
Release Notes for Cisco
Content Services Gateway 2nd Generation Release 2.0
Cisco IOS Release 12.4(15)MD5
Revised: February 23, 2012
Current Release—12.4(15)MD5
This publication describes the requirements, dependencies, and caveats for the Cisco Content Services
Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2. These
release notes are updated for every maintenance release.
Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4, located on
Cisco.com.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most
serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only
select severity 3 caveats are included in the caveats document.
All caveats in Cisco IOS Release 12.4 and Cisco IOS Release 12.4 T are also in Cisco IOS Release
12.4(15)MD5.
• For a list of the software caveats that affect the CSG2 or SAMI software for Cisco IOS Release
12.4(15)MD5, see the “Caveats for Cisco IOS Release 12.4(15)MD4” section on page 14.
• For information on caveats in Cisco IOS Release 12.4, see Caveats for Cisco IOS Release 12.4,
located on Cisco.com.
• For information on caveats in Cisco IOS Release 12.4 T, see Caveats for Cisco IOS Release 12.4T,
located on Cisco.com and the Documentation CD-ROM.
Using the Bug Navigator II
If you have an account with Cisco.com, you can use Bug Navigator II to find the most current list of
caveats of any severity for any software release. To reach Bug Navigator II, log in to Cisco.com and click
Software Center: Cisco IOS Software: Cisco Bugtool Navigator II.
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
This publication includes the following information:
• Introduction
• Features
• System Requirements
• Prerequisites and Restrictions
• Caveats for Cisco IOS Release 12.4(15)MD5
– CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
– Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(15)MD4
– CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
– Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(15)MD3
– CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(15)MD2
– CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
– Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(15)MD1
– CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
– Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(15)MD
– CSG2 Software for Cisco IOS Release 12.4(15)MD - Open Caveats
– CSG2 Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Open Caveats
– Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
• Documentation and Technical Assistance
OL-15492-01
Introduction
The CSG2 is an application that runs on the Cisco Service and Application Module for IP (Cisco SAMI),
a high-speed processing module. The CSG2 provides content-aware billing, service control, traffic
analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software
required by mobile wireless operating companies and other billing, applications, and service customers.
The CSG2 runs on the Cisco SAMI, a new-generation high performance service module for the
Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet
service provider (ISP) point of presence (POP), or Regional Data Center.
Features
This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full
descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation
Installation and Configuration Guide, Cisco IOS Release 12.4(15)MD.
To see the software part numbers associated with each CSG2 release; the Supervisor hardware required
by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release;
and the minimum IOS level supported by each CSG2 release, see the “Software Requirements” section
on page 5.
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD5
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD4
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD3
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD2
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD1
• CSG2 Features Supported for Cisco IOS Release 12.4(15)MD
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD5
The CSG2 software for Cisco IOS Release 12.4(15)MD5 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(15)MD3” section on page 4. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD4
The CSG2 software for Cisco IOS Release 12.4(15)MD4 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(15)MD3” section on page 4. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD3
The CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(15)MD” section on page 4.
In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the following new
features:
• Policy Matching for HTTP Downgrade
For more information, see Closed caveat CSCsq12202.
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD2
The CSG2 software for Cisco IOS Release 12.4(15)MD2 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(15)MD” section on page 4. There are no new features in
this release.
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD1
The CSG2 software for Cisco IOS Release 12.4(15)MD1 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(15)MD” section on page 4. There are no new features in
this release.
CSG2 Features Supported for Cisco IOS Release 12.4(15)MD
The CSG2 Release 2.0 software for Cisco IOS Release 12.4(15)MD supports the entire feature set for
the CSG2 Release 1.0 software for Cisco IOS Release 12.4(11)MD5.
In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD supports the following new features:
• RADIUS monitor
• Layer 7 inspection for FTP
• Layer 4 redundancy for FTP and RTSP
• Layer 7 inspection for SIP
• Roaming Service Control (also known as seamless roaming or RADIUS reauthorization)
• Use of SAN via iSCSI for CDR backup
• Larger CSG2 User Table: Up to 1,250,000 entries for the 2GB-Cisco SAMI option
• Customizable CSG2 User Table entry deletion rate
• Performance enhancements
• Secure Shell (SSH) for remote maintenance
• CISCO-PSD-CLIENT-MIB
• New platform support
– Cisco 7600 Series Supervisor Engine 32, with a Multilayer Switch Feature Card, running Cisco
IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later
– Cisco Route Switch Processor 720 with Distributed Forwarding Card DFC3CXL, running Cisco
IOS Release 12.2(33)SRC or later
System Requirements
This section describes the following memory and software requirements for CSG2:
• Memory Requirements
• Hardware Supported
• Software Requirements
• Determining the Software Version
For hardware requirements, such as power supply and environmental requirements, as well as hardware
installation instructions, see the Service and Application Module for IP User Guide.
Memory Requirements
The CSG2 memory is not configurable.
The Cisco SAMI is available with a default 1 GB memory or an optional 2-GB memory.
Hardware Supported
Use of the CSG2 requires one of the following supervisor engines, and a module with ports to connect
server and client networks:
• Supervisor Engine 720 with an MSFC3-BXL (SUP720-MSFC3-BXL) running Cisco IOS Release
12.2(33)SRB1 or later.
• Cisco 7600 Series Supervisor Engine 32, with a Multilayer Switch Feature Card, running Cisco IOS
Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later
• Cisco Route Switch Processor 720 with Distributed Forwarding Card DFC3CXL, running Cisco IOS
Release 12.2(33)SRC or later
Software Requirements
This section includes the following information:
• Cisco SAMI Module Part Numbers
• CSG2 Software License Part Numbers
• CSG2 Software Upgrade License Part Numbers
• Supported Hardware and Software for the CSG2
When referring to this section, keep the following considerations in mind:
• Do not use the Supervisor Hardware Supported column to infer supervisor hardware support.
Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired
supervisor hardware.
• Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level
Supported.
Cisco SAMI Module Part Numbers
The following table lists the Cisco SAMI module part numbers and associated information for each
CSG2 release:
CSG2 Release: 12.4(15)MD5, 12.4(15)MD4, 12.4(15)MD3, 12.4(15)MD2, 12.4(15)MD1, 12.4(15)MD
Cisco SAMI Module Part Numbers: WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB

Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported
SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1
SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC
RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC
CSG2 Software License Part Numbers
The following table lists the CSG2 software license part numbers and associated information for each
CSG2 release:
CSG2 Release: 12.4(15)MD5, 12.4(15)MD4, 12.4(15)MD3, 12.4(15)MD2, 12.4(15)MD1, 12.4(15)MD
CSG2 Software Part Numbers: SSAC20K9-12415MD, SSAC20K9-12415MD=

Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported
SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1
SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC
RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC
CSG2 Software Subscriber License Part Numbers
The following table lists the CSG2 software subscriber license part numbers and associated information
for each CSG2 release:
CSG2 Release: 12.4(15)MD5, 12.4(15)MD4, 12.4(15)MD3, 12.4(15)MD2, 12.4(15)MD1, 12.4(15)MD
CSG2 Software Part Numbers: FL-SC-10K-SUB, FL-SC-100K-SUB

Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported
SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1
SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC
RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC
CSG2 Software Upgrade License Part Numbers
The following table lists the CSG2 software upgrade license part numbers and associated information
for each CSG2 release:
CSG2 Release: 12.4(15)MD5, 12.4(15)MD4, 12.4(15)MD3, 12.4(15)MD2, 12.4(15)MD1, 12.4(15)MD
CSG2 Software Upgrade Part Numbers: FL-SC-R1R2-UP

Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported
SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1
SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC
RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC
Supported Hardware and Software for the CSG2
The following table lists the supported hardware and software for the CSG2:
Table 1  Supported Hardware and Software for the CSG2

Product Number | Product Description | Minimum Software Version | Recommended Software Version | Supervisor Software Cisco IOS Release
CSG2
WS-SVC-SAMI-BB-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
WS-SVC-SAMI-BB-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
MEM-SAMI-6P-1GB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
MEM-SAMI-6P-2GB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
WS-SVC-SAMI-BB-K9 with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
WS-SVC-SAMI-BB-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
MEM-SAMI-6P-1GB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
MEM-SAMI-6P-2GB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
WS-SVC-SAMI-BB-K9 with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
WS-SVC-SAMI-BB-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
MEM-SAMI-6P-1GB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
MEM-SAMI-6P-2GB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | Cisco SAMI Module | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SSAC20K9-12415MD with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
SSAC20K9-12415MD= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
SC-SVC-CSG2-P1-K9 with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SC-SVC-CSG2-P1-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SC-SVC-CSG2-P1-K9 with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SC-SVC-CSG2-P1-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
FL-SC-10K-SUB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
FL-SC-100K-SUB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
FL-SC-10K-SUB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
FL-SC-100K-SUB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
FL-SC-10K-SUB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
FL-SC-100K-SUB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SAMI-CSG2-R2AS-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software and Cisco SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRB1
SAMI-CSG2-R2AS-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software and Cisco SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
SAMI-CSG2-R2AS-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software and Cisco SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD4 | 12.2(33)SRC
Console Cable
72-876-01 | Console Cable | Not applicable | Not applicable | Not applicable
Accessory Kit
800-05097-01 | Accessory kit (contains the Console Cable) | Not applicable | Not applicable | Not applicable
Determining the Software Version
To determine the version of Cisco IOS software that is currently running on your Cisco network device,
log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.
To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in
privileged EXEC mode.
To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and
enter the show tech-support command in privileged EXEC mode.
Prerequisites and Restrictions
For the latest prerequisites and restrictions for the CSG2, see the “Overview” chapter of the Cisco
Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide, Cisco
IOS Release 12.4(15)MD.
Caveats for Cisco IOS Release 12.4(15)MD5
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD5.
• CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD5:
• CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
• CSCsr88505—CSG2 - Policy priority values greater than 511 should not be permitted
The CSG2 allows the configuration of priority values up to 65535 for policies within content rules.
However, the underlying code only allows values up to 511. Configuring a priority higher than 511
results in the content rule matching only the default policy.
Workaround: Ensure that all priority values are set to 511 or lower.
• CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
• CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
• CSCsy57924—CSG2: Memory leak when removing RADIUS VSA configuration
If a large number of reporting RADIUS VSA subattributes are configured or unconfigured for the
CSG2, a large number of messages like the following is generated:
0x4518DEAC 0000000272 0000000001 0000000272 CSG RADIUS VSA
Workaround: None.
• CSCsz21796—Bad refcount possible on error from ssvc
If the CSG2 tries to send an HTTP redirect packet to a subscriber, the following error message might
be generated:
%SYS-2-BADSHARE: Bad refcount function-name
Workaround: None.
• CSCta70187—Content inactive until recreated; cannot bring content WAP-WAP2 inservice
If a change is made on the standby CSG2, and a content is taken out of service, the CSG2 might not
be able to bring the content back inservice. The following error message is generated:
% Cannot bring content <*> inservice, content out of service in progress
Workaround: Remove and reapply the entire context configuration.
• CSCta97199—Unexpected repetitions of service reauthorizations
When performing RADIUS reauthorization and time-based billing, the CSG2 might repeat.
Workaround: Enable the quota server to grant more than the remaining quota.
• CSCtb37275—Stale virtual teletype session
Under certain conditions, a stale VTY could be created in the CSG2.
Workaround: None.
• CSCtb71637—%CSG-3-KUT_CLEANUP_ERROR on CSG2
The CSG2 might generate continual error messages:
SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR:
OPENMOBILEWEB, ip= 10.227.179.191, uid= 61425166227, (1/48/2822/9217),
-Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8
0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558
0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x45081C10
SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR:
OPENMOBILEWEB, ip= 10.228.102.132, uid= 61425170578, (1/48/2054/9217),
-Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8
0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558
0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x44E6AEC4
Workaround: None.
• CSCtf55741—CSG2 might not return recently-granted quota in a quota return
A prepaid charging gateway might report that the CSG2 is using more quota than is allowed.
Workaround: None.
• CSCtg01115—L4Flow “Network Initiated” flag not set correctly in intermediate UDP stat CDR
For a network-initiated UDP flow that is part of an RTSP session, the L4Flow “Network Initiated”
flag is set correctly in the final “UDP Stats” CDR, but not in any “Intermediate UDP Stats” CDRs.
In the “Intermediate UDP Stats” CDR, the flag is always set to zero, even if the flow is
network-initiated.
Workaround: None.
• CSCtg70982—The secret RADIUS key specified with the ip csg radius endpoint command
changes after each write memory operation
The secret RADIUS key for the endpoint that is displayed in the show run output changes as write
memory operations are performed.
Workaround: None.
• CSCtg90246—The PoD IP address is not assigned if the sticky user was created before the gateway
sends the RADIUS Accounting Start message
If a user is created as a sticky user before the gateway sends the RADIUS Accounting Start message,
the CSG2 fails to send the PoD or CoA for the user.
Workaround: None.
• CSCth09467—CSG2: The Accounting session ID is not used for RADIUS correlation
The accounting session ID is not used for RADIUS correlation to stop the user. The output of the
show user command does not show the user's Correlator attribute. The CP leaks fastblk memory
allocated for the RADIUS Correlator attribute.
For this problem to occur, all of the following conditions must be met:
– The ip csg radius correlation command must be configured.
– The RADIUS Accounting Start message must have Cisco VSA subattributes, but not
“user_session_correlator=”, so that the Acct-Session-Id (RADIUS attribute 44) is used for
correlation.
Workaround: Ensure that the gateway includes the “user_session_correlator=” Cisco VSA
attributes.
• CSCth23631—FTP CDR Error: NewLine character in UserName, FileString and FTPCommand
TLVs
The CDRs for Layer 7 FTP parsing include a NewLine character (0d 0a) after UserName, FileString,
and FTPCommand TLVs.
Workaround: None.
• CSCty02688—CSG2: Improper session synchronization during upgrade
When performing an in-service upgrade and synchronizing sessions from the active CSG2
Release 4, or any earlier release, to the standby CSG2 Release 5, or any later release, the
synchronization might not complete correctly. The standby CSG2 is synchronized with an
unexpectedly huge number of IP bytes uploaded and downloaded for all sessions. When the standby
CSG2 becomes active, it reports this huge number of uploaded and downloaded IP bytes to the
BMA, causing all sessions to be overcharged.
Workaround: Do not perform an in-service upgrade from CSG2 Release 4, or any earlier release,
to CSG2 Release 5, or any later release.
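The following check is an added example, not part of the Cisco release notes: it scans a saved running configuration for the open caveats above whose trigger is visible in the configuration (CSCsr88505, CSCsx72588, CSCsy57824, CSCth09467). The `policy <name> priority <n>` line format and the sample configuration are assumptions constructed for illustration; the other command strings are taken from the caveat text.

```python
import re

# CSCsr88505: the CLI accepts priorities up to 65535, but only values up to 511 work.
MAX_POLICY_PRIORITY = 511

# Assumed line format for a policy reference inside a content rule
# (an assumption for this example, not taken from the release notes).
POLICY_PRIORITY_RE = re.compile(r"^\s*policy\s+(\S+)\s+priority\s+(\d+)\s*$")
# Anchored at column 0 so that only a global configuration line matches.
USER_IDLE_RE = re.compile(r"^ip csg entries user idle\b(.*)$")

# Constructed sample configuration; block names and layout are illustrative only.
SAMPLE_CONFIG = """\
ip csg entries user idle 3600
ip csg radius correlation
!
ip csg content WAP-BROWSE
 policy P-LOW priority 100
 policy P-HIGH priority 600
 inservice
!
ip csg service BROWSING
 meter exclude mms wap
"""


def audit_csg2_config(config_text):
    """Return sorted (line_number, caveat_id, message) findings for a CSG2 config."""
    findings = []
    global_pod = False
    idle_line = 0  # line of a global idle command lacking "pod"; 0 if none exists

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue  # skip blank lines and "!" separators

        match = POLICY_PRIORITY_RE.match(line)
        if match and int(match.group(2)) > MAX_POLICY_PRIORITY:
            findings.append((lineno, "CSCsr88505",
                             "policy %s priority %s exceeds 511; the content rule "
                             "will match only the default policy"
                             % (match.group(1), match.group(2))))

        if stripped == "meter exclude mms wap":
            findings.append((lineno, "CSCsy57824",
                             "meter exclude mms wap is configured; WAP 1.x AoC "
                             "URL redirect fails if AoC is enabled on the service"))

        if stripped.startswith("ip csg radius correlation"):
            findings.append((lineno, "CSCth09467",
                             "RADIUS correlation is configured; Acct-Session-Id is "
                             "not used unless user_session_correlator= is sent"))

        match = USER_IDLE_RE.match(line)
        if match:
            if "pod" in match.group(1).split():
                global_pod = True
            else:
                idle_line = lineno

    if not global_pod:
        findings.append((idle_line, "CSCsx72588",
                         "no global 'ip csg entries user idle ... pod'; PoD does "
                         "not work at the billing plan level"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, caveat, message in audit_csg2_config(SAMPLE_CONFIG):
        print("line %d: %s: %s" % (lineno, caveat, message))
```

A finding with line number 0 means the global idle command is absent altogether; the CSCsx72588 finding matters only where PoD is in use.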
CSG2 Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD5:
• CSCsh25384—CP crash in csg_gtp_queue_and_send when running simple_redund
If a failover occurs and the no ip csg bma or no ip csg quota-server command is issued, the CSG2
might crash.
• CSCtf51779—CSG2 fails to bring content in service due to REGEX error
The CSG2 might fail to bring a content in service due to the following REGEX error:
REGEX: regexp length <n>, bigger than allowed maximum length 128
• CSCti35812—Reload triggered when parsing POP3 packet
When the CSG2 is performing Layer 7 parsing of POP3 or SMTP e-mail traffic, and an e-mail packet
is received with a crafted, malformed header, a watchdog might trigger a reload of the CSG2.
• CSCtj04285—Slow clearing of the quota server queues in the CSG2
During high traffic conditions the CSG2 clears the quota server queue too slowly.
• CSCtj73069—CSG2: Usage statistics are not replicated to redundant side during failover
The session usage statistics are not replicated to the standby CSG2.
• CSCtj99945—CSG2: Improper quota server load balancing
The assignment of user entries to quota servers for load-balancing might be askew. For example, if
100 user entries were created with two active quota servers configured, the expected behavior is that
each quota server would be assigned about 50 user entries. However, the number of user entries
assigned to each quota server might actually be asymmetric and inconsistent.
• CSCtk13449—Simultaneous crashes on active/standby at dllobj_lite_add
A simultaneous reset might occur of two CSG2s operating in redundant mode.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD5:
• CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage
The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.
For this problem to occur, all of the following conditions must be met:
– The session timeout must be set to 50 seconds or greater.
– The interface that the CSG2 uses to communicate with the iSCSI target must be down.
Workaround: Enter the following commands to enable the CSG2 to detect the failure after the
session times out.
ip tcp mss 1460
ip tcp path-mtu-discovery
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD5 - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD5:
• CSCsz42882—File systems not cleaned up when iSCSI link goes down
With iSCSI link flaps, stale file systems remain in the system. Once the stale file descriptors reach
the maximum supported limit, new file systems cannot be created and the iSCSI link fails to come
up.
• CSCta44366—iSCSI connection not getting initiated from the CSG2
If the CSG2 is rebooted, and none of the configuration starts with ip csg, entering the ip csg iscsi
profile command after the reboot does not initiate an iSCSI connection.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD5:
• CSCtd10712
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of
service (DoS) vulnerabilities in the translation of the following protocols:
– NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
– Session Initiation Protocol (Multiple vulnerabilities)
– H.323 protocol
All the vulnerabilities described in this document are caused by packets in transit on the affected
devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.
Caveats for Cisco IOS Release 12.4(15)MD4
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD4.
• CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD4.
• CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
• CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
• CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD4.
•
CSCta46295—Image crashes when performing a ROLLBACK between two running configurations
If you attempt a ROLLBACK with a saved running configuration, using the config replace
(disk):(file) command on the CP, the CSG2 might crash.
•
CSCtb70452—CSG2: Continuation TLV correlator might not be unique
If the data for a record does not fit in a single IP packet, the BMA or quota server might associate
data from a Continue CDR with an incorrect BMA or quota server record. This can occur because
the CSG2 generates a correlator value in the Continue TLV that might not be unique per CSG2.
•
CSCtc21701—Stale VTY session issue
Under certain conditions, a stale VTY could be created in the CSG2 which can be detected using the
output of the show ip csg users command.
•
CSCtc76186—TCP sessions not closed to the server side
When both of the TCP peers decide to close a session, each peer must send its own FIN/ACK and
then also ACK the FIN/ACK of the peer. The CSG2 appears to close the session before the last ACK
exchange:
– Instead of forwarding the last ACK from the client to the server, it sends an RST to the client.
– Instead of forwarding the last ACK from the server to the client, it silently discards the last
ACK.
After a while, the server side might run out of sockets.
•
CSCtd32600—RADIUS Accounting Start dropped
When the CSG2 is configured as a RADIUS proxy, it might not forward some RADIUS Accounting
Start packets from the GGSN to the RADIUS server. The CSG2 drops the sessions due to a lack of
response from the RADIUS server.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(15)MD4.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD4 - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD4.
•
CSCsy65876—The show tech output is empty when debug information is written by the Cisco
SAMI
Some debug information, such as the output from show tech and show sami config-mode
commands, is missing from the debug information files in some or all of the PPCs of the Cisco SAMI
that are generated prior to a reload, following a critical error.
This problem can occur when there is no active physical console connected to the PPC.
•
CSCsz86656—The Cisco SAMI is not setting the DBUS Trust bit to 1
The Cisco SAMI is not setting the DBUS trust bit to 1, which in turn causes the 7600 to re-mark the
DSCP of the packets.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD4:
•
CSCsy09250
Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is
configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to
reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates
this vulnerability is available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sccp.shtml.
•
CSCsz45567
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is
vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label
Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or
Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software,
such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
•
CSCsz48614
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
•
CSCsz49741
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
•
CSCsz75186
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote
unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be
triggered by a TCP segment containing crafted TCP options that is received during the TCP session
establishment phase. In addition to specific, crafted TCP options, the device must have a special
configuration to be affected by this vulnerability.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-tcp.shtml.
•
CSCta19962
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version
of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
•
CSCtb93855
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version
of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
Caveats for Cisco IOS Release 12.4(15)MD3
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD3.
•
CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD3.
•
CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
•
CSCta46295—Image crashes when performing a ROLLBACK between two running configurations
If you attempt a ROLLBACK with a saved running configuration, using the config replace
(disk):(file) command on the CP, the CSG2 might crash.
Workaround: None.
CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD3.
•
CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent
The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the
Service-Start timestamp.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
•
CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured
When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is
configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all
remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.
To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match
the current transaction to the catchall policy in the content, if there is one configured. If no catchall
policy is configured, then the CSG2 should use the block configuration in the content to determine
whether to forward or block the traffic.
•
CSCsv83744—Failure to complete cold-bulk results in HA stall
If a spanning tree loop occurs in an HA network, a standby CSG2 might become stuck in
COLD-BULK state for several hours.
•
CSCsv95317—R3: Possible configuration failure when using more than one console
If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2
(for example, using one VTY to enter show commands and another to enter configuration
commands), one of the VTYs might hang and the CSG2 will not allow further configuration
commands. The CSG2 issues the following message:
Config failed, CSG being configured by line
You must reboot the CSG2 before continuing.
•
CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when a Quota
Push Request is received
The CSG2 might crash when the debug ip csg qs detail command is configured and a nonstandard
Quota Push Request message is received.
•
CSCsx33049—Service Reauthorization Request (SRAR) sent as first request
If the ip csg quota-server retransmit command is set to 5 or lower, and a quota server fails over,
the CSG2 might send a Service Reauthorization Request (SRAR) before sending a Service
Authorization Request.
•
CSCsy41471—Speedup recovery of RADIUS packet drop due to buffer depletion
If the CSG2 depleted the RADIUS attribute pool while processing a large number of RADIUS
requests at a very high rate, it might fail to proxy RADIUS requests to the RADIUS server, while
the “radius attribute” and “radius deny” counters continue to increase.
•
CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading
If the CSG2 is configured for RADIUS endpoint or RADIUS proxy, and the debug ip csg radius
command is entered, the CSG2 might reload.
•
CSCsy73456—The CSG2 might crash after Stack for process CSG BGCFG running low
The CSG2 might crash with the following messages in the crash information file:
SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG
BGCFG running low, 0/24000
%Software-forced reload
13:58:30 ISR Wed Mar 25 2009: Unexpected exception to CPU: vector 1500, PC =
0x4504A33C, LR = 0x4504A298
-Traceback= 0x4504A33C 0x4504A298 0x4504F6B4 0x4504F844 0x44E40654
0x450A0FCC 0x4504C384 0x4504FA64
For this problem to occur, all of the following conditions must be met:
– A large map must be configured.
– The map must contain many match statements, wildcards, and Boolean operators.
– The map must be changed and the content put back in service.
•
CSCsy85405—Crash in HTTP code when the records delay command is configured
The CSG2 might reload under certain conditions.
For this problem to occur, all of the following conditions must be met:
– The data flow must match a CSG content configured with policies that require HTTP deep
packet inspection (accounting type http).
– The user must be a prepaid user.
– The records delay command must be configured under the HTTP content.
– A retransmitted pipelined request or response packet must result in temporary quota exhaustion
and a subsequent service reauthorization request to the quota server.
– The transaction must close before the response is received from the quota server.
•
CSCsy93255—CSG2 traceback when clearing user entries
Under certain RTSP load and stress conditions, some entries remain in the CSG2 User Table. Trying
to clear this state results in a traceback.
•
CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service
For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate
multiple reauthorization requests within a few seconds.
•
CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the
active CSG2
In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of
the subscribers that are present in the active CSG2 User Table.
This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message
from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before
completing processing of the RADIUS Accounting On or Off message.
This problem can also occur if the clear ip csg user command is entered.
•
CSCsz69398—Memory leak - Leakage of RADIUS attributes
The CSG2 might encounter a memory leakage that results in a malloc failure of RADIUS attributes
and prevents the CSG2 from processing incoming RADIUS requests.
•
CSCta07579—R3.5 Traceback clearing user running WAP traffic
During Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console
when the CSG2 attempts to remove a WAP user from the User Table. The user is not removed from
the User Table.
•
CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota
If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new
transaction, a service's “reserved”, as displayed in the output of the show ip csg user all detail
command, might keep incrementing.
•
CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions
When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in
that packet are incorrect.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD3.
•
CSCsw42794—Redirecting output to the PPC bootflash takes up to 100% in the Cisco SAMI
On the Cisco SAMI, redirecting show command output for a PowerPC (PPC) onto the PPC’s
bootflash can cause 100% CPU utilization.
Workaround: None.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD3.
•
CSCsq88312—Processor hangs after issuing reload
If there are too many syslog messages to be flushed out, the Cisco software application can hang
after a reload command from the Cisco SAMI PPC.
•
CSCsv75277—SAMI_EOBC_MAC_PROCESS %SYS-3-CPUHOG: %SYS-3-CPUYLD: Task ran
for (2392)
On the Cisco SAMI, bringing up a large number of subinterfaces by executing configuration
commands in a particular order might result in tracebacks.
•
CSCsw74149—I/O memory depleted if a packet has ICMP source and destination IP addresses that
are the same as the PPC interface IP address
If a packet has an ICMP source and destination IP address that is the same as the PPC interface IP
address, the Cisco SAMI runs out of I/O memory, and the following message appears:
%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18,
alignment 32
•
CSCsw78449—A Cisco SAMI processor might crash and console might hang when removing the
iSCSI configuration
A Cisco SAMI processor might crash when removing the ISCSI configuration using the no ip iscsi
profile command.
Caveats for Cisco IOS Release 12.4(15)MD2
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD2.
•
CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
•
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD2.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD2.
•
CSCsq78574—%SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0 error in log of 1841
The CSG2 displays the following message numerous times per second in the log of an 1841:
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= “Per-minute Jobs”, ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= “Per-minute Jobs”, ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= “Per-minute Jobs”, ipl= 4, pid= 166
•
CSCsu64671—[CSG2-R2] No Service Reauthorization to quota server during MS roaming
On a Cisco CSG2 running an R2 image, service reauthorization might not be sent to the quota server
during roaming.
For this problem to occur, all of the following conditions must be met:
– The user must be a prepaid user.
– Service must be configured with basis seconds.
– RADIUS reauthorization must be configured in the CSG2.
– The CSG2 must receive a RADIUS interim accounting update with different values for the
configured RADIUS attributes.
•
CSCsv01597—R3: Special SIP INVITE causing DATA Corruption traceback
When the CSG2 performs Layer 7 SIP parsing on a packet that contains a SIP or SDP header token
that exceeds 256 bytes, a DATA CORRUPTION traceback might be displayed on the console.
•
CSCsv12836—CSG2: The Qualified Remaining Quota TLV does not carry more than 4 bytes
If duration-based billing is configured, and the remaining quota is very large (greater than
2147483647), the CSG2 might not use the upper 4 bytes of the Qualified Remaining Quota TLV.
•
CSCsv27593—CSG2 R2 - Duration-based billing shows incorrect usage value in the
SvcReAuthReq Usage TLV
If duration-based billing is configured, and there is a difference between the remaining quota and
the quota required for the current transaction, and the last billable timestamp is very large (greater
than 2147483647), the CSG might show an incorrect usage value in the SvcReAuthReq message.
•
CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly
The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its
processors with a %SYS-2-MALLOCFAIL error message.
For this problem to occur, all of the following conditions must be met:
– There must be no route to a given subscriber or server network.
– There must be no default route.
– There must be no next-hop (reverse) configured for the content.
•
CSCsv66930—CSG2 crash at csg_kut_svc_timeout
A WS-SVC-SAMI-BB-K9 service blade running a c7svcsami-csg-mz or c7svcsami-csgk9-mz
image might reload.
For this problem to occur, all of the following conditions must be met:
– A CSG2 User Table entry for a subscriber must be deleted due to a trigger such as a RADIUS
Accounting Stop message.
– The subscriber must be using a prepaid service.
– The traffic that maps to the prepaid service must be FTP or HTTP traffic parsed at Layer 7, or
any Internet Protocol (IPv4) traffic parsed at Layer 4.
•
CSCsv76023—Unable to configure multiple RADIUS monitors for the same server
If you have already configured a RADIUS monitor for a RADIUS server address, and you try to
configure another RADIUS monitor for that address but for a different port, the CSG2 might not
allow you to do so.
•
CSCsv93751—CSG2: %SYS-2-LINKED: Bad enqueue of 0 in queue
The CSG2 displays the following message in the log:
Bad enqueue of 0 in queue xxxxxx
•
CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and
passthrough is configured
Quota which could not be returned to the quota server is not credited back to the user.
For this problem to occur, all of the following conditions must be met:
– Passthrough must be configured for the service.
– The current quota must have been granted by the quota server with a quota timeout.
– The CSG2 must be unable to successfully deliver the Quota Return message to the quota server
(due to server failure).
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD2.
•
CSCsr68717—Malformed IPv6 packet causes performance degradation on Cisco SAMI
Interfaces in the Cisco SAMI might take a long time to respond to ping packets. This problem can
occur if corrupted or malformed IPv6 packets are sent to the Cisco SAMI.
Workaround: Add IPv6 ACLs to the Supervisor Engine to prevent any IPv6 packets from entering
the Cisco SAMI. When the ACLs are configured, the Cisco SAMI will no longer support GGSN
IPv6.
•
CSCsw42794—Redirecting output to the PPC bootflash takes up to 100% in the Cisco SAMI
On the Cisco SAMI, redirecting show command output for a PowerPC (PPC) onto the PPC’s
bootflash can cause 100% CPU utilization.
Workaround: None.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD2.
•
CSCso04657—SSLVPN service stops accepting any new SSLVPN connections
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections,
due to a vulnerability in the processing of new TCP connections for SSLVPN services. If debug ip
tcp transactions is enabled and this vulnerability is triggered, debug messages with connection
queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug
IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsu49204—Processor crashed while sending traffic across PDPs with iSCSI backup
If Small Computer Systems Interface over IP (iSCSI) backup is configured while the BMA is down,
and there is a large volume of data plane traffic, a processor might crash.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD2:
•
CSCsk64158—Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet
vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked
input queue on the inbound interface. Only crafted UDP packets destined for the device could result
in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the
advisory. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.
Details on how to determine whether an affected feature is enabled on a device are provided in the
“Details” section of this advisory.
•
CSCsm27071—Cisco IOS Software Multiple Features IP Sockets Vulnerability
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service
attack when any of several features of Cisco IOS software are enabled. A sequence of specially
crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
– The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the
advisory. The advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
CSCsr29468—Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
Cisco IOS software contains a vulnerability in multiple features that could allow an attacker to cause
a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP
packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
•
CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the
state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP
connection, an attacker could force the TCP connection to remain in a long-lived state, possibly
indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on
a system under attack may be consumed, preventing new TCP connections from being accepted. In
some cases, a system reboot may be necessary to recover normal system operation. To exploit these
vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable
system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that
may result in a system crash. This additional vulnerability was found as a result of testing the TCP
state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
Caveats for Cisco IOS Release 12.4(15)MD1
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD1.
•
CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
•
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
•
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD1.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD1.
• CSCso63210—CSG2 R2: Many users idling out of the CSG2 User Table degrades performance
If an idle timer is configured for the User Table, and if thousands of users idle out at the same time,
the rate at which the CSG2 can handle incoming RADIUS messages is reduced.
• CSCsq06947—CSG2: Unable to scale to 500K CSG2 User Table entries with 5 or more ip csg report radius attribute commands configured
When the CSG2 receives a higher-than-expected rate of RADIUS Accounting Starts with a large
number of RADIUS attributes from the Network Access Server (NAS), it might deny the RADIUS
requests because it cannot grow the buffer pool fast enough.
• CSCsq17440—CSG2 R2: Incorrect request type used in RTSP AoC for interleaved
During Layer 7 inspection for RTSP, the quota server receives an incorrect content authorization
request of type 0x08 (RTSP TCP). The request should be of type 0x09. The problem occurs when
the RTSP session is transporting data over the control session (interleaved).
• CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan
If you remove a configured billing plan or service using the no option (for example, no ip csg
billing), and you then configure a new billing plan or service and assign it to a new transaction, the
CSG2 might assign the wrong services to the transaction.
• CSCsq31810—The CSG2 R2 HSRP stays disabled after group change
If the standby ip command is removed from a protected interface on the standby router, then
reapplied, the reapplication fails, and output from the show standby command is empty.
For this problem to occur, one or more of the following conditions must be met:
– The interface must be associated initially with a specific standby group. It must then be removed
from that group, assigned to another group, then reassigned to the original group. For example:
    interface gigabitEthernet 0/0.10
     no standby 1 ip
     standby 5 ip 10.10.30.105
     no standby 5 ip
     standby 1 ip
– The standby version 2 command must be configured on the interface.
• CSCsq52319—CSG2 memory is depleted when HTTP and SIP are configured on the same 1 GB Cisco SAMI
If both HTTP and SIP are configured on the same 1 GB Cisco SAMI, the CSG2’s memory might be
depleted. If this occurs, the CSG2 might deny incoming RADIUS requests.
• CSCsq79149—CSG2 R2: Define New Units flag in Qualified TLVs for basis second transaction
TLVs that report units, such as the Qualified Usage TLV, might report a value of 1 (second) when
basis second transaction is configured.
• CSCsq90709—CSG2: The show ip csg user all command might not display some sticky user entries
The output from the show ip csg users all command might include some but not all of the sticky
user entries.
• CSCsr42444—The CSG2 does not allow user traffic in a VPN session in transparent mode
With a Cisco VPN client and a Cisco VPN concentrator, in a VPN session in IPSec transparent
mode, no user traffic flows. The VPN connection is established, but traffic does not flow.
• CSCsr43716—CSG2: RTSP crash due to URL fastblk memory corruption
While performing Layer 7 parsing of RTSP traffic, the CSG2 might crash if it receives a DESCRIBE
message containing a URL that exceeds 512 bytes.
• CSCsr45063—CSG2 - IMAP improperly handles token > 255 bytes
The CSG2 reloads with a crash indication.
The CSG2 might reload while performing L7 inspection of IMAP traffic if certain fields within the
flow are >256 bytes.
• CSCsr52175—Ping failure after excessive interface updates and error messages from IXP
If any combination of the following situations occurs:
– Configuring thousands of exception dump commands with different addresses
– Removing thousands of interfaces from the configuration
– Thousands of HSRP state changes from ACTIVE to STANDBY on an interface
Then the following message might appear on the console:
%PLATFORM-1-DP_HM_FAIL: Failed to receive response from Fail to send message to
IXP: Msgcode : %d
. Check ‘sami health-monitoring’ configuration and see ‘show sami health-monitoring’ for
more info
Thereafter, although the interface might be UP on the CP, pings to the interface fail. Packets can be
seen leaving the CSG2 from the interface, but data to the interface is not seen by the CP.
• CSCsr57168—ServiceStop lost during quota server failure if User Table entry deleted
If multiple quota servers are active, and the user logs off during a quota server failover, the CSG2
might fail to generate a ServiceStop message. This might result in the user session not being billed
correctly.
• CSCsr93270—Year and month incorrect in BCD timestamps
If you configure the following commands:
    records granularity service bytes 10240000 seconds 3600
    ip csg records format fixed
Then CDRs for the service might report start and stop dates with years and months in the wrong
format.
• CSCsu03235—CSG2 - Redirection on zero quota grant not working with AoC enabled
If a service is configured for Advice of Charge, the CSG2 might fail to redirect a user when zero
quota is received from the quota server in a Service Authorization Response.
• CSCsu37742—Special SIP INVITE causing CSG2 to crash
The CSG2 might crash when performing Layer 7 SIP inspection. The crash can occur while the CSG2 is
parsing an incorrectly formed SIP INVITE request (that is, a SIP INVITE request in which the SDP
portion of the message contains extra carriage return and line feed characters).
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats
There are no Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS
Release 12.4(15)MD1.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD1.
• CSCsq38262—Sup32: PPCs fail to download the configuration unless the boot string is configured in the Supervisor
The Cisco SAMI processors fail to download the configuration from the Supervisor Engine. EOBC
traffic does not work. The session from the Supervisor Engine to processors 1-8 does not work.
For this problem to occur, one or more of the following conditions must be true:
– Supervisor Engine 32 must be used in the chassis without executing the boot eobc upgrade
command.
– LCP ROMMON version 121 must have been used at some time on the Cisco SAMI.
– The Cisco SAMI must be moved from a Supervisor Engine 32 to a Supervisor Engine 720 or
Route Switch Processor 720, or vice versa.
– Booting via EOBC must be used with a different version of the Supervisor Engine.
• CSCsq47043—Standby crashes when re-configuring standby ip command
A router functioning as the standby for a Hot Standby Routing Protocol (HSRP) group might reload
when it is dissociated from that group and then re-associated with it.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD1:
• CSCsq24002
Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device
to reload by remotely sending a crafted encryption packet. Cisco has released free software updates
that address this vulnerability. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.
• CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service
(DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
• CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the
consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the
authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
Caveats for Cisco IOS Release 12.4(15)MD
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI
software for Cisco IOS Release 12.4(15)MD.
• CSG2 Software for Cisco IOS Release 12.4(15)MD - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Open Caveats
• Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(15)MD - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD.
• CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
• CSCso63210—CSG2 R2: Many users idling out of the CSG2 User Table degrades performance
If an idle timer is configured for the User Table, and if thousands of users idle out at the same time,
the rate at which the CSG2 can handle incoming RADIUS messages is reduced.
Workaround: Either do not configure an idle timer for the User Table, or do not allow so many users
to idle out of the User Table at the same time.
• CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server
In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting
Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of
the responses from the quota server.
Workaround: Do not exceed the capacity of the CSG2.
• CSCsq06947—CSG2: Unable to scale to 500K CSG2 User Table entries with 5 or more ip csg report radius attribute commands configured
When the CSG2 receives a higher-than-expected rate of RADIUS Accounting Starts with a large
number of RADIUS attributes from the Network Access Server (NAS), it might deny the RADIUS
requests because it cannot grow the buffer pool fast enough.
Workaround: None.
• CSCsq17440—CSG2 R2: Incorrect request type used in RTSP AoC for interleaved
During Layer 7 inspection for RTSP, the quota server receives an incorrect content authorization
request of type 0x08 (RTSP TCP). The request should be of type 0x09. The problem occurs when
the RTSP session is transporting data over the control session (interleaved).
Workaround: Disable the AoC feature for RTSP traffic.
• CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan
If you remove a configured billing plan or service using the no option (for example, no ip csg
billing), and you then configure a new billing plan or service and assign it to a new transaction, the
CSG2 might assign the wrong services to the transaction.
Workaround: Save the running configuration and force a reload of the CSG2.
• CSCsq31810—The CSG2 R2 HSRP stays disabled after group change
If the standby ip command is removed from a protected interface on the standby router, then
reapplied, the reapplication fails, and output from the show standby command is empty.
For this problem to occur, one or more of the following conditions must be met:
– The interface must be associated initially with a specific standby group. It must then be removed
from that group, assigned to another group, then reassigned to the original group. For example:
    interface gigabitEthernet 0/0.10
     no standby 1 ip
     standby 5 ip 10.10.30.105
     no standby 5 ip
     standby 1 ip
– The standby version 2 command must be configured on the interface.
Workaround: Save the running configuration and force a reload of the standby router.
• CSCsq52319—CSG2 memory is depleted when HTTP and SIP are configured on the same 1 GB Cisco SAMI
If both HTTP and SIP are configured on the same 1 GB Cisco SAMI, the CSG2’s memory might be
depleted. If this occurs, the CSG2 might deny incoming RADIUS requests.
Workaround: Do not configure HTTP and SIP on the same board at the same time.
CSG2 Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD.
• CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
• CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
• CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
• CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic
The CSG2 might crash if the report format is changed from variable to fixed while running HTTP
or RTSP traffic.
• CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration
If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a
transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.
If the user runs out of quota during a transaction, the transaction is not terminated with aborts to
both the client and server, regardless of whether WAP redirect is configured.
• CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time
If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the
Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year
2002.
This problem can occur if the CDR is generated before a value for the clock is received from the
Supervisor Engine on a CSG2 Traffic Processor.
Since a clock value is usually received from the Supervisor Engine module shortly after bootup, the
probability of this problem occurring is very small. Furthermore, deployment of CSG2s in a
redundant configuration greatly reduces the probability of this problem occurring, because the
redundant CSG2s receive a clock from the Supervisor Engine module before becoming active (and
even before HSRP negotiation has completed).
• CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG policy.
• CSCsm84321—Quota server traffic stalls if no ip csg quota-server reassign is configured and the quota server fails
If no ip csg quota-server reassign is configured and the traffic to all quota servers stalls while one
or more quota servers reports FAILED or flaps from FAILED to ACTIVE to FAILED, no quota
server messages can get through and the CSG2 prevents prepaid traffic from flowing.
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Open Caveats
The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD.
• CSCsq38262—Sup32: PPCs fail to download the configuration unless the boot string is configured in the Supervisor
The Cisco SAMI processors fail to download the configuration from the Supervisor Engine. EOBC
traffic does not work. The session from the Supervisor Engine to processors 1-8 does not work.
For this problem to occur, one or more of the following conditions must be true:
– Supervisor Engine 32 must be used in the chassis without executing the boot eobc upgrade
command.
– LCP ROMMON version 121 must have been used at some time on the Cisco SAMI.
– The Cisco SAMI must be moved from a Supervisor Engine 32 to a Supervisor Engine 720 or
Route Switch Processor 720, or vice versa.
– Booting via EOBC must be used with a different version of the Supervisor Engine.
Workaround: If you move the Cisco SAMI from a Supervisor Engine 32 to a Supervisor Engine
720 or Route Switch Processor 720, or vice versa, use the following procedure to avoid this problem:
a. Configure the boot string on the Supervisor Engine:
    Sup(config)# boot device module sami-slot disk0:sami image
b. Reset the Cisco SAMI to boot normally.
If the Cisco SAMI has a usable image on its compact flash, enter the following command:
    Sup(config)# hw-module module sami-slot reset
Otherwise, boot the Cisco SAMI through the Ethernet Out-of-Band Channel (EOBC) from the
Supervisor Engine by entering the following commands:
    Sup(config)# boot device module sami-slot disk0:sami image
    Sup(config)# hw-module module sami-slot boot eobc
    Sup(config)# hw-module module sami-slot reset
c. After the Cisco SAMI comes up, ensure that the image is stored on the Cisco SAMI and
automatically comes back up after a reboot by entering the following command:
    Sup(config)# upgrade hw-module slot sami-slot software disk0:sami image
d. Remove the Cisco SAMI boot string configuration from the Supervisor Engine by entering the
following command:
    Sup(config)# no boot device module sami-slot disk0:sami image
Cisco SAMI Software for Cisco IOS Release 12.4(15)MD - Closed Caveats
The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software
for Cisco IOS Release 12.4(15)MD.
• CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a 0-byte file
From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or
can cause the processor to reload. For example, the following command might result in a 0-byte file:
    Router-3> sh tech | redirect rcp://127.0.0.81/shtech
• CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the Cisco SAMI/CSG2 runs out of destination filters, a new IP address configuration might
not be effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the Cisco SAMI/CSG2 has run out of destination filters, enter the show sami ixp
statistics command after applying an IP address. If the Out of filter elements counter is not zero,
and if it increments as a result of configuring the IP address, then the Network Processor destination
filter limit has been reached.
• CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown
The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any
values from the Cisco SAMI processor.
Documentation and Technical Assistance
This section contains the following information:
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Related Documentation
Use these release notes with these documents:
• CSG2 Documentation
• Release-Specific Documents
• Platform-Specific Documents
• Cisco IOS Software Documentation Set
CSG2 Documentation
For more detailed installation and configuration information, see the following publication:
• Cisco Content Services Gateway - 2nd Generation Release 2 Installation and Configuration Guide
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.4 and are located at Cisco.com:
• Cisco IOS Release 12.4 Mainline Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Release Notes
• Cisco IOS Release 12.4 T Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 T > Release Notes
Note: If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for
any release. You can reach Bug Navigator II on Cisco.com at http://www.cisco.com/support/bugtools.
• Product bulletins, field notices, and other release-specific documents on Cisco.com at:
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline
Platform-Specific Documents
These documents are available for the Cisco 7600 series router platform on Cisco.com and the
Documentation CD-ROM:
• Cisco Service and Application Module for IP User Guide
• Cisco 7600 series routers documentation:
– Cisco 7600 Series Cisco IOS Software Configuration Guide
– Cisco 7600 Series Cisco IOS Command Reference
– Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS
command references, and several other supporting documents that are shipped with your order in
electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a
corresponding command reference guide. Chapters in a configuration guide describe protocols,
configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration
examples. Chapters in a command reference guide list command syntax information. Use each
configuration guide with its corresponding command reference. The Cisco IOS documentation modules
are available on Cisco.com at:
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References > Configuration Guides
Note: To view a list of MIBs supported by Cisco, by product, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Copyright © 2012 Cisco Systems, Inc. All rights reserved.