Release Notes for Cisco CSR 1000v Series, Cisco IOS XE 3S
Cisco CSR 1000v Series Cloud Services Routers Overview
Hardware Requirements (Cisco IOS XE 3.10S and Later)
Hardware Requirements (Cisco IOS XE 3.8S and 3.9S)
Cisco CSR 1000v Evaluation Licenses
Cisco CSR 1000v Software Licenses
Software Image Nomenclature for OVA Installation File
Limitations and Restrictions in Cisco CSR 1000v Series Cloud Services Routers
Limitations and Restrictions in Cisco IOS XE 3.13S
Limitations and Restrictions in Cisco IOS XE 3.12S
Limitations and Restrictions in Cisco IOS XE 3.10S
Limitations and Restrictions in Cisco IOS XE 3.9S
Features and Notes: Release 3.17S
REST API: IP SLA Resource Expanded
Red Hat Enterprise Linux Support
Launching Cisco CSR 1000v in Red Hat Enterprise Linux: Host Mode
Features and Notes: Release 3.16S
Features and Notes: Release 3.15S
Access to REST API and PNSC via TLS
Features and Notes: Release 3.14S
Access to REST API and PNSC via TLS
New Platform Features in Cisco IOS XE 3.14.0S
NAT, FW Box to Box Redundancy for Cisco CSR1000v Routers
New or Modified REST API Support
Features and Notes: Release 3.13S
Access to REST API and PNSC via TLS
New Platform Features in Cisco IOS XE 3.13.0S
Broadband Network Gateway Support
Intelligent Services Gateway Support
PfR Master Controller support for Cisco CSR 1000v
Platform Hardware Throughput Monitor
Shared Management Interface for REST API Support
Support for Single Root I/O Virtualization (SR-IOV) on VMware ESXi and Microsoft Hyper-V
New or Modified REST API Support
New Cisco IOS XE Software Features in Cisco IOS XE 3.13.0S
Features and Notes: Release 3.12S
New Platform Features in Cisco IOS XE 3.12.1S
New Technology Package Licenses
Support for Single Root I/O Virtualization (SR-IOV)
New Platform Features in Cisco IOS XE 3.12.0S
New Higher Throughput-Based Licenses
Support for Microsoft Hyper-V Hypervisor
Support for KVM Using OpenStack
Cisco CSR 1000v 8vCPU Configuration
Router Management Using Cisco Configuration Professional
New and Modified REST API Support
New Cisco IOS XE Software Features in Cisco IOS XE 3.12.0S
Features and Notes: Release 3.11S
New Platform Features in Cisco IOS XE 3.11S
Cisco CSR 1000v 2vCPU Configuration
Deployment of the Cisco CSR 1000v on an Amazon Machine Image (AMI)
VxLAN Layer 2 and Layer 3 Gateway Support on the Cisco CSR 1000v
New and Modified REST API Support
Support for Remote Management by Cisco Prime Network Services Controller
New Cisco IOS XE Software Features in Cisco IOS XE 3.11S
New Cisco IOS XE Software Feature in Cisco IOS XE 3.11.1S
New Cisco IOS XE Software Features in Cisco IOS XE 3.11.0S
Features and Notes: Release 3.10S
New Platform Features in Cisco IOS XE 3.10S
New Higher Throughput-Based Licenses
Cisco CSR1000v Low Footprint (1vCPU, 2.5Gb memory)
Support for Citrix XenServer Hypervisor
Support for Kernel Virtual Module (KVM)-Based Hypervisors
Additional VMware ESXi 5.0 Features Supported in Cisco IOS XE 3.10S
REST API Support for the Cisco CSR 1000v
Additional Cisco IOS XE Technologies Supported in Cisco IOS XE 3.10S
New Cisco IOS XE Software Features in Cisco IOS XE 3.10S
New Cisco IOS XE Software Feature in Cisco IOS XE 3.10.2S
New Cisco IOS XE Software Features in Cisco IOS XE 3.10.0S
Features and Notes: Release 3.9S
New Platform Features in Cisco IOS XE 3.9S
Additional Cisco IOS XE Technologies Supported in Cisco IOS XE 3.9S
Additional VMware ESXi 5.0 Features Supported in Cisco IOS XE 3.9S
New Cisco IOS XE Software Features in Cisco IOS XE 3.9S
LISP Host Mobility Extended Subnet
LISP SHA-2 Support for Site Registration
Compute and export QoS metrics to FNF records
Enable NBAR URI extraction for HTTP transactions for persistent connections
Flexible NetFlow: MPLS Support
NAT - Paired Address Pooling Support
Export PfR MC-id and class-id to FNF record
Caveats—Cisco IOS XE Release 3.17S
Resolved Caveats—Cisco IOS XE Release 3.17.4S
Resolved Caveats—Cisco IOS XE Release 3.17S
Open Caveats—Cisco IOS XE Release 3.17S
Caveats—CiscoIOSXE Releases 3.14S to 3.16S
Resolved Caveats—Cisco IOS XE Release 3.16.9S
Resolved Caveats— Cisco IOS XE Release 3.16.9S
Resolved Caveats—Cisco IOS XE Release 3.16.8S
Open Caveats—Cisco IOS XE Release 3.16.8S
Resolved Caveats—Cisco IOS XE Release 3.16.7bS
Resolved Caveats—Cisco IOS XE Release 3.16.7S
Open Caveats—Cisco IOS XE Release 3.16.7S
Resolved Caveats—Cisco IOS XE Release 3.16.5S
Open Caveats—Cisco IOS XE Release 3.16.5S
Resolved Caveats—Cisco IOS XE Release 3.16.4aS
Open Caveats—Cisco IOS XE Release 3.16.4aS
Resolved Caveats—Cisco IOS XE Release 3.16.3S
Open Caveats—Cisco IOS XE Release 3.16.3S
Caveats—Cisco IOS XE Release 3.14 to 3.16.2S
Caveats—CiscoIOSXE Release 3.13S
Resolved Caveats—Cisco IOS XE Release 3.13.9S
Open Caveats—Cisco IOS XE Release 3.13.8S
Resolved Caveats—CiscoIOSXE Release 3.13.0S
Open Caveats—CiscoIOSXE Release 3.13.0S
Caveats—CiscoIOSXE Release 3.12S
Resolved Caveats—CiscoIOSXE Release 3.12.1S
Open Caveats—Cisco IOS XE Release 3.12.1S
Resolved Caveats—CiscoIOSXE Release 3.12.0S
Open Caveats—CiscoIOSXE Release 3.12.0S
Caveats—CiscoIOSXE Release 3.11S
Resolved Caveats—CiscoIOSXE Release 3.11.2S
Resolved Caveats—CiscoIOSXE Release 3.11.1S
Open Caveats—CiscoIOSXE Release 3.11.1S
Resolved Caveats—CiscoIOSXE Release 3.11.0S
Open Caveats—CiscoIOSXE Release 3.11.0S
Caveats—CiscoIOSXE Release 3.10S
Resolved Caveats—CiscoIOSXE Release 3.10.3S
Resolved Caveats—CiscoIOSXE Release 3.10.2S
Resolved Caveats—CiscoIOSXE Release 3.10.1S
Resolved Caveats—CiscoIOSXE Release 3.10.0S
Open Caveats—CiscoIOSXE Release 3.10.0S
Caveats—CiscoIOSXE Release 3.9S
Resolved Caveats—CiscoIOSXE Release 3.9.2S
Resolved Caveats—CiscoIOSXE Release 3.9.1S
Open Caveats—CiscoIOSXE Release 3.9.0aS
Resolved Caveats—CiscoIOSXE Release 3.9.0aS
These release notes provide information about Cisco CSR 1000v Series Cloud Services Routers, for Cisco IOS XE 3S releases—through Cisco IOS XE 3.17S.
The Cisco CSR 1000v Cloud Services Router provides a cloud-based virtual router that is deployed on a virtual machine (VM) instance on x86 server hardware. The Cisco CSR 1000v router is a virtual platform that provides selected Cisco IOS XE security and switching features on a virtualization platform.
When the Cisco CSR 1000v virtual IOS XE software is deployed on a VM, the Cisco IOS software functions just as if it were deployed on a traditional Cisco hardware platform. You can configure different features depending on the supported Cisco IOS XE software image. The Cisco CSR 1000v supports a subset of Cisco IOS XE software features and technologies.
The Cisco CSR 1000v provides secure connectivity from the enterprise premise (such as a branch office or data center) to the public or private cloud.
Cisco IOS XE 3S Releases and Cisco IOS Release Number Mapping
The Cisco CSR 1000 Series Cloud Services Routers releases correspond to the Cisco IOS XE releases. For example, Cisco IOS XE Release 3.13(0) is the software release for Cisco CSR 1000v Series Cloud Services Routers Release 3.13.0S.
Table 1 lists the mappings between the Cisco IOS XE 3S releases and their associated Cisco IOS releases.
The following sections describe the system requirements for the Cisco CSR 1000v Series Cloud Services Routers.
For installation and hardware requirements, see the Cisco CSR 1000v Series Cloud Services Router Software Configuration Guide.
The Cisco CSR 1000v router is a virtual machine, and can be supported on selected x86 hardware.
The following are the minimum requirements for the Cisco IOS XE 3.8S and 3.9S releases.
– CPU: Intel Nehalem or later is required.
– Hardware Compatibility: Must be listed as supported on the VMware Hardware Compatibility List.
The Cisco CSR 1000v is supported on all Cisco UCS servers. Table 2 lists the Cisco UCS and non-Cisco servers that have been tested for compatibility.
Note Cisco UCS B230-M2, B440-M2, C260-M2, and C460-M2 servers with Intel Westmere-EX CPUs require UCS release 2.0(4) or later.
– Network Cards: 1 Gbps (3 or higher)
– The minimum clock rate supported is 1.9 Ghz
Note The Cisco CSR 1000v router supports a maximum of 10 vNICs (the maximum supported by ESXi 5.0)
Beginning with Cisco IOS XE Release 3.15S, the Cisco CSR 1000v supports activation using Cisco Smart Licensing. To use Cisco Smart Licensing, you must first configure the Call Home feature and obtain Cisco Smart Call Home Services. For more information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Evaluation license availability depends on the software version:
For instructions on activating the evaluation license, see the “Installing Evaluation Licenses for Cisco IOS XE 3.12S and Earlier” section of the Cisco CSR 1000v Software Configuration Guide.
The following evaluation licenses are available:
– AX technology package license with 50 Mbps maximum throughput
– APPX technology package license with 10 Gbps maximum throughput
If you need an evaluation license for the Security technology package, or for an AX technology package with higher throughput, contact your Cisco service representative.
For instructions on obtaining and installing evaluation licenses, see the “Installing Evaluation Licenses for Cisco IOS XE 3.13S and Later” section of the Cisco CSR 1000v Software Configuration Guide.
Cisco CSR 1000v software licenses are divided into feature set licenses. Supported feature licenses depend on the release.
Three legacy technology packages— Standard, Advanced, and Premium —were replaced in Cisco IOS XE Release 3.13 with the IPBase, Security, and AX technology packages.
The following feature sets are supported in Cisco IOS XE 3.12S and earlier:
The following feature sets are supported beginning in Cisco IOS XE 3.12.1S:
The IPBase package replaces the Standard package (legacy).
The Security package replaces the Advanced package (legacy).
The AX package replaces the Premium package (legacy).
Note Cisco recommends using the IPBase, Security, or AX technology packages for compatibility with future releases. All technology packages support the same throughput maximums as the similar feature sets in earlier releases.
The following feature set is supported beginning with Cisco IOS XE 3.13S:
Features Supported by License Packages
For more information about the Cisco IOS XE technologies supported in the feature set packages, see the overview chapter of the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
The Cisco CSR 1000v router provides both perpetual licenses and term subscription licenses that support the feature set packages for the following maximum throughput levels:
Throughput levels are supported for different feature set packages in each version. For more information about how the maximum throughput levels are regulated on the router, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.11S, a memory upgrade license is available to add memory to the Cisco CSR 1000v. This license is available only for selected technology packages.
Additional Information about Licenses and Activation
For more information about each software license, including part numbers, see the Cisco CSR 1000v Router Datasheet. For more information about the standard Cisco IOS XE software activation procedure, see the Software Activation Configuration Guide, Cisco IOS XE Release 3S.
The Cisco CSR 1000v.ova installation file nomenclature provides information about a given release. The following are examples of filenames for.ova installation files:
csr1000v-universalk9.03.15.00.S.155-2.S-std.ova
csr1000v-universalk9.03.16.00.S.155-3.S-ext.ova
Table 3 lists the attributes and the release properties indicated.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12S.
– If the server is set to perform ungraceful failover, there is no workaround.
– If the server is set to perform graceful failover or restart, enter the clear platform software vnic-if nvtable command before executing the failover or restart.
This issue is not seen if the maximum number of interfaces is configured.
http://support.citrix.com/article/CTX137843
Verify that the proper drivers are installed using the following command:
show platform software vnic-if interface-mapping
The driver listed should be vif if the correct drivers are in use.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.10S.
– If the memory Hot-Add option is enabled, and the Cisco CSR 1000v is powered on with 2.5GB initial memory, then the RAM allocation can only increase to a maximum of 3 GB. The system does not allow upgrading to more than 3GB of RAM allocation. The Virtual Machine Properties windows shows “Maximum Hot-Add Memory for this Power is 3 GB”.
– If the Cisco CSR 1000v is powered on with 3GB initial RAM allocation, then the Hot-Add memory option doesn't work, and the option to select memory remains greyed out with the same message on the Properties windows, “Maximum Hot-Add Memory for this Power is 3 GB”.
– If the Cisco CSR 1000v is powered up with 4GB initial RAM allocation, then the Hot-Add option works and you are able to add up to 64 GB of memory.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2018891
For up-to-date information, see:
Cisco CSR 1000v Cloud Services Router Software Configuration Guide
Several new APIs have been added to the IP SLA resource of the REST API. See Cisco IOS XE REST API Management Reference Guide for details.
Added support for VMware ESXi 6.0.
Note Cisco IOS XE 3.16.1S and later also support VMware ESXi 6.0.
Due to an issue specific to Red Hat Enterprise Linux, when launching the Cisco CSR1000v in a Red Hat Enterprise Linux environment using virt-install, set the host mode as follows:
For additional information about deployment in a KVM environment, see Installing the Cisco CSR 1000v in KVM Environments in in Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
When installing the Cisco CSR1000v software image, the default setting is to use is the Virtual VGA console. In some previous releases, the default setting was Automatic Console Detection. See Accessing the Cisco CSR 1000v Console in Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
For up-to-date information, see:
Cisco CSR 1000v Cloud Services Router Software Configuration Guide
Beginning with Cisco IOS XE Releases 3.16S, the Cisco CSR 1000v supports Connectionless Network Service (CLNS). Requires the IPBase license package. For information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE Releases 3.16S, the CSR supports several modes of communication between vNICs and the physical hardware:
For information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
For up-to-date feature information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE Release 3.15S, the Cisco CSR 1000v supports activation using Cisco Smart Licensing. To use Cisco Smart Licensing, you must first configure the Call Home feature and obtain Cisco Smart Call Home Services. For more information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE Releases 3.13.2, 3.14.1, and 3.15, REST API and Cisco Prime Network Services Controller (PNSC) support is limited to TLS.
Beginning with Cisco IOS XE Releases 3.13.2, 3.14.1, and 3.15, REST API and Cisco Prime Network Services Controller (PNSC) support is limited to TLS.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.14.0S that are specific to this platform. For more information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.13.0S that are specific to this platform. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.13.0S, the APPX license package provides support for the feature set supported in the Standard or IPBase license package, plus the feature set available in the AX package, but does not include support for security features (IPSec VPN, DMVPN, GETVPN, EZVPN, FlexVPN, SSLVPN).
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports the Broadband Network Gateway feature set. This feature requires the L-CSR-BB-1K= feature add-on license. For more information, see the Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S.
Ethernet-based deployments only (PPPoE and IPoE) are supported. Note that the following features are not supported in this release:
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports the Intelligent Services Gateway feature set. This feature requires the L-CSR-BB-1K= feature add-on license. Initial support will be for Wireless deployments in Hospitality environments. For more information, see the Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S .
Beginning with Cisco IOS XE 3.13.0S, the Common OVF Tool (COT) is bundled with the Cisco CSR 1000v. The Common OVF Tool is an open-source tool for editing Open Virtualization Format (.ovf,.ova) virtual appliances such as the Cisco CSR 1000v. For more information, see the tool documentation at: https://github.com/glennmatthews/cot.
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v can perform as a Performance Router Master Controller. For more information, see the Performance Routing Configuration Guide, Cisco IOS XE Release 3S
Beginning with Cisco IOS XE 3.13.0S, the platform hardware throughput monitor can be used to monitor the platforms current throughput and receive a notification when the maximum allowable throughput level is close to being reached. The set platform hardware throughput-monitor command configures the percentage of throughput at which you are notified, and the interval for how often the router checks the throughput rate.
Beginning with Cisco IOS XE 3.13.0S, the management virtual services container used for REST API support can share the same IP address as the router’s management interface. In previous releases, a separate IP address had to allocated specifically for the virtual services container. In this release, this feature is supported for the virtual services container when used for REST API, but is not supported when the virtual services container is used for Cisco Prime Network Services Controller (PNSC) support.
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports Single Root I/O virtualization (SR-IOV) on VMware ESXi and Microsoft Hyper-V. No additional configuration is required on the Cisco CSR 1000v, but the host hardware must support the Intel VT-d or AMD IOMMU specification.
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports new or modified REST APIs in the following functional areas:
For more information, see the Cisco IOS XE REST API Management Reference Guide.
This section describes new features in Cisco IOS XE 3.13.0S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
For detailed information, see the following documentation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-xe-3s-book/bba-pppoe-client-xe.html
For detailed information, see the following Cisco site:
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/appnav/csr-asr/apnavcsr.html
For detailed information, see the following Cisco site:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/15-mt/sec-usr-cts-15-mt-book/cts-fnf.html
For detailed information, see the following Cisco site:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
For detailed information, see the following Cisco site:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-lisp-multicast.html
For detailed information, see the following Cisco site:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/pp900/nbar-prot-pack600.html
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12.1S. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.12.1S, the following technology package licenses are supported:
For more information, see the “Cisco CSR 1000v Software Licenses” section.
Beginning with Cisco IOS XE 3.12.1S, the Cisco CSR 1000v supports SSL VPN. For more information, see the SSL VPN Configuration Guide, Cisco IOS XE Release 3S.
The Cisco IOS XE SSL VPN Support feature is only supported on the Cisco CSR 1000v in this release.
Beginning with Cisco IOS XE 3.12.1S, the Cisco CSR 1000v supports Single Root I/O virtualization (SR-IOV) to provide improved throughput for selected hypervisors. In this release, SR-IOV is supported for Citrix XenServer and KVM only. No additional configuration is required on the Cisco CSR 1000v, but the host hardware must support the Intel VT-d or AMD IOMMU specification.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12S that are specific to this platform. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.12S, Cisco CSR 1000v licenses based on higher maximum supported throughput levels are available. You can purchase licenses to support maximum throughput levels of 2.5 Gbps and 5 Gbps. For more information, see the “Cisco CSR 1000v Software Licenses” section and the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation on the Microsoft Hyper-V hypervisor. The supported hypervisor version is Windows Server 2012 R2.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation on VMware ESXi 5.5.
Note VMware ESXi 5.5 update 3 is not supported at this time.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation of a KVM instance on OpenStack.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v offers a configuration option that uses 8 virtual CPUs (vCPUs) for VMware ESXi only.
Beginning with Cisco IOS XE Release 3.12S, the Cisco CSR 1000v supports managing the router using Cisco Configuration Professional. The minimum version required is Cisco Configuration Professional 2.8. For more information, see the Cisco Configuration Professional documentation.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v REST API supports the following APIs:
For more information, see the Cisco IOS XE REST API Management Reference Guide.
This section describes new features in Cisco IOS XE 3.12S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zbf-ogacl.html
For detailed information, see the following Cisco site:
https://developer.cisco.com/web/onepk/home
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_classn/configuration/xe-3s/qos-classn-xe-3s-book/qos-classn-ntwk-trfc.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-ikev2-flex.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book.html
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.11S that are specific to this platform. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v offers a configuration option that uses 2 virtual CPUs (vCPUs).
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v provides a memory upgrade license to add up to 8 GB memory with route reflector support for the 500 Mbps maximum Premium package. For more information, see the “Cisco CSR 1000v Software Licenses” section.
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v supports deployment on an Amazon Machine Image (AMI). You can deploy a Bring Your Own License (BYOL) AMI using a license purchased from Cisco. For more information, see the Cisco CSR 1000v Series Cloud Services Router Deployment Guide for Amazon Web Services.
This release provides VxLAN (Virtual eXtensible Local Area Network) Layer 2 and Layer 3 support on the Cisco CSR 1000v. VxLAN is a technology that provides a Layer-2 overlay network, allowing for network isolation. The standard 802.1q VLAN implementation limits the number of tags to 4,096. However, cloud service providers may want to operate more than 4,096 virtual networks. VxLAN uses a 24-bit network ID, which allows for a much larger number of individual identified networks to be operated.
For more information, see the Cisco CSR 1000v VxLAN Support document.
Beginning with Cisco IOS XE 3.11S, the Cisco IOS XE REST API (formerly called the Cisco CSR 1000v REST API) supports the following technologies:
The following REST APIs have been modified in this release:
For more information, see the Cisco IOS XE REST API Management Reference Guide.
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v supports remote management of the router using Cisco Prime Network Services Controller. For more information, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide. and the Cisco Prime Network Services Controller documentation.
This section describes new features in Cisco IOS XE 3.11S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
The following feature has been updated in the Cisco IOS XE 3.11.1 release.
For AppNav Controller Group (ACG) scenarios, a new CLI ( service-insertion acg-reload-delay) provides a time delay before enabling WAN traffic for a router that has just rebooted. During the delay, the router drops all TCP packets passing through the WAN interface. This enables the router to synchronize flows before traffic is enabled, preventing unintended resetting of connections.
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/appnav/csr-asr/apnavcsr.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios_15-4_1T_ios_xe3_11/avc_user_guide_ios_15-4_1T_iosxe3_11.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-lisp-support-for-disjoint-rloc-domains.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/zbf-enable-alg-aic.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-3s/fnf-xe-3s-book/fnf-xe-3s-book_chapter_010000.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-cfg-recon-flex.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ir-tunls-gre-entropy-xe.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-ip4-acl-chng-sup.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-s/irs-15-s-book/irs-rmte-lfa-frr.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-lisp-esm-multihop-mobility.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ir-mpls-vpnomgre-xe.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/pp600/nbar-prot-pack600.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ipfrr-lfa.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-per-tunnel-qos.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/iap-xe-3s-book/iap-tcp.html
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.10S that are specific to this platform. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.10S, Cisco CSR 1000v licenses based on higher maximum supported throughput levels are available. You can purchase licenses to support a maximum throughput level of 100 Mbps, 250 Mbps, 500 Mbps, or 1 Gbps. The maximum throughput licenses for 10 Mbps and 50 Mbps introduced in Cisco IOS XE 3.9S are still supported; the throughput licenses for 25 Mbps are no longer supported. For more information, see the “Cisco CSR 1000v Software Licenses” section and the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v offers a low footprint configuration option that requires only 1 virtual CPU (vCPU) and 2.5 Gb memory. This option is only supported on VMware ESXi.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports installation on the Citrix XenServer hypervisor, version 6.02.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports installation on the following KVM-based hypervisors:
Beginning with Cisco IOS XE 3.10S, the following VMware ESXi 5.0 features are supported on the Cisco CSR 1000v Cloud Services Router:
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports VMware ESXi 5.1.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v provides support for RESTful APIs as an alternative to configuring the router using the Cisco IOS XE CLI. The REST API support is limited to the following technologies:
Note that IPV6 is not currently supported for the REST API. The Cisco CSR 1000v only supports the REST APIs over an HTTPS connection.
For more information, see the Cisco IOS XE REST API Management Reference Guide.
The following Cisco IOS XE technologies are supported on the Cisco CSR 1000v Series Cloud Services Router beginning in Cisco IOS XE 3.10S:
This section describes new features in Cisco IOS XE 3.10S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
The following feature has been updated in the Cisco IOS XE 3.10.2 release.
For AppNav Controller Group (ACG) scenarios, a new CLI ( service-insertion acg-reload-delay) provides a time delay before enabling WAN traffic for a router that has just rebooted. During the delay, the router drops all TCP packets passing through the WAN interface. This enables the router to synchronize flows before traffic is enabled, preventing unintended resetting of connections.
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/appnav/csr-asr/apnavcsr.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios_xe3_10/avc_user_guide_iosxe3_10.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-sgt-handling-imp-fwd.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3s/asr1000/isw-cef-xe-3s-asr1000-book/isw-cef-load-balancing.html
The following sections list the new features that are supported by the Cisco CSR 1000v Cloud Services Routers for Cisco IOS XE 3.9S.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.9S that are specific to this platform. For more information about these features, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
Beginning with Cisco IOS XE 3.9S, Cisco CSR 1000v licenses are based on the maximum supported throughput level. You can purchase licenses to support a maximum throughput level of 10 Mbps, 25 Mbps, or 50 Mbps. For more information, see Cisco CSR 1000v Software Licenses and the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.
The following Cisco IOS XE technologies are supported on the Cisco CSR 1000v Series Cloud Services Router beginning in Cisco IOS XE 3.9S:
The following VMware ESXi 5.0 features are supported on the Cisco CSR 1000v Cloud Services Router beginning in Cisco IOS XE 3.9S:
The following CLI commands specific to the Cisco CSR 1000v have been added in Cisco IOS XE 3.9S:
The following CLI command specific to the Cisco CSR 1000v has been deprecated in Cisco IOS XE 3.9S:
This section describes new features in Cisco IOS XE 3.9S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-host-mob.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-overview.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios_xe3_9/avc_soln_guide_iosxe3_9/avc_config.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios_xe3_9/avc_soln_guide_iosxe3_9/avc_config.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-3s/fnf-xe-3s-book/fnf-mpls-support.html
For detailed information, see the following Cisco document:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/iadna t-addr-pool.html
For detailed information, see the following Cisco documents:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/avc/configuration/xe-3s/avc-xe-3s-book.html
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios_xe3_9/avc_soln_guide_iosxe3_9/avc_config.html
This section provides information about the caveats in Cisco CSR 1000v Series Cloud Services Routers Release 3S. Caveats describe unexpected behavior. Severity 1 caveats are the most serious caveats. Severity 2 caveats are less serious. Severity 3 caveats are moderate caveats. This section includes severity 1, severity 2, and selected severity 3 caveats.
We recommend that you view the field notices for the current release to determine whether your software or hardware platforms are affected. You can access the field notices from the following location:
http://www.cisco.com/c/en/US/support/tsd_products_field_notice_summary.html
In this section, the following information is provided for each caveat:
Note If you have an account on Cisco.com, you can also use the Bug Search Tool (BST) to find select caveats of any severity. To reach the Bug Search Tool, log in to Cisco.com and go to https://tools.cisco.com/bugsearch/search. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
For Best Bug Search Tool Results
For best results when using the Bug Search Tool:
The tool provides autofill while you type in these fields to assist in entering valid values.
Releases beginning with 3.x have an equivalent release number beginning with 15.x, as shown in the following table. Include the 15.x equivalent to ensure that all relevant caveat results are displayed.
You can use the Bug Search Tool to view new and updated caveats: https://tools.cisco.com/bugsearch/search.
For Best Bug Search Tool Results
For best results when using the Bug Search Tool:
The tool provides autofill while you type in these fields to assist in entering valid values.
Releases beginning with 3.x have an equivalent release number beginning with 15.x, as shown in the following table. Include the 15.x equivalent to ensure that all relevant caveat results are displayed.
Note To view details of the caveats for releases from 3.14 up to 3.16.2, use the Bug Search Tool as explained below in “Caveats—Cisco IOS XE Release 3.14 to 3.16.2S” section.
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
For Cisco IOS XE releases 3.14 to 3.16.2S, use the Bug Search Tool to view new and updated caveats: https://tools.cisco.com/bugsearch/search.
Symptom: A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
Cisco has released free software updates that address these vulnerabilities.
There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2112 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: When a Peer sends a certificate with no CDP, the IOS PKI client will try to retrieve the CRL through SCEP [GetCRL] directed to CA, based on enrollment url value, however in case of enrollment profile [with a valid enrollment url], it complains that the enrollment url is not present.
Conditions: IOS PKI Client configured with an Enrollment profile, which has enrollment url and authentication url to communicate with the CA using SCEP.
a) configure the enrollment URL under the trustpoint directly instead of using it through enrollment profile
b) configure the CA to embed a CDP in the client certificates [an HTTP Server or SCEP URL]. Peer will need to be reenrolled afresh.
cdp-url http://10.106.72.139/cgi-bin/pkiclient.exe?operation=GetCRL
[Note: Before typing in ? next to pkiclient.exe in the URL above, type Ctrl+V]
Symptom: No counter to show the ATM VC IFM call out and response
Symptom: Group override does not take effect for interface-config strings. Actual ordering of interface config strings on cloned V-Access does not correspond to the expected order based on AAA settings in IKEv2 profile.
Conditions: User & group authorization configured in IKEv2 profile.
Workaround: Move all config-string attributes to a single authorization source (user or group).
Conditions: SIP ALG traffic with FW and NAT
Symptom: IOSd crash when show platform condition after remove the corresponding interface
Conditions: With "debug platform software cond-debug verbose" enabled, and after delete the interface show platform condition will trigger this crash.
Symptom: Crypto sessions get stuck in UP-IDLE state in scale scenario on a Cisco CSR platform.
Conditions: This symptom occurs on a Cisco CSR platform in Cisco IOS XE Release 3.11.
Workaround: Bring the sessions up in very small increments, for example, 40 sessions at a time initially and keep monitoring. When the sessions stop coming up for 40 sessions at a time, switch to a smaller number like 20.
Symptom: IOSD crash at ipv6_intf_mtu on flexvpn client
Conditions: Flapping flexvpn client configured with ipv6 on tunnel interface.
Symptom: Traffic which needs to be send between appnav-controllers will get lost.
Received inter-appnav-controller packets will get assigned to the shutdown tunnel interface.
As a result, no flows will be synchronized between this appnav-controller and appnav-controllers in the same appnav-controller-group. Asymmetrically routed packet will also fail due to lack of flow and unable to query flow from other appnav-controller.
Conditions: Having a shutdown tunnel interface configured with tunnel source equals to the local appnav-controller IP and tunnel destination equals to the IP of another appnav-controller in the appnav-controller-group (i.e. another ASR router).
To detect this problem the following counter will go up for every dropped packet:
show platform hardware qfp active statistics drop | i Disabled
alternatively you can use a packet-trace feature on 3.10.2 and above to check for the dropped reply getting send to the shutdown tunnel interface.
Workaround: Remove the shutdown tunnel from configuration or un-shutdown it.
Further Problem Description: The received packet shares the same source and destination IP of an existing GRE tunnel before matching AppNav tunnel. And since the tunnel interface is disabled, the packet is dropped before reaching AppNav's handler.
Symptom: A vulnerability in IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA). The vulnerability is due to a wrong handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause dropping of valid, established IKE Security Associations on an affected device.
Conditions: Device configured to process IKE request that already has a number of established security associations.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-2143 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: Debug platform condition matches traffic that is not included in the condition.
Conditions: Use of packet tracer / conditional debugger.
Workaround: Clear platform condition all and re enable.
Symptom: Sometimes an error log is seen when tracing packets with 'debug platform packet-trace' or some of the data seems inconsistent.
Conditions: Tracing multicast packets with packet-trace in IOS-XE 3.11.0 or IOS-XE3.12.0 using circular buffering:
debug platform packet-trace <num-pkts> circular
debug platform packet-trace drop [code <code-num>]
Workaround: Avoid the commands above when using.
Symptom: CSR1000v router running XE3.11 (15.4(1)S) working as Route Reflector. The route-reflector is advertising prefixes with incorrect subnet masks to ibgp peers and route-reflector clients. The incorrect prefixes are not present in the bgp table of the route-reflector itself, however they do get installed in the bgp table of the router receiving the update.
Conditions: This symptom is observed when BGP route reflector uses the additional paths feature.
Workaround: Disable additional path feature either globally under address-family or per neighbor.
Symptom: IPsec configured router sees unauthenticated router in INIT stage of ospfv3
Conditions: Configure one router with ospfv3 auth and other router with no authentication
Symptom: Crash occurs when IKEv2 attempts to clean up its contexts when it times-out waiting for received Certificate to be Validated by PKI component.
Conditions: Authentication with certificates and PKI component's response to certificate validation is delayed.
Workaround: There is no workaround.
Symptom: Content sensitive help from CLI lists only three protocols instead of the full list. This is valid for securityk9 license when configuring class map:
Conditions: Tested on 4451-X, could be also happening on ASR1K
Workaround: Use appx license instead of securityk9
Symptom: RP crash due to %SYS-2-CHUNKBADMAGIC in checkheaps in chunk MallocLite
Symptom: An error is seen while enabling "auto negotiation".
Conditions: This symptom is observed when "auto negotiation" is configured on an interface.
Workaround: There is no workaround.
1) "crypto isakmp aggressive-mode disable" is in "show run all" by default.
In spite of the disable command, IKE aggressive mode is enabled by default.
2) The command remains in "show run all" output.
"no crypto isakmp aggressive-mode disable" command cannot remove it from "show run all", and that change ("no" form) does not show up in "show run" output.
The command works properly if it is configured explicitly.
Conditions: Cisco IOS 15.1 or later
- See "show run" output to check if this feature is disabled or not.
- To disable IKE aggressive mode, set "crypto isakmp aggressive-mode disable" explicitly.
Symptom: SADB Peer Chunk leak seen.
Conditions: DmVPN Hub with 2000 simulated spokes in stress/scale scenario.
Symptom: A FlexVPN client router may report alignment errors and experience high cpu utilization in IKEv2 FlexVPN process.
Conditions: The tunnel interface in use with the FlexVPN client configuration must flap while the client is processing an IKEv2 redirect. The high cpu utilization is seen only if the client is configured to auto connect.
Workaround: Remove and reconfigure the IKEv2 client configuration block.
Symptom: A Cisco router or switch may crash when issuing the show logging command.
Conditions: Open one session to the device and issue show logging. Let the output of the show logging command sit at the more prompt in the Trap logging session. While changing the logging host commands in a different session resume the output of the show logging command. There is a chance that both actions at the same time will make the device crash.
Workaround: Do not make changes to the logging host command while the show logging command output is still outstanding.
Symptom: FlexVPN - IKEv2 authorization policy config gets deleted after reboot under some conditions.
Conditions: If route set interface is configured for loopback interface
Conditions:This issue occurred after a switchover from Active RP to Standby RP was done. The device had 1000 PPPoA sessions on the device. Call Admission Control (CAC) is also configured.
Workaround:Remove the CAC configurations. For example, the following would have to be removed:
Symptom: ASR using ZBFW may not properly classify traffic when class-maps of type inspect reference an ACL that uses a service-type object-group.
Conditions: A sample configuration that does not work:
ip access-list extended ICMP_ACL
permit object-group ICMP_OG any any
class-map type inspect match-all ICMP_CMAP
match access-group name ICMP_ACL
policy-map type inspect ICMP_PMAP
zone-pair security INSIDE2OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect ICMP_PMAP
Workaround: Applying the ACL to the interface, then reapplying it to the class-map sometimes resolves the issue. Once the issue is resolved, reloading the ASA will cause the original classification problem to reoccur.
Symptom: Some Cisco Internetwork Operating System (IOS) releases may be affected by the following vulnerabilities:
These products include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS MITM vulnerability
This bug has been opened to address the potential impact on this product.
Conditions: Devices running an affected version of Cisco IOS and utilizing an affected configuration.
One of more of these vulnerabilities affect all versions of IOS prior to the versions listed in the Integrated In field of this defect.
Workaround :None currently available.
More Info: Known affected releases*
*if just the base version is given then all the rebuilds and maintenance releases are impacted.
All Cisco IOS services that provide a form of TLS or SSL encryption are affected by this vulnerability. This includes features such as the HTTPS Web Management interface.
Cisco IOS devices that support SSLVPN (AnyConnect) and have the feature configured and enabled are affected by this vulnerability.
Cisco IOS devices that support SSLVPN (AnyConnect) and have the feature configured and enabled are affected by this vulnerability.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/9.5:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Large multicast packets are not reaching the receiver.
Conditions:Using IPv6 VFR with multicast.
Symptom: AVC coarse grain configuration, while running the debug command show platform hardware qfp active feature nbar function sui_lut_remove_all_links the router crashed.
Conditions: Since the command is debug should not happen on customers.
Symptom: The CLI show the overlap ip in its configuration but when using the GUI to admin down/up the interface, it will resulting "failed-to-apply".
Conditions: When apply overlapping ip address between gigabitEthernet and tunnel interface
Symptom: When Gig1 is configured on CSR and it is also used as the management ip, if we try to configure sub-interface Gig1.1, it gets configured as "native" by default( even without using the keyword "native"):-
At this point, the telnet session is lost and so is the connectivity with PNSC. When logging in using Vsphere and checking the config, it shows gig1.1 is configured as the native sub-interface. As follows:
Conditions: Configure Gig1.1 when Gig1 is configured
Symptom: The default queue-limit programming might not be correct if changing the throughput level without rebooting the box.
Conditions: The change of the license shaper value will not update the already programmed default queue-limit setting. It might cause performance or QoS drops condition misbehave.
Workaround: No workaround except perform a router reload.
Symptom: VLAN support is not present in SR-IOV.
Conditions: CSR 1000v installation with SR-IOV.
Workaround: There is no workaround.
Symptom: CSR datapath processes are using regular memcpy to copy packet buffers in different stages, which seems to have impact on throughput performance.
Symptom: A CPP crash triggered by NBAR may occur on Cisco ASR 1000 Series routers, Cisco 4000 Series ISR routers, and Cisco CSR 1000v routers.
Conditions: This symptom may occur under rare conditions of traffic mixture and rate when NBAR and NAT are both enabled.
Workaround: There is no workaround.
Symptom: A memory leak is seen in the MALLOCLITE process: show processes memory ------------------ Processor Pool Total: 282793968 Used: 280754252 Free: 2039716 I/O Pool Total: 41943040 Used: 18560544 Free: 23382496 PID TTY Allocated Freed Holding Getbufs Retbufs Process 0 0 268189264 170950536 88785564 1354 634324 *Init* 0 0 0 0 141933756 0 0 *MallocLite* 409 0 451333208 202702788 40928844 83639 83639 CCSIP_UDP_SOCKET 299003084 Total The memory continues to increase there.
Conditions: This symptom is observed while parsing to header, Gateway gets errors as below: Feb 26 12:07:28 EST: Parse Error: url_parseSipUrl: Received Bad Port Feb 26 12:07:28 EST: //2765/000000000000/SIP/Error/sippmh_cmp_tags: Parse Error in request header The correct response for the above should have been to send 400 Bad Request The request cannot be fulfilled due to bad syntax The memory associated with the above is not getting released is the side effect of the above.
Workaround: There is no workaround. Further Problem Description: This issue was not seen on versions earlier than 15.3X
Symptom: No address prefix flow records get reported when packets get fragmented at Tunnel interface, which has enabled with AVC flow monitor.
Conditions: May occur when packet are fragmented due the maximum packet length limit, called the Maximum Transmission Unit (MTU). When packet size is bigger than the interface MTU, the packet will be fragmented and will not be monitored by AVC.
Workaround: Increase the size of the MTU to accommodate larger packets. For example, configure an MTU of 3000 bytes with the following CLI: Device(config)# interface Gig0/2/1 Device(config-if)# mtu 3000 Further Problem Description: The issue may occur when UDP traffic becomes fragmented over a DMVPN tunnel interface due to a default maximum packet size (MTU) of 1500 bytes.
Conditions: on changing pap limit from 30 to 60 ith traffic on
Symptom: A vulnerability in IPSec tunnel implementation of Cisco IOS Software could allow an unauthenticated, remote attacker to change the tunnel MTU or path MTU and potentially cause IPSec tunnel to drop.
The vulnerability is due to incorrect processing of certain ICMP packets. An attacker could exploit this vulnerability by sending specific ICMP packets to an affected device in order to change the configured MTU value of the tunnel interface. An exploit could allow the attacker to change the tunnel MTU or path MTU and potentially cause IPSec tunnel to drop.
Conditions: A device configured for IPSec VTI and with path-mtu-discovery disabled.
Workaround: Issue is caused by ICMP unreachables. Blocking ICMP is a workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C CVE ID CVE-2013-6694
has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6694
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: when flapping mpls mldp with scale v4 setup, the lspvif interface disappears in "show ip mfib" output, and packets are dropped.
Symptom: Duplicate entry seen in "sh lldp neighbor"
Conditions: if the physical link is a member of a etherchannel bundle. lldp packets are processed on the bundle UIDB. Workaround: None.
Further Problem Description: Solution: if the physical link is a member of a etherchannel bundle. lldp packets are processed on physical link UIDB instead of the bundle UIDB.
Symptom: Group override does not take effect for interface-config strings. Actual ordering of interface config strings on cloned V-Access does not correspond to the expected order based on AAA settings in IKEv2 profile.
Conditions: User & group authorization configured in IKEv2 profile.
Workaround: Move all config-string attributes to a single authorization source (user or group).
Symptom: ucode crash@ipv4_nat_cgn_mode_dp_rel_mem on changing nat mode.
Conditions: In a scaled setup on changing nat mode
Symptom: "no ip subnet" in l3-custom results in creating custom protocol.
Conditions: Create L3 custom submode ip nbar custom t1est transport tcp id 1 "no ip subnet" cretaes custom protocol and exit submode.
Symptom: many packets are dropped for NatIn2out cause
Conditions: PAT, interface overload.
Symptom: LDAP ALG will encode the packet even there is no need to translate them, this will not impact function, but it is not necessary.
Conditions: LDAP ALG will encode the packet even there is no need to translate them.
Workaround: Will not impact function.
Symptom: ping fails with tunnel protection applied.
Conditions: Tunnel protection applied on GRE tunnel interface, using IKEv1 to negotiate IPsec SAs and remote node (IKEv1 responder) behind NAT.
Workaround: Can switch to using IKEv2.
Conditions: Conditional debugging and packet tracing is enabled on join interface for OTV.
Symptom: Large IPSEC packets get dropped when fragmentation is done after IPSEC encapsulation.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptom: Multiple Tracebacks seen pertaining to uRPF component cannot allocate more memory No functional issues seen (i.e no session drops).
Conditions: TBs seen on Scaled Setup of 128K Authenticated Sessions + 256K Walkby sessions.
Workaround: Lower the session scale during RP Switchover Tested 107K Authenticated Sessions + 223K Walkby Sessions with no issues.
Symptom: IOS will fail to match the certificate map intermittently.
Conditions: IOS PKI using certificate maps, to authorize the Peer certificates or override CDP. In this case: - if a certificate map is written on a PC, with upper case letters in them: Ex: crypto pki certificate map HR-Users 10 subject-name co ou = HR-Users - and this is a part of the configuration that is merged with the running config through IOS file-system [directly from flash or FTP/TFTP/HTTP etc], IOS retains the upper case letters. [contrary to certificate maps written through CLI, always converts everything to lower case letters].
Workaround: A) - copy the certificate maps [that have upper case letters in them] to a notepad - remove the certificate maps [that have upper case letters in them] - paste the certificate maps, through IOS CLI - wherever these cert maps were being called, they will stay intact, and this change will take effect immediately or B) - The certificate map needs to enter IOS in a manner that IOS would insert it if you were to enter it in a CLI I.e. Make sure the external config generators generate the certificate map in such a way that everything is in lower case, and it has white spaces between DN OID, '=' and the value.
Symptom: Traffic which needs to be send between appnav-controllers will get lost. Received inter-appnav-controller packets will get assigned to the shutdown tunnel interface. As a result, no flows will be synchronized between this appnav-controller and appnav-controllers in the same appnav-controller-group. Asymmetrically routed packet will also fail due to lack of flow and unable to query flow from other appnav-controller.
Conditions: Having a shutdown tunnel interface configured with tunnel source equals to the local appnav-controller IP and tunnel destination equals to the IP of another appnav-controller in the appnav-controller-group (i.e. another ASR router). To detect this problem the following counter will go up for every dropped packet: show platform hardware qfp active statistics drop | i Disabled alternatively you can use a packet-trace feature on 3.10.2 and above to check for the dropped reply getting send to the shutdown tunnel interface.
Workaround: Remove the shutdown tunnel from configuration or un-shutdown it.
Further Problem Description: The received packet shares the same source and destination IP of an existing GRE tunnel before matching AppNav tunnel. And since the tunnel interface is disabled, the packet is dropped before reaching AppNav's handler.
A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card.
The vulnerability occurs during the processing of a malformed L2TP packet. An attacker could exploit this vulnerability by sending malformed L2TP packets over an established L2TP session. An exploit could allow the attacker to cause a reload of the affected ESP card.
Conditions: Device configured with ''no vpdn ip udp ignore checksum'.'
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2014-2183
has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2183
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: Ping failed with input errors when HDLC interface MTU set/removed.
Conditions: 1. set MTU (more than 2950) on HDLC interface, then remove MTU; 2. ping failed to peer HDLC interface.
Symptom: COS markings not seen proper on the dot1q interface.
Conditions: The issue will be seen if met all of following conditions: 1, MPLS packets with fragment happened in data plane on the dot1q interface.
Symptom: Standby RP source is not participating in clocking selection.
Conditions: we must have the below specific netclk config on the ASR1k and need to perform RP-switchover. "network-clock select 1 BITS R0 <T1/E1> <Framing>" "network-clock select 2 BITS R1 <T1/E1> <Framing>"
Workaround: Remove and re-apply the stby-network-clk Source with different framing Further Problem Description: This bug is specific to below combination. 1. You must configure NETCLK config on ASR RP-bits [ Active and Standby RP bits ] 2. Router must capable of hardware redundancy If the Customer is not using Netclk feature, you can ignore this ddts
Symptom: Error message is seen in log: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:005 TS:00000006977394452567 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 12, src_addr 192.1.2.0, dest_addr 192.1.1.0, SPI 0x250cc2eb
Conditions: Traffic with over subscription shows the TBAR drops. Eventually all the traffic dropped.
Workaround: Increase Anti-replay window size to 20sec.
Symptom: onep_dpss_l2_raw_inject api returns ONEP_OK which is not support in IOS-XE platform.
Conditions: only when application want to invoke onep_dpss_l2_raw_inject to inject l2 packet.
Symptom: In an INTRA-box redundancy configuration, the STANDBY FP and ACTIVE FP may not be syncing dplane HA records robustly. The easiest way for the customer to recognize if this *might* be happening is by examining the output of the show platform hardware qfp active system intra and the show platform hardware qfp standby system intra CLIs. If the output shows the counters " rx dropped" and/or "retx" continuously incrementing, then this problem may have been encountered.
Conditions: DUAL FP systems with stateful HA features such as NAT configured.
Symptom: A vulnerability in IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA). The vulnerability is due to a wrong handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause dropping of valid, established IKE Security Associations on an affected device.
Conditions: Device configured to process IKE request that already has a number of established security associations.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-2143 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: enable performance monitor on local switching interface.
Conditions: Two interfaces are connected as local switching
Symptom: Sometimes an error log is seen when tracing packets with 'debug platform packet-trace' or some of the data seems inconsistent.
Conditions: Tracing multicast packets with packet-trace in IOS-XE 3.11.0 or IOS-XE3.12.0 using circular buffering: debug platform packet-trace <num-pkts> circular or using drop tracing: debug platform packet-trace drop [code <code-num>]
Workaround: Avoid the commands above when using
Symptom: MLP bundle flow control is not functional.
Conditions: Generate ICMP ECHREQ from the router to outside host over an MLP causes the bundle queuing process with a consequences of WRED malfunction and member links queue growth beyond the set queue-limits.
Symptom: Intermittent connectivity loss between hosts at different OTV sites. Pinging from one host to the other more than 8 times restores connectivity for about 8-10 minutes. Packet captures show ARP request broadcasts from a host at one site not being received by the host at the other site for about 7-8s, and then suddenly starting to work. This problem has a tendency to get worse over time, with more and more hosts being affected over the course of a week or two until connectivity between sites is essentially gone.
Conditions: ASR1K running 15.4 or 15.3 code, possibly earlier code, with OTV configured.
Workaround: None on the ASR thus far. Statically configuring ARP entries on the hosts will work.
Symptom: ISR4400-X Ucode Crash on 15.3(3)S, 15.4(1)S, 15.4(2)S CSR1000v Ucode Crash on 15.4(2)S.
Conditions: When sending a large packet over a small MTU that results in more than 8 fragments, the ucode will crash.
Workaround: Ensure your largest MTU is not more than 8x your smallest MTU.
Symptom: On ETR all the datapath packets are punted to RP unexpectedly due to lisp LSB checking.
Conditions: LISP network, send traffic from ITR to ETR, easy to see without lisp instance scale.
Symptom: The CP process crashes while collapsing a hierarchy layer node that had once exceeded 4000 entries. The collapse occurs when the number entries falls below 4000.
Conditions: This problem occurs while collapsing a node that had once exceeded 400 entries. The problem is specific to MLPPP, MFR and GEC aggregate because these features require notification when a schedule ID changes. The schedule ID changes when a scheduling node is reconstructed. The issue hit when the operation involves both the flushing and SID notification.
Symptom: An ATM-port might show input-errors of type overrun. Conditions: They get counted so, because they hit an on-demand AutoVC, where the nature of the packets (for example ILMI or BPDU) should not raise the VC.
Workaround: The concerning VC could be configured as permanent or the packets should be prevented on neighbor device as it is seen as unwanted or unexpected traffic.
Further Problem Description: Counting the packets as errors is correct, but counting them as overruns is misleading.
Symptom: Ucode Crash on CSR1000v.
Conditions: An initialization race condition may cause the CSR1000v to not align some memory correctly, which will result in a ucode crash.
Workaround: Reboot the CSR1000v.
Symptom: VTCP not send tcp segments according adjustment mss
Conditions: tcp sync with mss 1460 from interface B, and Interface A sent out sync with mss 1390 tcp segments (tcp payload 1390) come from interface A observed tcpsegments with tcp payload 1460 sent out via interface B.
Symptom: DMVPN spoke (ISR) gets stuck in NHRP state after config-unconfig-reconfing with TP.
Workaround: Reboot the router.
Symptom: When there is TBAR related drops, it is reported as IPFormatErr in Global Statistics.
Conditions: GetVPN config, with TBAR drops.
Symptom: Possible router crash due to deadlock in CPP processor caused by LUT NBAR code.
Conditions: Crash may occur only if stile_sys_lookup_table_set_aging is used in a loaded protocol pack.
Symptom: ACLs applied to the mgmte do not work on the new active RP after a RP switch over.
Conditions: After a RP switch over as the old standby RP becomes the new active RP.
Workaround: Remove then reapply the ACLs to the mgmte on the new active RP.
Symptom: Netflow cache entry is not created for IPV6 flows and entries for IPv4 entries is not accurate. For IPv4 entries the BGP next hop is not updated and set to 0.0.0.0.
Conditions: Upon Execution of RP switchover.
Workaround: After RP switch-over, remove BGP configuration from Core router ("P"), and configure it back. updaon BGP update on PE router, the BGP - NH will appear in FNF records.
Symptom: Memory leak in crypto process.
Conditions:10K scale SA setup and flap testing.
Symptom: L2 frame check failure when payload length increase with ldap alg.
Conditions: Steps: ====== translate sipAddress into longer address length.
Symptom: NAT ALG not translating in case of multiple sip address in SDP.
Conditions: sip invite message containing oline and cline with different addresses and both need translation dynamic nat with acl configured.
Workaround: Simplify the ACL associated with NAT mapping configuration.
Symptom: Traceback when IPV6 traffic is transiting through ATM sub-interface.
Conditions: Configuration of "atm route-bridged ipv6" configured at ATM sub-interface level.
Symptom: A Cisco router or switch may experiences a memory leak due to "Crypto IKMP" process. This may occur if multiple DHCP servers are configured under crypto config. Eg: crypto isakmp client configuration group NAME dHCP X.X.X.X X.X.X.X dhcp X.X.X.X X.X.X.X
Conditions: Multiple Dhcp servers configured under crypto.
Workaround: Only use a single Dhcp server. Due to an error in code, only the memory structures associated with data from the last Dhcp server in the list are properly freed after a lookup takes place. Data from other servers in the list is retained indefinitely with each lookup.
Symptom: core dump won't be generated after kernel crash in x86_64 platforms.
Symptom: A router crashes while making changes to an AppNav policy map or a class map.
Conditions: This symptom occurs under the following conditions: - Multiple AppNav controllers are used. - Sessions are created and can be seen using show service-insertion statistics sessions. - AppNav policy map and class map is modified when live traffic is redirected by AppNav. - Policy map or class map change results in a mismatch between AppNav controllers.
Workaround: When using AppNav Controller Group with multiple ACs, avoid changing the policy map or class map when there are active sessions present (use show service-insertion statistics sessions.
Further Problem Description: A crash occurs after a policy map or class map change results in changes to the existing session and subsequently a new connection matching this session is synced to the other ACs which are not aware of the new policy map or class map.
Symptom: Issues with source VLAN numbers while using with ERSPAN.
Conditions: VLAN greater than 1005 were not displayed in the running config. There is no service impact.
Symptom: Crash in cpp_cp_svr when executing 'show platform packet-trace packet all'.
Conditions: Crash can only occur when executing 'show platform packet-trace packet all'.
Workaround: Display a single packet at a time using 'show platform packet-trace packet <num>' instead of using 'all'.
Further Problem Description: Problem is very difficult to reproduce as probability of hitting the issue is less than 0.1%.
Symptom: Packet-trace statistics sometimes appear to report out-of-sync counts.
Conditions: Using packet-trace in IOS-XE3.11.
Symptom: Router might crash at the traceback as mentioned in description of ddts
Conditions: This crash can be simulated only with wrong config as it is being done in this case. Wrong config part1: Spoke has an active crypto map based session terminating on DVTI headend. Spoke now tries to bring up dmvpn tunnel (with same 6 tuple info) with same headend. So when shut/noshut is issued for dmvpn tunnel, spoke initiates CHILD_IPSEC_SA request instead of new session request. So when headend gets this child_sa_request proposal, ike forwards the proposal to IPSEC for proposal validation. Ipsec must have rejected the proposal with "no_proposal_chosen/ts_unacceptable" reason (because protocol is 47 for dmvpn and is different from dvti based session which is ?ip?) instead of rejecting it with "invalid KE" reason. Because IKE got unexpected INVALID_KE error from IPSEC (which it should have never got), there is a condition failing in IKE code resulting in crash!! Wrong config part2: Overlapping ikev2 profiles on headend. Which causes dmvpn tunnel also fall on "dvti" based ike profile, resulting in IPSEC proposal validation failure.
Workaround: Correct the configuration
Symptom: Cisco IOS XE includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-0160.
This bug has been opened to address the potential impact on this product.
Conditions: Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
The WebUI configuration guide is available at
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/webui.html
Workaround: Not currently available.
Further Problem Description: Additional details about this vulnerability can be found at http://cve.mitre.org/cve/cve.html
The first column is the Cisco IOS XE Software Release. The second column is the First Fixed Release.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE-2014-0160 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: The saved ACLs applied to the mgmte from startup-config may not work after system reload.
Conditions: After system reload.
Workaround: Remove then reapply the ACLs to the mgmt after system reload.
Symptom: ucode crash@alg_fw_l7_inspect.
Conditions: with alg traffic and fw config.
Symptom: IOSD memory leak in CRYPTO_malloc.
Conditions: flapping flexvpn sessions from Anyconnect or Windows 7 IKEV2 clients.
Symptom: when platform receive a pre inject flow message, current behavior is create this flow in CFT, when a matching packet coming, platform will go to classification feature, if it matches the classification, packet will be punted, if missed, simply do nothing.
Conditions: call api onep_dpss_pre_flow_add_with_complete_tuple in a callback.
Further Problem Description: expected behavior is create this flow in CFT, set action to bypass, when a matching packet coming, bypass the flow. current behavior is create this flow in CFT, when a matching packet coming, platform will go to classification feature, if it matches the classification, packet will be punted, if missed, simply do nothing
Symptom: when ping xtr to pxtr, the pxtr response message is LSB disabled,the packet was seen on punt path.
Workaround: It's random, Sometimes will be hit, sometimes is not.
Symptom: Kernel messages seen on router.
Conditions: After a router reload and when initiating Vlans through power cli.
Symptom: can't configure erspan session destination port.
Conditions: can not configure the erspan destination port when the port index exceed the 9215.
Symptom: A cpp-ucode crash is encountered.
Conditions: Using packet-trace to trace packets in a feature environment where packets are replicated using egress conditions. debug platform packet-trace enable debug platform packet-trace packet 16 fia-trace debug platform condition egress debug platform condition start.
Workaround: Do not use fia-trace.
Symptom: Incomplete kernel core file with filename ending in.TEMP_IN_PROGRESS.
Conditions: Active RP kernel core dump in dual RP2 systems.
Symptom: Incorrect classification of NBAR.
Conditions: Problem should not occur since all protocol packs released to IOS XE version 15.4(02)S will make sure not to introduce this issue.
Workaround: Not required since released protocol packs will not introduce this issue.
Symptom: Crash occurs when IKEv2 attempts to clean up its contexts when it times-out waiting for received Certificate to be Validated by PKI component.
Conditions: Authentication with Certificates and PKI component's response to certificate validation is delayed.
Symptom: GETVPN traffic dropped.
Conditions: When enabled anti-replay with default time-based 5 seconds.
Workaround: Increase the anti-replay time interval to 10 seconds.
Symptom: CSR AMI generate with SRIOV and launched as C3 type cannot be reached after bootup
Conditions: SRIOV CSR AMI only.
Symptom: With Cisco IOS-XE 15.4(2)S, when adv/prem 2.5G, 5G or 10G license is installed, no more than 150 IPSec tunnels could be established.
Conditions: Normal conditions.
Workaround: No workaround available.
Symptom: Some Cisco IOS-XE releases include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2014-0224 - SSL/TLS MITM vulnerability
This bug has been opened to address the potential impact on this product.
Conditions: Devices running an affected version of IOS-XE and the 'webui' has been configured to use HTTPS.
This vulnerability affects IOS-XE 3.11.0S, 3.11.1S, 3.12.0S, and 3.13.0S.
Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
The WebUI configuration guide is available at
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/webui.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Some Cisco Internetwork Operating System (IOS) releases may be affected by the following vulnerabilities:
These products include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS MITM vulnerability
This bug has been opened to address the potential impact on this product.
Conditions: Devices running an affected version of Cisco IOS and utilizing an affected configuration.
Workaround: None currently available.
Further Problem Description: CVE-2014-0224:
All Cisco IOS services that provide a form of TLS or SSL encryption are affected by this vulnerability. This includes features such as the HTTPS Web Management interface.
Cisco IOS devices that support SSLVPN (AnyConnect) and have the feature configured and enabled are affected by this vulnerability.
Cisco IOS devices that support SSLVPN (AnyConnect) and have the feature configured and enabled are affected by this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/9.5:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: Configuring VRF aware VXLAN results in traffic drop.
Conditions: Applying the VRF related configuration on the VTEP for VXLAN traffic results in traffic drop.
Workaround: Remove and re-apply the configuration
Symptom: CSR1000:DMVPN stuck in harp with “crypto ikev2 cts “ cli.
Conditions: Seen with crypto ikev2 cts cli
Symptom: Some configuration such as hostname missing after replacing startup config with a different file followed by reload.
Conditions: Here are conditions under which this issue seen. 1) Erase startup config 2) copy config file from boot-flash or FTP to startup config 3) reload.
Workaround: Workaround is to re configure the missing config.
occurs on configuring the license boot level.
Conditions: The issue is seen only on Cisco CSR 1000v BYOL AMI images, on configuring the license boot level.
Workaround: User can configure another boot level, without clearing the existing license boot level.
Symptom: The sh plat hard qfp act dat infr sw-hqf output is truncated.
Conditions: When 5 Gi interfaces are defined, the output is truncated
Workaround: Use less than 5 Gi interfaces.
Symptom: IDFW is not working for sgt replaced because of policy static sgt <sgt-num> command.
Conditions: Configure policy static sgt <sgt-num> command on ingress interface and in FW do match for same sgt number given in this CLI.
Symptom: Gigabit Ethernet interface counters show a value near 2 to the 64th.
Conditions: Occurs on a Cisco CSR1000v router using VMXNET3 driver after an Etherchannel interface is configured.
Workaround: Performing “clear counters” will reset the counter to zero.
Symptom: The show platform software object-manager f0 statistics command shows pending-objects that do not clear after making configuration changes (or potentially on system boot).
Conditions: Can occur on the CSR1000v or ISR4400X platforms with large scale configurations.
Symptom: An error message will be shown on the screen after adding a new interface on AMI. And the performance will be bad since the MTU is only 1500.
Conditions: Add a new interface on the fly.
Symptom: Observing more packet latency under oversubscribing throughput license on CSR1000v.
Conditions: Oversubscribing throughput license limit.
Symptom: There is no rapid-pvst spanning-tree mode in CSR1000v
Conditions: Rapid-PVST option not observed in case of CSR1000v.
Symptom: Crash alert group is not subscribed in Cisco TAC profile.
Conditions: Call-home default configuration.
Workaround: Create user profile to subscribe crash alert group.
Symptom: The following firewall policy is attached to the firewall zone-pair to allow http transactions:
The policy would cause lots of TCP out-of-order segment drops for HTTP flows, especially with long HTTP transactions which require multiple segments to complete the transaction (such as downloading large file from HTTP server); the TCP out-of-order segment drops cause lots of retransmissions, lowering the throughput and at times even causing the request to fail:
Replacing the class-map with the following using ACL to match HTTP port does not stop the TCP out-of-order segment drops for HTTP flows:
Conditions: Filtering HTTP flows.
Workaround: Replace the 'match protocol http' statement with a ACL match statement, and a 'match protocol tcp' statement in the class-map like below:
Symptom: The inspect class-map is a nested class-map, with one 'match class-map...' statement already configured. IOSd crash when the 'no match class-map...' command is entered (e.g., typo error):
The crash only happens for inspect class-map, performing the same operation with regular class-map does not cause IOSd crash.
Conditions: Removing non-exist 'match class-map...' statement from nested inspect class-map.
Workaround: Make sure no typo when removing 'match class-map...' statement from nested inspect class-map; or remove the nested class-map and reconfigure with the correct statements.
Symptom: There is no cap of IPsec tunnel numbers on CSR1000v.
Conditions: This symptom is observed all the time.
Workaround: There is no workaround.
Symptom: REST API is not working on AWS CSR. Conditions: in any condition
Symptom: ESP crashes for IOS-XE based platforms.
Conditions: Crash may occur when executing the CLI command: show platform hardware qfp active infrastructure exmem map
Further Problem Description: Command has been executed in field and internally without issue but the defect has been identified internally and a fix being provided as a preventive measure.
Symptom: CSR1K may experience drops.
Conditions: Communication between hosts through CSR on the same ESXi host - LRO and TSO enabled.
Workaround: Disable LRO and TSO:
1) On the host ESXi we disable LRO and TSO using this procedure:
Log in to the ESXi host or vCenter Server by using the vSphere Client.
Navigate to the host in the inventory tree, and on the Configuration tab click Advanced Settings under Software.
Select Net and scroll down until you reach parameters starting with VMXNET.
Set the following LRO parameters from 1 to 0:
Reboot the ESXi/ESX host to apply the changes.
2) On the end hosts disable LRO and TSO : ethtool -K eth0 tso off ethtool -K eth0 lro off to check if they are disabled: ethtool -k eth0 | grep offload
Further Problem Description: References:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1027511
Symptom: Crypto sessions get stuck in UP-IDLE state in scale scenario on CSR platform.
Workaround: Bring the sessions up in very small increments e.g. of 40 sessions at a time initially and keep monitoring. When the sessions stop coming up for 40 sessions at a time, switch to smaller number e.g. 20.
Symptom: Hyper-V Vswitch GUI only allows creation of one VLAN. In addition after the vSwitch GUI is used to create a VLAN it is not possible to send traffic from CSR1000v to a peer using subinterfaces. - Hyper-V vSwitch blocks traffic from mac-addresses that it did not assign. This causes protocols that assign there own mac-addresses to fail. (ex: HSRP, CLNS, EtherChannel).
Conditions: Problems are observed on CSR1000v running on Hyper-V hypervisor.
Workaround: No known workarounds.
Symptom: CSR1000: DMVPN stuck in nhrp with “crypto ikev2 cts “ cli
Conditions: Seen with crypto ikev2 cts cli
Symptom: Some configuration such as hostname is missing after replacing startup config with a different file followed by reload.
Conditions: Here are the conditions under which this issue is seen.
2) copy config file from bootflash or tftp to startup config
Workaround: Workaround is to reconfigure the missing configuration.
Symptom: When flapping NVI/Loopback interfaces of CSR acting as VxLAN gateway
Conditions: Happens only with the scaled VxLAN configuration (500 VNI with 1:1 mcast group)
Symptom: Kernel crashes occur while executing RFC2544 traffic tests.
Conditions: Longevity testing starting with packet size of 78 bytes to 1483 bytes utilizing incremental step size of 64 bytes. Typically, the crash occurs after 3-4 iterations of this pattern (1 million packets sent per each packet size).
Workaround: CPU Affinity (pinning) to KVM process and VHOST process, and utilizing the latest 3.12 images (2/12 and later) thus far has shown this issue to stop.
Symptom: Cisco switch may reload when configured for SNMP.
Conditions: This symptom is observed when SNMP inform host are configured.
Workaround: Remove the SNMP host configurations for SNMP informs. eg: no snmp-server host x.x.x.x informs version 2c <removed>
Symptom: Router crash: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = MPLS TE LM
Conditions: Router is acting as a mid point for MPLS-TE tunnels and is doing ERO expansion. In the case the ERO expansion fails (due to IGP race conditions, or inter-AS scenario) and backup tunnels are in use (for MPLS-TE FRR feature) the router may crash.
Workaround: Configure the head-ends to perform full ERO computation to avoid having the mid points do any ERO expansion. This can be done using 'dynamic' path option, or using explicit path that specifies strict hops for each node along the desired LSP path. (Using 'loose' hops, or partial strict hops can lead to issue).
Symptom: Memory leak is seen at ssf_owner_get_feature_sb.
Conditions: This symptom occurs when the discriminator configuration is with logging, as given in the below examples: logging discriminator <NAME> logging host x.x.x.x discriminator DEBUG logging discriminator SysLog mnemonics drops NAME.
Workaround: Remove the discriminator configuration from the logging configuration.
Symptom: A Cisco router running Cisco IOS Release 15.3(1)T may crash with a bus error immediately after issuing the 'write memory' command. Example: 14:44:33 CST Thu Feb 14 2013: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x228B2C70 \.
Conditions: This symptom occurs while updating the router's running configuration with the 'write memory' command. It has been seen while updating various different commands such as, those under 'call-manager-fallback' ip route statements interface sub-commands.
Workaround: There is no workaround.
Symptom: Unnecessary Retransmissions going on in HA mode.
Conditions: When LDP NSR is enabled on any or all test units.
More Info: Occurring mainly due to unusual and indeterminate time taken by IPC to communicate packet info to standby and bring back ack to active
Symptom: When they "no interface Vlan XX", ntp broadcast config in the last vlan will disappear.
Conditions: The symptom was confirmed in 15.1(1)SY and 15.1(1)SY1
Workaround: Reconfigure ntp broadcast for the last vlan.
Symptom: NHRP local (no socket) entry gets converted to a socket entry causing matching traffic to be null route.
Conditions: DMVPN phase 3 network.
Workaround: Configure 'ip nhrp server-only' or remove 'ip nhrp shortcut' on the hub router.
Symptom: Issuing a command crypto key move rsa aaa non-exportable" throws an error, Failed to move keypair aaa to device.
Conditions: Before issuing the above command, generate the rsa keys with label 'aaa'.
Symptom: After applying an NTP access-group to deny inbound NTP queries, a device still responds to NTP queries as if the ACL was not configured. It will affect IOS-XE too.
Conditions: An NTP access-group must be configured to deny inbound NTP queries.
In the example shown, even though all inbound NTP queries should be denied, we will still process them as if the access-group was not configured
Workaround: Use NTP authentication instead of NTP access-groups to restrict NTP hosts.
More Info: After applying an NTP ACL access-group serve-only to permit inbound NTP client request - the correct ntp client association is established only in case that NTP authentication is applied.
Symptom: Router acting as a PKI client continues auto-enrollment to its CA even after the CA certificate has expired.
Conditions: Client router is configured with 'auto-enroll' under its trustpoint.
Workaround: Remove 'auto-enroll' from the trustpoint on the PKI client router, or, Delete the trustpoint in question on the PKI client router.
Further Problem Description: Consider a scenario where a PKI client has failed to auto renew its identity certificate i.e. it failed to re-enroll with its CA for some reason. The client router is expected to retry until one of the conditions below is reached: 1. "enrollment retry count" which is configured under the trustpoint is reached or, 2. CA certificate expires. However, it is seen the client router will continuously attempt to auto renew its identity certificate even after the CA certificate has expired.
Symptom: Memory leak occurs in process and I/O memory.
Conditions: This symptom is observed when NTPv6 is configured, for example; "ntp server ipv6 2001::1"
Workaround: Remove the NTPv6 configuration.
Symptom: An LDP session to a Juniper peer flaps when RP switchover occurs with mpls ldp nsr configured on a Cisco router running IOS.
Conditions: This symptom is observed when an mpls LDP session is established with a Juniper peer and RP switchover occurs with mpls ldp nsr configured.
Workaround: In order to workaround the traffic loss which occurs when the session flaps, configure mpls ldp graceful-restart in addition to nsr.
Symptom: Error message and traceback are printed to console. Conditions: IGP times out while Standby RP is becoming NSR Active.
Workaround: Enable NSR under the IGP to ensure no timeout occurs.
Symptom: PW status change messages, XCONNECT-5-PW_STATUS, are not all captured in log when PW status change logging is enabled.
Conditions: XCONNECT-5-PW_STATUS messages were rate-limited to 8 messages per 8 msec. For example, if 10 PWs changed state together via interface down then 8 messages would be logged and the remaining would be lost.
Symptom: XML Bootstrap configuration for the CSR1000v containing the configuration commands "service internal" and "license accept end user agreement force" is not successfully applied, as the "license..." command is always issued before the "service internal" command, regardless of which command comes first in the XML file.
Conditions: Only happens on CSR1000v and only happens when the bootstrap configuration commands are provided in XML (ovf-env.xml) format.
Workaround: Provide plain-text bootstrap configuration file (iosxe_config.txt) instead.
Further Problem Description: Cisco Virtual Appliance Configuration (CVAC) subsystem in IOSd attempts to fix up the order of XML configuration commands by moving all "license" commands to the head of the list. However, "license accept end user agreement force" is only a valid command after "service internal" has been configured, so this re-ordering causes the command to be rejected.
Symptom: [1] Standby RP will have out-of-sync entries. - with MPLS-TE NSR enabled, the standby RP will have out-of-sync entries, which will result in flapping of the path-protected LSP of the tunnel after an SSO. [2] Leaking an LSP - A third LSP will be signaled, and leaked (meaning, there is no management of the LSP). There are supposed to be two LSPs at steady state (primary and path protected), but with this defect, there will be (primary, path protected, and leaked LSP). This will continue to grow as failures occur on the tunnel.
Conditions: A reoptimization of a tunnel that has failed with path protection enabled.
Workaround: There is no workaround.
Symptom: CSR1000v may lose the configuration when performing a password recovery.
Conditions: Configuration is ignored by changing the configuration register to 0x40, and the system is booted in an effort to recover from a lost password.
Workaround: Restore the configuration from a backup copy.
Symptom: TCP connections into/out of applications running in virtual service containers can stall and never revive. This can be seen by trying to scp a large file into a container, and also for any TCP connection (e.g. Thrift) out from the container.
Conditions: Any large file transfer over TCP or long lived TCP connection with reasonable traffic bandwidth/total.
Workaround: None known. More Info: Transferring of small files, or short lived TCP connections do not seem to be affected. Non-TCP protocols (e.g. UDP) do not seem to be affected.
Symptom: A vulnerability in LISP control messages processing on Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.
The vulnerability is due to insufficient checking of certain parameters in LISP control messages on ITR. An attacker could exploit this vulnerability by sending malformed LISP control messages to ITR. An exploit could allow the attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.
Conditions: Malformed messages can only be generated by a device that is already registered to a LISP system: a valid ETR or ALT.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3262 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3262
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: Cisco IOS XE includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-0160.
This bug has been opened to address the potential impact on this product.
Conditions: Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
The WebUI configuration guide is available at
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/webui.html
Workaround: Not currently available.
Further Problem Description: Additional details about this vulnerability can be found at http://cve.mitre.org/cve/cve.html
The first column is the Cisco IOS XE Software Release. The second column is the First Fixed Release.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE-2014-0160 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptom: An error message will be shown on the screen after adding a new interface on AMI. And the performance will be bad since the MTU is only 1500.
Conditions: Add a new interface on the fly.
Symptom: Cannot recover from a CSR 1000v failed-to-apply state after the policy is deleted or moved to a different profile.
Conditions: This problem occurs when trying to instantiate or assign a CSR 1000v with a wrong configuration. A failed-to-apply state appears. If you delete or move to a different policy without fixing the configuration, the failed-to-apply state remains.
Workaround: Do one of the following:
– If instantiating a CSR 1000v, redeploy the CSR 1000v with the correct configuration.
– If assigning a CSR 1000v, fix the configuration, then uninstall and install the Prime NSC CPA process in the CSR device.
Symptom: Files cannot be downloaded via the management interface via FTP/HTTP/SCP. This can include firmware files, configuration files, or license files.
Conditions: This symptom occurs on using the management interface on a Cisco ASR 1000 or ISR 4450-X router.
Workaround: There are two workarounds for this issue.
(1) Use an interface other than the management interface to download the file or use a protocol that does not use TCP as the session transport such as TFTP.
(2) Set the IP_ADDRESS rommon variable to the IP address of the management interface.
Symptom: UEA: Log files are not generated with PTP configurations
Conditions: Configure RSP2 as the slave and RSP1 as the master
Go to shell using “request platform software system shell”
Notice that the log files related to PTP aren't present
Symptom: ASR1k [or any IOS-XE based Cisco Router, like CSR1kv] sends Radius Accounting Stop message even when the IPSec VPN session is up. For example in XE 3.9 stop request is sent after about 1600 seconds, and in XE 3.9.2 it is sent after about 5800 seconds.
Conditions: ASR1k [or any IOS-XE based Cisco Router, like CSR1kv] acting as IPSec [IKEv1] Server. Also It is configured to perform VPN client authentication and accounting with the Radius Server.
Symptom: POST /api/v1/auth/token-services return HTTP response code 201 instead of 200
Conditions: When creating a token.
Symptom: Routing policy is not configured correctly if using routing profile swapping.
Conditions: If the routing policy has the same rules between the swapped profiles.
Symptom: PUT on /api/vi1/interface/<intf> with an empty string "" does not clear or unset the description.
Workaround: To clear or unset the description, omit the description attribute in the JSON input for the PUT request.
Symptom: CSR 1000v may experience drops.
Conditions: Communication between hosts through CSR on the same ESXi host - LRO and TSO enabled.
Workaround: Disable LRO and TSO:
1) On the host ESXi we disable LRO and TSO using this procedure:
Log in to the ESXi host or vCenter Server by using the vSphere Client.
Navigate to the host in the inventory tree, and on the Configuration tab click Advanced Settings under Software.
Select Net and scroll down until you reach parameters starting with VMXNET.
Set the following LRO parameters from 1 to 0:
Reboot the ESXi/ESX host to apply the changes.
2) On the end hosts disable LRO and TSO : ethtool -K eth0 tso off ethtool -K eth0 lro off to check if they are disabled: ethtool -k eth0 | grep offload
Further Problem Description: References:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1027511
Symptom:CSR1000v reloads when using VxLAN.
Conditions: An interface configured with VxLAN is flapped. Greater than 2k VNIs are used.
Workaround: Note that it is recommend to use less than 2k VNIs. However, this may not completely mitigate the issue
Symptom: Crypto sessions get stuck in UP-IDLE state in scale scenario on CSR platform.
Workaround: Bring the sessions up in very small increments e.g. of 40 sessions at a time initially and keep monitoring. When the sessions stop coming up for 40 sessions at a time, switch to smaller number e.g. 20.
Symptom: Crash observed when creating a zone for zone based firewalls
Conditions: Seen when using standard or evaluation licenses.
Workaround: Apply the appropriate premium or advance license to configure zone based firewalls.
Symptom: the CSR will continuing try to boot IOS and not complete. It will generate a kernel crash.
Conditions: When enabling VMware FT on CSR VM and power up.
Workaround: Don't enable VMware FT.
Symptom: cpp_svr crash noticed executing the command show platform hardware cpp active infrastructure punt policer handle 1000 cpp
Conditions: Noticed without any feature configurations
Symptom: The CSR may crash when sweeping between 2 CSR's with larger 9KB MTU while inducing link reset.
Conditions: When sending large MTU traffic, and creating link reset.
Workaround: Avoid causing link reset repeatedly.
Symptom: cpp_cp_svr process on a CSR1000v router crashes.
Conditions: Crash occurs when nbar is configured on a virtual machine with less than 4GB of memory.
Workaround: When configuring nbar use at least 4GB of memory on the Virtual Machine.
Symptom: The CSR running on ESXi will dump trace back continuously when config the 10th VMXNET3 interface.
Conditions: When configure the 10th VMXNET3 interface.
Symptom: The show platform software object-manager f0 statistics command shows pending-objects that do not clear after making configuration changes (or potentially on system boot).
Conditions: Can occur on the CSR1000v or ISR4400X platforms with large scale configurations.
Symptom: The hierarchical QoS policy like the following is attached to an interface:
No traceback seen when the QoS policy is attached to the interface. However after saving configuration, then reboot the CSR, most of the times, the following traceback and error message is seen when the CSR boot up:
Conditions: Attaching hierarchical QoS policy to interface, save config, and reboot the CSR.
Symptom: CRS kernel crash when adding or removing vNIC to the CSR VM from vSphere.
Conditions: Virtual interfaces deleted dynamically via vSphere may eventually cause corruption of data resulting in a crash of the Linux kernel
Workaround: Do not remove virtual interfaces dynamically (while router is running). Instead, take the router out of service, delete the virtual interface, and re-start the router.
Symptom: CSR licensing not taking any effect
Conditions: On a CSR router with 10Mbps license, we are able to send 54Mbps of traffic without any drops
Symptom: Crash when doing config replace with active traffic
Conditions: With OTV active flow, when we do config replace, we observe the crash.
Symptom: No characters are displayed when typed.
Conditions: When booting up CSR with csr.cnfg.
Symptom: The CSR Management container hosting the REST API and Cisco Prime Network Services Controller functionalities sometimes cannot successfully pick up its IP address from the system configuration. This will result in two symptoms:
– REST API URLs will not be reachable.
– Cisco PNSC will report the Cisco CSR1000v as unreachable.
Conditions: During periods of high memory usage, particular during boot up after license level change.
Symptom: The device reload when we grant certificates. crypto pki server <> grant all.
Conditions: Configured for crypto.
Symptom: IOS CA issues incorrect rollover identity certificates to its clients; the rollover certificates issued will have an expiry date corresponding to the end-date of the currently active (and soon to expire) CA certificate. Thus, the rollover identity certificate will not be valid after the CA rollover takes place.
Conditions: The issue is seen only if the clients have sent the rollover certificate request via an IOS RA certificate server.
Symptom: An IOS router may fail IKE Main Mode negotiation if the peer device sends both the seconds and kilobytes Life Type with their respective Life Duration attributes.
Conditions: This condition can occur when an IOS router is the responder for an IKE session, and the peer proposes both seconds and kilobytes Life Duration in its SA proposal.
Workaround: The workaround is to remove one of the Life Type attributes from the peer device configuration.
Symptom: Memory Leak observed on the device due to IPSEC causing the free memory to deplete to an extent where box becomes unreachable.
Conditions: IPSEC scaling being high.
Workaround: Reduce Scaling of IPSEC sessions.
Symptom: PKI fails to validate (sub, peer) cert chain received from IKE.
Conditions: - PKI hierarchy: root -> sub -> peer - root and sub locally trusted - IKE profile configured with "ca trust-point sub" only - chain-validation from sub to root
Symptom: When the primary peer becomes unreachable, the FlexVPN client establishes a tunnel with the backup peer as expected. However, if the primary peer becomes reachable again, the client attempts to build a new tunnel even though it has an existing active tunnel with the backup peer.
Conditions: The Flex client is configured with multiple peers and peer reactivate is not enabled.
Symptom: Router acting as a PKI client fails to delete its expired identity and CA certificates after it has rolled over. So, the output of "show crypto pki certificate" shows that the router has two sets of certificates: One set of identity and CA certificates that is current and valid. Another set of identity and CA certificates that is old and expired. Both sets of certificates are bound to the same trustpoint.
Conditions: The issue is seen primarily when the client router has enrolled to an IOS CA via and IOS RA router.
Workaround: None. The old set of certificates get deleted eventually upon the next certificate renewal process initiated by the client router.
Further Problem Description: An example of what is observed:
Symptom: Router acting as a PKI client continues auto-enrollment to its CA even after the CA certificate has expired.
Conditions: Client router is configured with 'auto-enroll' under its trustpoint.
Workaround: Remove 'auto-enroll' from the trustpoint on the PKI client router, or, Delete the trustpoint in question on the PKI client router.
Further Problem Description: Consider a scenario where a PKI client has failed to auto renew its identity certificate i.e. it failed to re-enroll with its CA for some reason. The client router is expected to retry until one of the conditions below is reached:
1. "enrollment retry count" which is configured under the trustpoint is reached or,
2. CA certificate expires. However, it is seen the client router will continuously attempt to auto renew its identity certificate even after the CA certificate has expired.
Symptom: Cisco router hangs and it stopped passing the traffic. Customer needs to reload the router to make it work until it hangs next time. It hangs sometimes once in month.
Conditions: This issue is seen with more than one router.
Workaround: There is no workaround.
Symptom: A Cisco router may crash when configuring NBAR or any other feature which enables NBAR internally. In the crash log file, the crash will be shown as a STACKLOW condition. Examples of this are:
Conditions: This crash is triggered by enabling NBAR directly or indirectly through another feature. Two such examples are configuring NAT on an interface or configuring NBAR on an interface. For example:
The router may not crash depending on how the configuration is done. For example configuring the feature over the console will not cause a crash. Configuring the feature over SSH, through FTP, Smart Install, etc though will cause the crash.
Workaround: A possible workaround may be to configure the feature over the console or through telnet.
Symptom: When incoming ESP packet has as final destination a local interface on the GM itself (including loopback), the packet is recirculated after decryption causing it to be dropped. If the decrypted packet is only a transit one, for example, it is for a host on a connected LAN, all works as expected.
Conditions: This issue occurs due to GETvpn, ipv6 and use of ingress ipv6 access lists.
Workaround: There is no workaround.
Symptom: MD5 is used to sign the PKCS10 embedded in SCEP encrypted message whatever hashing algorithm is configured under the relevant trustpoint or whatever the best hashing algorithm reported by the SCEP GetCACaps message is.
Conditions: Using SCEP for router enrollment.
Symptom: CPP 0 failure Stuck Thread(s) detected.
Conditions: Setting up about 2.2kps traffic with both nat/non-nat packets.
Symptom: CSR1K may experience drops.
Conditions: - communication between hosts through CSR on the same ESXi host - LRO and TSO enabled.
Workaround: disable LRO and TSO: 1) On the host ESXi we disable LRO and TSO using this procedure: Log in to the ESXi host or vCenter Server by using the vSphere Client. Navigate to the host in the inventory tree, and on the Configuration tab click Advanced Settings under Software. Select Net and scroll down until you reach parameters starting with Vmxnet. Set the following LRO parameters from 1 to 0: Net.VmxnetSwLROSL Net.Vmxnet3SwLRO Net.Vmxnet3HwLRO Net.Vmxnet2SwLRO Net.Vmxnet2HwLRO Net.UseHwTSO Reboot the ESXi/ESX host to apply the changes. 2) On the end hosts disable LRO and TSO : ethtool -K eth0 tso off ethtool -K eth0 lro off to check if they are disabled: ethtool -k eth0 | grep offload
Further Problem Description: References: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1027511
Symptom: When there is policy changed ( either KS or GM) in Pre-PAL, ASR1K used to re-register. The reason is that in TCAM we can't insert or move SA. ACL merge was done in ACE driver, re-registration was triggered from there. Post-PAL, ACL merge intelligence is moved to Control plane, so ACL is changed, it does the change flow priority. The SA is inserted with second priority, ASR1K is not able to handle that.
Conditions: ACL change on the KS or the GM.
Workaround: There are 4 Workaround :
1. Manually clear GetVPN registration on ASR1K using "clear crypto gdoi".
2. If permit ACL is appended to KS ACL or ACL is removed from bottom of KS ACL, then there is not flow priority change, and issue is not observed there. Limitation with this workaround is Group config on KS has only one SA. Also if Deny ACL is added there are few packet drops are observed.
3. EEM script which monitors Rekey Syslog and clears the registration. This is same as workaround 1, but automatically done. disadvantage of this workaround is that Rekey syslog is same during normal rekey and policy change rekey, so with normal rekey also re-registration will happen. Sample EEM script : event manager applet GM_RE_REG event syslog occurs 1 pattern ".*GM_RECV_REKEY.*" action 10 syslog priority warnings msg "EEM trigger workaround for CSCum08864" action 20 cli command "enable" action 30 cli command "clear cry gdoi" pattern "Are you sure you want to proceed" action 40 cli command "yes".
4. The ACL swapped on KS with new ACL and Rekey is done. The ASR1K GM will re-register, there is small packet drop during re-registration.
Symptom: Group override does not take effect for interface-config strings. Actual ordering of interface config strings on cloned V-Access does not correspond to the expected order based on AAA settings in IKEv2 profile.
Conditions: User & group authorization configured in IKEv2 profile.
Workaround: Move all config-string attributes to a single authorization source (user or group).
Symptom: Chunk manager is consuming memory with the allocated memory incrementing on SADB Peering Ch.
Conditions: Leak when crypto is configured.
Symptom: Alignment errors are observed after upgrading to Cisco IOS Release 15.2(4)M5.
Conditions: This symptom does not occur under specific conditions.
Workaround: There is no workaround.
Symptom: Increasing number of TEK generated every 30 secs.
Conditions: 1. Change the Group Identity on the Secondary KS causing encryption failure, Change the Group Identity on the Primary KS. All the GMs are deleted from the KSs.
2. Restore the Secondary Key Server. Wait for it to come up as Primary for the Group : GETVPN-GROUP-1
3. Restore the Primary Key Server with Group : GETVPN-GROUP-1
4. This is creating a new TEK policy every 30 sec from the newly elected Primary Key Server KS2. The sequence number for rekey remains 1.
5. KS1 is restored to be the primary role. 6. After the existing TEKS from the KS2 are expired it behaves normally.
Symptom: LDAP ALG will encode the packet even there is no need to translate them, this will not impact function, but it is not necessary.
Conditions: LDAP ALG will encode the packet even there is no need to translate them.
Workaround: Will not impact function
Symptom: Cisco 7301 router running EzVPN leaks memory when Crypto IKMP calls AAA API's which allocates memory for AAA attribute list.
Conditions: This symptom is observed in device running EzVPN, when it tries to allocate memory for AAA attribute list.
Workaround: Reload the router.
Symptom: Intermittently, if a root's CRL to validate Sub does not get downloaded [Internal or External failures], and the CRL by Sub gets downloaded, the following message will be seen:
Conditions: This symptom occurs in Cisco IOS configured with the IKEv1, Authentication mode RSA-SIG [Certificates]. PKI Infrastructure is as follows: Root -> Sub -> ID - Root and Sub Trustpoint have "revocation-check crl none". - Sub has "chain-validation continue Root".
Workaround: Disable Revocation-check and Chain-validation under Sub Trustpoint.
Symptom: IOS will fail to match the certificate map intermittently.
Conditions: IOS PKI using certificate maps, to authorize the Peer certificates or override CDP. In this case: - if a certificate map is written on a PC, with upper case letters in them: Ex: crypto pki certificate map HR-Users 10 subject-name co ou = HR-Users - and this is a part of the configuration that is merged with the running config through IOS file-system [directly from flash or FTP/TFTP/HTTP etc], IOS retains the upper case letters. [contrary to certificate maps written through CLI, always converts everything to lower case letters]
A) - copy the certificate maps [that have upper case letters in them] to a notepad - remove the certificate maps [that have upper case letters in them] - paste the certificate maps, through IOS CLI - wherever these cert maps were being called, they will stay intact, and this change will take effect immediately or
B) - The certificate map needs to enter IOS in a manner that IOS would insert it if you were to enter it in a CLI I.e. Make sure the external config generators generate the certificate map in such a way that everything is in lower case, and it has white spaces between DN OID, '=' and the value.
The following errors are seen when adding a child policy to a parent policy while configuring hierarchical QoS.
This can result in a ESP (F Fabric) reload, causing a traffic outage
1. An interface with a service-policy applied.
2. Replacing the child policy on the parent hierarchical policy applied to the interface.
Workaround:Remove the policy from the interface before making the changes to the child/parent policy then reapply the policy to the parent.
If you issue the no command to remove the child policy from the parent and then query for pending configuration objects using the "show platform software object-manager fp active statistics" command to make sure there are no pending objects, then issue the service-policy to add the new child policy to the parent, you will not see the ESP crash.
When replacing the child policy configured on a parent policy applied to an interface, the ESP may crash.
Using a file, that replace a child policy, copied from the hard-disk of the router to the running configuration will almost always cause the ESP to crash. If file is copied from tftp, it is less likely. If using CLI to replace the child policy, crash has not been experienced, but can not be completely ruled out. The issue is heavily based on timing and how fast the "no service-policy child_A" and "service-policy child_b" are processed together.
Symptom: ISR G2 router may crash while configure VTI/GRE tunnels.
Conditions: Configuring VTI/GRE tunnels.
Workaround: Shut down tunnel before making tunnel configuration changes
Symptom: A vulnerability in IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA). The vulnerability is due to a wrong handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause dropping of valid, established IKE Security Associations on an affected device.
Conditions: Device configured to process IKE request that already has a number of established security associations.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-2143 has been assigned to document this issue. Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: Router crashed while making changes to AppNav policy-map and/or class-map.
Conditions: Multiple AppNav controllers are used. Sessions had been created and can be seen using "show service-insertion statistics sessions". AppNav policy-map and class-map is modified when live traffic are being redirected by AppNav. Policy-map / class-map change resulted in mismatch between AppNav Controllers.
Workaround: When using AppNav Controller Group with multiple ACs, avoid changing policy-map / class-map when there are active sessions present (use "show service-insertion statistics sessions").
Further Problem Description: When policy-map, class-map change results in changes to existing session. When a new connection matching this session is sync'd to the other ACs which are not aware of the policy-map / class-map, it results in crash.
Symptom: Crash in cpp_cp_svr when executing 'show platform packet-trace packet all'.
Conditions: Crash can only occur when executing 'show platform packet-trace packet all'.
Workaround: Display a single packet at a time using 'show platform packet-trace packet <num>' instead of using 'all'.
Further Problem Description: Problem is very difficult to reproduce as probability of hitting the issue is less than 0.1%.
Symptom: The Cisco 7301 router running c7301-advipservicesk9-mz.152-4.M3 experiences a memory leak in the Crypto IKMP process particularly on the crypto_ikmp_config_send_ack_addr function.
Conditions: This symptom occurs when running the Cisco 7301 router and connecting EasyVPN through it.
Workaround: Reload the router over a period of time.
Symptom: create an RRI route for deny ACL lines in the crypto map
Conditions: 15.x code and L2L ipsec tunnel
Symptom: Initiator sends identity certificate based on “ca trustpoint” under the isakmp-profile. However, the responder does not do this. Instead it gets the identity certificate from the *first* trustpoint (out of the list of trustpoints) based on peer's cert_req payload in MM3.
Conditions: This symptom is observed under the following conditions: 1. IKEv1 with RSA-SIg Authentication, where each Peer has two certificates issued by the same CA. 2. Each Peer has isakmp profiles defined that match on certificate-map and have “ca trustpoint” statements with self-identity as fqdn.
Workaround: There is no workaround. At this point, responder does not have control over selecting the right certificate.
Symptom: RP is again fragmenting it.
Conditions: Giant pkts are sent from SPA after LAF.
Symptom: Ikev2 session is NOT coming UP
Conditions: Ikev2 session is NOT coming UP Loopback to loopback ping is not going through.
Symptom:'Internal_service' license state shows as 'Active, Not In Use' even after its expiry. The system Linux Shell cannot be accessed upon expiry of the 'Internal_service' 1 Day license which is expected. However if an new 1 Day license is installed again, the license state comes up as 'Active, In Use' but Linux Shell cannot be accessed.
Conditions:Install 1 Day 'Internal_service' license. Let the license expire then install another 1 Day 'Internal_service' license.
Workaround: Configure and unconfigure the 'platform shell' configuration command to recover the license to proper working state.
Now the System Linux Shell would be accessible.
Symptom: Chunk memory leak in Crypto Proxy
Conditions: This is only seen with IPSEC HA configured
Workaround: None at this time.
Symptom: crpcipSecGlobalActiveTunnels is incrementing endlessly.
Conditions: crpcipSecGlobalActiveTunnels OID does not decrements when the current active tunnel is removed.
Symptom: Tracebacks with the following signature "%QFPOOR-4-LOWRSRC_PERCENT" are seen on the console with negative percentage complaining of resource depletion.
Conditions: These tracebacks are usually seen on a clean-up operation performed on a router i.e manual removal of all configurations. But it's not limited to only this operation and could be seen with router configuration as well.
Further Problem Description: Error messages with “-ve” percentage values of resource depletion are incorrectly being printed on the console. It's safe to ignore them as the router is not under any duress. Moreover these traces don't cause any operational impact. It should be noted however that if such tracebacks are reported with “+ve” percentage values of resource depletion, then it's an altogether different issue. In such a case, the system may be under duress and inspection of the router configurations and it's operational state is required.
Symptom: Error messages shown on KS after SW upgrade to 15.2(4)M. Whenever a GM with multiple GDOI groups registers, an error message is logged on the respective KS: Oct 4 11:31:28.477 CEST: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of ce-de-xxxxx.wan.domain.net (type 2) and certificate fqdn with ce-de-xxxxx
Conditions: Multiple GDOI groups with different GETVPN local-addresses configured on GM. GM/KS are ISR G2 routers running on 15.2(4)M code.
Workaround: Configure “crypto isakmp identity dn”, i.e. set the ISAKMP identity to the distinguished name (DN) of the router certificate. http://www.cisco.com/c/en/US/docs/ios/security/command/reference/sec_c4.html#wp1060149
Symptom: The user will see the system shaping to too low a rate when a tunnel moves to a faster interface, and shaping to too high a rate when a tunnel moves to a slower interface.
Conditions: Upon a dynamic move of a tunnel to a link with a different speed and the QoS configuration option “shape average percent” has been applied, then rates are not automatically re-calculated.
Workaround: The workaround to this issue is to avoid “shape average percent” when possible. If not possible, then after a tunnel moves occurs modify the shaping percent by plus or minus 1 percent, and then restore to original value because this forces recalculation of the shaping rate.
Symptom: UEA: Log files are not generated with PTP configurations
Conditions: Configure RSP2 as the slave and RSP1 as the master Go to shell using “request platform software system shell” cd /tmp/rp/trace ls -ltr Notice that the log files related to PTP aren't present.
Symptom: Given a GETVPN GM that is configured with an ipv6 crypto map, if that crypto map is applied to two interfaces (one common identity, e.g. loopback) and if certain configuration operations are performed, the GM will loose connectivity to the ipv6 group. If the GM has dual-stack interfaces with both an ipv4 and an ipv6 crypto map. The IPv4 GETVPN functionality will not be affected while triggering the event documented in this defect.
Conditions: Performing configuration operations that follow the patterns described below : 0. IPv6 Crypto Map applied to two interface (E0/0 and E2/0, lets call them Primary and Secondary) At this stage all works well IPv6 traffic is encrypted between two test GMs.
1. Shut down Secondary interface (E2/0) Result, no change in functionality GM can still exchange encrypted IPv6 traffic with peers.
2. Remove the ipv6 crypto map from the Primary interface (E0/0, while E2/0 is in admin shutdown state). Result, IPv6 traffic is sent out in clear text
3. Re-apply crypto map to the Primary interface (i.e. E0/0) Result, no change, packets are still being sent out in clear text, even though GDOI sees the E0/0 interface as associated with the cry map and group.
4. Remove the crypto map from the Secondary interface which is still in shutdown state Result : No change in the behavior
5. Remove and re-apply the crypto map on the Primary interface Result : GM re-registers
Workaround: Remove the ipv6 crypto map from the Secondary Interface before shutting it down.
Symptom: Classification by ACL in QoS is broken when using it with IPSec tunnel.
Conditions: -use ACL for classification in policy-map and apply a QoS to physical interface -qos pre-classify is configured under IPSec tunnel
Workaround: apply a QoS to IPSec tunnel
Symptom: With an IOS router set as an EZVPN client, with either interactive (CLI) or HTTP-Intercept authentication enabled, if the user does not enter in proper credentials within 10 seconds, the router will resend AM3 to the EzVPN server. This causes a retransmission storm to trigger and quickly tear down the tunnel, which causes the authentication to fail.
Conditions: IOS router acting as EzVPN client
Workaround: 1) Have users enter credentials within 10 seconds of login prompt. 2) Save credentials on router so users don't need to enter them every time. 3) Downgrade to 15.1(4)M5 or earlier
Symptom: AAA sessions are lingering for old connections.
Conditions: Running Flex VPN server with accounting, clients are identified by email id
Further Problem Description: Accounting sessions are not cleared when a client does reconnect from a different IP upon reception and parsing of the IKEv2 Initial Contact payload
Symptom: QFP error logs not displayed on IOS console.
Symptom: No error-message for reason with restapi GET interface failure.
Conditions: Restapi GET interface on CSR 1000v interface which has ipv6 address configured.
Symptoms: Forwarding loop is observed for some PfR-controlled traffic. Conditions: This symptom is observed with the following conditions: - Traffic Classes (TCs) are controlled via PBR. - The parent route is withdrawn on selected BR/exit.
Workaround: This issue does not affect configured or statically defined applications, but only affects learned applications so this can be used as one workaround. Another option is to issue shut/no shut on PfR master or clear the related TCs with the clear pfr master traffic-class command (this fixes the issue until the next occurrence).
Symptom: RP crashes with punted fragment-bit set multicast packet.
Conditions: Fragment bit is set in the multicast packet
Symptom: A FlexVPN spoke configured with an inside VRF and front-door VRF may have problems with spoke-to-spoke tunnels if they are not the same. During tunnel negotiation, two Virtual-access interfaces are created (while only one is needed), the one in excess may fail to cleanup correctly. As a result, the routes created by NHRP process may lead to loss of traffic, or traffic may continue to flow through the Hub.
Conditions: This symptom occurs when the VRF used on the overlay (IVRF) and the VRF used on the transport (FVRF) are not the same.
Workaround: There is no workaround.
Symptom: A reload may occur while using show oer and show pfr commands via SSH.
Conditions: This symptom is observed when the show pfr master application detail command is used via SSH.
Workaround: There is no workaround.
Symptom: Crypto session does not comes up in EZVPN.
Conditions: This symptom is observed when a Crypto session is being established.
Workaround: There is no workaround.
Symptom: OSPF N2 default route missing from Spoke upon reloading Hub. Hub has a static default route configured and sends that route over DMVPN tunnel running OSPF to spoke. When hub is reloaded, the default route is missing on Spoke. NSSA-External LSA is there on Spoke after reload, but the routing bit is not set. Hence, it is not installed in RIB on Spoke.
Conditions: Default originated using command area X nssa default-information-originate.
Workaround: Removing & re adding area X nssa default-information-originate on Hub resolves the issue.
Symptom: The no passive-interface command will be added automatically after configuring the ipv6 enable command on the interface even though the passive-interface default command is configured for OSPFv3.
Conditions: This symptom occurs when the passive-interface default command is configured for OSPFv3.
Workaround: Adjust the configuration manually. In this example it would be passive-interface FastEthernet0/2/0.
Symptom: Prefixes withdrawn from BGP are not removed from the RIB, although they are removed from the BGP table.
Conditions: A withdraw message contains more than one NLRI, one of which is for a route that is not chosen as best. If deterministic med is enabled, then the other NLRI in the withdraw message might not eventually be removed from the RIB.
Workaround: Forcibly clear the RIB.
Further Problem Description: This issue may also occur if BGP PIC is enabled and the withdraw message contains a route that is currently serving as a backup path.
Symptom: A watchdog timeout crash occurs.
Conditions: This symptom occurs when DMVPN and IPv4/IPv6 EIGRP are configured. A crash occurs while DUAL is updating the EIGRP topology table.
Workaround: There is no workaround.
Symptom: Losing EIGRP Extended communities on BGP L3VPN route.
Conditions: This symptom is observed when Remote PE-CE connection is brought down and only backup EIGRP path remains in the BGP table.
Workaround: Clearing the problem route in the VRF will resolve the issue.
Symptom: Route over OSPFv2 sham-link shows two next hop.
Conditions: This symptom is observed when the route entry is ECMP route between the sham-link and another path.
Workaround: Break ECMP by adjusting the OSPF cost.
Symptom: ISIS going into INIT state.
Conditions: BFD flap leads to ISIS adjacency not coming up if the following conditions are true: 1.) In P2P mode only 2.) when local node supports RFC6213 and its remote neighbor does not support RFC6213 3.) The P2P link is down and adjacency is deleted on the remote neighbor and up again before the adjacency hold down timer expires on the local node that has the RFC6213 support.
Workaround: Any of the following work around will work. - Remove BFD on 903, wait for ISIS to come up and configure BFD again - Shut and no shut the interface on the local node with RFC6213 Or - Not to use P2P link at all
Symptom: ISIS Flap on performing SSO.
Conditions: with nsf ietf configured and one or more loopbacks configured as passive interfaces
Workaround: Two workarounds are available: 1)use nsf cisco or 2) Continue to use nsf ietf but configure ip router isis process_name on the loopback interfaces.
Symptom: On the Cisco CSR1000v an unexpected reset may occur when sending IPv4 small packet traffic at a high rate.
Conditions: This is intermittently seen with a basic CEF configuration passing bi-directional 64 Byte traffic near 100% Gigabit Ethernet line-rate.
Symptom: The LSMPI Tracebacks errors are seen while clearing IP routes multiple times.
Conditions: This symptom is observed under the following conditions:
– Has more than 1000 OSPF neighbors, which will make OSPF LSU packet get fragmented.
– Clear ip ospf process * and OSPF will send an LSU packet, which triggers this error message.
Symptom: Tunnel interface states down and fail to carry traffic.
Conditions: The tunnel interface stays down after the tunnel stay flaps. Can be from issuing “shut” and “no shut” commands manually, or the physical port state flaps. And the tunnel state might stay down forever after the event.
Workaround: Delete and recreate the tunnel interface with the same config will bring this tunnel back to up state.
Symptom: Extra flow is shown in show crypto session command.
Symptom: A crash was observed after configuring ethernet CFM on the router. The crash occurred in the linux_iosd process.
Conditions: The crash was seen on the Cisco ISR4400 and the Cisco CSR1000v.
Workaround: Do not configure CFM.
Symptom: Incorrect error message is seen when giving no parameter-map type inspect-global.
Conditions: Parameter-map type inspect global should be defined.
Symptom: ucode crash @ ipv4_ipsec_tunnel_input
Conditions: Bringup 10 FlexVPN sessions on Cisco CSR 100V.Workaround: Enter the no ip source-route command.
Symptom: The Cisco CSR 1000v is deployed from the OVF template, powered up until completion of the 1st time boot process, then powered down and a new vNIC is added while the router is offline. After the router is powered up again, the new interfaces are recognized but the Cisco CSR 1000v VM is observed at operating with 100% CPU usage. The router stays at 100% CPU as long as the newly added interface is in admin shutdown state. CSR CPU usage revert to normal once the interface is admin 'no shutdown'. Not all interface additions will result in this condition.
Conditions: When adding a new vNIC to the Cisco CSR 1000v.
Workaround: After the new interface is added, administer the no shutdown to the interface.
Symptom: The sh plat hard qfp act dat infr sw-hqf output is truncated.
Conditions: When 5 Gi interfaces are defined, the output is truncated
Workaround: Use less than 5 Gi interfaces.
Symptom: IDFW is not working for sgt replaced because of policy static sgt <sgt-num> command.
Conditions: Configure policy static sgt <sgt-num> command on ingress interface and in FW do match for same sgt number given in this CLI.
Symptom: Cisco CSR1000v running on XEN will see significantly lower throughput than on other hypervisors, i.e. ESXi.
Conditions: Cisco CSR1000v running on XEN Server 6.02
Symptom: Gigabit Ethernet interface counters show a value near 2 to the 64th.
Conditions: Occurs on a Cisco CSR1000v router using VMXNET3 driver after an Etherchannel interface is configured.
Workaround: Performing “clear counters” will reset the counter to zero.
Symptom: Hot removal of an interface not possible in the case of CSR 1000v [installed on an ESXi server].
Conditions: Issue seen when try to remove an interface from the Cisco CSR 1000v router when it is UP.
Symptom: RESTAPI interface discovery will fail.
Conditions: Having ipv6 address configured on interface and do RESTAPI GET interface.
Symptom: After booting up, two VMs came up with no installed licenses. Could not recover the licenses since the UDI of the VMs changed.
Conditions: Reset all Cisco CSR 1000v VMs running on a server (4:1 CPU oversubscription). All VMs are 4 vCPU with 4 GB RAM and 3 NICs each.
Workaround: Do not oversubscribe.
Symptom: IPsec transform set with esp-md5-hmac is not supported in this release. When esp-md5-hmac is used, though the IPsec tunnel is established, traffic can not pass through the tunnel. Inbound traffic will be dropped with HMAC error. Outbound traffic will reach to the peer, but will be dropped by the peer with HMAC error.
The following error message is displayed:
Conditions: Whenever esp-md5-hmac is used in an IPsec transform set.
Workaround: Use esp-sha-hmac, not esp-md5-hmac.
Symptom: Can show "Last reload reason: <NULL>"
Symptom: If Gi1 interface does not exist on the CSR when the CSR boots up, the following error message is logged:
The Gi1 interface (usually vnic2 of the CSR VM) could disappear from CSR for any one of the following reasons:
1) the vNIC is deleted from vSphere then the CSR is rebooted
2) the MAC address of the vNIC is changed from vSphere
Conditions: Gi1 interface does not exist on the CSR.
Workaround: If the CSR has multiple vNICs, use the 'clear platform software vnic-if nvtable' command to remap the vNICs to interfaces mapping, then reboot the CSR. Note that the command might remap the interfaces not in the order shown on vSphere for the CSR VM. Use with care.
Symptom: When the CSR1000v boots in premium mode, cannot configure throughput level or install a new premium throughput level license. Throughput will be set to 2500 kbps.
Symptom: Packets of smaller lengths (less than 100 bytes) may be dropped occasionally when a shaper is configured.
Conditions: This issue happens when a shaper is configured on CSR1000v and traffic consisting of smaller packet lengths (less than 100 bytes) are sent below the configured shape rate.
Workaround: There is no known workaround.
Symptom: When CSR1000v is being used as a VPN gateway and BFD session, the number of stable BFD sessions is lower than expected.
Conditions: When CSR1000v is being used as a VPN gateway and BFD session, the number of stable BFD sessions is lower than expected.
Symptom: Getting aggressive alert is seen when no alert is set.
Conditions: ZBFW is on and alert is seen after disabling the parameter-map type inspect global and clearing drops.
Symptom: Crash kernel does not work on ESXi.
Conditions: When main kernel crashes, it does not dump core.
Symptom: All of the IPSEC sessions didn't come up after ISAKMP Rekey
Symptoms: A router loses its default gateway during autoinstall.
Conditions: This issue was seen on Cisco IOS Release 12.4(15)T5, but should affect every Cisco IOS version.
1. Manually do a shut followed by a no shut on the interface.
2. Create an EEM script, for example:
3. In the network configuration, configure ip address dhcp for the interface which is supposed to get the default gateway from DHCP.
Symptom: The CSR router would crash at IPSec code if a DMVPN session is up and running for some time.
Conditions: Usually happens within an hour. No traffic is needed.
Symptoms: EIGRP flapping is seen continuously on the hub. A crash is seen at nhrp_add_static_map.
Conditions: This symptom is observed in the case where there are two Overlay addresses of a different Address Family on the same NBMA (such as IPv4 and IPv6 over Ipv4). This issue is observed after shut/no shut on the tunnel interface, causing a crash at the hub. A related issue is also seen when there is no IPv6 connectivity between the hub and spoke, causing continuous EIGRP flapping on the hub.
Workaround: There is no known workaround.
Conditions: Configured 2k sub-interfaces.
Symptoms: The EIGRP routes do not come up after removing and reenabling the tunnel interface.
Conditions: This symptom is observed when EIGRP routes do not populate properly.
Workaround: There is no workaround.
Conditions: Crash occurs when sending traffic through a non gig 0 interface
Workaround: No workaround as this is caused by unsupported CPUs with missing features. As per the data sheet ( http://www.cisco.com/c/en/US/prod/collateral/routers/ps12558/ps12559/data_sheet_c78-705395.pdf), the CPU requirement is “Intel Nehalem or AMD Barcelona CPU with clock frequency 1.8GHz” or higher.
Symptom: On the CSR1000v an unexpected reset may occur when sending IPv4 small packet traffic at a high rate.
Conditions: This is intermittently seen with a basic CEF configuration passing bi-directional 64 Byte traffic near 100% Gigabit Ethernet line-rate.
Symptom: Provisioned QoS service is not honored.
Conditions: When fair-queue is removed from the class on-the-fly, the rates, i.e., bandwidth and shape, are no longer configured in the hardware.
Workaround: Remove the fair-queue class and re-add it without fair-queue.
Symptom: LSMPI Tracebacks/Errors seen while clearing IP routes multiple times.
Conditions: ASR- GIG-------IXIA >> 2K vlans on GIGE and IXIA subi-intfs >> OSPF neighbour hood was properly achieved with 1000 Vlans
Symptom: QFP errors on applying AVC to MPLS interfaces.
Conditions: AVC is not supported on an MPLS interface so this is a misconfiguration.
Symptom: This warning message would be emitted on the IOS console on Cisco CSR1000v installed on the VMWARE ESXi with VMXNET3 network adapter.
Conditions: When the Cisco CSR1000v is over-subscribed and ESXi is not be able to handle the traffic.
Workaround: This is a warning message and VMXNET3 driver recovers from this condition.
Make sure that the Cisco CSR1000v is not over-subscribed to avoid this.
Symptom: Tunnel interface stays down and fails to carry traffic.
Conditions: The tunnel interface stays down after the tunnel stay flaps. Can be from issuing shut and no shut commands manually, or the physical port state flaps. And the tunnel state might stay down forever after the event.
Workaround: Deleting and recreating the tunnel interface with the same configuration will bring this tunnel back to up state.
For information about the Cisco CSR 1000v Series and associated services, see:
Documentation Roadmap for Cisco CSR 1000v Series, Cisco IOS XE 16.