Release Notes for Cisco
Content Services Gateway 2nd Generation Release 4.0
Cisco IOS Release 12.4(24)MD7
First Published: September 29, 2011
Last Updated: April 8, 2013
Current Release: Cisco IOS Release 12.4(24)MD7
OL-19293-01
This publication describes the requirements, dependencies, and caveats for the Cisco Content Services
Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2. These
release notes are updated for every maintenance release.
Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4, located on
Cisco.com.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most
serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only
select severity 3 caveats are included in the caveats document.
All caveats in Cisco IOS Release 12.4 and Cisco IOS Release 12.4 T are also in Cisco IOS Release
12.4(24)MD7.
• For a list of the software caveats that affect the CSG2 or Cisco SAMI software for Cisco IOS Release
12.4(24)MD7, see the “Caveats for Cisco IOS Release 12.4(24)MD7” section on page 8.
• For information on caveats in Cisco IOS Release 12.4, see Caveats for Cisco IOS Release 12.4,
located on Cisco.com.
• For information on caveats in Cisco IOS Release 12.4 T, see Caveats for Cisco IOS Release 12.4T,
located on Cisco.com and the Documentation CD-ROM.
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Using the Bug Navigator II
If you have an account with Cisco.com, you can use Bug Navigator II to find the most current list of
caveats of any severity for any software release. To reach Bug Navigator II, log in to Cisco.com and click
Software Center: Cisco IOS Software: Cisco Bugtool Navigator II.
This publication includes the following information:
• Introduction
• Features
• System Requirements
• Prerequisites and Restrictions
• Caveats for Cisco IOS Release 12.4(24)MD7
  – CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD6
  – CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD5
  – CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD4
  – CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD3
  – CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD2
  – CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD1
  – CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(24)MD
  – CSG2 Software for Cisco IOS Release 12.4(24)MD - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Open Caveats
  – Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
• Documentation and Technical Assistance
Introduction
The CSG2 is an application that runs on the Cisco Service and Application Module for IP (SAMI), a
high-speed processing module. The CSG2 provides content-aware billing, service control, traffic
analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software
required by mobile wireless operating companies and other billing, applications, and service customers.
The CSG2 runs on the Cisco SAMI, a new-generation high performance service module for the
Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet
service provider (ISP) point of presence (POP), or Regional Data Center.
Features
This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full
descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation Release 4
Installation and Configuration Guide.
To see the software part numbers associated with each CSG2 release; the Supervisor hardware required
by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release;
and the minimum IOS level supported by each CSG2 release, see the “Software Requirements” section
on page 6.
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD7
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD6
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD5
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD4
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD3
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD2
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD1
• CSG2 Features Supported for Cisco IOS Release 12.4(24)MD
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD7
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD7 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD6” section on page 4.
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD6
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD6 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD5” section on page 4.
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD5
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD5 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD4” section on page 4.
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD4
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD4 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD3” section on page 4.
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD3
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD3 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD2” section on page 4.
In addition, the CSG2 software for Cisco IOS Release 12.4(24)MD3 supports the following new feature:
• Enhanced CCA Failure Reporting
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD2
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD2 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD1” section on page 5.
In addition, the CSG2 software for Cisco IOS Release 12.4(24)MD2 supports the following new
features:
• Configurable REGEX Memory
• Configurable URL Map Normalization
• Reuse of Idle RADIUS Proxy Ports
• RTSP Teardown Reply Delay
• Support for Preloaded Headers and Header Groups for Header Insertion
• User Session Continuation After PCRF Timeout
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD1
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD1 supports the entire feature set listed
in the “CSG2 Features Supported for Cisco IOS Release 12.4(24)MD” section on page 5.
In addition, the CSG2 software for Cisco IOS Release 12.4(24)MD1 supports the following new
features:
• CISCO-CONTENT-SERVICES-MIB (updated)
• Display of User Table Entry Creation Time
• Support for the Cisco eGGSN for Cisco GGSN Release 10.0 and the Single IP Feature
• Support for Preloaded Domain Groups and QoS Profiles
• Wireless TCP (WTCP) Support for HTTP Header Insertion
CSG2 Features Supported for Cisco IOS Release 12.4(24)MD
The CSG2 Release 4 software for Cisco IOS Release 12.4(24)MD supports the entire feature set for the
CSG2 Release 3.5 software for Cisco IOS Release 12.4(22)MDA1.
In addition, the CSG2 software for Cisco IOS Release 12.4(24)MD supports the following new features:
• Activity-Based Time Billing
• Billing Plan User Counts
• Content Access Control
• Dynamic Redirection
• Support for eG-CDRs with the Cisco GGSN Release 9.2
• Final Unit Indication with Redirect
• Header Insertion
  Wireless TCP for header insertion is not supported.
• Layer 7 Domain Name System (DNS) Inspection
• MIB Support for CISCO-ISCSI-MIB
  MIB support for new features is not included in this image.
  The CISCO-CONTENT-SERVICES-MIB is not updated for this release of the CSG2.
• Per-Subscriber Volume and Time Thresholds
• Support for up to 1024 RADIUS Proxies
• Support for up to 2048 RADIUS Endpoints
• Support for up to 32,768 Service Rules
• User Logoff Notifications
System Requirements
This section describes the following memory and software requirements for CSG2:
• Memory Requirements
• Hardware Supported
• Software Requirements
• Determining the Software Version
For hardware requirements, such as power supply and environmental requirements, as well as hardware
installation instructions, see the Service and Application Module for IP User Guide.
Memory Requirements
The CSG2 memory is not configurable.
The Cisco SAMI is available with a default 1-GB memory or an optional 2-GB memory.
Hardware Supported
Use of the CSG2 requires one of the following Cisco 7600 Series Routers and Supervisor Engines, and
a module with ports to connect server and client networks:
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 (WS-SUP720)
running Cisco IOS Release 12.4(33)SRB1 or later
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy
Feature Card 3B (WS-SUP720-3B) running Cisco IOS Release 12.4(33)SRB1 or later
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy
Feature Card 3BXL (WS-SUP720-3BXL) running Cisco IOS Release 12.2(33)SRB1 or later
• Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card
(WS-SUP32-GE-3B) running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version
12.2[121] or later on the Cisco SAMI
• Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10 Gigabit
Ethernet Uplinks (WS-SUP32-10GE-3B) running Cisco IOS Release 12.4(33)SRC or later and LCP
ROMMON Version 12.2[121] or later on the Cisco SAMI
• Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C
(RSP720-3C-GE) running Cisco IOS Release 12.4(33)SRC or later
• Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3CXL
(RSP720-3CXL-GE) running Cisco IOS Release 12.2(33)SRC or later
Software Requirements
When referring to this section, keep the following considerations in mind:
• Do not use the Supervisor Hardware Supported column to infer supervisor hardware support.
Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired
supervisor hardware.
• Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level
Supported.
The following table lists the CSG2 and Cisco SAMI module part numbers and associated information
for each CSG2 release:
CSG2 Release: 12.4(24)MD7, 12.4(24)MD6, 12.4(24)MD5, 12.4(24)MD4, 12.4(24)MD3, 12.4(24)MD2, 12.4(24)MD1, 12.4(24)MD
CSG2 and Cisco SAMI Module Part Numbers:
– Cisco SAMI Module Part Numbers: WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-2GB
– CSG2 Software License Part Numbers: SSAC40K9-12424MD, SSAC40K9-12424MD=
– CSG2 Software Subscriber License Part Numbers: FL-SC-10K-SUB, FL-SC-100K-SUB
– CSG2 Software Upgrade License Part Numbers: FL-SC-R35R4-K9-UP
– CSG2 Software and Cisco SAMI Module Bundle Part Numbers: SAMI-CSG2-R2AS-K9=
Supervisor Hardware Supported, with the Supervisor Software Minimum Cisco IOS Release Required for New Features and the Supervisor Software Minimum Cisco IOS Level Supported:
– WS-SUP720, WS-SUP720-3B, WS-SUP720-3BXL: 12.2(33)SRB1 required for new features; 12.2(33)SRB1 minimum level supported
– WS-SUP32-GE-3B, WS-SUP32-10GE-3B: 12.2(33)SRC required for new features; 12.2(33)SRC minimum level supported
– RSP720-3C-GE, RSP720-3CXL-GE: 12.2(33)SRC required for new features; 12.2(33)SRC minimum level supported
Determining the Software Version
To determine the version of Cisco IOS software that is currently running on your Cisco network device,
log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.
To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in
privileged EXEC mode.
To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and
enter the show tech-support command in privileged EXEC mode.
Prerequisites and Restrictions
For the latest prerequisites and restrictions for the CSG2, see the “Overview” chapter of the
Cisco Content Services Gateway - 2nd Generation Release 4 Installation and Configuration Guide.
Caveats for Cisco IOS Release 12.4(24)MD7
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD7.
• CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD7:
• CSCty02688—CSG2: Improper session synchronization during upgrade
When performing an in-service upgrade and synchronizing sessions from the active CSG2
Release 4, or any earlier release, to the standby CSG2 Release 5, or any later release, the
synchronization might not complete correctly. The standby CSG2 is synchronized with an
unexpectedly huge number of IP bytes uploaded and downloaded for all sessions. When the standby
CSG2 becomes active, it reports this huge number of uploaded and downloaded IP bytes to the
BMA, causing all sessions to be overcharged.
Workaround: Do not perform an in-service upgrade from CSG2 Release 4, or any earlier release,
to CSG2 Release 5, or any later release.
CSG2 Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD7:
• CSCts47723—CSG2 sends wrong usage count in CCR-F when CCA-U timeout or failure occur
If a CCA-U timeout/failure occurs on the CSG2, the CSG2 might send the wrong usage count in the
CCR-F. The CSG2 continues to count the usage even after the CCA-U timeout/failure occurs.
• CSCtt08817—RTSP protocol statistics report a 0 value
When control-url is configured for a content, the output for the show ip csg stats protocol
command displays 0 for the RTSP protocol.
• CSCtu31661—New CLI to stop counting if CCR-U failed
The CSG2 stops counting usage if the CCR-U fails. This CDETS introduces the ip csg ccr-u-fail
stop-count command, which enables the CSG2 to continue to count usage in the event of a CCR-U
failure.
• CSCtu53660—CSG2- Diameter error- Dia Transport: TCP port unavailable
In the Gx interface, the TCP port to the PCRF server might become unavailable.
The TCP connection on the Gx interface between the CSG2 and the PCRF is not coming up. The
issue is encountered after the PCRF connection goes down and comes up multiple times. This causes
the local port leak to accumulate, and the local port becomes unavailable to establish the TCP
connection.
• CSCtw68505—User's billing is unknown
Some subscribers associated with a secondary PDP are not assigned a billing plan, because the 3GPP
charging ID (as part of the RADIUS attributes) is missing in the user’s Profile Request that is sent
to the quota server.
• CSCtx04022—CSG2 not assigning policy when SSH over port 80
If the CSG2 is configured to parse the HTTP protocol in a content, and a prepaid user sends
non-HTTP data that matches the content (for example, SSH over port 80), the CSG2 passes the
traffic without sending a Segmentation and Reassembly (SAR) to the quota server.
• CSCty49899—Standby PCEF sends Create Session Request to PCRF after reload
When a user is deleted on the active CSG2, the standby CSG2 also sends a CCR-F. That causes the
“pcrf failure” counter to increment, as the Diameter connection is not established on the standby
CSG2.
• CSCub27714—User sessions stuck in CSG2 cause delayed Service Stop to go in sticky User Table
The CSG2 might send a Service Stop message to the quota server that was not associated with the
user. This can occur even if Quota Server Reassignment is disabled.
For this problem to occur, all of the following conditions must be met:
– A prepaid user must exist in the system.
– The quota must expire and 0 quota must be received in the Service Reauth Response.
– The reauthorization delay must be around 1200 seconds.
– The CSG2 must block the traffic and clear some of the sessions.
– The CSG2 must receive a RADIUS Accounting Stop message for the user (user logout) before
the content idle timer expires.
– A few established sessions must get stuck in the CSG2 and not be cleared after the RADIUS
Accounting Stop message.
– The CSG2 must send out the Service Stop after the sessions are cleared by the content idle timer.
This results in the creation of a sticky user while sending the Service Stop, as the affinity is already
cleared. While creating the sticky user, the CSG2 might assign a different quota server and forward
the service stop to that quota server.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(24)MD7.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD7 - Closed Caveats
There are no Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(24)MD7.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD7:
• CSCtg47129
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network
address translation (NAT) feature contains a vulnerability when translating IP packets that could
allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate
this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes
seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each
Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases
that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
• CSCtn76183
The Cisco IOS Software Network Address Translation (NAT) feature contains two denial of service
(DoS) vulnerabilities in the translation of IP packets.
The vulnerabilities are caused when packets in transit on the vulnerable device require translation.
Cisco has released free software updates that address these vulnerabilities. This advisory is available
at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat
Caveats for Cisco IOS Release 12.4(24)MD6
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD6.
• CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD6:
• CSCts47723—CSG2 sends wrong usage count in CCR-F when CCA-U timeout or failure occur
If a CCA-U timeout/failure occurs on the CSG2, the CSG2 might send the wrong usage count in the
CCR-F. The CSG2 continues to count the usage even after the CCA-U timeout/failure occurs.
Workaround: None.
• CSCty02688—CSG2: Improper session synchronization during upgrade
When performing an in-service upgrade and synchronizing sessions from the active CSG2
Release 4, or any earlier release, to the standby CSG2 Release 5, or any later release, the
synchronization might not complete correctly. The standby CSG2 is synchronized with an
unexpectedly huge number of IP bytes uploaded and downloaded for all sessions. When the standby
CSG2 becomes active, it reports this huge number of uploaded and downloaded IP bytes to the
BMA, causing all sessions to be overcharged.
Workaround: Do not perform an in-service upgrade from CSG2 Release 4, or any earlier release,
to CSG2 Release 5, or any later release.
CSG2 Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD6:
• CSCtn80399—The CSG2 must include the default bearer’s accounting session id in the PoD
The CSG is sending the dedicated bearer session ID in Packet of Disconnect (PoD) requests to clear
users instead of the default bearer ID.
• CSCtq60404—The CSG2 reloads when creating and deleting Gx users with traffic
The CSG2 might reload when creating and deleting tens of thousands of Gx users with traffic. The
CSG2 must be under heavy load, creating and deleting 100,000 to 180,000 users and processing 10
sessions per user.
• CSCtq60705—The CSG2 fails to parse egcdr_correlator_id correctly in RADIUS messages
When eG-CDRs are configured for use between the eGGSN/PGW and the CSG2, the eGGSN/PGW
might reject GTP messages from the CSG2, with the following message:
%CSG-3-GTP_REJECT: GTP received
• CSCtq83846—Possible leak due to an out-of-order mid-flow SYN with the ACK bit set
The CSG2 might experience a memory leak due to an out-of-order mid-flow SYN with the ACK bit
set. To detect the leak, examine the Pct Used value in the Application column in the CSG Buffer
Management Stats section of the output of the show ip csg stats command.
• CSCtq94337—eGGSN- Packets are stuck in the quota server queue
In an eGGSN configuration, packets might become stuck in the quota server queue.
• CSCtr08631—The CSG2 is reporting negative usage to the BMA after a failover
After a failover, the Service Usage reported as quadrans in an intermediate or final BMA CDR is
less than that reported in a prior intermediate CDR.
For this problem to occur, all of the following conditions must be met:
– Intermediate CDRs must be configured for type OTHER or NBAR.
– A CSG2 failover must have occurred after an intermediate CDR has been generated for one or
more long-lived Layer 4 sessions.
• CSCtr69315—The CSG2 is delaying CCRs
The CSG2 might not send a CCR to the PCRF immediately after receiving accounting messages
from the PGW. Therefore the CCR timeout occurs before the CCA is received, even though the CCA
is received immediately. The retransmit CCR is sent to the next PCRF in the configuration. The CCA
received for the retransmit CCR has 5012 - error in CCA Result code AVP.
A burst of 20 to 40 CCRs is sent to the PCRF, then no messages for almost two minutes.
• CSCtr88344—RAR received before CCA-I is dropped; further RARs after CCA-I handled
When the PCRF places the CCA-I and the RAR in the same packet, the RAR message and all
subsequent RAR messages are ignored. Since no RAA is returned for the first RAR, all subsequent
RARs are also rejected.
• CSCts13678—Charging ID missing in Service Stop message when Gx enabled
When a subscriber is Gx-enabled, and the user is deleted, the CSG2 sends a Service Stop message
to the quota server, but the CSG2 does not include the RADIUS attribute Charging ID in the
message.
• CSCts08568—Ability to tweak the TCP MSS for indirectly connected network
If the Diameter TCP peer is on a different subnet than the CSG2 diameter peer, the TCP MSS cannot
be tuned for the indirectly connected network for the Diameter application. This occurs for either a
Gx or a Gy implementation on the CSG2. By default, a value of 536 bytes is chosen for the TCP
MSS, and the ip tcp mss 1460 global configuration command does not increase the MTU to 1460.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(24)MD6.
• CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage
The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.
For this problem to occur, all of the following conditions must be met:
– The session timeout must be set to 50 seconds or greater.
– The interface that the CSG2 uses to communicate with the iSCSI target must be down.
Workaround: Enter the following commands to enable the CSG2 to detect the failure after the
session times out.
ip tcp mss 1460
ip tcp path-mtu-discovery
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD6 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD6:
• CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
• CSCsy84312—Not able to write the core file in the redundant Cisco SAMI during the process
watchdog timeout
In a redundant implementation, the Cisco SAMI application is not able to write to the core file when
forced to crash with the process watchdog timeout option.
• CSCtk12410—Crash in a standby processor causes an RF-induced self-reload of active
When two Cisco SAMIs are configured as an active and standby pair, any unexpected reload of one
of the processors in the standby SAMI can cause the active SAMI to reload because of an
RF-induced self-reload.
This condition can occur if the HSRP priority of the standby SAMI is greater than the priority of the
active SAMI, either because of explicit configuration or based on the IP address of the active and
standby SAMIs.
• CSCtq39561—HSRP/RF running while writing debuginfo causes delayed switchover
A delayed switchover can occur in an active-standby pair of Cisco SAMIs. That is, when the active
SAMI goes down, the standby SAMI might not become active for several minutes.
• CSCtr32221—Decrease time-interval of PPC to IXP health-monitoring messages
In an active-standby Cisco SAMI pair, if the standby SAMI has a higher HSRP priority than the
active SAMI, the active SAMI might reload when the IXP on the standby SAMI fails.
Caveats for Cisco IOS Release 12.4(24)MD5
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD5.
• CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD5:
• CSCtn80399—The CSG2 must include the default bearer’s accounting session id in the PoD
The CSG is sending the dedicated bearer session ID in Packet of Disconnect (PoD) requests to clear
users instead of the default bearer ID.
Workaround: None.
• CSCtq60705—The CSG2 fails to parse egcdr_correlator_id correctly in RADIUS messages
When eG-CDRs are configured for use between the eGGSN/PGW and the CSG2, the eGGSN/PGW
might reject GTP messages from the CSG2, with the following message:
%CSG-3-GTP_REJECT: GTP received
Workaround: None.
CSG2 Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD5:
• CSCtb17999—Tracebacks on DPR from server, client closes TCP before sending DPA
When the PCRF (Policy and Charging Rules Function) sends a Diameter DPR (Disconnect Peer
Request) followed by a TCP FIN to the CSG2 that is acting as the PCEF (Policy Charging
Enforcement Function), the CSG2 first sends a TCP FIN-ACK and then tries to send a Diameter
DPA (Disconnect Peer Answer) back to the PCRF. However, the DPA is not delivered because the
TCP connection has been closed, and tracebacks are seen on the CSG2/PCEF. The CSG2/PCEF
should instead send the DPA message first and then follow up the TCP connection termination by
sending the FIN-ACK.
• CSCtn15950—Configuration rollback fails while taking a content out-of-service
Rolling back the CSG2 configuration might fail while taking a content out-of-service.
•
CSCtn62963—Support HTTPS URL redirection
Modify the CSG2 to support HTTPS URL redirection.
•
CSCtn86043—QoS parameters to QCI mapping is incorrect for REL99 QoS
The mapping of Quality of Service (QoS) parameters to QoS Class Identifier (QCI) is incorrect for
Release 99 QoS.
•
CSCtq46748—Standby CSG2 might reload when processing an HA update message
The standby CSG2 might reload.
For this problem to occur, all of the following conditions must be met:
– The CSG2 must be operating as a standby device in a high availability (HA) configuration.
– Many RADIUS attributes (10 or so) must be configured for reporting in the Packet of
Disconnect (PoD).
– The system must be under stress, such as would occur when processing a bulk HA state update
soon after bootup.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(24)MD5.
•
CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
Workaround: None.
•
CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage
The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.
For this problem to occur, all of the following conditions must be met:
– The session timeout must be set to 50 seconds or greater.
– The interface that the CSG2 uses to communicate with the iSCSI target must be down.
Workaround: Enter the following commands to enable the CSG2 to detect the failure after the
session times out.
ip tcp mss 1460
ip tcp path-mtu-discovery
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD5 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD5:
•
CSCsr37333—Run SysMgr with eFence to detect memory errors
Sometimes the SysMgr process crashes without any reason. The crash occurs due to memory
corruptions that are generated during the boot. Those corruptions might not appear for a period of
time, until the process hits the corrupted area and then fails. The fix eliminated the memory
corruptions that occurred during the boot.
•
CSCtc60025—Implement heartbeat mechanism between LCP and PPCs
When any of the Cisco SAMI daughter cards has a sudden hardware failure during run time, such as
a reset circuitry failure, the control processor fails to detect the failure and assumes that the system
is UP. The Supervisor Engine continues to show the Cisco SAMI status as OK. The standby unit
remains unaware of the active failure, and fails to switch over until the keepalive timeout occurs.
This results in total outage for minutes until the standby takes over.
The hardware/software watchdogs also fail to act under these conditions.
•
CSCtd17963—Unexpected exception while debuginfo collected due to IXP Health-Monitoring
failure leading to crash
During a Health-Monitoring failure in the Cisco SAMI, each processor writes more than one
debuginfo file. Some of the debuginfo files are incomplete, and crashinfo is written under the
name of debuginfo.
•
CSCtl90606—Traffic is passed to and from the GGSN SAMI even if the SVCLCs have been
removed
Traffic leaks between the Cisco SAMI and the Supervisor Engine even if the service line cards
(SVCLCs) have been removed.
•
CSCtn95286—SAMI: Summit registers workaround for FRU power failure
At high traffic loads, the Cisco SAMI might reload as a result of a failure of power convertor 0x5.
%OIR-SP-6-PWRFAILURE: Module 2 is being disabled due to power convertor failure 0x5
%C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (FRU-power failed)
•
CSCto72922—SAMI IXP not dropping packets larger than maximum supported packet size
Packets larger than 3072 bytes, which is the maximum supported packet size for the Cisco SAMI,
are being forwarded to the Cisco SAMI PowerPCs (PPCs), resulting in the following error message:
%ETSEC-1-ERROR_INT_CAUSE IEVENT_BABR
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD5:
•
CSCtj41194
Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack
implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected
device that has IPv6 enabled. The vulnerability may be triggered when the device processes a
malformed IPv6 packet.
Cisco has released free software updates that address this vulnerability. There are no workarounds
to mitigate this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml.
Caveats for Cisco IOS Release 12.4(24)MD4
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD4.
•
CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
•
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD4.
CSG2 Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD4:
•
CSCtl48268—CSG2: Diameter protocol error can cause memory corruption and crash
The CSG2 might crash as a result of a memory corruption or accessing an invalid address. The logs
from the crashinfo show that the PCRF sent Diameter protocol errors.
•
CSCtl59093—CSG2 R5 crash during content inservice
When activating a content using the inservice command, the CSG2 might generate CPUHOG and
CPUYIELD error messages.
For this problem to occur, all of the following conditions must be met:
– A large number of match patterns must be configured.
– A large number of the match patterns must be double-wildcard match patterns.
– The CSG2 regular expression (regex) memory must be configured at or near the maximum
setting.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(24)MD4.
•
CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
Workaround: None.
•
CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage
The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.
For this problem to occur, all of the following conditions must be met:
– The session timeout must be set to 50 seconds or greater.
– The interface that the CSG2 uses to communicate with the iSCSI target must be down.
Workaround: Enter the following commands to enable the CSG2 to detect the failure after the
session times out.
ip tcp mss 1460
ip tcp path-mtu-discovery
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD4 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD4:
•
CSCtj86047—Unable to disassociate iSCSI profile from the CSG2
The iSCSI configuration on the CSG2 cannot be modified. The following error is logged:
%Cannot modify in use target profile, first dissociate profile TEST from application
•
CSCtk98031—Target name not included in iSCSI login message
After modifying the iSCSI configuration, the iSCSI login fails.
The Cisco SAMI debug shows the following error message:
iSCSI ERROR: login error status class 2, status details 7
The server log shows the following error message:
Initiator did not specify target name in LOGIN request
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD4:
•
CSCtd10712
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of
service (DoS) vulnerabilities in the translation of the following protocols:
– NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
– Session Initiation Protocol (Multiple vulnerabilities)
– H.323 protocol
All the vulnerabilities described in this document are caused by packets in transit on the affected
devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.
Caveats for Cisco IOS Release 12.4(24)MD3
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD3.
•
CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD3.
CSG2 Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD3:
•
CSCsh25384—CP crash in csg_gtp_queue_and_send when running simple_redund
If a failover occurs and the no ip csg bma or no ip csg quota-server command is issued, the CSG2
might crash.
•
CSCti07167—SIP Invite method with map attributes matches wrong policy
A SIP Invite method with attribute maps always matches the default policy instead of the expected
policy.
•
CSCti18302—CSG2 software forced reload after configuring no ip csg bma activate
The CSG2 software forced a reload after a configuration change.
For this problem to occur, all of the following conditions must be met:
– The active BMA queues must be full with 20,000 elements waiting to be acknowledged.
– The no ip csg bma activate 4 command must be configured.
– The ip csg bma activate 4 sticky 60 command must be configured.
•
CSCti35812—Reload triggered when parsing POP3 packet
When the CSG2 is performing Layer 7 parsing of POP3 or SMTP e-mail traffic, and an e-mail packet
is received with a crafted, malformed header, a watchdog might trigger a reload of the CSG2.
•
CSCtj04285—Slow clearing of the quota server queues in the CSG2
During high traffic conditions the CSG2 clears the quota server queue too slowly.
•
CSCtj09087—CSG2: Cannot preload a content that conflicts with CLI content
If the CSG2 tries to preload a content definition with IP filter parameters that match a content that
has already been configured with CLI, the CSG2 does not allow the preloaded content to be brought
inservice. The following message is displayed:
SAMI 9/3: CSG-3-PRELOAD ERR: Cannot bring content IP_ANY_PRELOAD inservice,
it duplicates content IP_ANY_CLI
•
CSCtj19341—CSG2: Crash in free_all_lists
Under high Gx user load, the CSG2 might crash.
•
CSCtj25636—CCR-I resent to the backup before the original CCR-I is sent
When Diameter does not receive a response to a Diameter request from the PCRF within the
configured timeout interval, the primary Diameter peer sends a CCR-I shortly after the backup has
sent out the same CCR-I with the retransmit flag set.
•
CSCtj73069—CSG2: Usage statistics are not replicated to redundant side during failover
The session usage statistics are not replicated to the standby CSG2.
•
CSCtj84347—CSG2: Relative URL matching fails due to bad host name in recomposed URL
If an HTTP.request-method: spans multiple TCP segments, with the host HTTP header field in the
first TCP segment, relative URL matching might fail.
•
CSCtj98606—CSG2 R5: Preloaded Service-Rating-Group not applied on CSG2 services
A preloaded service rating plan (AVP 131162) from the PCRF might not install correctly on CSG2
services.
•
CSCtj99945—CSG2: Improper quota server load balancing
The assignment of user entries to quota servers for load-balancing might be askew. For example, if
100 user entries were created with two active quota servers configured, the expected behavior is that
each quota server would be assigned about 50 user entries. However, the number of user entries
assigned to each quota server might actually be asymmetric and inconsistent.
•
CSCtk13449—Simultaneous crashes on active/standby at dllobj_lite_add
A simultaneous reset of two CSG2s operating in redundant mode might occur.
•
CSCtk13992—CSG2 out of IDs: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!)
In an eGGSN deployment with Gx-enabled users, the CSG2 might stop processing certain requests,
such as Gx (Diameter requests), causing subscriber outages. The CSG2 might also fail to log in
remotely over SSH, generating the following message:
SAMI 4/3: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x0)
•
CSCtk36462—Severe memory leak due to SNMP SMALL CHUNK - k_ccsProtocolStatsEntry_get
A severe memory leak might occur on the CSG2 when SNMP polling the following OIDs:
CISCO-CONTENT-SERVICES-MIB
ccsProtocolStatsEntry - 1.3.6.1.4.1.9.9.597.1.2.6.1
ccsBillingPlanStatsEntry - 1.3.6.1.4.1.9.9.597.1.2.7.1
CISCO-MOBILE-POLICY-CHARGING-CONTROL-MIB
cmpccPCRFMethodListStatsTableEntry - 1.3.6.1.4.1.9.9.690.1.2.2.1
cmpccProfileConfigTableEntry - 1.3.6.1.4.1.9.9.690.1.1.1.1
•
CSCtk62797—CSG2: HA update flag for Gx being set incorrectly
While updating packet filters in Gx, the HA update flag is being set incorrectly after the check to
send HA update.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(24)MD3.
•
CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage
The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.
For this problem to occur, all of the following conditions must be met:
– The session timeout must be set to 50 seconds or greater.
– The interface that the CSG2 uses to communicate with the iSCSI target must be down.
Workaround: Enter the following commands to enable the CSG2 to detect the failure after the
session times out.
ip tcp mss 1460
ip tcp path-mtu-discovery
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD3 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD3:
•
CSCtf55436—iSCSI session to EMC not reestablished after interface comes up
When an iSCSI connection with EMC on the GGSN drops due to a session timeout, and the user
tries to log in again, the iSCSI session might not be reestablished.
•
CSCtf71296—iSCSI state is set incorrectly after session timeout
The iSCSI state in the show ip iscsi session command output displays as “Free” when the
connection to the iSCSI target is brought down asynchronously.
•
CSCti10016—Huge amount of disk size loss after format
When formatting a disk that is 32 GB or larger, the show command displays only 4 GB free on the
device.
Caveats for Cisco IOS Release 12.4(24)MD2
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD2.
•
CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD2:
•
CSCti07167—SIP Invite method with map attributes matches wrong policy
A SIP Invite method with attribute maps always matches the default policy instead of the expected
policy.
Workaround: None.
•
CSCti18302—CSG2 software forced reload after configuring no ip csg bma activate
The CSG2 software forced a reload after a configuration change.
For this problem to occur, all of the following conditions must be met:
– The active BMA queues must be full with 20,000 elements waiting to be acknowledged.
– The no ip csg bma activate 4 command must be configured.
– The ip csg bma activate 4 sticky 60 command must be configured.
Workaround: Wait for the BMA queues to drain prior to making configuration changes, or make
the changes during a maintenance window.
CSG2 Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD2:
•
CSCtf33305—CSG2: 150 Cisco-Flow-Description AVPs in a Gx rule freeze the card
When many Cisco-Flow-Description AVPs or Flow-Description AVPs are embedded within one Gx
charging rule, the CSG2 might be unable to install the complete rule, the CSG2 console might
become unresponsive, and the CSG2 CP CPU utilization might approach 100%.
•
CSCtg33015—Memory leak on standby CSG2 processors 4-8
A memory leak is observed on the standby CSG2 in a redundant CSG2 pair. The leak is seen only
on processors 4-8 of the standby CSG2.
When simultaneous show tech commands from the active and standby CSG2s are compared, the show
fastblk output of the show tech command on processors 4 through 8 of the standby CSG2 shows
significantly higher memory consumption than on the active CSG2. The memory consumption of the
standby CSG2 also increases steadily over time.
The exact circumstances that cause this memory leak are unknown, but it is likely related to per-user
or per-service QoS.
•
CSCtg68095—Match attribute a & m for SIP INVITE messages is not working
The match attribute m command for a SIP INVITE message does not work.
•
CSCtg70982—The secret RADIUS key specified with the ip csg radius endpoint command
changes after each write memory operation
The secret RADIUS key for the endpoint that is displayed in the show run output changes as write
memory operations are performed.
•
CSCtg90246—The PoD IP address is not assigned if the sticky user was created before the gateway
sends the RADIUS Accounting Start message
If a user is created as a sticky user before the gateway sends the RADIUS Accounting Start message,
the CSG2 fails to send the PoD or CoA for the user.
•
CSCtg98342—The CSG2 freezes for a few seconds after RADIUS Accounting ON/OFF messages
When RADIUS Accounting Off and RADIUS Accounting On messages are sent from the GGSN to
the CSG2, the CSG2 freezes for several seconds.
•
CSCth06554—R5: CSG2 RADIUS attribute leaks memory which results in crash
The CSG2 Traffic Processors (TPs) might leak processor memory that belongs to fastblocks
earmarked for the storage of RADIUS attributes.
For this problem to occur, all of the following conditions must be met:
– RADIUS attributes must be configured under a user class using the ip csg user class command.
– A RADIUS Accounting Start message must be received for a subscriber.
– Some or all of the RADIUS attributes in the message must match those configured under a user
class.
– A subsequent RADIUS Accounting Start or RADIUS Accounting Interim message must be
received for the same subscriber.
– The list of matching RADIUS attributes in the new message, and the value of each matching
attribute, must be identical to those received in the first RADIUS Accounting Start message.
•
CSCth07062—R5: DATACORRUPTION after going from standby to active
With two CSG2s running replication, the following data corruption might be seen:
AMI 2/3: May 29 16:38:42.634: %DATACORRUPTION-1-DATAINCONSISTENCY:
Attempt to memcpy 201 bytes should have been 64 bytes, -PC= 0x4415E7F8z, -Traceback=
0x446AA270z 0x453B3C64z 0x4415E7F8z 0x4416A0A0z 0x4416BCECz 0x44071F68z
0x4407295Cz 0x4407350Cz 0x443481ACz 0x443483B8z 0x44234ED4z 0x442375A4z
0x4547E26Cz 0x44207160z 0x44207160z 0x4547E328z
•
CSCth09467—CSG2: The Accounting session ID is not used for RADIUS correlation
The accounting session ID is not used for RADIUS correlation to stop the user. The output of the
show user command does not show the user's Correlator attribute. The CP leaks fastblk memory
allocated for the RADIUS Correlator attribute.
For this problem to occur, all of the following conditions must be met:
– The ip csg radius correlation command must be configured.
– The RADIUS Accounting Start message must have Cisco VSA subattributes, but not
“user_session_correlator=”, so that the Acct-Session-Id (RADIUS attribute 44) is used for
correlation.
•
CSCth13275—CSG2 is printing content out of service in progress although inservice
When a CSG2 content is inservice with a large number of sessions, and the inservice command is
entered again, the CSG2 incorrectly displays the following message:
SAMI 1/3: 000113: Jun 3 00:33:02: %CSG-4-CFG_ERROR:
% Cannot bring content INT-IC-HTTP1 inservice, content out of service in progress
-Process= “CSG BGCFG”, ipl= 1, pid= 156
•
CSCth21954—PCRF sending 30 rules per user causes crash
When using eGGSN and large numbers of Gx/RADIUS attributes, the CSG2 can crash when sending
the CoA.
•
CSCth23631—FTP CDR Error: NewLine char in UserName, FileString and FTPCommand TLVs
The CDRs for Layer 7 FTP parsing include a NewLine character (0d 0a) after UserName, FileString,
and FTPCommand TLVs.
•
CSCth43275—CSG2 R5 Gx Preload: Service not updated when billing basis is changed
When attempting to update an existing preloaded service with a change to basis seconds connect,
the service might fail to preload.
•
CSCth45928—CSG2 R5 Gx Preload: CSG2 clears before disabling global mining
If you send a Preload AVP configured with clear DNS table and mining disabled, and mining is
currently enabled on the CSG2, the Preload command fails.
•
CSCth56243—Traceback when showing user with many flow descriptions in rules
In a CSG2 Gx environment in which there are more than 20 flow descriptions as part of a single Gx
rule, the show ip csg users detail command might show a traceback and truncate the output.
•
CSCth61006—CSG2: %IPC-0-CFG_DOWNLOAD_ERROR seen upon reboot
After a reload, the CSG2 might log an IPC-0-CFG_DOWNLOAD_ERROR message, and the CSG2
might block user traffic. This problem can occur if more than 16 ip csg user profile or ip csg select
commands are configured.
•
CSCti06218—Spurious memory access when sending fixed-format CDR
When the ip csg records format fixed command is configured to send fixed-format CDRs, a
spurious memory access error might occur.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(24)MD2.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD2 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD2:
•
CSCtg50821—Crashed in crashdump
When the CSG2 crashes, the crash information file might be empty, or it might contain files with
little or no content.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD2:
•
CSCta20040
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS
Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device
when SIP operation is enabled.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds for devices that must run SIP; however, mitigations are available to limit exposure to
the vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes
six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software,
and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each
advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory.
The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that
have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Cisco Unified Communications Manager (CUCM) is affected by the vulnerabilities described in this
advisory. The following Cisco Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco Unified Communications Manager at the following location:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
•
CSCtc73759
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version
of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-h323.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes
six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software,
and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each
advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory.
The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that
have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
•
CSCte14603
A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of
Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause
a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a
sustained denial of service (DoS) condition. Cisco has released free software updates that address
this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes
six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software,
and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each
advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory.
The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that
have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
•
CSCtf17624
The Cisco IOS Software Network Address Translation functionality contains three denial of service
(DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP)
packets, the second vulnerability is in the translation of H.323 packets, and the third vulnerability is
in the translation of H.225.0 call signaling for H.323 packets.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes
six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software,
and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each
advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory.
The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that
have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
•
CSCtf91428
The Cisco IOS Software Network Address Translation functionality contains three denial of service
(DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP)
packets, the second vulnerability is in the translation of H.323 packets, and the third vulnerability is
in the translation of H.225.0 call signaling for H.323 packets.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes
six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software,
and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each
advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory.
The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that
have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security
Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
•
CSCth17178
A service policy bypass vulnerability exists in the Cisco Content Services Gateway—Second
Generation (CSG2) which runs on the Cisco Service Application Module for IP (SAMI). This
vulnerability could allow in certain configurations:
– Customers to access sites that would normally match a billing policy to be accessed without
being charged to the end customer.
– Customers to access sites that would normally be denied based on configured restriction
policies.
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the CSG2 contains two vulnerabilities
that can be exploited remotely by an unauthenticated attacker, resulting in a denial of service of
traffic through the CSG2. Both vulnerabilities require only a single content service to be active
on the CSG2 and are exploited via crafted TCP packets. A three-way handshake is not required to
exploit either of these vulnerabilities.
No workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
• CSCth41891
A service policy bypass vulnerability exists in the Cisco Content Services Gateway—Second
Generation (CSG2), which runs on the Cisco Service Application Module for IP (SAMI). In certain
configurations, this vulnerability could allow:
– Customers to access sites that would normally match a billing policy without the access
being charged to the end customer.
– Customers to access sites that would normally be denied based on configured restriction
policies.
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the CSG2 contains two vulnerabilities
that can be exploited remotely by an unauthenticated attacker, resulting in a denial of service of
traffic through the CSG2. Both vulnerabilities require only a single content service to be active
on the CSG2 and are exploited via crafted TCP packets. A three-way handshake is not required to
exploit either of these vulnerabilities.
No workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
• CSCtk35917
A service policy bypass vulnerability exists in the Cisco Content Services Gateway—Second
Generation (CSG2), which runs on the Cisco Service Application Module for IP (SAMI). In certain
configurations, this vulnerability could allow:
– Customers to access sites that would normally match a billing policy without the access
being charged to the end customer.
– Customers to access sites that would normally be denied based on configured restriction
policies.
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the CSG2 contains two vulnerabilities
that can be exploited remotely by an unauthenticated attacker, resulting in a denial of service of
traffic through the CSG2. Both vulnerabilities require only a single content service to be active
on the CSG2 and are exploited via crafted TCP packets. A three-way handshake is not required to
exploit either of these vulnerabilities.
No workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
Caveats for Cisco IOS Release 12.4(24)MD1
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD1.
• CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD1.
CSG2 Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD1:
• CSCte17561—CSG2 R4: L7 DNS not flagging certain sessions as being “unparseable”
If a DNS transaction contains a packet with a DNS payload that exceeds the maximum parse length,
the CSG2 might reset the session, causing the transaction to fail.
• CSCte79276—CSG2 CCR-I prepaid-request-number not zero
The CSG2 occasionally sends a CCR-I message with a CC-Request-Number AVP that is not set to
zero. Some PCRF implementations expect a zero value; those PCRFs reject or ignore the non-zero
CCR-I from the CSG2, resulting in a subscriber connection failure.
• CSCte81938—Spurious accesses
One or more spurious accesses might be seen on the CSG2 TPs. The following error messages are
generated:
SAMI 7/5: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x4512C1C8 reading 0x3C
SAMI 7/5: %ALIGN-3-TRACE: -Traceback= 0x4512C1C8 0x4512DC4C 0x4512F540 0x450E5700 0x450E60BC 0x44514F04 0x44515110 0x44F95098
For this problem to occur, the following conditions must all be true:
– There must be one or more HTTP sessions parsed at layer 7 (that is, sessions that match a CSG2
content configured with parse protocol http).
– The CSG2 must be configured as part of a High Availability (HA) redundancy pair.
– An HA switchover must occur, causing the standby CSG2 to become the active CSG2.
– The HTTP sessions must survive the switchover. That is, the first packet for the session must
arrive well before the switchover, and the last packet for the session must arrive well after the
switchover.
– The data for the HTTP sessions must arrive as IP fragments on the new active CSG2.
• CSCte97026—RADIUS AVPs of some subscribers missing from CDRs
If a subscriber is created and replicated from an active CSG2 R3.0 to a standby CSG2 R3.5, the
RADIUS AVPs for that subscriber might not be included in its CDRs.
• CSCtf00838—The aaa group server diameter command causes the configuration to not propagate to TPs
If you add the aaa group server diameter command to an existing large CSG2 configuration, the
configuration might not propagate to the TPs after a reboot.
• CSCtf11077—CSG2 crashing after snmpwalk -v2c -c private ip 1.3.6.1.4.1.9 command
If the snmpwalk -v2c -c private ip 1.3.6.1.4.1.9 command is executed on the
CISCO-IF-EXTENSION-MIB, or on tables in the MIB, the CSG2 might crash with the following
debug log:
11:05:19 UTC Fri Feb 19 2010: Unexpected exception to CPU: vector 1400, PC = 0x45414000, LR = 0x441AFD80
-Traceback= 0x45414000z 0x441AFD80z 0x441B04A0z 0x4542E428z 0x4485CACCz 0x4542F348z 0x44879E14z 0x44879FA0z 0x44F50DE8z 0x44F5630Cz 0x44F44444z 0x44F73454z 0x452B13A4z 0x452B4A84z
• CSCtf31387—SNMP query resulting in tracebacks
While performing SNMP queries, the following tracebacks might be logged:
AMI 8/3: Feb 26 22:07:22.299: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x440E6450z reading 0x0
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-TRACE: -Traceback= 0x440E6450z 0x4418DEE0z 0x4418E4ACz 0x44F50E98z 0x44F563BCz 0x44F444F4z 0x44F73504z 0x452B1464z
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-TRACE: -Traceback= 0x440E77ECz 0x4418DEF8z 0x4418E4ACz 0x44F50E98z 0x44F563BCz 0x44F444F4z 0x44F73504z 0x452B1464z
• CSCtf36840—Buffer overrun during attribute parsing of SIP packet
The CSG2 might crash when parsing SIP headers longer than 256 characters.
• CSCtf51779—CSG2 fails to bring content in service due to REGEX error
The CSG2 might fail to bring a content in service due to the following REGEX error:
REGEX: regexp length <n>, bigger than allowed maximum length 128
• CSCtf55741—The CSG2 might not return recently-granted quota in a quota return
After an upgrade to CSG2 Release 3.5, the CSG2 might use more quota than is allowed.
• CSCtg00838—CSG2 reload at rgx_is_epsilon
While parsing an HTTP header, the Cisco SAMI might reload.
• CSCtg01115—L4Flow “NetworkInit” flag not set correctly in intermediate UDP stat CDR
For a network-initiated UDP flow that is part of an RTSP session, the L4Flow “Network Initiated”
flag is set correctly in the final “UDP Stats” CDR, but not in any “Intermediate UDP Stats” CDRs.
In the “Intermediate UDP Stats” CDR, the flag is always set to zero, even if the flow is
network-initiated.
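A triage helper for the %ALIGN-3-SPURIOUS and %ALIGN-3-TRACE messages quoted under CSCte81938 and CSCtf31387, added here as an illustration and not taken from Cisco documentation or software. It rejoins wrapped syslog lines, attaches each traceback to the spurious access that precedes it on the same SAMI unit, and groups the results by faulting address; the function names are hypothetical and the sample input is constructed from the messages quoted in those two caveats.

```python
import re
from collections import defaultdict

# Constructed sample: the messages quoted under CSCte81938 and CSCtf31387,
# line-wrapped as in the release notes (header written "SAMI" throughout).
SAMPLE = """\
SAMI 7/5: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x4512C1C8
reading 0x3C
SAMI 7/5: %ALIGN-3-TRACE: -Traceback= 0x4512C1C8 0x4512DC4C 0x4512F540
0x450E5700 0x450E60BC 0x44514F04 0x44515110 0x44F95098
SAMI 8/3: Feb 26 22:07:22.299: %LINK-3-UPDOWN: Interface GigabitEthernet0/0,
changed state to up
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-SPURIOUS: Spurious memory access made
at 0x440E6450z reading 0x0
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-TRACE: -Traceback= 0x440E6450z
0x4418DEE0z 0x4418E4ACz 0x44F50E98z 0x44F563BCz 0x44F444F4z 0x44F73504z
0x452B1464z
SAMI 8/3: Feb 26 22:37:57.415: %ALIGN-3-TRACE: -Traceback= 0x440E77ECz
0x4418DEF8z 0x4418E4ACz 0x44F50E98z 0x44F563BCz 0x44F444F4z 0x44F73504z
0x452B1464z
"""

# "SAMI <unit>: [timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text"
HEAD = re.compile(
    r"^SAMI (?P<unit>\d+/\d+): (?:(?P<ts>\w{3} +\d+ [\d:.]+): )?"
    r"%(?P<tag>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$"
)
# Addresses may carry a trailing 'z', as in the CSCtf31387 output.
ADDR = re.compile(r"0x([0-9A-Fa-f]+)z?")


def unwrap(text):
    """Rejoin continuation lines onto the message header that precedes them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEAD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_align_events(text):
    """One dict per %ALIGN-3-SPURIOUS, with the tracebacks logged after it."""
    events, latest = [], {}  # latest: unit -> most recent event on that unit
    for record in unwrap(text):
        m = HEAD.match(record)
        if not m or not m["tag"].startswith("ALIGN-3-"):
            continue  # other facilities (e.g. LINK-3-UPDOWN) are ignored
        addrs = [int(a, 16) for a in ADDR.findall(m["text"])]
        if m["tag"] == "ALIGN-3-SPURIOUS" and len(addrs) == 2:
            event = {"unit": m["unit"], "time": m["ts"], "pc": addrs[0],
                     "read": addrs[1], "tracebacks": []}
            events.append(event)
            latest[m["unit"]] = event
        elif m["tag"] == "ALIGN-3-TRACE" and m["unit"] in latest:
            latest[m["unit"]]["tracebacks"].append(addrs)
    return events


def summarize(events):
    """Group events by faulting address so repeats collapse into one entry."""
    groups = defaultdict(lambda: {"count": 0, "units": set(), "callers": set()})
    for event in events:
        group = groups[event["pc"]]
        group["count"] += 1
        group["units"].add(event["unit"])
        for frames in event["tracebacks"]:
            group["callers"].add(tuple(frames[1:]))  # call chain below frame 0
    return dict(groups)
```

Traceback addresses depend on the software image, so the grouped output is useful for spotting repeats and for quoting in a service request, not for matching a caveat by address alone.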
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(24)MD1.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD1 - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD1:
• CSCsz42882—File systems not cleaned up when iSCSI link goes down
With iSCSI link flaps, stale file systems remain in the system. Once the stale file descriptors reach
the maximum supported limit, new file systems cannot be created and the iSCSI link fails to come
up.
• CSCte71467—GGSN crashes when connecting to iSCSI target
When connecting to a Linux target, the iSCSI session fails to come up and the GGSN crashes.
• CSCtf16844—An unexpected exception occurs at the iscsi_handle_write_event when unconfiguring iSCSI
When an iSCSI session is in the Failed state and you try to unconfigure the target, a fatal error might
occur.
• CSCtb83004—Input queue drops increment every 7-10 seconds on G0/0 with minimal traffic
When Layer 2 packets reach the home agents, the input queue drops counter in the
show interface GigabitEthernet 0/0 command output increments with minimal traffic.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD1:
• CSCsy09250
Crafted Skinny Client Control Protocol (SCCP) messages may cause a Cisco IOS device that is
configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to
reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates
this vulnerability is available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sccp.shtml.
• CSCsz45567
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is
vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label
Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or
Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software,
such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
• CSCsz48614
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
• CSCsz48680
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS
Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device
when SIP operation is enabled. Remote code execution may also be possible.
Cisco has released free software updates that address these vulnerabilities. For devices that must run
SIP there are no workarounds; however, mitigations are available to limit exposure of the
vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.
• CSCsz49741
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
• CSCsz75186
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote
unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be
triggered by a TCP segment containing crafted TCP options that is received during the TCP session
establishment phase. In addition to specific, crafted TCP options, the device must have a special
configuration to be affected by this vulnerability.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-tcp.shtml.
• CSCsz89904
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS
Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device
when SIP operation is enabled. Remote code execution may also be possible.
Cisco has released free software updates that address these vulnerabilities. For devices that must run
SIP there are no workarounds; however, mitigations are available to limit exposure of the
vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.
• CSCta19962
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be
exploited remotely to cause a denial of service (DoS) condition on a device that is running a
vulnerable version of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
• CSCtb93855
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be
exploited remotely to cause a denial of service (DoS) condition on a device that is running a
vulnerable version of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
Caveats for Cisco IOS Release 12.4(24)MD
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(24)MD.
• CSG2 Software for Cisco IOS Release 12.4(24)MD - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(24)MD - Open Caveats
• There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD.
CSG2 Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(24)MD:
• CSCta44366—iSCSI connection not getting initiated from CSG2
If the CSG2 is rebooted and the configuration does not begin with any of the ip csg commands, then
after the reboot the iSCSI connection from the CSG2 is not initiated, even if the ip csg iscsi profile
command is configured.
• CSCtb04085—CSG 2 traceback - Bad refcount
The CSG2 might generate the following error message when it tries to send an HTTP redirect
packet:
%SYS-2-BADSHARE: Bad refcount <function name>
• CSCtb70452—CSG2: Continue TLV correlator might not be unique
If the CSG2 generates a Continue CDR because the data does not fit in a single IP packet, and the
correlator value in the Continue TLV is not unique for the CSG2, the BMA or quota server might
associate data from the Continue CDR with an incorrect BMA or quota server record.
• CSCtc76186—TCP sessions not closed to the server side
When two TCP peers close a session, RFC 793 provides that each peer must send its own FIN/ACK
and then ACK the peer’s FIN/ACK. However, the CSG2 closes the session before the final
exchanges of ACKs:
– Instead of forwarding the last ACK from the client to the server, the CSG2 sends an RST to the
client.
– Instead of forwarding the last ACK from the server to the client, the CSG2 discards it.
If that continues for a while, the server side might run out of sockets.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(24)MD.
Cisco SAMI Software for Cisco IOS Release 12.4(24)MD - Closed Caveats
The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2
software for Cisco IOS Release 12.4(24)MD:
• CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
Documentation and Technical Assistance
This section contains the following information:
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Related Documentation
Use these release notes with these documents:
• CSG2 Documentation
• Release-Specific Documents
• Platform-Specific Documents
• Cisco IOS Software Documentation Set
CSG2 Documentation
For more detailed installation and configuration information, see the following publication:
• Cisco Content Services Gateway - 2nd Generation Release 4 Installation and Configuration Guide
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.4 and are located at Cisco.com:
• Cisco IOS Release 12.4 Mainline Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Release Notes
• Cisco IOS Release 12.4 T Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 T > Release Notes
Note: If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for
any release. You can reach Bug Navigator II on Cisco.com at http://www.cisco.com/support/bugtools.
• Product bulletins, field notices, and other release-specific documents on Cisco.com at:
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline
Platform-Specific Documents
These documents are available for the Cisco 7600 series router platform on Cisco.com and the
Documentation CD-ROM:
• Cisco Service and Application Module for IP User Guide
• Diameter Credit Control Application feature guide
• Cisco 7600 series routers documentation:
– Cisco 7600 Series Cisco IOS Software Configuration Guide
– Cisco 7600 Series Cisco IOS Command Reference
– Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS
command references, and several other supporting documents that are shipped with your order in
electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a
corresponding command reference guide. Chapters in a configuration guide describe protocols,
configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration
examples. Chapters in a command reference guide list command syntax information. Use each
configuration guide with its corresponding command reference. The Cisco IOS documentation modules
are available on Cisco.com at:
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References > Configuration Guides
Note: To view a list of MIBs supported by Cisco, by product, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Copyright © 2013 Cisco Systems, Inc. All rights reserved.