned YES unset up up
Async0 unassigned YES unset up down
Async1 unassigned YES unset up down
GigabitEthernet5 unassigned YES unset administratively down down
Cellular0/0 unassigned YES TFTP down down
 
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
 
Enter your selection [2]: 2
Building configuration...
 

Verifying the Status of SSH

IR800#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
 

Verifying the Status of HTTP

IR800#show ip http server status
HTTP secure server status: Enabled
HTTP secure server port: 443
 

No Service Password Recovery on the IR809 and IR829

The No Service Password-Recovery feature is a security enhancement, that when enabled, prevents anyone with console access from using a break sequence (Control+C) during bootup to enter into rommon.

The following events will cause the router will go into rommon mode as standard behavior:

blank.gifThere is a corrupt or missing IOS image in the flash

blank.gifManual boot setting was done in IOS mode

blank.gifIOS bootup was disrupted 20 consecutive times

In an upcoming release, Cisco will lock the environment variable to prevent file access in rommon mode, to further secure the device.

Enabling no service password-recovery

Prerequisites: Ensure bundle install process is used to upgrade to this image. Same as with all other features.

Refer to the following table for steps to enable the feature:

 

 
Command or Action
Description
1
enable

Example:

IR800> enable

Enables privileged EXEC mode. Enter your password if prompted.
2
show version

Example:

IR800# show version
Displays information about the system software, including configuration register settings.
3
configure terminal

Example:

IR800# configure terminal
Enters global configuration mode.
4
config-register <value>

Example:

IR800(config)# config-register 0x102
(Optional) Changes the configuration register setting.

If necessary, change the configuration register settings on the router to set to autoboot.
5

no service password-recovery

Example:

IR800(config)# no service password-recovery
Disables password-recovery capability at the system console.
6
exit

Example:

IR800(config)# exit

Exits global configuration mode and returns to EXEC mode.
7
write memory

Example:

IR800# write memory

Save the configuration in NVRAM

Disabling no service password-recovery

Disable the no service password-recovery feature by configuring service password-recovery

IR800(config)#service password-recovery

Known Limitations

Always disable the feature (execute service password-recovery) before downgrading to an image that does not support this feature.

Related Documentation

The following documentation is available:

blank.gifCisco IOS 15.9M cross-platform release notes:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/15-9m/release/notes/15-9-3-m-rel-notes.html

blank.gifAll of the Cisco IR800 Industrial Integrated Services Router documentation can be found here:

http://www.cisco.com/c/en/us/support/routers/800-series-industrial-routers/tsd-products-support-series-home.html

blank.gifAll of the Cisco CGR 1000 Series Connected Grid Routers documentation can be found here:

http://www.cisco.com/c/en/us/support/routers/1000-series-connected-grid-routers/tsd-products-support-series-home.html

blank.gifIoT Field Network Director

https://www.cisco.com/c/en/us/support/cloud-systems-management/iot-field-network-director/products-installation-and-configuration-guides-list.html

blank.gifCisco IOx Documentation is found here:

https://www.cisco.com/c/en/us/support/cloud-systems-management/iox/tsd-products-support-series-home.html

blank.gifCisco IOx Developer information is found here:

https://developer.cisco.com/docs/iox/

Caveats

Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.

Note : You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Cisco IOS Release 15.9(3)M2

The following sections list caveats for Cisco IOS Release 15.9(3)M2:

Open Caveats

blank.gif CSCvs77133 - CGR1120, CGR1240

LPMR reason is displayed incorrectly. The correct result should be off if the radio is turned off by the user. Instead it shows Low power

Symptoms : When User initiates an lte radio off command under the controller cellular 3/1, the reason displayed should be OFF when the sh cellular 3/1 radio command is executed. It displays as Low Power. No functionality impact. Only a Display issue.

Workaround : None

blank.gif CSCvu74786

Lock the nvram variables to be unconfigurable in rommon mode during no service password recovery.

Symptoms : During no service password recovery configuration, if an IOS image is not present or corrupt in flash:,or manual boot environmental variable is set in IOS mode, or if IOS bootup was disrupted 20 consecutive times, the router will get into rommon-2. Plan to lock the nvram variables configuration in the rommon prompts. This caveat will be resolved in next release.

Workaround : Not Applicable

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products