Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12S
This chapter provides information about the caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12S. Caveats describe unexpected behavior.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.4S
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.4S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search.
ASRNAT: PPTP ALG: Incorrect UNNAT of Peer-Call-ID in Outgoing-Call-Reply
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.3S
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.3S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.2S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.2S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.2S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.2S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.2S
All open bugs for this release are available in the Cisco Bug Search Tool through the Open Bug Search.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.1S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.1S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.1S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.1S
Symptom: ESP80 may crash when tearing down PPP sessions on LNS at scale.
Conditions: Tearing down PPP sessions on LNS.
Workaround: There is no workaround.
Symptom: ASR 1000 ESP card crash, fman_fp_image core file and cpp-mcplo-ucode core file were generated.
Conditions: The crash was seen when the mpls flow monitor FLOW output command was issued on an interface with some traffic.
Workaround: Configure manually the following monitor/record for MPLS traffic (the native netflow ipv4 original-output doesn't include any MPLS field):
Symptom: ESP reloads after reporting one or both of the following interrupts:
– CGI_CSR32_CGI_OTHER_LEAF_INT__INT_YIC_M40_TIMEOUT
– PIT_CSR32_PIT_HPI_MISC_LEAF_INT__INT_HPI_ISN_INVALID_ADDRESS_INT
A ucode core file may or may not be created when this event occurs.
Conditions: Only applies to ESP100, ESP200 and ASR1002-X.
Workaround: There is no workaround. The issue is fixed in the following releases: 15.2(4)S6 / XE3.7.6S, 15.3(3)S4 / XE3.10.4S, 15.4(1)S3 / XE3.11.3S, 15.4(2)S / XE3.12.0S, 15.4(3)S / XE3.13.0S.
Symptom: Intermittent connectivity loss between hosts at different OTV sites. Pinging from one host to the other more than 8 times restores connectivity for about 8-10 minutes. The Packet captures show ARP request broadcasts from a host at one site not being received by the host at the other site for about 7-8s, and then suddenly starting to work. This problem has a tendency to get worse over time, with more and more hosts being affected over the course of a week or two until connectivity between sites is essentially gone.
Conditions: ASR1K running 15.4 or 15.3 code, possibly earlier code, with OTV configured.
Workaround: There is no workaround on the ASR 1000 platform so far. Statically configuring ARP entries on the hosts will work.
Symptom: Ucode crash occurs with UWS-WAN_XE311 profile.
Conditions: While verifying NAT64 with traffic on.
Workaround: There is no workaround.
Symptom: An ESP crash may occur after removing an MFR interface soon after it was created.
Conditions: This behavior may be seen on IOS-XE platforms running software versions that support MFR. It may be dependent on the timing of the configuration and removal of the interface. The crash only affects the ESP card.
Workaround: It may be possible to avoid the crash by waiting a few seconds after creating an MFR interface before removing it.
Symptom: A Cisco ASR 1000 Series router configured as an IPSec endpoint may fail to reassemble fragmented ESP packets. During this failure state, the router will also log %ATTN-3-SYNC_TIMEOUT errors.
Conditions: This symptom occurs when a UDP packet of a specific size is received on the clear side of the device.
Workaround: Use software crypto for large packets received on the clear side by configuring post-frag encryption - crypto ipsec fragmentation after-encryption. This will prevent the device from getting into the ATTN_SYNC state.
Symptom: The show ip nat translation filter range [inside | outside] [local|glocal] start-ip end-ip command does not filter the output as per the range specified.
Conditions: This symptom occurs on Cisco ASR 1000 Series router.
Workaround: There is no workaround.
Symptom: There are compatibility issues between certain IOS-XE versions and SM-ES3X. With some combinations of SM-ES3X firmware and some releases of IOS-XE (the unsupported combinations), the SM-ES3X will not boot.
The error "SPA-3-MSG_PARSE_FAILURE:iomd: Failed to parse incoming message from SM-ES3X-24-P slot 2 subslot 0 board 0. The module software may require an update" is displayed on the IOS-XE console, and the SM-ES3X goes into the out of service state, as shown in the output of the show platform command.
Conditions: Some versions of SM-ES3X modules are incompatible with some earlier versions of IOS-XE. SM-ES3X version EJ1 is only compatible with the following major release versions of IOS-XE, or later: 15.3(3)S4 (XE 3.10.4), 15.4(1)S3 (XE 3.11.3), and 15.4(2)S (XE3.12.1).
Workaround: Ensure that a compatible combination of SM-ES3X and IOS-XE images is used. Upgrade or downgrade one or the other to get to a compatible pair.
Symptom: ESP100 crashes while running IPoE subscriber traffic class features.
Conditions: IPoE subscriber traffic class features are configured on Cisco ASR 1000 Series Router platform with ESP100 board.
Workaround: There is no workaround.
Symptom: One-way audio on some outgoing calls to PSTN across CUBE-SP. This is seen for call flow scenarios involving forking and with multiple call legs for the same call going through the SBC.
Conditions: Cisco ASR 1000 Series Router configured as CUBE SP SBC running IOS XE 3.10.1.
Workaround: There is no workaround.
Symptom: When packets are sent to crypto, a txnpMaxMtuExceeded message is seen.
Conditions: This symptom occurs only on Cisco ASR 1002x, ASR1000-ESP100, and ASR1000-ESP200 routers.
Workaround: There is no workaround.
Conditions: On changing pap limit from 30 to 60 with traffic on.
Workaround: There is no workaround.
Symptom: ASR router crashes with IOSd punting packet to port-channel with ERSPAN configured on the router.
Conditions: Port-channel and ERSPAN configured on the router.
Workaround: There is no workaround.
Symptom: A cpp-ucode crash is encountered.
Conditions: Using packet-trace to trace packets in a feature environment where packets are replicated using egress conditions: debug platform packet-trace enable, debug platform packet-trace packet 16 fia-trace, debug platform condition egress, debug platform condition start.
Workaround: Do not use fia-trace.
Symptom: ROMMON get_mac_addr and IOSXE IDPROM access fail on booting standby RP2.
Conditions: External USB thumb drive used on RP2.
Workaround: Remove external USB thumb drive on RP2.
Symptom: Incomplete kernel core file with filename ending in TEMP_IN_PROGRESS.
Conditions: Active RP kernel core dump in dual RP2 systems.
Workaround: There is no workaround.
Symptom: Traffic that needs to be sent between AppNav-controllers is lost. Received inter-appnav-controller packets are assigned to the shutdown tunnel interface. As a result, no flows are synchronized between this appnav-controller and the other appnav-controllers in the same appnav-controller-group. Asymmetrically routed packets also fail because the flow is missing and cannot be queried from the other appnav-controller.
Conditions: A shutdown tunnel interface is configured with a tunnel source equal to the local appnav-controller IP and a tunnel destination equal to the IP of another appnav-controller in the appnav-controller-group (i.e. another ASR router). To detect this problem, check the following counter, which goes up for every dropped packet: show platform hardware qfp active statistics drop | i Disabled. Alternatively, you can use the packet-trace feature on 3.10.2 and above to check whether the dropped reply is being sent to the shutdown tunnel interface.
Workaround: Remove the shutdown tunnel from configuration or un-shutdown it.
Symptom: A router crashes while making changes to an AppNav policy map or a class map.
Conditions: This symptom occurs under the following conditions:
– Multiple AppNav controllers are used.
– Sessions are created and can be seen using show service-insertion statistics sessions command.
– The AppNav policy map or class map is modified while live traffic is redirected by AppNav.
– Policy map or class map change results in a mismatch between AppNav controllers.
Workaround: When using AppNav Controller Group with multiple ACs, avoid changing the policy map or class map when there are active sessions present (use show service-insertion statistics sessions command).
Symptom: ESP fails to initialize and reboots. The following message will be seen on the IOS console:
Here is an example: 01/01 16:22:35.120 [cpp-drv]: (ERR): COMP0053/dui/A41C: QFP0.0 - unable to turn on termination for DUI0. This is an intermittent failure, so the ESP will likely initialize successfully on the 2nd or 3rd attempt. This is an initialization issue, and once initialization completes successfully there are no further problems related to this condition.
Conditions: Only ASR1002-x, ESP100 and ESP200 are affected. Router configuration or traffic pattern do not affect this problem. The software is fixed in XE3.7.6S, XE3.10.4S, XE3.11.2S, XE3.12.0S and later releases.
Workaround: There is no workaround.
Symptom: PPTP sessions do not come up.
Conditions: Static translation for port 1723 for the inside server, and PAT for the data sessions.
Workaround: Use 1 to 1 mapping.
Symptom: An ESP crash is seen with IPv6 ping to or from an interface configured with IPSec and FNF.
Conditions: The crash is seen when the size of the IPv6 ping is greater than the interface IPv6 MTU.
Workaround: There is no known workaround. However, this is not a common scenario for IPv6 as fragmentation is always handled by the sending host/application.
Symptom: Kingpin crashes @ cmcc_2kp_cli_show_plim_status_cb.
Conditions: Kingpin crashes while issuing the show plat hard slot 0 plim status int command.
Workaround: There is no workaround.
Symptom: L2 frame checks failure when payload length increases with LDAP algorithm
Conditions: Steps: Translate SIP address into longer address length.
Workaround: There is no workaround.
Symptom: A CPP crash triggered by NBAR may occur on Cisco ASR 1000 Series routers, Cisco 4000 Series ISR routers, and Cisco CSR 1000V routers.
Conditions: This symptom may occur under rare conditions of traffic mixture and rate when NBAR and NAT are both enabled.
Workaround: There is no workaround.
Symptom: PPP subscribers cannot be terminated on the ASR1K because the object is locked.
Conditions: The following counters are seen:
EVSI Delete Errors: Out-of-Order 0, No dpidb 0, Underrun 0, VAI Recycle Timeouts 90215 =======> large number of VAI recycle timeouts
EVSI wrong dpidb type errors 0
EVSI Async Events: Total 92754, HW error 88050 =======> large number of HW errors as well
Workaround: Remove QOS of the PPP.
Symptom: ASR that runs 15.2(4)S4 encounters ESP crash due to corrupted H323 packet.
Conditions: ASR that runs 15.2(4)S4 encounters ESP crash due to corrupted H323 packet.
Workaround: If the customer does not need the h.323 algorithm, a workaround is to disable it using the no ip nat service h225 command.
Symptom: Some SIP packets drop with B2B, CGN, and BPA setup.
Conditions: Some SIP packets drop with B2B, CGN, and BPA setup.
Symptom: Traffic not flowing on a queue following QoS reconfiguration or new interface creation. Also possible inability to change QoS configuration on any interface or create new interfaces/sessions following occurrence of this condition.
Conditions: Queue was previously being over subscribed when it was deleted leaving it in a flowed off congested state such that it would never drain. This issue affects ASR1K using ESP100 or ESP200, ASR1002X, and ASR1001X platforms only (i.e. ASR1K using ESP5/10/20/40 are unaffected by this issue/change).
Workaround: There is no workaround.
Symptom: ACLs applied to the mgmte do not work on the new active RP after a RP switch over.
Conditions: After a RP switch over as the old standby RP becomes the new active RP.
Workaround: Remove then reapply the ACLs to the mgmte on the new active RP.
Symptom: The saved ACLs applied to the mgmte from startup-config may not work after the system reload.
Conditions: After system reload.
Workaround: Remove and then reapply the ACLs to the mgmte after system reload.
Symptom: The CP process crashes while collapsing a hierarchy layer node that had once exceeded 4000 entries. The collapse occurs when the number of entries fall below 4000.
Conditions: This problem occurs while collapsing a node that had once exceeded 400 entries. The problem is specific to MLPPP, MFR and GEC aggregate because these features require notification when a schedule ID changes. The schedule ID changes when a scheduling node is reconstructed. The issue is hit when the operation involves both the flushing and SID notification.
Workaround: There is no workaround.
Symptom: A Cisco ASR 1002x router crashes.
Conditions: This symptom occurs during duty cycle testing with a lot of negative events in the DMVPN setup.
Workaround: There is no workaround.
Symptom: A Cisco ASR 1002-X router might crash and reload writing a core file in the process.
Conditions: This symptom occurs with a Cisco ASR1002-X router running NAT with ALG traffic.
Workaround: There is no workaround.
Conditions: The device has NAT and WCCP configured. It looks like WCCP fails to set up the output interface correctly. This leads to NAT accessing a bad location in memory, which causes a crash. The exact conditions are still being analyzed.
Workaround: There is no workaround.
Symptom: A Cisco ASR1002X production router acting as a WAN-Aggregator reloads unexpectedly after pushing the AVC configuration from Cisco Prime infrastructure through an SSH session. The configuration push was successful onto the box, and the flow statistics were exported to the PI. However, after 30 minutes, the router reloaded with a "CPP mcplo_ucode" crash and a "fman_fp" crash. The box is configured with IKEv2 DMVPN and basic NAT, along with BGP and EIGRP. Four static NHRP tunnels from different branch locations terminated onto this box. All traffic from the branches were encrypted, decrypted on this router and NAT was applied to the decrypted traffic before sending it out of the port-channel interface towards the production network.
Conditions: This symptom is observed on a Cisco ASR 1002X router running CCO IOS-XE version 3.10.1. The crash has occurred only once. Currently AVC configurations have been backed out and the router is stable. This affects the AVC deployment on the network seriously.
Workaround: There is no workaround.
Symptom: In an INTRA-box redundancy configuration, the STANDBY FP and ACTIVE FP may not be syncing data plane HA records robustly. The easiest way for the customer to recognize if this is happening is by examining the output of the show platform hardware qfp active system intra and the show platform hardware qfp standby system intra commands. If the output shows the counters "rx dropped" and/or "retx" continuously incrementing, then this problem may have been encountered.
Conditions: DUAL FP systems with stateful HA features such as NAT configured.
Workaround: There is no workaround.
Symptom: ASR1006/15.4(1)S crashed while adding port and host specific deny statements on specific lines for the WCCP-Redirect ACL.
Conditions: Adding port and host specific deny statements on specific lines for the WCCP-Redirect ACL.
Workaround: There is no workaround.
Symptom: After sub package ISSU operation is performed, ELC does not come up and the following error messages are seen:
Conditions: Issue is seen specific to ASR1000 Ethernet Line Cards (ELC): ASR1000-2T 20X1GE and ASR1000-6TGE line cards, and sub package upgrade. Issue is seen across all releases that support ELC.
Workaround: Consolidated upgrade can be performed.
Symptom: fman_rp process crashes. RP card is reloaded.
Conditions: When routing loop occurs in network and causes massive routing information update, an internal logic error may be triggered.
Workaround: Avoid routing loop.
Symptom: Crash in cpp_cp_svr when executing the show platform packet-trace packet all command.
Conditions: Crash can only occur when executing the show platform packet-trace packet all command.
Workaround: Display a single packet at a time using the show platform packet-trace packet num command instead of using all.
Symptom: The following features are configured as part of IWAN performance testing for the UTAH platform: AVC, PFR, QoS, AppNav, WAAS, DMVPN, and Crypto. DMVPN and MPLS tunnels are up, and performance monitor, WAAS and crypto are enabled for these tunnels. The router crashes with the traffic profile.
Conditions: The traffic profile includes voice, http, and media traffic. A crash is seen as soon as the traffic is initialized at less than 15% of load.
Workaround: There is no workaround.
Symptom: Ping fails with tunnel protection applied.
Conditions: Tunnel protection applied on GRE tunnel interface, using IKEv1 to negotiate IPsec SAs and remote node (IKEv1 responder) behind NAT.
Workaround: The users can switch to IKEv2.
Symptom: A customer on the active box would only like to use the no activate command for the single delegate registration entry below:
subscriber sip: 999999@site.com sip-contact sip: 001999999999@10.0.0.1 adjacency CUCM-llab delegate-registration sip:test.site.com adjacency PSTN-lab-SIP-CONNECT-test-lab profile SIP-CONNECT_TIMERS activate
Conditions: Sessions are deactivated and the stand-by router crashes.
Workaround: The no activate command must be executed at the delegate-registration sub section. This will prevent the deactivation of the sessions.
Symptom: SNMP Query on the object dot3StatsDuplexStatus is shown as unknown.
Conditions: While testing Ether-Like MIB for ASR1000-6TGE.
Workaround: There is no workaround.
Symptom: One-way audio incoming calls are redirected through CVP.
Initially, the caller is connected to IP-IVR, and both the ingress and egress legs of the CUBE are doing G711. The call is connected to the IP-IVR, then CVP sends a refer to the VXML GW for playing prompts and ringback tone. When the call is transferred to the agent, CUBE negotiated G729 at the sip level with the CVP but, because of the mid-call signaling block on the ingress side, continued with G711. Hence, xcoder is invoked on the CUBE to handle G729 to G711 and vice versa, but CUBE is still sending G711 media to the agent phone side while the agent phone is sending G729 media to the CUBE.
Workaround: There is no workaround.
Symptom: A NetFlow cache entry is not created for IPv6 flows, and the entries for IPv4 flows are not accurate. For IPv4 entries, the BGP next hop is not updated and is set to 0.0.0.0.
Conditions: Upon Execution of RP switchover.
Workaround: After RP switch-over, remove BGP configuration from Core router ("P"), and configure it back. Upon BGP update on PE router, the BGP-NH will appear in FNF records.
Symptom: ASR crashes with no known trigger in CCSIP_SPI_CONTROL process.
Conditions: It is an error scenario where crash occurs when router is not able to send ACK for 200 OK where branch parameters differ.
Workaround: There is no workaround.
Symptom: Signal quality on 10G ports using SFP-10G-LR and SFP-10G-ZR is poor. Some packets are lost as CRC errors at 10G full bandwidth traffic test.
Conditions: This is seen on 1RU-VE built-in 10G ports with software version 15.4(02)S.
Workaround: There is no workaround, except to upgrade the software.
Symptom: CRC receive side errors have appeared on a variety of P4/P5 Nightster units utilizing both SR and LR optics during traffic flow tests. Not all units are experiencing the issue at present. Approximately 10% of traffic is lost due to this issue at full 10G bandwidth traffic.
Conditions: This issue is seen on release 1RU-VE routers built-in 10G port running on software version 15.4(02)S.
Workaround: There is no workaround except to upgrade the software.
Symptom: Copper SFP (SFP-GE-T) interface in subslot 0/0 of Nightster does not come up with 10/100 mbps forced speed.
Conditions: The copper sfp (SFP-GE-T) interface hit this condition after router power cycle is issued.
Workaround: There is no workaround.
Symptom: Traceback and log error is noticed.
Conditions: While initiating H323 call with the SBC feature.
Workaround: There is no workaround.
Symptom: ATOM port-mode xconnect is up, but all traffic under the l2 vc is dropped and statistics shown under show mpls l2 vc detail command are zero.
Conditions: On reloading the router multiple times continuously with traffic on port-mode ATOM vc, at times the VC does not come up. This issue is seen only on the SPA SPA-2CHT3-CE-ATM.
Workaround: Shut/no shut of the controller on which the port-mode ATOM vc is created.
Symptom: When configured as virtual tunnel end point (VTEP), the Router stops processing any data. It even fails to establish the OSPF neighbor relationship post the reload.
Conditions: When configured as VTEP, traffic stops on all ports of the Ethernet Line Card after some time. The problem also happens with packets going out of the ELC ports that have a multicast MAC address as the destination MAC in the Ethernet header. The problem occurs only with ASR1000-6TGE/ASR1000-2T 20X1GE if any of the 1G/10G ports have egress multicast MAC traffic.
Workaround: Reload the Line card and stop egress Multicast MAC traffic.
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.1S
Symptom: In EFP xconnect setup, if local access EFP is default encap, local EFP state change from up to down will trigger remote CE interface down. This is the remote host shutdown feature.
Conditions: Occurs under the following conditions:
– Xconnect configured under EFP
– EFP is default encapsulation type
Workaround: There is no workaround.
Symptom: Broadcast Packets are dropped after adding EVC config to ASR 1002 Router. The issue happened on and before Release 3.09.02. The issue doesn't happen on and after Release 03.10.00. After adding evc config, broadcast packets are dropped, L2BDReplicationStart is counted, and replication tree information disappears.
Conditions: On and before 03.09.02.
Workaround: Execute the no shutdown command under the service instance before the configuration change.
Symptom: The TCAM resource is not released after 32k EFP is configured and deleted on the ASR 1001 Router.
Conditions: With a configuration running a 3.13 image, configure 32k EFP, check the TCAM resource on the ASR 1K, and delete the EFP. Then check the TCAM on the ASR 1K again; the resource has not been released.
Workaround: Reload the router or FP.
Symptom: ESP crashed when sending IPv6 fragmented traffic through a dmvpn hub (mgre tunnel).
Conditions: This happens when sending traffic with big IPv6 packets (which need IPv6 fragmentation after the tunnel header is added) through a dmvpn hub (mgre tunnel), with a large amount of IPv6 fragment traffic (for example, 5G on ESP20) that exceeds the reassembly performance number (less than 2G).
Workaround: Change MTU to avoid IPv6 fragmentation.
Symptom: BFD failing on RSP Failover on ASR1K with scale configuration.
Workaround: There is no workaround.
Symptom: Crashes on ASR 1000 Router.
Conditions: Memory allocation is failed.
Workaround: There is no workaround.
Symptom: High RP and ESP utilization and generation of many large (~ 1 MB) logging files with names of the form "cpp_cp_F*".
Conditions: IPv4 multicast packets received on interfaces configured for IP subscriber sessions.
Workaround: There is no workaround.
Symptom: In the LISP getVpn solution test, when the getvpn profile is applied to a physical interface in the data path flow (such as the interface between GM1 and the core), the traffic gets dropped with the qfp error "IpsecIkeIndicate"/"OUT_V4_PKT_HIT_IKE_START_SP". When the getvpn profile is applied to the LISP0 interface, the encrypted traffic flows in the LISP setup properly.
Conditions: getvpn profile is applied to the physical interface instead of lisp interface.
Workaround: Apply getvpn profile in the LISP interface.
Symptom: On an ASR1006 system acting as the DMVPN hub, with 2K IPv4 tunnels over IPv6 transport, the ESP crashes when clear crypto session is executed twice on the hub and spoke.
Conditions: On an ASR1006 system acting as the DMVPN hub, with 2K IPv4 tunnels over IPv6 transport, the ESP crashes when clear crypto session is executed twice on the hub and spoke.
Workaround: There is no workaround.
Symptom: ESP crashes at imgr_pktc_cmdsmapcreate_impl.
Conditions: Multiple RP switchovers with 10K flexvpn sessions with traffic.
Workaround: There is no workaround.
Symptom: The DPSS session is not cleared from the router when the dpss application ends gracefully. The session gets cleared automatically after approximately 3 minutes. During this time, an application with the same application name cannot reconnect.
Conditions: Provide the conditions.
Workaround: Run the following command on the router to clear the session immediately: one stop session all. Alternatively, wait for the session to be cleaned up automatically, or terminate the application ungracefully (ctrl + c).
Symptom: FP crash after the IOS-XE upgrade to 3.11.0S.
Conditions: ASR 1K router running 3.11.0S.
Workaround: There is no workaround.
Symptom: ASR1000 may crash unexpectedly.
Conditions: The crash is due to Flexible Net flow aging timers.
Workaround: There is no workaround.
Symptom: ASR1002 running asr1000rp1-adventerprisek9.03.04.06.S.151-3.S6.bin crashes at crypto ipsec update peer path mtu.
Workaround: There is no workaround.
Symptom: ASR1k crashes in SIP code.
Workaround: There is no workaround.
Symptom: When using the Anyconnect autoreconnect feature on the ASR platform, configurations dynamically applied to the virtual-access interface might be lost over the reconnection.
Example, the interface after initial connection establishment would have a QOS service policy applied:
Conditions: This has been observed with configurations being applied from the user AAA profile over Radius authentication. Affected parameters observed are QOS service policies and access-group.
Workaround: Do not use the reconnect feature or apply those configurations directly to the Virtual-Template (if this is an option).
Symptom: Config-sync failure is seen when unconfiguring the crypto gdoi group.
Workaround: There is no workaround.
Conditions: MSRPC regression test (mcp_alg_msrpc.tcl) is run
Workaround: There is no workaround.
Symptom: ASR1K crashes when pinging end-to-end over OTV with a frame size greater than (MTU-42) bytes.
Conditions: This has been seen on two ASR1002-X's running IOS-XE 03.10.01.S. Crash was seen when passing large packets across an OTV topology.
Workaround: Limit oversize packets across overlay topology.
Symptom: FTP signaling goes through fine across the ASR in the broken state, but the FTP data session (for both active and passive) does not get established.
Conditions: An ASR running any of the recent IOS XE code after 3.7.3 with CGN shows this problem after normal operations for about every 2-5 hours.
Workaround: Either clear all the NAT translations (clear ip nat trans *) or reload the ESP. The issue is not seen on IOS versions up to and including XE 3.7.3.
Symptom: When doing an ISSU super-pkg/sub-pkg upgrade/downgrade between XE3.12.0 CCO and the latest XE3.12.1 throttle image with Broadband features, the Stdby RP fails to come online within the expected time (around 10 mins) and takes ~18 mins to come to the STANDBY HOT state. The process CCM RP(82) is stuck for about 8 mins.
Conditions: The fix for DDTS CSCuo84195 ("ISSU xe310<>xe311: STBY-RP stuck in process @CCM RF(82) after loadversion") is causing this DDTS.
The DDTS CSCuo84195 issue was introduced in XE3.11.0, but was only identified and fixed recently. Without this DDTS there will be an ISSU issue between XE310 <-> XE311 (or XE312 or XE313)+ images.
After the fix, the following versions are compatible: XE3.10.3 <-> XE3.11.2 <-> 3.12.1 <-> 3.13
Since we cannot commit to the already existing labels of XE3.11.0, XE3.11.1 and XE3.12.0, these will be known breakages, and ISSU between these images and any later image will fail.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.aS
This section contains the following topic:
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.aS
This section documents the open issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.aS:
Symptom: The CLI is currently not supported. The mapping option is not available if the user types a ? after the buffer keyword, as shown in the example below:
Router# show platform hardware slot 0 plim buffer ?
Router# show platform hardware subslot 0/0 plim buffer ?
Router# show platform hardware port 0/0/0 plim buffer ?
The following list of CLIs will point the user to the show platform hardware port 0/0/0 plim buffer ? command:
– show platform hardware slot 0 plim qos input bandwidth
– show platform hardware subslot <slot/card> plim qos input bandwidth
– show platform hardware subslot <slot/card> plim qos input map counters
– show platform hardware port <slot/card/port> plim qos input map counters
– show platform hardware port <slot/card/port> plim qos input bandwidth
– show platform hardware interface <interfacename> plim qos input map counters
– show platform hardware interface <interfacename> plim qos input bandwidth
Conditions: An error would occur if the user tries to execute the CLI as below:
Router# show platform hardware slot 0 plim buffer mapping
                                                  ^
% Invalid input detected at '^' marker
Workaround: For the built in SPA ports (sub slot 0/0), use the following port mapping for PLIM commands:
Symptom: VLAN error reported on the native GE port independent of port speed, which is connected to a C3750G GE switch.
Conditions: The configuration of the UUT port is default and the switch port is:
switchport access vlan 2
switchport mode dot1q-tunnel
no cdp enable
Workaround: The current workaround is to implement a different GE Switch model in this environment.
Symptom: The router reloads randomly when the CPU utilization is near 100% and flexible Netflow with a sampler is configured.
Conditions: The router reloads randomly when running performance tests at near 100% CPU utilization with Flexible Netflow and 1-out-of-10 sampler. No configuration changes are seen at the time of the crash, only running traffic is seen at various levels and monitoring CPU/memory utilization. The sampler configuration seems to be the trigger, and the crash doesn't happen with plain Flexible Netflow. Also, the crash is only seen with IPv4 traffic. IPv6 traffic does not produce the crash with the same configuration.
Workaround: Use Flexible Netflow without the sampler configured.
Symptom: The ASR 1001-X Router may reload when a very large scale IPv6 ACL/ACE configuration is utilized.
Conditions: Large scale IPv6 ACL config is used: 4000 IPv6 ACL (each ACL has 6 ACE) with total 24000 ACE per system.
Workaround: There is no workaround.
Symptom: COS-based classification of Ethernet packets for the BUILT-IN-2T 6X1GE SPA might not work. If the QIN-ANY entry is configured first, packets hit it rather than the explicitly configured QINQ entry and pick up the classification policy of the QIN-ANY entry.
Conditions: This problem only occurs if the user configures the QINAny entry followed by an explicit QINQ entry. For example:
encap dot1q 50 second-dot1q any
encap dot1q 50 second-dot1q 10
encap dot1q 50 second-dot1q 50
All packets that have the outer VLAN tag 50 will then always hit the hardware entry corresponding to the entry 50-any, which causes the classification policy of 50-any to be applied to entries 50-10 and 50-50 as well.
Workaround: Configure explicit QINQ tagged entries first, followed by the QINAny entry. For example:
<Explicit tags should go first during configuration>
encap dot1q 50 second-dot1q 10
encap dot1q 50 second-dot1q 50
<Make sure to configure the QINAny entry as the last entry>
encap dot1q 50 second-dot1q any
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.S
This section documents the resolved issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12.S.
Symptom: ASR 1000 Router crashed with the following error message:
Conditions: ASR 1000 Router running 03.10.00.S with configured zone based firewall.
Workaround: There is no workaround.
Symptom: An IOS-XE router may reload unexpectedly when zone-based firewall is configured.
Conditions: Zone-based firewall is configured and may be dependent on many active MSRPC sessions.
Workaround: There is no workaround.
Symptom: When a subscriber session is created with ip subscriber interface on a subinterface in the shutdown state, the out packet counters do not increase after the subinterface is brought up. The subscriber does not have IP connectivity, since traffic flows in only one direction.
Conditions: ASR 1K ISG running IOS XE 3.7.4.S (15.2(4).S4), with ip subscriber interface created from a subinterface in the shutdown state.
Workaround: Clearing the subscriber session when the subinterface is up/up will re-establish the session when connectivity is restored.
Symptom: While provisioning an ISG IP Subscriber session, it is possible to leak an ESS segment chunk (IOSXE ESS SEG).
Conditions: The memory leak may occur when there is an error provisioning an ISG IP subscriber session.
Workaround: There is no workaround.
Symptom: Tracebacks are seen while configuring APS parameters on a PoS link.
Conditions: Occurs during normal CLI configurations.
Workaround: There is no workaround.
Symptom: When Subpackage ISSU Upgrade is performed on ASR1002-X router after upgrading the standby RP (R0/1) with new RP subpackages, switchover is forced from the active IOS process to the standby IOS process. During the switchover, new active RP performs configuration Bulk-Sync with the standby RP. During this Bulk Sync operation, the configuration related to the interfaces is not synced to the standby due to Bulk Sync MCL failures.
The following sample error message will be displayed when this error is present:
Conditions: The symptom is observed after redundancy force-switchover step in ISSU upgrade procedure.
Workaround: Perform a standby IOS reload using the hw-module subslot R0/0 reload command.
Symptom: When traffic is flowing through ATM1xOC3, the rate of flow fluctuates very quickly and the counters do not match. The show interface atm0/3/0 | i pack command can be used repeatedly to check the rate.
Conditions: The traffic should be flowing through ATM SPA.
Workaround: There is no workaround.
Symptom: TTB Rx information is not getting updated on one ASR 1000 Router serial interfaces - Bident.
Conditions: Range of framing type.
Workaround: Default the interface and reconfigure it, or OIR the Bident.
Symptom: Incorrect end interface number range as 0 to 6.
Conditions: While trying to configure built-in GigE interfaces with the interface range command.
Workaround: There is no workaround.
Symptom: When configuring the following commands on ASR 1000 platform, you get the errors mentioned below:
– exception memory ignore overflow io frequency 30 maxcount 5
– exception memory ignore overflow processor frequency 30 maxcount 5
Conditions: Hardware and software on ASR1k and all IOS platforms should have non-zero values in the following commands:
– exception memory ignore overflow io frequency 30 maxcount 5
– exception memory ignore overflow processor frequency 30 maxcount 5
Workaround: There is no workaround.
Symptom: %CMRP-3-UDI_AUTH: F0: command: Quack Unique Device Identifier authentication failed, show up on ASR1001 Router.
Conditions: After reloading the box or inserting SFPs.
Workaround: There is no workaround.
Symptom: ATM interface - SPA-1XOC3-ATM-V2 - shows counters frozen when interface is shut down.
Conditions: Running traffic over an ATM (SPA-1XOC3-ATM-V2) interface and then shutting down the interface. The interface counters remain frozen and do not return to zero.
Workaround: There is no workaround.
Conditions: Errors are observed when SPA is reloaded.
Workaround: There is no workaround.
Symptom: The show platform hardware port slot/bay/interface plim statistics command does not work correctly. In case of ingress plim classification, the RX high counters are always shown as zero. This is observed on ASR1002-X Router.
Conditions: Plim ingress classification classifies ingress traffic into two classes, HIGH and LOW priority. Note that this is not about the classification not happening correctly. Traffic is classified correctly; it is just that the 'RX high priority' counters under the show platform hardware port slot/bay/interface plim statistics command are not displayed (always shown as 0).
Workaround: There is no workaround.
Symptom: On an ASR 1000 router with CT3 SPA, Malloc Failures and SPA firmware download failures are seen.
Conditions: SPA should have many channels configured (more than 50% of its maximum capacity) and SPA soft reload is done.
Workaround: There is no workaround.
Symptom: The clear command for punt-policer statistics is not placed logically; it is located under the show platform hardware qfp active infrastructure punt policer command.
Conditions: Attempting to clear statistics of counters depicted using the show platform soft punt-policer command.
Workaround: Use the show platform hardware qfp active infrastructure punt policer clear command.
Symptom: The show platform software memory qfp-control-process qfp active command is not working.
Conditions: Execution of the show command.
Workaround: There is no workaround.
Symptom: Upon installing metro ip services and performing a RP switchover, memory leak is noticed:
Conditions: When this condition occurs perform the following:
1. Install metroIPservices license.
Workaround: There is no workaround.
Symptom: On the ASR1000 platform family, CISCO-ENHANCED-MEMPOOL-MIB & CISCO-MEMORY-POOL-MIB show lsmpi_io pool is available with little free memory. As a result, various SNMP management software applications may generate an error notification.
Conditions: This condition is shown from the moment the router boots up. The lsmpi_io pool is used on the Route Processor of all ASR1000 routers. Unlike other IOS versions, IOSd on the ASR is a process running on IOS XE. IOSd has a single logical interface, which communicates to IOS XE. This interface is called the Linux Shared Memory Punt Interface (LSMPI). When the ASR 1000 Router boots up, the lsmpi_io pool is created and nearly all of the memory is allocated up front by design. Therefore, the little free memory shown in the MIBs is by design and does not indicate an error condition.
Workaround: There is no workaround for the lsmpi_io pool having little free memory. If some other piece of software is generating alarms for this reason, the management software needs to be adjusted.
Symptom: Tunnel interface QoS tail drop counter reported at physical interface. Service policy is applied on the tunnel 5432. Drops are seen on the output of show policy-map tunnel 5432 command. Drops are seen on the physical interface over which the tunnel is built. NO drops are seen on the Tunnel interface. From the output below, OQD is 0 for the tunnel interface.
Conditions: When packets are dropped on a tunnel interface, the output of the show platform hardware qfp act interface all statistics drop_summary command and show interface summary would only show the dropped packets against the physical interface, which made it difficult to determine which tunnel the packets were being dropped on.
Workaround: There is no workaround.
Symptom: QoS on Service instances using COS matching in the child level of a hierarchical policy-map may fail to properly match traffic. Traffic may be classified into an incorrect QoS class.
Conditions: Using COS matching in the child level of a hierarchical QoS policy-map on a service instance.
Workaround: Use a flat policy map, if possible.
Symptom: Tunnel interface QoS tail drop counter reported at physical interface. Service policy is applied on the tunnel 5432. Drops are seen on the output of the show policy-map tunnel 5432 command. Drops are seen on the physical interface over which the tunnel is built. NO drops are seen on the Tunnel interface. From the output below, OQD is 0 for the tunnel interface.
Conditions: When packets are dropped on a tunnel interface, the output of the show platform hardware qfp act interface all statistics drop_summary command and show interface summary would only show the dropped packets against the physical interface, which made it difficult to determine which tunnel the packets were being dropped on.
Workaround: There is no workaround.
Symptom: Byte-based queue-limit does not work correctly when fair-queue is configured.
Conditions: Using fair-queue feature simultaneously. The issue can happen on ASR 1000 Router. The issue is found on 15.3(3)S.
Workaround: Use packet-based queue-limit instead of byte-based queue-limit.
Symptom: When per-tunnel QoS is configured on a DMVPN hub, the ESP memory may become exhausted due to a memory leak. This could cause the ESP to reload.
Conditions: If there are a large number of DMVPN spokes and the spokes flap, then memory on the ESP is allocated and not freed. This could cause memory exhaustion on the ESP and thus cause the ESP to reload.
Workaround: Monitor the ESP memory usage and, if it is getting low, reboot the ESP during a maintenance window. The command show platform software memory qfp-control-process qfp act brief | inc I/F can be used to determine if memory is being consumed due to this issue.
Symptom: Using a performance monitor when the cache size is set to its default value may cause an error during the Cisco In-Service Software Upgrade (ISSU) process. An error in the console log will indicate a failure to update the monitor cache size.
Conditions: Occurs under the following conditions:
– Applicable to all Cisco IOS XE platforms.
– Occurs when running ISSU, which provides transparent router software upgrade or downgrade.
– May occur when doing either one of the following:
  - Upgrading from Cisco IOS XE 3.10 or earlier to IOS XE 3.11 or later version
  - Downgrading from IOS XE 3.11 (or later) to a version earlier than 3.11
Workaround: A preventive workaround and typical use case is to configure the cache size manually rather than using the default. If using the default cache size, use the following workaround to avoid the error:
2. Run the system upgrade or downgrade.
3. Re-attach the service policy.
Symptom: The cache size computed for an Easy Performance Monitor (EZPM) context when running on ESP100 or ESP200 supports 10G rate while it should support 15G.
Conditions: An ASR1K Router with ESP100 or ESP200 installed. Configure EZPM monitor context. Attach the monitor to an interface.
Workaround: The user can override the default value computed by EZPM.
Symptom: When Input MPLS aware FNF is configured (under interface config, mpls flow mon MON_NAME in), FNF may cease to function due to cache entry leak/exhaustion.
Conditions: This can only occur with Input MPLS FNF, and only with certain labels. In particular, it will occur for MPLS labels for which the output of the show plat hard qfp active feature cef-mpls prefix mpls label num command does not have an IPV4 adjacency.
Workaround: There is no workaround other than to realize that this will only happen for MPLS FNF, Input FNF (not Output FNF), and for MPLS labels that do not have the IPV4_ADJACENCY.
Symptom: fman-fp crashes @ fman_fnf_object_walk.
Conditions: Test the avc_serviceability feature with ESP160.
Workaround: There is no workaround.
Symptom: ASR is seen to crash.
Conditions: Occurs under the following conditions:
1. Flow exporter defined with the Management interface GigabitEthernet0 configured as source.
2. An FNF record is configured to collect URL name.
3. FNF monitor using the above record and exporter is configured on an interface with MTU greater than 1500 bytes.
4. A packet with URL greater than 1500 bytes hits the monitor.
Workaround: Do not configure the Management interface as flow exporter source.
Symptom: Issue with Dual Collector FNFV9 in ASR 1002x: only one collector is collecting and the second one is not. Happens when the monitor has two collectors. The monitor is detached from the interface and attached again immediately. Only one of the collectors will continue to work correctly.
Conditions: Under flow-monitor provisioning.
Workaround: Apply each flow monitor with a gap of 5 secs. If the monitor was removed, wait for 5 secs before bringing it back.
Symptom: After ISSU process AOR and dependent fields are not working. Also, sampler granularity may be different from the configured.
Conditions: Happens sometimes.
Workaround: Remove AVC configuration and apply it again after the ISSU process is finished.
Symptom: The FNF fields collect connection delay response to-server histogram show wrong values.
Conditions: ASR1000 platform FNF fields "collect connection delay response to-server histogram all" are configured.
Workaround: There is no workaround.
Symptom: AVC metrics are wrong.
Conditions: Only one performance monitor is configured on the interface. AOR is enabled at policy level.
Workaround: There is no workaround.
Symptom: When an MPLS egress interface is configured with a flow monitor that matches/collects BGP next hop, the FNF field BGP_NEXT_HOP should be the IP address of the PE-router that generated the topmost label; however, it is currently set to 0.
Conditions: MPLS egress interface on the PE router configured with a flow monitor that matches/collects BGP next hop.
Workaround: There is no workaround.
Symptom: FNF monitors updates are failing at ESP.
Conditions: Unconfigure the FNF monitor and configure again.
Workaround: There is no workaround.
Symptom: The AVC Sum Duration metric is incorrect on the Ultra platform.
Conditions: AVC Sum Duration metric is enabled via one of the AVC/EZPM tools (e.g. ART), and is assigned to an interface on an Ultra platform (however it works fine on ASR).
Workaround: There is no workaround.
Symptom: Occasional crash/traceback and router reload when performing config-replace while both performance monitor/s (e.g. EzPM) and native FNF monitors are assigned to the same interface.
Conditions: Performing a config-replace to a clean config (i.e. doesn't assign performance monitors or native FNF monitors), while there are both performance monitors (e.g. EZPM) and native FNF monitors assigned to the same interface in the current running config.
Workaround: First unassign either or both the performance monitors and the native FNF monitors before performing the config-replace. In that case, the config-replace works okay.
Symptom: CPP core not generated when FP crash happens.
Conditions: Perform SPA OIR with Unicast/Multicast/Broadcast storm control on 32K EFPs.
Workaround: There is no workaround.
Symptom: FP reloads with the corefile reporting a GIF_CSR32_GIF_LOGIC_ERR_LEAF_INT__INT_FBLK_CNT_LOW interrupt.
Conditions: This issue only applies to ASR1002-X, ESP100 and ESP200. This crash occurs when the amount of available QFP packet buffer memory falls below 3% of the total available. This can only happen if there is a combination of heavy traffic and a flood of control packets. An example action that could cause a flood of control packets is an OIR of the carrier card when using a scaled EVC-EOMPLS configuration.
Workaround: There is no workaround.
Symptom: Observing cpp_driver crash @ cpp_dsf_spi_get_status.
Conditions: On executing the show platform hardware cpp active infrastructure txspi 0 status command.
Workaround: There is no workaround.
Symptom: The show platform hardware qfp active datapath utilization command displays wrong data. When high priority traffic (ip precedence 6,7) is sent, the counters against Input Non-Priority rows increment. When low priority traffic (ip precedence 0,1,2,3,4,5) is sent, the counters against Input Priority rows increment.
Conditions: This can occur when using ESP100.
Workaround: There is no workaround.
Symptom: Ping fails with packet size larger than 10000 with MPLS over mGRE.
Conditions: MPLS over mGRE and MPLS MTU MAX are configured, a jumbo packet is pinged, and the mGRE peer side is also an IOS-XE based service router (ASR1K/ISR4400/CSR1000V).
Workaround: Remove mpls mtu max.
Symptom: COS markings not seen properly on the dot1q interface.
Conditions: The issue is seen if fragmentation happens in the data plane on the dot1q interface.
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.12S
This section documents the open issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.12S.
Symptom: Complete or near-complete loss of traffic over an MLPPP bundle.
Conditions: If an MLPPP bundle is currently attempting to pass traffic beyond the physical bandwidth of the bundle and a new member-link is added, or an existing member-link is flapped, a sudden and persistent loss of traffic for that bundle can occur.
Workaround: Configure a basic QoS policy that contains at minimum a class-default traffic police or shape restriction. Attach this policy as an output policy to the MLPPP bundle.
Symptom: Tracebacks were seen on the standby RP one time while bringing up GTP sessions.
Conditions: Bring up the DHCP-initiated GTP sessions; the tracebacks are seen on the standby RP.
Workaround: There is no workaround.
Symptom: The "not supported on this platform" error message is displayed when doing platform CAC configuration on ESP-5 platform.
Conditions: Set the following platform CAC configuration on the ESP-5 platform: FP CPU, FP MEM, and CC MEM.
Workaround: Do not set the following platform CAC configuration on the ESP-5 platform: FP CPU, FP MEM, and CC MEM.
Symptom: The DPSS session is not cleared from the router when the dpss application ends gracefully. The session gets cleared automatically after approx 3 mins.
Conditions: During this time, application with same application name cannot reconnect.
Workaround: Perform one of the following:
– Run the following one stop session all command on router to clear the session immediately.
– Wait for the session to get cleaned automatically
– Terminate the application ungracefully (Ctrl + C)
Symptom: Multiple tracebacks seen pertaining to uRPF component cannot allocate more memory. No functional issues are seen i.e. no session drops.
Conditions: TB is seen on a scaled setup of 128K Authenticated Sessions and 256K Walkby sessions.
Workaround: Lower the session scale during RP Switchover. Tested 107K Authenticated Sessions, 223K Walkby Sessions with no issues.
Symptom: On an ASR 1006 system, on the DMVPN hub, with 2K IPv4 tunnels over IPv6 transport, the ESP crashed.
Conditions: Occurs when clear crypto session is run on the hub and spoke twice.
Workaround: There is no workaround.
Symptom: Set egress interface MTU to less than 256. Send packets of size greater than 256. Packets were not dropped by UUT as "IpFragErr", but pass through successfully.
Conditions: Set MTU to 100 on the UUT egress interface, which is the same interface to which a crypto map is attached. DF Bit is set in the security-association for that crypto map. From end host, send packets of size 1000. Packets get fragmented to smaller packets of size 256 first, then encrypted. All the fragmented packets will have DF bit set in IP header. These fragmented packets should be dropped at the egress interface.
Workaround: Send packets of size smaller than the MTU.
Symptom: Following error message is seen in log:
Conditions: Traffic with over subscription shows the TBAR drops. Eventually, all the traffic dropped.
Workaround: Increase anti-replay window size to 20sec.
Symptom: ASR1K can drop site-2-site IPSec packets with specific pad-lengths. The affected packet sizes are 47 bytes + n*64 (where n is >= 1).
Conditions: Site-2-site IPSec tunneled packets from 3rd-party CPE (not seen with Cisco IOS based CPE as remote IPSec tunnel endpoints). The packet sizes being dropped are 111 bytes in length (or 64-byte increments added to 111 bytes).
Workaround: There is no workaround.
Symptom: Flow count value is incorrect in the show platform software ipsec F0 inventory command.
Conditions: Flow count values are incorrect for GETVPN Configuration.
Workaround: There is no workaround.
Symptom: Ping fails to go through the v4 over v6 mixed-mode tunnel.
Conditions: When Mixed-mode tunnel is configured and VPN connection is established.