Release Notes for Cisco
Content Services Gateway 2nd Generation Release 1.0
Cisco IOS Release 12.4(11)MD10
Revised: October 18, 2010
Current Release—12.4(11)MD10
This publication describes the requirements, dependencies, and caveats for the Cisco Content Services
Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2. These
release notes are updated for every maintenance release.
Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4, located on
Cisco.com.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most
serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only
select severity 3 caveats are included in the caveats document.
All caveats in Cisco IOS Release 12.4 and Cisco IOS Release 12.4 T are also in Cisco IOS Release
12.4(11)MD10.
• For a list of the software caveats that affect the CSG2 or SAMI software for Cisco IOS Release
12.4(11)MD10, see the “Caveats for Cisco IOS Release 12.4(11)MD10” section on page 13.
• For information on caveats in Cisco IOS Release 12.4, see Caveats for Cisco IOS Release 12.4,
located on Cisco.com.
• For information on caveats in Cisco IOS Release 12.4 T, see Caveats for Cisco IOS Release 12.4T,
located on Cisco.com and the Documentation CD-ROM.
Using the Bug Navigator II
If you have an account with Cisco.com, you can use Bug Navigator II to find the most current list of
caveats of any severity for any software release. To reach Bug Navigator II, log in to Cisco.com and click
Software Center: Cisco IOS Software: Cisco Bugtool Navigator II.
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
This publication includes the following information:
• Introduction
• Features
• System Requirements
• Prerequisites and Restrictions
• Caveats for Cisco IOS Release 12.4(11)MD10
  – CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
  – Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD9
  – CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD8
  – CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD7
  – CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD6
  – CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD5
  – CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD4
  – CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
OL-13796-01
  – CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(11)MD3
  – CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
• Documentation and Technical Assistance
Introduction
The CSG2 is an application that runs on the Service and Application Module for IP (SAMI), a high-speed
processing module. The CSG2 provides content-aware billing, service control, traffic analysis, and data
mining in a highly scalable, fault-tolerant package. The CSG2 provides the software required by mobile
wireless operating companies and other billing, applications, and service customers.
The CSG2 runs on the SAMI, a new-generation high performance service module for the Cisco 7600
series router platforms. The CSG2 is typically located at the edge of a network in an Internet service
provider (ISP) point of presence (POP), or Regional Data Center.
Features
This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full
descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation
Installation and Configuration Guide, Cisco IOS Release 12.4(11)MD.
To see the software part numbers associated with each CSG2 release; the Supervisor hardware required
by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release;
and the minimum IOS level supported by each CSG2 release, see the “Software Requirements” section
on page 7.
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD10
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD9
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD8
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD7
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD6
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD5
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD4
• CSG2 Features Supported for Cisco IOS Release 12.4(11)MD3
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD10
The CSG2 software for Cisco IOS Release 12.4(11)MD10 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD9” section on page 4. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD9
The CSG2 software for Cisco IOS Release 12.4(11)MD9 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD6” section on page 4.
In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the following new
features:
• Policy Matching for HTTP Downgrade
For more information, see Closed caveat CSCsq12202.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD8
The CSG2 software for Cisco IOS Release 12.4(11)MD8 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD6” section on page 4. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD7
The CSG2 software for Cisco IOS Release 12.4(11)MD7 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD6” section on page 4. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD6
The CSG2 software for Cisco IOS Release 12.4(11)MD6 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD3” section on page 5. Additionally, CSG2
software for Cisco IOS Release 12.4(11)MD6 supports the following new features:
• Setting the Mode for TCP Sessions
Some applications, such as the Cisco VPN client, use TCP signaling to establish and terminate TCP
sessions, but they do not follow the TCP specification to send and acknowledge data packets. To
support these applications, the CSG2 has a configuration option to set the mode for TCP sessions.
A TCP session in transparent mode monitors TCP signaling to establish and terminate the session.
All packets are forwarded, and all TCP payload bytes regardless of retransmission are reported. You
can use the “zero” configuration option to report zero TCP bytes.
A TCP session in datagram mode establishes the session on the first SYN packet, and terminates by
the content’s idle timer. In this instance, all packets are forwarded. Zero TCP bytes are reported.
The last byte of the IPv4 Flow TLV in the TCP CDR is reserved for future use. Its bit “0” is set to
“1” when a TCP session is in transparent or datagram mode.
• Generating HTTP Stats Term
Prior to Cisco IOS Release 12.4(11)MD6, if the last transaction was an HTTP request that was
incomplete or did not match a policy, the CSG2-generated HTTP Stats Term for that transaction was
downgraded to Layer 4 inspection.
In Cisco IOS Release 12.4(11)MD6 and later, the CSG2 generates a fixed HTTP Stats Term CDR
for the last transaction if all of the following conditions are met:
– The last transaction is a complete HTTP request.
– The last transaction is not downgraded to Layer 4 inspection.
– The last transaction does not match any policy.
Otherwise, the CSG2 generates an HTTP Header and Stats CDRs for the last transaction.
• Monitoring Logging Errors on the Supervisor Engine
The CSG2 high availability (HA) coordinates traffic delivery to the active system through the
redundancy facility (RF) and Hot Standby Routing Protocol (HSRP), and through the RF for
Interdevice redundancy (RF Interdev). When the RF detects an active/active error condition, the
CSG2 reloads to recover from the error situation and logs the following message to the Supervisor
Engine console and to syslog:
%RF_INTERDEV-3-RELOAD: % RF induced self-reload. my state = ACTIVE peer state = STANDBY
You can monitor these messages by configuring the sami module cpu 3 logging errors command
on the Supervisor Engine.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD5
The CSG2 software for Cisco IOS Release 12.4(11)MD5 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD3” section on page 5. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD4
The CSG2 software for Cisco IOS Release 12.4(11)MD4 supports the entire feature set listed in “CSG2
Features Supported for Cisco IOS Release 12.4(11)MD3” section on page 5. There are no new features
in this release.
CSG2 Features Supported for Cisco IOS Release 12.4(11)MD3
The CSG2 software for Cisco IOS Release 12.4(11)MD3 supports the entire feature set for the CSG1
software release 3.1(3)C7(1), with the following exceptions:
• The CSG2 does not support Layer 7 inspection for FTP.
• The CSG2 does not support RADIUS monitor capabilities.
In addition, the CSG2 software for Cisco IOS Release 12.4(11)MD3 supports the following new
features:
• Support for bidirectional peer-to-peer (P2P) charging
• Support for IP fragmentation for all protocols
• Support for out-of-order TCP segments for all protocols
• Support for TCP reset on no quota
• Configuration of quota reauthorization threshold and timer
• Exclusion of RFC 2822 headers in Simple Mail Transfer Protocol (SMTP) billing records
• Separate queue-size tuning for the Billing Mediation Agent (BMA), the Cisco Persistent Storage
Device (PSD), and the quota servers
• Complete online diagnostics at reload
• New Cisco CSG2 MIB: CISCO-CONTENT-SERVICES-MIB
• Simple Network Management Protocol Version 3 (SNMPv3)
• More current values for usage in reports to the quota servers and to the BMA
  – Sending intermediate transaction call detail records (CDRs)
  – Sending intermediate service-level CDRs
  – Sending reauthorization requests
• Support for PAUSE on interleaved Real Time Streaming Protocol (RTSP) connections
• Support for TCP selective acknowledgement (S-ACK)
• Protocol transparency
• Remote Command and Logging from the Supervisor Engine (RCAL)
• Field-upgradeable ROM-monitor (ROMmon)
• ROMmon recovery
• New command-line interface (CLI) that replaces Cisco CSG1 environmental variables
• Multiple accounting types per service
• Correlation of start and stop for user sessions
• RTSP stream reporting and re-use enhancements
• Support for the plus operator (+) in maps
• Quota reporting in Service Reauthorization message
System Requirements
This section describes the following memory and software requirements for CSG2:
• Memory Requirements
• Hardware Supported
• Software Requirements
• Determining the Software Version
For hardware requirements, such as power supply and environmental requirements, as well as hardware
installation instructions, see the Service and Application Module for IP User Guide.
Memory Requirements
The CSG2 memory is not configurable.
Hardware Supported
Use of the CSG2 requires the following supervisor engine, and a module with ports to connect server
and client networks:
• A Supervisor Engine 720 with an MSFC3-BXL (SUP720-MSFC3-BXL)
Software Requirements
This section includes the following information:
• SAMI Module Part Numbers
• CSG2 Software Part Numbers
• CSG2 Software Upgrade Part Numbers
• CSG2 Software and SAMI Module Bundle Part Numbers
• Supported Hardware and Software for the CSG2
When referring to this section, keep the following considerations in mind:
• Do not use the Supervisor Hardware Supported column to infer supervisor hardware support.
Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired
supervisor hardware.
• Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level
Supported.
SAMI Module Part Numbers
The following table lists the SAMI module part numbers and associated information for each CSG2
release:
| CSG2 Release | SAMI Module Part Numbers | Supervisor Hardware Supported | Minimum Cisco IOS Release Required for New Features | Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(11)MD9 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD8 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD7 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD6 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD5 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD4 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD3 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, SC-SBC-NAP-SAMI-1-K9 | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
CSG2 Software Part Numbers
The following table lists the CSG2 software part numbers and associated information for each CSG2
release:
| CSG2 Release | CSG2 Software Part Numbers | Supervisor Hardware Supported | Minimum Cisco IOS Release Required for New Features | Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(11)MD9 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD8 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD7 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD6 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD5 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD4 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD3 | SC-SVC-CSG2-B1-K9, SC-SVC-CSG2-B1-K9=, SC-SVC-CSG2-P1-K9, SC-SVC-CSG2-P1-K9=, SC-SVC-CSG2-E1-K9, SC-SVC-CSG2-E1-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
CSG2 Software Upgrade Part Numbers
The following table lists the CSG2 software upgrade part numbers and associated information for each
CSG2 release:
| CSG2 Release | CSG2 Software Upgrade Part Numbers | Supervisor Hardware Supported | Minimum Cisco IOS Release Required for New Features | Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(11)MD9 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD8 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD7 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD6 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD5 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD4 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD3 | FL-CSGB7CSG2B1-K9, FL-CSGB7CSG2B1-K9=, FL-CSGP7CSG2P1-K9, FL-CSGP7CSG2P1-K9=, FL-CSGE7CSG2E1-K9, FL-CSGE7CSG2E1-K9=, FL-CSG2-PEP-K9=, FL-CSG2-BP-K9=, FL-CSG2-BEP-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
CSG2 Software and SAMI Module Bundle Part Numbers
The following table lists the CSG2 software and SAMI module bundle part numbers and associated
information for each CSG2 release:
| CSG2 Release | CSG2 Software and SAMI Module Bundle Part Numbers | Supervisor Hardware Supported | Minimum Cisco IOS Release Required for New Features | Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(11)MD9 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD8 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD7 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD6 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD5 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD4 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(11)MD3 | SAMI-CSG2-EBDL-K9=, SAMI-CSG2-PBDL-K9= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
Supported Hardware and Software for the CSG2
The following table lists the supported hardware and software for the CSG2:
| Product Number | Product Description | Minimum Software Version | Recommended Software Version | Cisco IOS Release |
|---|---|---|---|---|
| CSG2 | | | | |
| WS-SVC-SAMI-BB-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | SAMI Module | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| WS-SVC-SAMI-BB-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | SAMI Module | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SBC-NAP-SAMI-1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | SAMI Module | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-B1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-B1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-P1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-P1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-E1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SC-SVC-CSG2-E1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGB7CSG2B1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGB7CSG2B1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGP7CSG2P1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGP7CSG2P1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGE7CSG2E1-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSGE7CSG2E1-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSG2-PEP-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSG2-BP-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| FL-CSG2-BEP-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Upgrade | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SAMI-CSG2-EBDL-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software and SAMI Module Bundle | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| SAMI-CSG2-PBDL-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software and SAMI Module Bundle | 12.4(11)MD | 12.4(11)MD9 | 12.2(33)SRB1 |
| Console Cable | | | | |
| 72-876-01 | Console Cable | Not applicable | Not applicable | Not applicable |
| Accessory Kit | | | | |
| 800-05097-01 | Accessory kit (contains the Console Cable) | Not applicable | Not applicable | Not applicable |
Determining the Software Version
To determine the version of Cisco IOS software that is currently running on your Cisco network device,
log in to the device and enter the show version EXEC command.
To show CSG2 versions, use the show module command in privileged EXEC mode.
To provide meaningful problem determination information, use the show tech-support command in
privileged EXEC mode.
Prerequisites and Restrictions
For the latest prerequisites and restrictions for the CSG2, see the “Overview” chapter of the Cisco
Content Services Gateway - 2nd Generation Installation and Configuration Guide, Cisco IOS Release
12.4(11)MD.
Caveats for Cisco IOS Release 12.4(11)MD10
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD10.
• CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
• SAMI Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
• SAMI Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
• Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD10.
• CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
• CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent
The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the
Service-Start timestamp.
Workaround: Configure the BMA to use either the Usage TLV or the Connection Duration Value
of the Timestamp TLV.
• CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
• CSCsk23363—CSG-4-UNEXPECTED: Error: CSG Startup Failed - NTP clock not in sync
Due to an NTP clock synchronization problem, when the CSG2 is first started, the clocks between
the TPs and the CP might be off by 1 or 2 seconds. It can take up to 5 minutes for the clocks to
synchronize.
Workaround: None.
• CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
• CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
• CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
• CSCsx33049—Service Reauthorization Request sent in error
If the ip csg quota-server retransmit command in global configuration mode is set to 5 seconds or
less and a quota server switchover occurs, the CSG2 might send a Service Reauthorization Request
in error, before the Service Authorization Request.
Workaround: Increase the retransmission duration on the ip csg quota-server retransmit
command.
• CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
• CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
• CSCsy57924—CSG2: Memory leak when removing RADIUS VSA configuration
If a large number of reporting RADIUS VSA subattributes are configured or unconfigured for the
CSG2, a large number of messages like the following is generated:
0x4518DEAC 0000000272 0000000001 0000000272 CSG RADIUS VSA
Workaround: None.
• CSCsz21796—Bad refcount possible on error from SSVC
When the CSG2 tries to send an HTTP redirect packet to a subscriber, the following error message
might be generated:
%SYS-2-BADSHARE: Bad refcount <function name>
Workaround: None.
• CSCta70187—Content inactive until recreated; cannot bring content WAP-WAP2 inservice
If a change is made on the standby CSG2, and a content is taken out of service, the CSG2 might not
be able to bring the content back inservice. The following error message is generated:
% Cannot bring content <*> inservice, content out of service in progress
Workaround: Remove and reapply the entire context configuration.
• CSCtb71637—%CSG-3-KUT_CLEANUP_ERROR on CSG2
The CSG2 generates the following error messages continuously:
SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR:
OPENMOBILEWEB, ip= 10.227.179.191, uid= 61425166227, (1/48/2822/9217),
-Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8
0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558
0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x45081C10
SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR:
OPENMOBILEWEB, ip= 10.228.102.132, uid= 61425170578, (1/48/2054/9217),
-Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8
0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558
0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x44E6AEC4
Workaround: None.
• CSCtc21701—Stale VTY session issue
Under certain conditions, a stale VTY could be created in the CSG2 which can be detected using the
output of the show ip csg users command.
Workaround: None.
• CSCtc76186—TCP sessions not closed to the server side
When both of the TCP peers decide to close a session, each peer must send its own FIN/ACK and
then also ACK the FIN/ACK of the peer. The CSG2 appears to close the session before the last ACK
exchange:
– Instead of forwarding the last ACK from the client to the server, it sends an RST to the client.
– Instead of forwarding the last ACK from the server to the client, it silently discards the last
ACK.
After a while, the server side might run out of sockets.
Workaround: Configure the server to expire the sessions faster after the FIN, or configure the mode
tcp datagram command in CSG2 content configuration mode on the specific content on the CSG2.
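The messages quoted in this list and in the HA logging feature description can be picked out of collected console or syslog output. The following is an added example, not part of Cisco's release notes: a Python scanner that re-joins wrapped messages, matches the four message identifiers named on this page, and flags ones that repeat from the same processor. The sample lines are constructed in the shape of the page's samples; the function names, field names, and repeat threshold are this example's own assumptions.

```python
import re
from collections import Counter

# Messages named on this page -> the caveat or feature the page ties them to.
KNOWN = {
    "RF_INTERDEV-3-RELOAD": "HA active/active recovery (self-reload)",
    "CSG-4-UNEXPECTED": "CSCsk23363",
    "SYS-2-BADSHARE": "CSCsz21796",
    "CSG-3-KUT_CLEANUP_ERROR": "CSCtb71637",
}

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+-[0-7]-[A-Z0-9_]+):\s*(.*)", re.S)
# Per-processor prefix as it appears in the page's sample ("SAMI 1/8: ...").
SRC_RE = re.compile(r"^SAMI (\d+/\d+):")
# Fields worth extracting from the message bodies shown on the page.
FIELD_RES = {
    "ip": re.compile(r"\bip=\s*([0-9.]+)"),
    "uid": re.compile(r"\buid=\s*(\w+)"),
    "my_state": re.compile(r"my state = (\w+)"),
    "peer_state": re.compile(r"peer state = (\w+)"),
}


def join_records(lines):
    """Re-join messages that were wrapped over several lines.

    A line containing a %FAC-SEV-MNEMONIC: header starts a new record;
    any other non-empty line is treated as a continuation of the previous one.
    """
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if MSG_RE.search(line):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:
            current += " " + line
    if current is not None:
        records.append(current)
    return records


def scan(lines):
    """Return one finding per known message, with extracted fields."""
    findings = []
    for rec in join_records(lines):
        key, text = MSG_RE.search(rec).groups()
        if key not in KNOWN:
            continue  # not a message this page discusses
        src = SRC_RE.match(rec)
        finding = {
            "message": key,
            "severity": int(key.split("-")[1]),
            "reference": KNOWN[key],
            "source": src.group(1) if src else None,
        }
        for name, rx in FIELD_RES.items():
            m = rx.search(text)
            if m:
                finding[name] = m.group(1)
        findings.append(finding)
    return findings


def repeating(findings, threshold=2):
    """Messages seen at least `threshold` times from the same source."""
    counts = Counter((f["message"], f["source"]) for f in findings)
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample input (addresses, uids and tracebacks are made up).
SAMPLE = """\
SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR:
EXAMPLECONTENT, ip= 192.0.2.10, uid= 10000000001, (1/48/2822/9217),
-Traceback= 0x00000001 0x00000002
SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR:
EXAMPLECONTENT, ip= 192.0.2.11, uid= 10000000002, (1/48/2054/9217),
-Traceback= 0x00000001 0x00000002
%RF_INTERDEV-3-RELOAD: % RF induced self-reload. my state = ACTIVE peer state
= STANDBY
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%SYS-2-BADSHARE: Bad refcount <function name>
""".splitlines()

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f)
    print("repeating:", repeating(results))
```
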
CSG2 Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD10:
• CSCso07424—CSG2 MIB Support: multiple variables request not handled correctly
When performing snmpget on multiple OIDs on a CSG2, the device does not handle the SNMP
request correctly.
•
CSCtb70452—CSG2: Continuation TLV correlator might not be unique
If the data for a record does not fit in a single IP packet, the BMA or quota server might associate
data from a Continue CDR with an incorrect BMA or quota server record. This can occur because
the CSG2 generates a correlator value in the Continue TLV that might not be unique per CSG2.
•
CSCtc21701—Stale VTY session issue
Under certain conditions, a stale VTY could be created in the CSG2 which can be detected using the
output of the show ip csg users command.
•
CSCtd32600—RADIUS Accounting Start dropped
When the CSG2 is configured as a RADIUS proxy, it might not forward some RADIUS Accounting
Start packets from the GGSN to the RADIUS server. The CSG2 drops the sessions due to a lack of
response from the RADIUS server.
SAMI Software for Cisco IOS Release 12.4(11)MD10 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD10:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD10 - Closed Caveats
There are no Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release
12.4(11)MD10.
Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats
The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(11)MD10:
•
CSCsy09250
Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is
configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to
reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates
this vulnerability is available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sccp.shtml.
•
CSCsz45567
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is
vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label
Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or
Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software,
such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
•
CSCsz48614
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
•
CSCsz49741
Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager
Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected
by two denial of service vulnerabilities that may result in a device reload if successfully exploited.
The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny
Call Control Protocol (SCCP) messages.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.
•
CSCsz75186
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote
unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be
triggered by a TCP segment containing crafted TCP options that is received during the TCP session
establishment phase. In addition to specific, crafted TCP options, the device must have a special
configuration to be affected by this vulnerability.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-tcp.shtml.
•
CSCta19962
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version
of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
•
CSCtb13491
A malformed Internet Key Exchange (IKE) packet may cause a device running Cisco IOS Software
to reload. Only Cisco 7200 Series and Cisco 7301 routers running Cisco IOS software with a VPN
Acceleration Module 2+ (VAM2+) installed are affected. Cisco has released free software updates
that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-ipsec.shtml.
•
CSCtb93855
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version
of Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if
H.323 is not required.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.
Caveats for Cisco IOS Release 12.4(11)MD9
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD9.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD9.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
•
CSCsx33049—Service Reauthorization Request sent in error
If the ip csg quota-server retransmit command in global configuration mode is set to 5 seconds or
less and a quota server switchover occurs, the CSG2 might send a Service Reauthorization Request
in error, before the Service Authorization Request.
Workaround: Increase the retransmission duration on the ip csg quota-server retransmit
command.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD9:
•
CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured
When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is
configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all
remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.
To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match
the current transaction to the catchall policy in the content, if there is one configured. If no catchall
policy is configured, then the CSG2 should use the block configuration in the content to determine
whether to forward or block the traffic.
•
CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service
For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate
multiple reauthorization requests within a few seconds.
•
CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the
active CSG2
In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of
the subscribers that are present in the active CSG2 User Table.
This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message
from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before
completing processing of the RADIUS Accounting On or Off message.
This problem can also occur if the clear ip csg user command is entered.
•
CSCsz69398—Memory leak - Leakage of RADIUS attributes
The CSG2 might encounter a memory leakage that results in a malloc failure of RADIUS attributes
and prevents the CSG2 from processing incoming RADIUS requests.
•
CSCta07579—R3.5 Traceback clearing user running WAP traffic
During Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console
when the CSG2 attempts to remove a WAP user from the User Table. The user is not removed from
the User Table.
•
CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota
If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new
transaction, a service's “reserved”, as displayed in the output of the show ip csg user all detail
command, might keep incrementing.
•
CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions
When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in
that packet are incorrect.
SAMI Software for Cisco IOS Release 12.4(11)MD9 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD9:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD9 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD9:
•
CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service
(DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the
consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the
authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
Caveats for Cisco IOS Release 12.4(11)MD8
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD8.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD8.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
•
CSCsx33049—Service Reauthorization Request sent in error
If the ip csg quota-server retransmit command in global configuration mode is set to 5 seconds or
less and a quota server switchover occurs, the CSG2 might send a Service Reauthorization Request
in error, before the Service Authorization Request.
Workaround: Increase the retransmission duration on the ip csg quota-server retransmit
command.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD8:
•
CSCsr57168—ServiceStop lost during quota server failure if User Table entry deleted
If all quota servers are active, and a quota server fails, and the user logs off of the network during
the failover, the CSG2 might fail to generate a ServiceStop message. This might result in the user
session not being billed correctly.
•
CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading
If the CSG2 is configured for RADIUS endpoint or proxy, and you enter the debug ip csg radius
command, the CSG2 might reload.
•
CSCsy85405—Crash in HTTP code when records delay is configured
The CSG2 might reload under certain rare situations.
For this problem to occur, the following conditions must all be true:
– The data flow must match a CSG content configured with policies that require HTTP deep
packet inspection (accounting type http).
– The user traffic must be prepaid.
– The records delay command must be configured for the HTTP content.
– A retransmitted pipelined request or response packet must result in temporary quota exhaustion
and a subsequent Service Reauthorization Request to the quota server.
– A timing window must be created in which the transaction is closed prior to receiving the
response from the quota server.
SAMI Software for Cisco IOS Release 12.4(11)MD8 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD8:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD8 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD8:
•
CSCsj23017—The active CSG self-reloads during standby CSG process watchdog timeout crash
If you have configured two CSG2s for high availability (that is, as an active and standby pair), and
the standby CSG2 encounters an exception due to process watchdog timeout (that is, a runaway
process), then the active CSG2 might also reload (RF-induced self-reload).
Caveats for Cisco IOS Release 12.4(11)MD7
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD7.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD7.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
•
CSCsr57168—ServiceStop lost during quota server failure if user table entry deleted
If all quota servers are active, a quota server failover occurs, and a user logs off of the network
during the failover, the CSG2 might fail to generate a ServiceStop message. As a result,
the CSG2 might not bill the user session correctly.
Workaround: Always run quota servers in active/standby mode.
•
CSCsx33049—Service Reauthorization Request sent in error
If the ip csg quota-server retransmit command in global configuration mode is set to 5 seconds or
less and a quota server switchover occurs, the CSG2 might send a Service Reauthorization Request
in error, before the Service Authorization Request.
Workaround: Increase the retransmission duration on the ip csg quota-server retransmit
command.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD7.
•
CSCsj45655—CSG2: The client-group command might not work with named access lists
If you configure a named access list, using the ip access-list command in global configuration mode,
and you then reference that access list in a CSG2 content, using the client-group command in CSG2
content configuration mode, the named access list might not work.
This is not a problem with numbered access lists, only named access lists.
•
CSCsr93270—Year and month incorrect in BCD timestamps
If you configure the following commands:
records granularity service bytes 10240000 seconds 3600
ip csg records format fixed
Then CDRs for the service might report start and stop dates with years and months in the wrong
format.
•
CSCsu03235—CSG2 - Redirection on zero quota grant not working with AoC enabled
If a service is configured for Advice of Charge, the CSG2 might fail to redirect a user when zero
quota is received from the quota server in a Service Authorization Response.
•
CSCsv12836—CSG2: The Qualified Remaining Quota TLV does not carry more than 4 bytes
If duration-based billing is configured, and the remaining quota is very large (greater than
2147483647), the CSG2 might not use the upper 4 bytes of the Qualified Remaining Quota TLV.
•
CSCsv27593—CSG2 R2 - Duration-based billing shows incorrect usage value in the
SvcReAuthReq Usage TLV
If duration-based billing is configured, and there is a difference between the remaining quota and
the quota required for the current transaction, and the last billable timestamp is very large (greater
than 2147483647), the CSG might show an incorrect usage value in the SvcReAuthReq message.
•
CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly
The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its
processors with a %SYS-2-MALLOCFAIL error message.
For this problem to occur, all of the following conditions must be met:
– There must be no route to a given subscriber or server network.
– There must be no default route.
– There must be no next-hop (reverse) configured for the content.
•
CSCsv66930—CSG2 crash at csg_kut_svc_timeout
A WS-SVC-SAMI-BB-K9 service blade running a c7svcsami-csg-mz or c7svcsami-csgk9-mz
image might reload.
For this problem to occur, all of the following conditions must be met:
– A CSG2 User Table entry for a subscriber must be deleted due to a trigger such as a RADIUS
Accounting Stop message.
– The subscriber must be using a prepaid service.
– The traffic that maps to the prepaid service must be FTP or HTTP traffic parsed at Layer 7, or
any Internet Protocol (IPv4) traffic parsed at Layer 4.
•
CSCsv95317—R3: A configuration failure might occur when using more than one console
If you use more than one console to interface with the CSG2, with one console used for show
commands and the other for configuration commands, the configuration console might lock up with
the following error message:
Config failed, CSG being configured by line
Configuration will not be possible until the CSG has been rebooted.
•
CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and
passthrough is configured
Quota which could not be returned to the quota server is not credited back to the user.
For this problem to occur, all of the following conditions must be met:
– Passthrough must be configured for the service.
– The current quota must have been granted by the quota server with a quota timeout.
– The CSG2 must be unable to successfully deliver the Quota Return message to the quota server
(due to server failure).
•
CSCsw66339—Maximum length VRF name handled improperly by
CISCO-CONTENT-SERVICES-MIB
If there is a VRF configured with a name that is 32 characters long, and the VRF is used in a user
database, BMA, or quota server definition, the CSG2 might experience buffer overflow problems
resulting from SNMP queries on the CISCO-CONTENT-SERVICES-MIB.
•
CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when it
receives a Quota Push Request
The CSG2 might crash when the debug ip csg qs detail command is enabled and the CSG2
receives a non-standard Quota Push Request message.
•
CSCsx96877—The CSG2 fails to boot with some specific configurations
When applying some specific configurations to a CSG2, and then reloading the CSG2, the CSG2
might fail to come up again, and continue to reload in an endless loop.
•
CSCsy41471—RADIUS packets are not being proxied to the RADIUS server, and both the “rad
attr” counter and the “radius deny” counter continue to increase
The CSG2 might fail to proxy RADIUS requests when it depletes the RADIUS attribute pool while
processing large numbers of RADIUS requests at very high rates.
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD7:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD7:
•
CSCsk64158—Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet
vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked
input queue on the inbound interface. Only crafted UDP packets destined for the device could result
in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the
advisory. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.
•
CSCsm27071—Cisco IOS Software Multiple Features IP Sockets Vulnerability
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service
attack when any of several features of Cisco IOS software are enabled. A sequence of specially
crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
– The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the
advisory. The advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
CSCso04657—SSLVPN service stops accepting any new SSLVPN connections
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections,
due to a vulnerability in the processing of new TCP connections for SSLVPN services. If debug ip
tcp transactions is enabled and this vulnerability is triggered, debug messages with connection
queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug
IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsu11522—A voice gateway might crash when processing a valid SIP message
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software
that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds
available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not
need to run SIP for VoIP services. However, mitigation techniques are available to help limit
exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.
•
CSCsv38166—SCP + views (role-based CLI) allows privilege escalation
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a
vulnerability that could allow authenticated users with an attached command-line interface (CLI)
view to transfer files to and from a Cisco IOS device that is configured to be an SCP server,
regardless of what users are authorized to do, per the CLI view configuration. This vulnerability
could allow valid users to retrieve or write to any file on the device's file system, including the
device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user
does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a
fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by
default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are
configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server
or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
•
CSCsw24700—SSLVPN sessions cause a memory leak in the device
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS
SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial
of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN
features:
1.
Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.
2.
SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds that mitigate these vulnerabilities. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD7.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
•
CSCsr57168—ServiceStop lost during quota server failure if user table entry deleted
If all quota servers are active, a quota server failover occurs, and a user logs off of the network
during the failover, the CSG2 might fail to generate a ServiceStop message. As a result,
the CSG2 might not bill the user session correctly.
Workaround: Always run quota servers in active/standby mode.
•
CSCsx33049—Service Reauthorization Request sent in error
If the ip csg quota-server retransmit command in global configuration mode is set to 5 seconds or
less and a quota server switchover occurs, the CSG2 might send a Service Reauthorization Request
in error, before the Service Authorization Request.
Workaround: Increase the retransmission duration on the ip csg quota-server retransmit
command.
•
CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for
POD to work
The Packet of Disconnect (POD) feature does not work at the billing plan level.
Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg
entries user idle pod command in global configuration mode.
•
CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a
subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content
authorization request and the quota server then responds with a content authorization response with
the action of redirect and the URL to be redirected to. The page does not load on the subscriber’s cell
phone.
Workaround: Disable the exclude mms option redirect command.
CSG2 Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD7.
•
CSCsj45655—CSG2: The client-group command might not work with named access lists
If you configure a named access list, using the ip access-list command in global configuration mode,
and you then reference that access list in a CSG2 content, using the client-group command in CSG2
content configuration mode, the named access list might not work.
This is not a problem with numbered access lists, only named access lists.
•
CSCsr93270—Year and month incorrect in BCD timestamps
If you configure the following commands:
records granularity service bytes 10240000 seconds 3600
ip csg records format fixed
Then CDRs for the service might report start and stop dates with years and months in the wrong
format.
•
CSCsu03235—CSG2 - Redirection on zero quota grant not working with AoC enabled
If a service is configured for Advice of Charge, the CSG2 might fail to redirect a user when zero
quota is received from the quota server in a Service Authorization Response.
•
CSCsv12836—CSG2: The Qualified Remaining Quota TLV does not carry more than 4 bytes
If duration-based billing is configured, and the remaining quota is very large (greater than
2147483647), the CSG2 might not use the upper 4 bytes of the Qualified Remaining Quota TLV.
•
CSCsv27593—CSG2 R2 - Duration-based billing shows incorrect usage value in the
SvcReAuthReq Usage TLV
If duration-based billing is configured, and there is a difference between the remaining quota and
the quota required for the current transaction, and the last billable timestamp is very large (greater
than 2147483647), the CSG might show an incorrect usage value in the SvcReAuthReq message.
•
CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly
The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its
processors with a %SYS-2-MALLOCFAIL error message.
For this problem to occur, all of the following conditions must be met:
– There must be no route to a given subscriber or server network.
– There must be no default route.
– There must be no next-hop (reverse) configured for the content.
•
CSCsv66930—CSG2 crash at csg_kut_svc_timeout
A WS-SVC-SAMI-BB-K9 service blade running a c7svcsami-csg-mz or c7svcsami-csgk9-mz
image might reload.
For this problem to occur, all of the following conditions must be met:
– A CSG2 User Table entry for a subscriber must be deleted due to a trigger such as a RADIUS
Accounting Stop message.
– The subscriber must be using a prepaid service.
– The traffic that maps to the prepaid service must be FTP or HTTP traffic parsed at Layer 7, or
any Internet Protocol (IPv4) traffic parsed at Layer 4.
•
CSCsv95317—R3: A configuration failure might occur when using more than one console
If you use more than one console to interface with the CSG2, with one console used for show
commands and the other for configuration commands, the configuration console might lock up with
the following error message:
Config failed, CSG being configured by line
Configuration will not be possible until the CSG has been rebooted.
•
CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and
passthrough is configured
Quota which could not be returned to the quota server is not credited back to the user.
For this problem to occur, all of the following conditions must be met:
– Passthrough must be configured for the service.
– The current quota must have been granted by the quota server with a quota timeout.
– The CSG2 must be unable to successfully deliver the Quota Return message to the quota server
(due to server failure).
•
CSCsw66339—Maximum length VRF name handled improperly by
CISCO-CONTENT-SERVICES-MIB
If there is a VRF configured with a name that is 32 characters long, and the VRF is used in a user
database, BMA, or quota server definition, the CSG2 might experience buffer overflow problems
resulting from SNMP queries on the CISCO-CONTENT-SERVICES-MIB.
•
CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when it
receives a Quota Push Request
The CSG2 might crash when the debug ip csg qs detail command is enabled and the CSG2
receives a non-standard Quota Push Request message.
•
CSCsx96877—The CSG2 fails to boot with some specific configurations
When applying some specific configurations to a CSG2, and then reloading the CSG2, the CSG2
might fail to come up again, and continue to reload in an endless loop.
•
CSCsy41471—RADIUS packets are not being proxied to the RADIUS server, and both the “rad
attr” counter and the “radius deny” counter continue to increase
The CSG2 might fail to proxy RADIUS requests when it depletes the RADIUS attribute pool while
processing large numbers of RADIUS requests at very high rates.
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD7:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD7 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD7:
•
CSCsk64158—Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet
vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked
input queue on the inbound interface. Only crafted UDP packets destined for the device could result
in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the
advisory. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.
•
CSCsm27071—Cisco IOS Software Multiple Features IP Sockets Vulnerability
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service
attack when any of several features of Cisco IOS software are enabled. A sequence of specially
crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
– The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the
advisory. The advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
CSCso04657—SSLVPN service stops accepting any new SSLVPN connections
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections,
due to a vulnerability in the processing of new TCP connections for SSLVPN services. If debug ip
tcp transactions is enabled and this vulnerability is triggered, debug messages with connection
queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug
IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsu11522—A voice gateway might crash when processing a valid SIP message
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software
that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds
available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not
need to run SIP for VoIP services. However, mitigation techniques are available to help limit
exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.
•
CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the
state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP
connection, an attacker could force the TCP connection to remain in a long-lived state, possibly
indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on
a system under attack may be consumed, preventing new TCP connections from being accepted. In
some cases, a system reboot may be necessary to recover normal system operation. To exploit these
vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable
system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that
may result in a system crash. This additional vulnerability was found as a result of testing the TCP
state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
CSCsv38166—SCP + views (role-based CLI) allows privilege escalation
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a
vulnerability that could allow authenticated users with an attached command-line interface (CLI)
view to transfer files to and from a Cisco IOS device that is configured to be an SCP server,
regardless of what users are authorized to do, per the CLI view configuration. This vulnerability
could allow valid users to retrieve or write to any file on the device's file system, including the
device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user
does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a
fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by
default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are
configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server
or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
•
CSCsw24700—SSLVPN sessions cause a memory leak in the device
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS
SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial
of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN
features:
1.
Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.
2.
SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.
Cisco has released free software updates that address these vulnerabilities. There are no
workarounds that mitigate these vulnerabilities. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Caveats for Cisco IOS Release 12.4(11)MD6
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD6.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD6.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
CSG2 Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD6.
•
CSCsm28152—CSG2: RTSP - Stream CDRs sent out along with service-level CDRs
If RTSP is configured for Layer 7 and service-level CDRs, the CSG2 might send the CDRs to the
BMA by mistake. The service-level CDRs are generated correctly, but some RTSP stream CDRs are
also generated.
•
CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic
The CSG2 reloads if report format is changed from variable to fixed while running HTTP or RTSP
traffic.
This problem occurs under the following conditions:
– Configure report format to variable through ip csg records format variable.
– Run HTTP or RTSP traffic.
– Change report format to fixed with ip csg records format fixed.
•
CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration
If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a
transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.
If the user runs out of quota during a transaction, the transaction is not terminated with aborts to
both the client and server, regardless of whether WAP redirect is configured.
•
CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time
If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the
Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year
2002.
•
CSCsm44411—CSG2:R1 - WAP - Quadrans TLV reports 0 for fixed format CDR
The Quadrans TLV in a fixed format WAP CDR reports a value of 0 for prepaid traffic even though
there is known usage. The total usage reported in the Service Stop is accurate.
•
CSCsm51197—The CSG2 (active or standby) fails to drain PSD data
If a CSG2 in active or standby state with CDRs on its associated PSD is reset, the CSG2 might stop
or fail to drain outstanding CDRs from the PSD.
•
CSCsm73773—CSG2: Content on standby CSG2 cannot be moved to inservice
If the number of current sessions on a given content is not zero, the content configuration on the
standby CSG2 cannot be moved from no inservice to inservice.
•
CSCsm84321—Quota server traffic stalls if no ip csg quota-server reassign is configured and the
quota server fails
If no ip csg quota-server reassign is configured and the traffic to all quota servers stalls while one
or more quota servers reports FAILED or flaps from FAILED to ACTIVE to FAILED, no quota
server messages can get through and the CSG2 prevents prepaid traffic from flowing.
•
CSCsm93349—CSG2: Spurious access when removing a match header name/value expression
A traceback might be seen while putting a content into service.
This problem can occur if the following sequence of events occurs:
– A map definition is configured with a specific match type (header, method, or URL).
– The match type is unconfigured using the no form of the command.
– A different match type is configured for the map definition. For example, match method is
originally configured and unconfigured, then match header is configured.
•
CSCso18183—CSG2: Incorrect usage reported when complete quota server outage occurs
In a prepaid configuration with basis second configured, if a complete quota server outage occurs
the value reported in the Service Stop Notification CDR's Usage TLV might be lower than it should
be.
•
CSCso35402—The CSG2 might crash while processing traffic after a RADIUS Stop
If the CSG2 is configured to generate postpaid service-level CDRs for a user, traffic for the user
might continue to flow over an existing session after a RADIUS Stop is received by the CSG2 for
that user. This can occur when traffic is received between the time that the RADIUS Stop is received
and the user's associated sessions are cleaned up internally.
•
CSCsq06947—CSG2: Unable to scale to 500K User Table entries with five or more RADIUS
Accounting Start messages
When the CSG2 receives more RADIUS Accounting Start messages than expected, with a large
number of RADIUS attributes from the Network Access Server (NAS), the CSG2 might deny the
RADIUS requests because the buffer pool cannot grow fast enough to accommodate them.
•
CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan
If you remove a configured billing plan or service using the no option (for example, no ip csg
billing), and you then configure a new billing plan or service and assign it to a new transaction, the
CSG2 might assign the wrong services to the transaction.
•
CSCsq90709—CSG2: The show ip csg user all command might not display some sticky user
entries
The output from the show ip csg users all command might include some but not all of the sticky
user entries.
•
CSCsr25704—The CSG2 TPs boot up with a default configuration
When the Supervisor Engine is very heavily loaded, close to its maximum capacity, some of the
CSG2 traffic processors might boot up with an invalid configuration. The CSG2 might log the
following message:
%CSG-2-UNEXPECTED_CRIT: Error: Timeout waiting for traffic processors to
initialize. NTP clock is not sync; please correct NTP server issue.
This condition occurs when you boot up CSGs while the SUP is close to its maximum capacity (very
high CPU).
•
CSCsr42444—The CSG2 does not allow user traffic in a VPN session in transparent mode
With a Cisco VPN client and a Cisco VPN concentrator, in a VPN session in IPSec transparent
mode, no user traffic flows. The VPN connection is established, but traffic does not flow.
•
CSCsr43716—CSG2: RTSP crash due to URL fastblk memory corruption
While performing Layer 7 parsing of RTSP traffic, the CSG2 might crash if it receives a DESCRIBE
message containing a URL that exceeds 512 bytes.
•
CSCsr45063—CSG2 - IMAP improperly handles token > 255 bytes
The CSG2 reloads with a crash indication.
The CSG2 might reload while performing L7 inspection of IMAP traffic if certain fields within the
flow are >256 bytes.
SAMI Software for Cisco IOS Release 12.4(11)MD6 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD6:
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD6 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD6:
•
CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a
0-byte file
From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or
can cause the processor to reload. For example, the following command might result in a 0-byte file:
Router-3> sh tech | redirect rcp://127.0.0.81/shtech
•
CSCsh12480
Cisco IOS software configured for Cisco IOS firewall Application Inspection Control (AIC) with an
HTTP-configured application-specific policy is vulnerable to a Denial of Service when processing
a specific malformed HTTP transit packet. Successful exploitation of the vulnerability might result
in a reload of the affected device.
Cisco has released free software updates that address this vulnerability.
A mitigation for this vulnerability is available. See the “Workarounds” section of the advisory for
details.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml.
•
CSCsi17020
A series of segmented Skinny Call Control Protocol (SCCP) messages might cause a Cisco IOS
device that is configured with the Network Address Translation (NAT) SCCP Fragmentation
Support feature to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates
this vulnerability is available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.
•
CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown
The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any
values from the SAMI processor.
•
CSCsk42759
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS
that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS
software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities
addressed in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from
disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to
provide voice over IP services.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.
Caveats for Cisco IOS Release 12.4(11)MD5
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD5.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD5.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA
If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse,
the CSG2 does not report the tariff-switch TLV to the BMA.
Workaround: None.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic
The CSG2 might crash if the report format is changed from variable to fixed while running HTTP
or RTSP traffic.
Workaround: Configure the HTTP and RTSP contents out of service and verify that there are no
HTTP or RTSP sessions. Change the report format back to variable. Configure the HTTP and RTSP
contents inservice.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
•
CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration
If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a
transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.
If the user runs out of quota during a transaction, the transaction is not terminated with aborts to
both the client and server, regardless of whether WAP redirect is configured.
Workaround: None.
•
CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time
If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the
Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year
2002.
This problem can occur if the CDR is generated before a value for the clock is received from the
Supervisor Engine on a CSG2 Traffic Processor.
Since a clock value is usually received from the Supervisor Engine module shortly after bootup, the
probability of this problem occurring is very small. Furthermore, deployment of CSG2s in a
redundant configuration greatly reduces the probability of this problem occurring, because the
redundant CSG2s receive a clock from the Supervisor Engine module before becoming active (and
even before HSRP negotiation has completed).
Workaround: None. However, deployments with redundant CSG2 configurations should have a
very, very small probability of experiencing this problem.
•
CSCsm84321—Quota server traffic stalls if no ip csg quota-server reassign is configured and the
quota server fails
If no ip csg quota-server reassign is configured and the traffic to all quota servers stalls while one
or more quota servers reports FAILED or flaps from FAILED to ACTIVE to FAILED, no quota
server messages can get through and the CSG2 prevents prepaid traffic from flowing.
Workaround: None.
•
CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan
If you remove a configured billing plan or service using the no option (for example, no ip csg
billing), and you then configure a new billing plan or service and assign it to a new transaction, the
CSG2 might assign the wrong services to the transaction.
Workaround: Save the running configuration and force a reload of the CSG2.
CSG2 Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD5.
•
CSCsm44411—CSG2 R1 - WAP - Quadrans TLV reports “0” for fixed format CDR
The Quadrans TLV in a fixed-format WAP CDR might report “0” for prepaid traffic even though
there is known usage.
For this problem to occur, the following conditions must all be true:
– The user must be prepaid.
– Fixed-format CDRs must be configured on the CSG.
•
CSCso93857—CSG2: WAP- malformed N ACK packet causes crash
When a CSG2 parses a packet containing WAP payload 0xbffefefffefefffe, it can enter an infinite
loop, causing the process to hang and resulting in a crash forced by the watchdog timer.
•
CSCso95950—CSG2: TCP Window scaling can cause CSG2 to drop packets
TCP Window scaling can cause TCP connections to fail.
For this problem to occur, the following conditions must all be true:
– The TCP window scaling option must be used with a window greater than 64k.
– The device that is receiving the data (that is, the client) must be slow when ACKing. That is, the
device must be ACKing data more than 64k behind what the server is currently sending.
SAMI Software for Cisco IOS Release 12.4(11)MD5 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD5:
•
CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a
0-byte file
From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or
can cause the processor to reload. For example, the following command might result in a 0-byte file:
Router-3> sh tech | redirect rcp://127.0.0.81/shtech
Workaround: Do not use the redirect feature when using rcp to the Supervisor Engine.
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
•
CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown
The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any
values from the SAMI processor.
Workaround: None.
SAMI Software for Cisco IOS Release 12.4(11)MD5 - Closed Caveats
The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for
Cisco IOS Release 12.4(11)MD5:
•
CSCsk26489—Corrupted NV config area can cause crash
When the maximum number of boot retries for the daughter cards is exceeded, and processor 0 is in
safe mode for debugging, processors 3-8 might reload or become unreachable.
•
CSCsl50039—Upgrade takes a long time in some new SAMI modules
In some SAMI modules for Cisco 7600 routers, the upgrade command might take a long time to
complete, from 10 minutes up to an hour or so, resulting in many timeouts. This problem occurs with
some specific Compact Flash cards in SAMI, such as Cisco 1GB, 16-3264-01,
SGCF1GSMC4ISAM501 PMK070616F02.
Caveats for Cisco IOS Release 12.4(11)MD4
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD4.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD4.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic
The CSG2 might crash if the report format is changed from variable to fixed while running HTTP
or RTSP traffic.
Workaround: Configure the HTTP and RTSP contents out of service and verify that there are no
HTTP or RTSP sessions. Change the report format back to variable. Configure the HTTP and RTSP
contents inservice.
•
CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration
If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a
transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.
If the user runs out of quota during a transaction, the transaction is not terminated with aborts to
both the client and server, regardless of whether WAP redirect is configured.
Workaround: None.
•
CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time
If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the
Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year
2002.
This problem can occur if the CDR is generated before a value for the clock is received from the
Supervisor Engine on a CSG2 Traffic Processor.
Since a clock value is usually received from the Supervisor Engine module shortly after bootup, the
probability of this problem occurring is very small. Furthermore, deployment of CSG2s in a
redundant configuration greatly reduces the probability of this problem occurring, because the
redundant CSG2s receive a clock from the Supervisor Engine module before becoming active (and
even before HSRP negotiation has completed).
Workaround: None. However, deployments with redundant CSG2 configurations should have a
very, very small probability of experiencing this problem.
•
CSCsm60821—CSG2: CDRs are generated on policy without accounting
The CSG2 might generate CDRs even when it is configured not to by disabling accounting under
the CSG2 policy.
Workaround: For contents with a single policy configured, remove the policy.
CSG2 Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD4.
•
CSCsl37424—New CSG2 card does not have IP connectivity to SUP
When a new CSG2 card is installed and configured, the IP connectivity from the CSG2 to the
Supervisor Engine on the configured VLANs might not be established until after a reload of the
CSG2 card. This problem can occur when there is no configuration file available on the Supervisor
Engine for the slot.
Note: The fix for CSCsl37424 is integrated in Cisco IOS Release 12.2(33.00.03)SRC.
•
CSCso35402—CSG2 crashes while processing traffic after a RADIUS Stop
Traffic for a user continues to flow over an existing session after a RADIUS Stop is received by the
CSG2 for that user.
For this problem to occur, the following conditions must all be true:
– The traffic must be received during a very small window after the RADIUS Stop is received and
before the user's associated sessions are cleaned up.
– The CSG2 must be configured to generate postpaid service-level CDRs for the user.
•
CSCso36075—The CSG2 blocks e-mail when the server sends data before the client ACK
Some users cannot retrieve e-mail from some POP or IMAP servers when traffic is going through the
CSG2. When e-mail servers send data before the CSG2 receives an ACK from the client, the CSG2
might drop the server data.
SAMI Software for Cisco IOS Release 12.4(11)MD4 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD4.
•
CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a
0-byte file
From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or
can cause the processor to reload. For example, the following command might result in a 0-byte file:
Router-3> sh tech | redirect rcp://127.0.0.81/shtech
Workaround: Do not use the redirect feature when using rcp to the Supervisor Engine.
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
•
CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown
The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any
values from the SAMI processor.
Workaround: None.
•
CSCsk26489—Corrupted NV config area can cause crash
When the maximum number of boot retries for the daughter cards is exceeded, and processor 0 is in
safe mode for debugging, processors 3-8 might reload or become unreachable.
Workaround: Log in to processor 0 from the Supervisor Engine, erase the PPC bootflash for all
PPCs, and reload the card.
SAMI Software for Cisco IOS Release 12.4(11)MD4 - Closed Caveats
There are no Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release
12.4(11)MD4.
Caveats for Cisco IOS Release 12.4(11)MD3
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI
software for Cisco IOS Release 12.4(11)MD3.
•
CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
•
CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
•
SAMI Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD3.
•
CSCsj16263—New connections denied during high traffic spike
Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to
flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on
one or more of the CSG2 processors. Load management might show denied sessions.
For this problem to occur, the following conditions must all be true:
– There must be very high rates of transactions or session establishment (greater than the
specified rates).
– There must be a rapid change in traffic conditions from low to a rate exceeding the specified
capacity.
Workaround: Do not exceed the transaction rate capacity of the CSG2.
•
CSCsj33130—The CSG2 cannot boot up with a very large configuration
With configurations that include very large numbers of inservice contents that refer to policies with
URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This
can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not
occur if the contents are not inservice when the CSG2 is rebooted.
Workaround: Make sure the contents are not inservice before rebooting the CSG2, then bring the
contents inservice after the reboot is complete.
•
CSCsl37424—New CSG2 card does not have IP connectivity to SUP
When a new CSG2 card is installed and configured, the IP connectivity from the CSG2 to the
Supervisor Engine on the configured VLANs might not be established until after a reload of the
CSG2 card. This problem can occur when there is no configuration file available on the Supervisor
Engine for the slot.
Workaround: Reload the CSG2 card, or make sure that a file with the name
bootflash:SLOTslotSAMIC3.cfg exists on the Supervisor Engine prior to bringing up the SAMI.
•
CSCsl57813—CSG2: Some show commands do not honor term length break sequence
When entering CSG2 show commands that collect and display information from all of the CPUs in
the CSG2, the output might not break or pause as expected based on the term length configuration.
If that happens, long output can scroll off-screen unexpectedly.
This problem does not occur for information gathered from the CP, whether in a distributed
command or otherwise.
Workaround: None.
•
CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic
The CSG2 might crash if the report format is changed from variable to fixed while running HTTP
or RTSP traffic.
Workaround: Configure the HTTP and RTSP contents out of service and verify that there are no
HTTP or RTSP sessions. Change the report format back to variable. Configure the HTTP and RTSP
contents inservice.
•
CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration
If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a
transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.
If the user runs out of quota during a transaction, the transaction is not terminated with aborts to
both the client and server, regardless of whether WAP redirect is configured.
Workaround: None.
•
CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time
If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the
Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year
2002.
This problem can occur if the CDR is generated before a value for the clock is received from the
Supervisor Engine on a CSG2 Traffic Processor.
Since a clock value is usually received from the Supervisor Engine module shortly after bootup, the
probability of this problem occurring is very small. Furthermore, deployment of CSG2s in a
redundant configuration greatly reduces the probability of this problem occurring, because the
redundant CSG2s receive a clock from the Supervisor Engine module before becoming active (and
even before HSRP negotiation has completed).
Workaround: None. However, deployments with redundant CSG2 configurations should have a
very, very small probability of experiencing this problem.
CSG2 Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(11)MD3.
•
CSCsk02966—KSvc Passthrough fastblk pool in-use column displays huge number
In the output for the show fastblk command, the fastblk pool associated with KSvc Passthrough
displays a large value for the number in use, larger than the total pool size and the maximum
recorded pool size.
For this problem to occur, the following conditions must all be true:
– The configuration must have passthrough configured under a service.
– A quota server must be available and must be able to grant a user an initial set of quota.
– The quota server must then become unavailable.
– This must occur for several users.
•
CSCsk10724—PPC crashes when handling 449kpps over GRE tunnel
At very high packet rates, the SAMI PowerPC processor (PPC) might reload unexpectedly. This
condition is not restricted to GRE configurations, but is much less common in other configurations.
•
CSCsk23363—CSG-4-UNEXPECTED: Error: CSG2 Startup Failed - NTP clock not in sync
When the CSG2 first starts, the TP and CP clocks might be out-of-sync by 1 or 2 seconds. It might
take up to 5 minutes for the clocks to become fully synchronized. This is a timing-related issue,
resulting from an NTP clock synchronization problem, that occurs only infrequently.
•
CSCsk40803—CSG2: I/O Memory depleted when excessive RADIUS messages are received
If the CSG2 receives a large number of RADIUS messages when under high traffic load, the CSG2
might deplete all of its I/O memory. If this occurs, the following messages are generated:
SAMI 2/3: Aug 23 00:04:41.543: %SYS-2-MALLOCFAIL: Memory allocation of 780
bytes failed from 0x40DE4050, alignment 32
Pool: I/O Free: 2400 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= “Pool Manager”, ipl= 0, pid= 5, -Traceback= 0x4020FFD0 0x40CFFCD8
0x40D04BB4 0x40DE4054 0x40D2CB7C 0x40D2CDD4 0x40E46CD0 0x40E4A25C
•
CSCsk49823—CSG2 MD1 image resources depleted with continuous SNMP requests
If a quota server, PSD, user database, or BMA is configured, and there are continuous simple SNMP
walk requests for the CISCO-CONTENT-SERVICES-MIB, the CSG2 memory can be depleted to
the point that it stops operating.
•
CSCsk65641—Total Usage in service stop reports negative value
The CSG2 might report a negative value for Total Usage in a Service Stop.
For this problem to occur, all of the following conditions must be met:
– Refund must be configured.
– For a prepaid user, the “Pending Usage” field in the output for the show ip csg accounting users
command must be greater than 2147483647.
•
CSCsm10333—CSG2 R1: Corruption of WAP URL memory pool
If a browser sends a WAP 1 GET/POST request in which the URL spans multiple IP packets, the
WAP URL memory pool might become corrupted. If this occurs, the CSG2 might crash the next time
that part of memory is referenced.
•
CSCsm13094—R2: Crash when enabling service level CDRs with traffic running
With HTTP traffic running and being parsed at Layer 7, if the user configures a service with
service-level CDRs while generating intermediate CDRs, the following spurious memory access
messages are generated:
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-SPURIOUS: Spurious memory access made at
0x44FB67B0 reading 0x24
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-TRACE: -Traceback= 0x44FB67B0
0x44F367D4 0x44F3AC24 0x44F3BD54 0x44F1C4C4 0x44F1CBCC 0x444744FC
0x44474710
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-TRACE: -Traceback= 0x44FB67B0
0x44F3AB90 0x44F3BD54 0x44F1C4C4 0x44F1CBCC 0x444744FC 0x44474710
0x44DF1058
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-TRACE: -Traceback= 0x44FB67B0
0x44F367D4 0x44F3CC88 0x44F1C850 0x44F8F980 0x44EC9120 0x44ECC4C0 0x0
Then the SAMI crashes and reloads.
•
CSCsm15728—CSG2 comes up without IP connectivity due to a temporary unsynchronization of
the NTP at the Supervisor Engine
If the Supervisor Engine NTP status is not synchronized, or if it shows a large dispersion while the
CSG2 is coming up, then NTP packets between the Supervisor Engine and the NTP server are lost.
If that occurs, then the CSG2 does not establish IP connectivity when it boots up. The CSG2 enters
quiescent state after a 10-minute timeout waiting for the clock to synchronize, and the standby CSG2
does not participate in HA. The show ntp status command shows that the CSG2 is not synchronized.
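Added example (not part of the Cisco release notes): a Python triage script that reads collected syslog and points to the caveats in these release notes whose descriptions quote a matching message (CSCsk40803, CSCsm13094, CSCsr25704, CSCsk23363). The rule table, the function names and the last three sample entries are constructed for illustration; a match is a pointer to the caveat to read, not a confirmed diagnosis.

```python
import re

# Cisco IOS syslog header: %FACILITY-SEVERITY-MNEMONIC:
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)
# "SAMI <slot>/<processor>:" prefix, as in the messages quoted in these notes.
SAMI_RE = re.compile(r"SAMI (?P<slot>\d+)/(?P<cpu>\d+):")

# Constructed rule table: (facility, mnemonic, pattern required in the record, caveat).
# The patterns come from the message text quoted in each caveat description.
RULES = [
    # I/O pool exhaustion only; a Processor-pool MALLOCFAIL is a different problem.
    ("SYS", "MALLOCFAIL", r"(?<!Alternate )Pool:\s+I/O", "CSCsk40803"),
    ("ALIGN", "SPURIOUS", r"Spurious memory access", "CSCsm13094"),
    ("CSG", "UNEXPECTED_CRIT", r"Timeout waiting for traffic processors", "CSCsr25704"),
    ("CSG", "UNEXPECTED", r"NTP clock not in sync", "CSCsk23363"),
]


def group_records(lines):
    """Join wrapped continuation lines onto the message that started them."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if MSG_RE.search(line) or not records:
            records.append(line)          # a new %FAC-SEV-MNEMONIC message
        else:
            records[-1] += " " + line     # continuation (Pool:, Traceback, ...)
    return records


def triage(lines):
    """Return (caveat, 'slot/cpu' or None, 'FAC-SEV-MNEMONIC') for each match."""
    hits = []
    for record in group_records(lines):
        m = MSG_RE.search(record)
        if not m:
            continue
        sami = SAMI_RE.search(record[: m.start()])
        where = f"{sami['slot']}/{sami['cpu']}" if sami else None
        tag = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
        for facility, mnemonic, pattern, caveat in RULES:
            if (m["facility"], m["mnemonic"]) == (facility, mnemonic) and re.search(
                pattern, record
            ):
                hits.append((caveat, where, tag))
    return hits


# Sample input: the first three messages are the ones quoted in these notes
# (traceback shortened); the last two messages are constructed negatives.
SAMPLE_LOG = """\
SAMI 2/3: Aug 23 00:04:41.543: %SYS-2-MALLOCFAIL: Memory allocation of 780
bytes failed from 0x40DE4050, alignment 32
Pool: I/O Free: 2400 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-SPURIOUS: Spurious memory access made at
0x44FB67B0 reading 0x24
SAMI 4/4: Jan 9 17:07:06.556: %ALIGN-3-TRACE: -Traceback= 0x44FB67B0
0x44F367D4
%CSG-2-UNEXPECTED_CRIT: Error: Timeout waiting for traffic processors to
initialize. NTP clock is not sync; please correct NTP server issue.
SAMI 5/3: Mar 1 00:00:10.000: %SYS-2-MALLOCFAIL: Memory allocation of 64
bytes failed from 0x0, alignment 0
Pool: Processor Free: 100 Cause: Not enough free memory
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
""".splitlines()

if __name__ == "__main__":
    for caveat, where, tag in triage(SAMPLE_LOG):
        print(f"{tag:24} SAMI {where or '-':5} see {caveat}")
```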
SAMI Software for Cisco IOS Release 12.4(11)MD3 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco
IOS Release 12.4(11)MD3.
•
CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a
0-byte file
From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or
can cause the processor to reload. For example, the following command might result in a 0-byte file:
Router-3> sh tech | redirect rcp://127.0.0.81/shtech
Workaround: Do not use the redirect feature when using rcp to the Supervisor Engine.
•
CSCsj09391—No error messages on the CP when IXP runs out of destination filters
When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be
effective even though it is accepted, and no error message is issued when the IP address is
configured.
To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics
command after applying an IP address. If the Out of filter elements counter is not zero, and if it
increments as a result of configuring the IP address, then the Network Processor destination filter
limit has been reached.
Workaround: None.
• CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown
The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any
values from the SAMI processor.
Workaround: None.
• CSCsk26489—Corrupted NV config area can cause crash
When the maximum number of boot retries for the daughter cards is exceeded, and processor 0 is in
safe mode for debugging, processors 3-8 might reload or become unreachable.
Workaround: Log in to processor 0 from the Supervisor Engine, erase the PPC bootflash for all
PPCs, and reload the card.
SAMI Software for Cisco IOS Release 12.4(11)MD3 - Closed Caveats
There are no Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release
12.4(11)MD3.
Documentation and Technical Assistance
This section contains the following information:
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Related Documentation
Use these release notes with these documents:
• CSG2 Documentation
• Release-Specific Documents
• Platform-Specific Documents
• Cisco IOS Software Documentation Set
CSG2 Documentation
For more detailed installation and configuration information, see the following publication:
• Cisco Content Services Gateway - 2nd Generation Release 1 Installation and Configuration Guide
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.4 and are located at Cisco.com:
• Cisco IOS Release 12.4 Mainline Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Release Notes
• Cisco IOS Release 12.4 T Release Notes
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 T > Release Notes
Note: If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for
any release. You can reach Bug Navigator II on Cisco.com at http://www.cisco.com/support/bugtools.
• Product bulletins, field notices, and other release-specific documents on Cisco.com at:
Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline
Platform-Specific Documents
These documents are available for the Cisco 7600 series router platform on Cisco.com and the
Documentation CD-ROM:
• Cisco Service and Application Module for IP User Guide
• Cisco 7600 series routers documentation:
– Cisco 7600 Series Cisco IOS Software Configuration Guide
– Cisco 7600 Series Cisco IOS Command Reference
– Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS
command references, and several other supporting documents that are shipped with your order in
electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a
corresponding command reference guide. Chapters in a configuration guide describe protocols,
configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration
examples. Chapters in a command reference guide list command syntax information. Use each
configuration guide with its corresponding command reference. The Cisco IOS documentation modules
are available on Cisco.com at:
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline >
Command References
• Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline >
Command References > Configuration Guides
Note: To view a list of MIBs supported by Cisco, by product, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Copyright © 2010 Cisco Systems, Inc. All rights reserved.