- Introduction
- System Requirements
- Limitations and Restrictions
-
- Release 3.17S Features and Important Notes
- Release 3.16S Features and Important Notes
- Release 3.15S Features and Important Notes
- Release 3.14S Features and Important Notes
- Release 3.13S Features and Important Notes
- Release 3.12S Features and Important Notes
- Release 3.11S Features and Important Notes
- Release 3.10S Features and Important Notes
- Release 3.9S Features and Important Notes
- Release 3.8S Features and Important Notes
- Release 3.7S Features and Important Notes
- Release 3.6S Features and Important Notes
- MIBs
- Related Documentation
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.10S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.9S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7aS
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6bS
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
- Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
This chapter provides information about the caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.10S
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.10S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.9S
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.9S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.8S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7aS
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7aS
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
|
|
---|---|
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.7S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6bS
This section contains the following topics:
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6bS
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
|
|
---|---|
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.6S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5aS
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5aS
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
|
|
---|---|
ASR1002-X with harddisk installed stuck in crash and reboot cycle |
|
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.5S
All open bugs for this release are available in the Cisco Bug Search Tool.
|
|
---|---|
ATM 3xOC3 SPA failed to program with IFCFG_CMD_TIMEOUT error |
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.4S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.3S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.2S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved bug search. This search uses the following search criteria and filters:
|
|
---|---|
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13.1S
All open bugs for this release are available in the Cisco Bug Search Tool.
Caveats in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
This section contains the following topics:
- Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
- Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
This section documents the resolved issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S.
Symptom: The device reload when we grant certificates. crypto pki server <> grant all
Conditions: This symptom is observed when configured for crypto
Workaround: There is no workaround.
Symptom: ISSU between incompatible images goes through.
Conditions: This symptom occurs for images between ISSU-break.
Workaround: There is no workaround.
Symptom: Call threshold counter on an interface is not cleared. Seen in the output of "show call threshold status" command.
Conditions: IOS voice gateway with interfaces enabled to use the Call Threshold feature. Call is established over an interface and routing changes cause the disconnect message to be received on a different interface on the gateway.
Workaround: Reload the gateway to clear it permanently. or If not over a gigabitethernet interface, issue the "clear call threshold interface <interfacetype> <port>" command to clear the call.
Symptom: During regular operations, a Cisco router running Cisco IOS release 12.4(24)T and possibly other releases experiences a crash. The crash info will report the following: %SYS-2-FREEFREE: Attempted to free unassigned memory at 4A001C2C, alloc 4180794C, dealloc 417616B0, %SYS-6-BLKINFO: Attempt to free a block that is in use blk 4A001BFC, words 134, alloc 4180794C, Free, dealloc 417616B0, rfcnt 0,
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptom: On recieving 200 OK with PAI, the connected number sent on the ISDN leg is the original called number and not the phone number answering the call.
Conditions: When remote-party-id is dislabed under sip-ua
Workaround: Enable remote-party-id under sip-ua
Symptom: encpas counter in "show crypto ipsec sa" may occasionly show incorrect value
Conditions: IPSec tunnels configured and used on the device
Workaround: There is no workaround
Symptom: A Cisco router running Cisco IOS Release 15.3(1)T may crash with a bus error immediately after issuing the 'write memory' command. Example: 14:44:33 CST Thu Feb 14 2013: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x228B2C70
Conditions: This symptom occurs while updating the router's running configuration with the 'write memory' command. It has been seen while updating various different commands such as, those under 'call-manager-fallback' ip route statements interface sub-commands
Workaround: There is no workaround.
Symptom: enhance crypto-engine packet drop cause
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: AFW memory corruption
Conditions: AFW process crashes, when Request URI or other header string is of size greater than 1k
Workaround: N/A AFW process crashes, when string retrieved from container is of size greater than 1k. Mempool is created with 1k chunk size. Refer to CSCue97118.The issue is resolved in sip stack for this scenario. However we may hit this issue in AFW for some other corner cases (stress tests).
Symptom: Router outputting %SCHED-3-THRASHING: Process thrashing on watched queue 'Crypto IPC'. -Process= "Crypto IKMP", ipl= 6, pid= 360 followed by a traceback
Conditions: Was observed both on ASR and ISR during an OCSP revocation check for a revoked certificate during an GDOI registration. Might affect regular ISAKMP connections too.
Workaround: enabling path-mtu-discovery on the router with : ip tcp path-mtu-discovery has given good results.
Symptom: An ISR/ISRG2/ASR router configured in a DMVPN setup may fail to create SAs during a rekey or new tunnel establishment.
Conditions: This symptom is observed when the router is configured as a DMVPN hub or spoke.
Workaround: There are no known workarounds. Try reloading the router to recover from the failure state. (Please note: the router may still run into this condition after a reload).
Symptom: A crash is seen on a Cisco router.
Conditions: The device crashes with gw-accounting and call-history configured. The exact conditions are still being investigated.
Workaround: Perform the following workaround:
1) Completely remove gw-accounting
2) Disable call-history using the following commands: gw-accounting file no acct-template callhistory-detail
Symptom: Customer may see the following error messages: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level %SYS-2-MALLOCFAIL: Memory allocation of 80 bytes failed from0x5CEEBCC, alignment 0 Pool: Processor Free: 196745624 Cause: Interrupt level allocation Alternate Pool: None Free: 0 Cause: Interrupt level allocation -Process= "<interrupt level>", ipl= 3, pid= 147 %IPMCAST_RPF-3-INTERNAL_ERROR: An internal error has occured while obtaining RPF information (No memory available to create pathinfo for RPF lookup)
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: Self bound traffic dropped by firewall
Conditions: NAT64 is configured and traffic is sent from IPv6 client (in) to IPv4 egress interface of UUT (self)
Workaround: There is no workaround.
Symptom: When CUBE received malformed form header it crashed
Conditions: Long form header cause cube to crash
Workaround: There is no workaround.
Symptom: Below mentioned internal IEC error seen in CUBE logs. Jul 22 14:50:28.377 IST: %VOICE_IEC-3-GW: CCAPI: Internal Error (Invalid arguments): IEC=1.1.180.1.9.6 on callID -1 CUBE#sh voice iec description 1.1.180.1.9.6 IEC Version: 1 Entity: 1 (Gateway) Category: 180 (Software Error) Subsystem: 1 (CCAPI) Error: 9 (Invalid arguments) Diagnostic Code: 6
Conditions: This IEC error would be seen while processing incoming SIP REFER for call transfer along with local consumption of REFER ('no supplementary-service sip refer' CLI) i.e CUBE is consuming REFER locally and generating INVITE to transfer target.
Workaround: There is no workaround.
Symptom: 3925 voice xml gateway crashed
Conditions: vxml configured: vxml tree memory 500 vxml version 2.0
Workaround: There is no workaround.
Symptom: A memory leak is observed on a Cisco device due to IPSec which causes free memory to deplete to an extent where the device becomes unreachable.
Conditions: This symptom occurs when IPSec scaling is high.
Workaround: Reduce scaling of IPSec sessions.
Symptom: Low performance for AVC 2.0 on ESP100 setup
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: WIll see the memleaks when trying to use https application
Conditions: Leaks will seen only when trying to use https applications like webauth, web_exec etc over secure communication (https)
Workaround: Disable https(secure communication) and use http for http request.
Symptom: Can not update audio file using the "audio-prompt load" command.
Conditions: Using the B-ACD TCL scripts and loading the audio files from the local flash.
Symptom: After reload of DMVPN spoke fails MM-Key Exchange. Hub will show CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed
Conditions: 1921 IOS router Use the ; character at the beginning of the master encryption key. i.e. key config-key password-encryption <enter> new key:;cisco123 confirm key:;cisco123
Workaround: Change the key so that ; is not the first character. #key config-key password-encrypt Old key:;cisco123 New key:cisco123 Confirm key:cisco123
Symptom: EoMPLS performance downgrade
Workaround: There is no workaround.
Symptom: show crypto gdoi group <group-name> gm pubkey shows all groups instead of the group indicated in the command.
Conditions: GM has more than 1 group configured.
Workaround: There is no workaround.
Symptom: Bindings are present after unconfiguring Static NAT mappings
Conditions: static NAT mappings with route-map
Workaround: There is no workaround.
Symptom: GetVPN GM gdoi policy installation fails.
Conditions: This symptom is observed after reboot.
Workaround: Issue the command clear crypto gdoi after the reboot.
Symptom: ASR1K:fn_crl_checking: Failed to clear gms database from KS.
Conditions: ASR1K:fn_crl_checking: Failed to clear gms database from KS.
Workaround: There is no workaround.
Symptom: Enhancement request to improve datapath IPSEC debugs in XE3.11 and above
Conditions: Use of datapath IPSEC debugs
Workaround: There is no workaround.
Symptom: IPSEC event-tracer messages can't be used for troubleshooting since most of them have no contextual information avalaible [ peer ip or sesssion ID]
Conditions: Troubleshooting ikev2 networks by leveraging ipsec event-trace
Workaround: Uses ipsec debugs instead when ever it's possible
Symptom: After adding SCCP/DSPFarm configuration and reloading the router, the NMS device reports that a configuration change has occurred because the config is displayed in a different order. This causes false alarms on the NMS.
Conditions: -IOS router with SCCP and DSPFarm configurations -Tested on 15.1(4)M and later -Other IOS versions are affected too.
Workaround: There is no workaround.
Symptom: instead of triggering modem passthrough in srst mode modem relay is been triggered
Conditions: ios gateway runninbg 151-4M6 and modem passthrough configured for fax
Workaround: Remove the V.150.1 Modem relay configuration at VG2xx by configuring "no stcapp register capability <port>" and restart the SRST and VG2xx so that SRST does not remember the earlier MR capability of VG and it gets the fresh VG device capability which would be Modem paasthru with ?no stcapp register capability <port> ? configuration at VG.
Symptom: Crypto Routes not getting populated under proper heading
Conditions: crypto route must get populated in proper vrf headings
Workaround: There is no workaround.
Symptom: CUBE receives incoming SIP reinvite (due to SIP session refresh) and changes SDP version although there is no change in SDP attributes SDP version changes from 8863 to 8864
Conditions: Setup where this issue has been seen Rightfax - CUCM -- CUBE -- SIP SP
Workaround: There is no workaround.
Conditions: When doing multiple call transfers with REFER
Workaround: There is no workaround.
Symptom: When a long very long Refer-To header is received, router crashes
Conditions: Long Refer-To header
Workaround: There is no workaround.
Symptom: Payload verification failed for fax calls not received fax calls
Conditions: TGW is sending re INVITE due to not receiving fax
Workaround: Do not use trancoded call.
Symptom: IOS routers can sometimes create duplicate IPSec SA pairs. This decreases platform scalability. Traffic flow is not affected.
Conditions: This was observed in IOS 15.2(4)M4, 15.2(4)M5, 15.3(3)M1. Other versions can be affected as well.
Workaround: There is no workaround.
Symptom: Video call legs are not displayed when video call is active
Conditions: Issue is seen when 2 Phones are in a video call over SIP Trunk
Workaround: There is no workaround.
Conditions: Bring up a crypto session and delete it
Workaround: There is no workaround.
Symptom: Unable to get a DSP resources for a Transcoded call.
Conditions: During mid-call when there is a change in codec or DTMF or Hold/Resume with SRTP-RTP call then this issue will be seen. This is applicable only with LTI transcoding.
Workaround: There is no workaround.
Symptom: Midcall REINVITE is passed through when the UCM side puts a call on hold from a Video capable device.
Conditions: A video capable Device connects an audio only call via the ASR CUBE where the UCM facing dial-peers have " voice-class sip midcall-signaling passthru media-change" configured.
Workaround: If the calls routing via UCM to ASR CUBE does NOT require video capabilities, modify the SIP Trunk's Region settings on the UCM where it doesn't allow any video Bandwidth so the capabilities will never be transmitted to ASR.
Symptom: Hung Calls with SIP SPI with Refer Consume Load
Conditions: Description: observing hung calls with Refer Consume CVP load test. Hung calls observed with SIP SPI Steps to reproduce: 1. Configure max connection with 3 Refer to Dial-peer & outbound dial-peer towards CVP. 2. Run Load with 1000 calls for few hours. CPS: 10 CHT: 100 secs Total Number of active calls : 750 Issue observed with max-conn with multiple dial-peers
Workaround: Use dial-peers without max-conn
Symptom: After switch over to standby, IF-MIB count for cvCallVolMediaOutgoingCalls OID is less.
Workaround: There is no workaround.
Symptom: ELC MDR:%MDR-3-RESTART_FAILED: SIP1: mdr_cc_client.sh: Failed
Conditions: When one of the ELC in disable state
Workaround: There is no workaround.
Symptom: write bus access failed with fpd upgrade
Conditions: FPD bundled upgrade
Workaround: There is no workaround.
Symptom: FP crash while testing PPoE sessions
Conditions: Applying nat settings to CGN mode
Workaround: There is no workaround.
Symptom: On configuring the telephony-service for the first time onto the router, IP phones do not register despite of the correct configuration on the voice gateway. We have also seen where after a restart the same issue occurs where the IP phones fail to restart however the gateway is configured correctly. This can also happen with SRST fallback using port 2000.
Conditions: Configuring Telephony-service for the first time on the router or after a router restart. Device tested with a 2901 and 2851 running IOS version 15.1(4)M6. IP phones can be any IP phone where they are trying to register on port 2000
Workaround: 1. Under 'telephony-service' run a shut/no shut and check that the port has been opened. OR 2. under "Telephony-service" run "no ip address.. " and then re-configure the same ip address again. run 'show control-plane host open-ports' and check for port 2000 and the IP of CME.
Symptom: A PKI client (ASR router) fails auto renewal of the certificate if 'auto-enroll regenerate' is configured in the trustpoint.
Conditions: A router configured with a trustpoint that has regenerate enabled and a 'usage' key being used for the trustpoint.
Workaround: Remove the regenerate keyword.
Symptom: when flapping mpls mldp with scale v4 setup, the lspvif interface disappears in "show ip mfib" output, and packets are dropped.
Workaround: There is no workaround.
Symptom: BADPAIR message generated.
Conditions: During DTMF interwork change
Workaround: There is no workaround.
Symptom: Callers receiving general voice-mail greeting when forwarded to CUE voice-mail
Conditions: If one "voice register dn" is forward all, or, forward unregistered to another voice register DN that is also forward all or forward unregistered to CUE voice-mail, there is no Diversion header in the SIP INVITE to CUE. This results in CUE returning the general voice-mail greeting.
Workaround: There is no workaround.
Symptom: The Shadow timer is not seen on the standby router. Even if we make the standby router active, the timer does not start.
Conditions: Two routers in HSRP configured as CA servers in redundancy with auto rollover configured as described in http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/configuration_guide__c07_621400.html
Workaround: In case the Standby router becomes Active, Auto-rollover would not work as the Shadow certificate generation timer is not seen on it. In such a case, we may manually rollover the CA server on the Standby router (now Active) to generate the Shadow CA certificate and the Shadow keypair. To manually rollover, run the command: "crypto pki server server_name rollover".
Symptom: ASR1006 with RP2 running ES version based of Version 15.3(1)S crash with Segmentation Fault
Conditions: This symptom is observed after two weeks of uptime and during normal load condition.
Workaround: Workaround is to reboot the box to recover from the situation.
Symptom: On an ASR1000 series router, the ESP can crash when packet trace is enabled.
Conditions: Conditional debug and packet-trace is enabled.
Workaround: There is no workaround.
Conditions: Seen when executing "no ip cef load-sharing algorithm include-ports destination" with high throughput about 10Gbps
Workaround: There is no workaround.
Symptom: When we add multiple ports on the crypto acl on the primary KS the GM gets the acl without the ports. No syslog is generated on KS1 to show it does not support them and a new TEK is generated.
Conditions: Happens at all times.
Workaround: This is not a supported feature and it should not be used.
Symptom:For MPLSoDMVPN/FlexVPN feature specific G-ACh (Generic associated channel) type number need to be allocated by IETF for NHRP. Currently an experimental number is used. A CLI will be provided to configure the G-ACh type number so that the same can be configured on the old routers when we have specific G-ACh type number allocated for NHRP. refer RFC5586 MPLS Generic Associated Channel
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: 894X show UTC time instead of configured olson timezone. 894X SCCP phones uses tzdatacsv.csv and not tzupdater.jar as Olson timezone database but on configuring Olson time-zone CME updates the 894X phone configuration file with tzupdater.jar instead of tzdatacsv.csv. Sample erroneous configuration file for 894X: <tzdata> <tzolsonversion>2013g</tzolsonversion> <tzupdater>tzupdater.jar</tzupdater> </tzdata> <devicePool> <dateTimeSetting> <dateTemplate>M/D/YA</dateTemplate> <timeZone>Mexico Standard/Daylight Time</timeZone> <olsonTimeZone>Europe/Prague</olsonTimeZone> </dateTimeSetting>.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: On a GETVPN KS (Key Server), if there is a registration interface configured for the GDOI group, then GM registration to that group will fail with the following log message reported on the KS: %GDOI-1-UNREGISTERED_INTERFACE: Group getvpn-grp received registration from unregistered interface
Conditions: A registration interface is configured on the Key Server.
Workaround: Remove the registration interface configuration from the Key Server.
Symptom: Supervisor not able to monitor Agent conversation Remotely where CCE-CVP at higher version and RSM at 9.1(1)
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: c3900 as RSVP agent crashed "%SYS-6-STACKLOW: Stack for process SCCP Application running low, 0/12000"
Conditions: IOS Image: 153-3.M1 CUCM Image: 10.0.1.10000-24 C3900 router configured as RSVP-Agent for CUCM feature e2eRSVP crashed under extended traffic load (3 days). The traffic was running at a rate of 250 concurrent RSVP sessions. Topology: Phone-A----------(Cluster-1)----------- SIP Trunk ------------(Cluster-2)--------Phone-B | | | | | sccp sccp | | | | | RTP------------(RSVP-Agent1)---------- IP/RSVP---------(RSVP-Agent-2)---- rtp Cluster-1 CUCM controls rsvp-agent-1 [c3800] Cluster-2 CUCM controls rsvp-agent-2 [c3900] --> Calls are made between Cluster-1 and Cluster-2 in both directions. Type of calls: Basic, and supplementary Services (Hold-resume, Transfers, Conferences)
Workaround: There is no workaround..
Symptom: Handling and Printing Multiple subscribe messages, CUBE crashed.
Conditions: Handling and Printing Multiple subscribe messages
Workaround: Don't Enable Debugs
Symptom: Standby CUBE crashed while handling Agent transfer.
Conditions: This symptom is observed when an agent transfers the call to another agent.
Workaround: There is no workaround.
Symptom: MDR RECONCILE: Failed to complete WARM sync
Workaround: There is no workaround.
Symptom: Outbound calls over SIP trunk to provider fails.
Conditions: SIP IP phone (99xx) ------> CME ---------> SIP Trunk --------> ITSP Cisco IOS - 15.3(3)M and 15.4(1)T versions.
Workaround: Downgrade Cisco IOS version to 15.2(4)M.
Symptom: CUBE crashed doing a "per-call shut".
Conditions: This symptom is observed when you configure CUBE for PCD buffer logging.
Workaround: There is no workaround.
Symptom: Traceback appears on standby RP during SPA OIR
Conditions: T1 channels are configured. Then a random t1 channel is deleted and spa soft oir is done.
Workaround: There is no workaround.
Symptom: In an IOS PKI HA setup, when the CA server is deleted on the Active router, the Standby router also prompts for confirmation, if logged in through Console. The following prompt is observed: % CA certificate, Keypair, CRL and database files will be deleted. Do you wish to continue? [yes/no]: Ideally, this should be seen on the Active router only. If the administrator is logged in through SSH or TELNET, the prompt is not seen and the CA server is not deleted on the Standby router.
Conditions: Two routers in HSRP (running 15.4(1)T or higher)configured as CA servers in redundancy as described in http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/configuration_guide__c07_621400.html and the CA server is deleted on the Active router.
Workaround: When deleting the CA server on the active router, log on to the standby router as well, and answer 'yes' on the Standby router.
Symptom: ASR1K DSP MIB "cdspCardObjects" are not working after the RP2 switchover happens for various reasons.
Conditions: When RP switch over happens.
Workaround: workaround is to do a hw-module stop/start on the SPA-DSP cards.
Symptom: Incorrect primary and Secondary Dial-tone
Conditions: Cptone DE is configured under FXS ports
Workaround: Step1: Router# test voice tone DE dialtone 1 425 0 -200 -200 -240 0 0 0 200 300 200 300 200 800 0 0 Step2: Router# test voice tone DE 2nd_dialtone 1 425 0 -200 -200 -240 0 0 0 200 300 200 300 200 800 0 0 Step3: shut the voice-port Step4: Unshut the voice port
Symptom: Hung FPI session will be seen after agent answer and disconnect.
Conditions: Hung FPI session will be seen after agent answer and disconnect.
Workaround: There is no workaround.
Symptom: IKEv2 SA does not come UP
Conditions: IKEv2 configured with Virtual-Template
Workaround: configure tunnel mode auto
Symptom: 3905 SIP show UTC time instead of configured olson timezone. 3905 SIP phones uses tzdatacsv.csv and not tzupdater.jar as Olson timezone database but on configuring Olson time-zone CME updates the SIP 3905 configuration file with tzupdater.jar instead of tzdatacsv.csv.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: Immediately after the 200 OK is sent in response to the Re-Invite the ITSP sends a BYE as they expected the origin version id to increment. The lack of incrementation cause the call to be torn down by the ITSP.
Conditions: This problem was observed in the following scenarios : - Switchover from voice to fax - Change in codec for voice calls SDP content-length size is different in initial outgoing Invite to perform call setup than it is in 200 OK response to an inbound Re-Invite which causes the origin (o=) version in the SDP not to increment. CUBE however sees the content-length sizes as the same size. Previous SDP content-length was 250, 399 was the current SDP content-length: SIP/Info/sipSPICheckForSDPModification: prev send SDP size = 399, curr send SDP size = 399 SIP/Info/sipSPICheckForSDPModification: prev send SDP and curr send SDP are same /SIP/Info/sipSPIHandleSDPOwnerVersionIDChange: SDP owner_version ID not incremented..
Workaround: There is no workaround.
Symptom: Path-confirmation check failed on CUBE in DTMF_DO-EO scenarios
Conditions: Configure CUBE for dynamic pass through - DTMF in DO-EO scenario
Workaround: There is no workaround.
Symptom: SIP phones not able to dial out when registered to CME 10.0 with IOS version 15.3(3)M1 With output "Ip Trust List Authentication failed for Incoming Request, method = INVITE" when debug ccsip all enabled in the router.
Conditions: Voice router running in IOS version 15.3(3)M1, with IP address trust list enabled (default configuration) under voice service voip
Workaround: *) Disable "ip address trusted authenticate" *) Add SIP phone IP address to IP trust list. *) Downgrade the IOS version
Symptom: %CMCC-3-SIP_MDR_FAIL: SIP0: because ESI verification failed
Workaround: There is no workaround.
Symptom: When there is a policy change (either KS or GM) in Pre-PAL, the Cisco ASR 1000 router registers again. This is because in TCAM, SA cannot be inserted or moved. An ACL merge was done in the ACE driver, and reregistration was triggered from there. Post-PAL, ACL merge intelligence is moved to a control plane. ACL is changed and change flow priority occurs. The SA is inserted with second priority which cannot be handled by the device.
Conditions: This symptom occurs when an ACL changes on the KS or the GM.
Workaround: There are four workarounds: 1. Manually clear GetVPN registration on the Cisco ASR 1000 router using <CmdBold>clear crypto gdoi<noCmdBold>. 2. If permit ACL is appended to KS ACL or if ACL is removed from the bottom of KS ACL, then there is no flow priority change, and no issue is observed. The limitation with this workaround is that the group configuration on KS has only one SA. If "deny ACL" is added, a few packet drops are observed. 3. EEM script which monitors Rekey Syslog and clears the registration. This is the same as Workaround 1 but is automatically done. The disadvantage of this workaround is that Rekey syslog is same during normal rekey and policy change rekey. Hence reregistration occurs through normal rekey too. Sample EEM script: event manager applet GM_RE_REG event syslog occurs 1 pattern ".*GM_RECV_REKEY.*" action 10 syslog priority warnings msg "EEM trigger workaround for CSCum08864" action 20 cli command "enable" action 30 cli command "clear cry gdoi" pattern "Are you sure you want to proceed" action 40 cli command "yes" 4. The ACL is swapped on KS with the new ACL and Rekey is done. The Cisco ASR 1000 GM will reregister. A small packet drop during reregistration is observed.
Symptom: Memory leak observed in CUBE for BWCAC call-flow
Conditions: This issue is observed when initial INVITE is rejected by CUBE due to BWCAC criterion.
Workaround: Not known at this point of time.
Symptom: Router is getting crashed with basic call while MP4A-LATM codec is used.
Conditions: This symptom is observed when MP4A-LATM codec is used in the dial-peers.
Workaround: There is no workaround.
Symptom: ipsec sas are not coming up for ezvpn split acl
Conditions: ezvpn with split interface ipsec sas do not come up
Workaround: There is no workaround.
Symptom: FP Crashed for RTP-SRTP Call
Conditions: When RTP-SRTP call initiated.
Workaround: There is no workaround.
Symptom: CUBE crashed when debugs enabled for srtp passthrough call
Conditions: With service log backtrace configured
Workaround: There is no workaround.
Symptom: Key Server (KS) fails to send rekey & Group Member (GM) fails to process rekey when "clear crypto gdoi ks members" is executed on the KS after changing the IPsec ACL with Suite-B configured on the KS. Secondary KSs don't show any TEKs after changing crypto ACL.
Conditions: Key Server (KS) has Suite-B configured with a certain IPsec ACL. Change the IPsec ACL on the KS so that the new ACL has no overlapping entries as the old ACL and issue "clear crypto gdoi ks members" on the Primary KS.
Workaround: Issue "clear crypto gdoi" on the GMs to force their re-registration.
Symptom: When a Peer sends a certificate with no CDP, the IOS PKI client will try to retrieve the CRL through SCEP [GetCRL] directed to CA, based on enrollment url value, however in case of enrollment profile [with a valid enrollment url], it complains that the enrollment url is not present
Conditions: IOS PKI Client configured with an Enrollment profile, which has enrollment url and authentication url to communicate with the CA using SCEP.
Workaround: a) configure the enrollment URL under the trustpoint directly instead of using it through enrollment profile or b) configure the CA to embed a CDP in the client certificates [an HTTP Server or SCEP URL]. Peer will need to be reenrolled afresh. SCEP URL looks like: crypto pki server IOS-CA cdp-url http://10.106.72.139/cgi-bin/pkiclient.exe?operation=GetCRL [Note: Before typing in ? next to pkiclient.exe in the URL above, type Ctrl V]
Symptom: No counter to show the ATM VC IFM call out and response
Workaround: There is no workaround.
Symptom: Transfer scenarios fail with ANAT and VCC (No DSP) configured
Conditions: Issue is observed for DODO
Workaround: Apply DOEO configurations
Symptom: cefcFRURemoved traps are not generating for different SPA Cards.
Conditions: While testing hard OIR on CISCO-ENTITY-FRU-CONTROL-MIB
Workaround: There is no workaround.
Symptom: Called name not updated to the ephone
Conditions: Call Flow: CME -> INVITE CME <- 100 Trying CME <- 183 with no called name in RPID CME <- 183 with called name in RPID In such a scenario called name in not updated by CME.
Workaround: There is no workaround.
Symptom: When SIP Gateway sends INVITE to CVP, no response is received and call fails. CVP logs report the following error: CVP_9_0_SIP-3-SIP_CALL_ERROR Exception in invitation: com.dynamicsoft.DsLibs.DsSipParser.DsSipParserException: No closing boundary found. for INVITE:
Conditions: This symptom is observed in the call Flow: PRI - > Ingress GW >> SIP >> CVP IOS: 15.1.4M3 CVP: 9.0.1 SIP Profiles applied to outbound dial-peer or globally with SDP header rule manipulation, regardless of whether the rule is applicable to the message or not. "signaling forward unconditional" configured under 'voice service voip' or inside the dial-peer SIP Gateway sends malformed SIP INVITE when "Content-Type: application/x-q931" has to be tunneled. The "--uniqueBoundary" is not properly closed causing interoperability issues with CVP. --uniqueBoundary Content-Type: application/x-q931 Content-Disposition: signal;handling=optional Content-Length: 48 ^B^AI^E^D^B^@^P^X^Da^@^C^B ^B.........................................................................................................................................................................................................................................................................................................................
Workaround: Perform the following workaround: 1. Configure a 'dummy' SIP Profile with no rules and apply it to the outbound dial-peer: voice class sip-profiles 3 ! dial-peer voice x voice voice-class sip profiles 3 2. In non-CVP call flows or if Courtesy CallBack (CCB) is not required the following can be configured under voice service voip or dial-peer: - signaling forward conditional - signaling forward none 3. Remove SIP Profiles completely from the call flow (dial-peer and Globally).
Conditions: SIP ALG traffic with FW and NAT
Workaround: There is no workaround.
Symptom: Older version v1.8 is currently bundled with FPD for Jacaranda
Conditions: New version v1.9 is available
Workaround: There is no workaround.
Symptom: MAC Accouting Reconstruction of AVL tree takes long time
Conditions: Triggered on scaled MAC accouting during MDR replay
Workaround: There is no workaround.
Symptom: Run the refer consume case without TCL for 4 hours (10 cps & 2 mins hold time), then stop calls, wait for 15 mins to call gets cleared. Afer that observed hung calls & did test crash to get the info related to hung calls. Now, new active is handling calls, make new call, cube is rejecting the call with 488
Conditions: Issue observed only when switch over happens.
Workaround: There is no workaround.
Symptom: Router crashes during call transfer in SRST mode
Conditions: Call transfer in SRST mode, including SCCP phones
Workaround: There is no workaround.
Symptom: while making h323 call,audio packets which are passing via ASR router not receiving at the endpoints.
Conditions: ASR router is configured with NAT Firewall
Workaround: There is no workaround.
Symptom: IOSD crash at ipv6_intf_mtu on flexvpn client
Conditions: Flapping flexvpn client configured with ipv6 on tunnel interface.
Workaround: There is no workaround.
Symptom: "ip load-sharing per-packet" is enabled on ASR1K
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: GM re-registers to the KS after not receiving a rekey. The KS does not reset the counters for rekey Acks missed by the GM after the GM re-registers. This results in the GM being deleted after missing three rekeys, even though its registered.
Conditions: This symptom is observed when WAN failure and recovery on the GM interrupting rekey ACKs to reach back the KS.
Workaround: There is no workaround.
Symptom: High CPU utilization is seen on 2921 platform running 15.3(3)M1 while sending 2Mbps traffic.
Conditions: This symptom is observed with GETVPN crypto-map configured on the outbound interface send 2 Mbps of UDP based traffic, TBAR (time based anti-replay was turned on).
Workaround: Turn off TBAR (time-based anti-replay).
Symptom: ucode crash @dtl_poll_pending_tickle with 'ip nat sett mode cgn'
Conditions: ucode crash @dtl_poll_pending_tickle with 'ip nat sett mode cgn'
Workaround: There is no workaround.
Symptom: ucode crash@ipv4_nat_cgn_mode_dp_rel_mem on changing nat mode
Conditions: In a scaled setup on changing nat mode
Workaround: There is no workaround.
Symptom: DOEO call fails for ILBC codec(rtp-nte) with ANAT enabled.
Conditions: This symptom is observed when following conditions are met: 1. DOEO call 2. ANAT enable at outgoing leg 3. ilbc codec is configure for outgoing leg.
Workaround: This issue is not observed for DODO. <B>Symptom: DOEO call fails for ilbc codec(rtp-nte) with ANAT enabled
Conditions: When following conditions meet 1. DOEO call 2. ANAT enable at outgoing leg 3. ilbc codec is configure for outgoing leg.
Symptom: After a KS reload, or a network split or a coop configuration change or any condition that forces a GM to re-register to a different KS in a coop the snmpwalk for object cgmGdoiGmEntry will not return any values for that GM in the previously registered KS.
Conditions: In a coop if the GM re-registers to a new KS the snmpwalk -v 2c -c wells old_KS_IP 1.3.6.1.4.1.9.9.759.1.2.2.1 command will not return information for that GM on the KS the GM was previously registered at.
Workaround: There is no workaround.
Symptom: Path-confirmation check failed on CUBE in SRTP-RTP call
Conditions: Configure CUBE for SRTP-RTP call
Workaround: There is no workaround.
Symptom: CUBE crashes for SIP-H323 Transcoding call.
Conditions: The issue is seen while running regression for Cisco IOS Release 15.3(3)M1.9.
Workaround: There is no workaround.
Symptom: For a SIP - TDM call, early dialog caller-id update does not work
Conditions: Setup and call scenario: Sipp-----------GW---------------Callgen For an SIP UPDATE request received during ringback ( Early Dialog), caller-id update should be sent in a FACILITY message on the TDM leg. The FACILITY message with caller-id update is not seen to be sent on the TDM leg.
Workaround: There is no workaround.
Symptom: SCB leak seen when the Refer Call with error condition is run under laod
Conditions: Refer Call flow which fails
Workaround: There is no workaround.
Symptom: Under certain conditions, a DSP will hang in certain call scenarios including REFER passthrough.
Conditions: This symptom is observed under heavy load.
Workaround: There is no workaround.
Symptom: Packets dropped while IPV4 to IPV6 translation with size above 1252.
Workaround: Decrease the IPV4 mtu size to 1252.
Symptom: Traceback may be seen with sip/sunrpc/rtsp/rcmd/msrpc
Workaround: There is no workaround.
Symptom: SNMP Query on the object dot3StatsDuplexStatus is shown as unknown.
Conditions: While testing Ether-Like MIB for ASR1000-6TGE.
Workaround: There is no workaround..
Symptom: many packets are dropped for NatIn2out cause
Conditions: PAT, interface overload
Symptom: GM reloads unexpectedly when enabling V6-crypto map on an interface with VRF-aware GDOI configs on the latest XE3.12 throttle images
Conditions: Seen on all ASR platforms, with latest XE3.12 throttle base images This is 100% reproducible and extremely service impacting. This happens only when you enable "ipv6 crypto map" which has a local GM deny ACL associated with it. Enabling v4-crypto map is fine
Workaround: Do not use the local GM ACL for IPV6 crypto map. This may not be a feasible workaround in the field.
Symptom: SIP SRST and adding more than one alias commands, only 'alias 1' command creates a dial-peer. voice register global mode srst system message SRST Active max-dn 20 max-pool 20 ! voice register pool 1 id network 1.1.1.0 mask 255.255.255.0 alias 1 1111 to 4444 alias 2 2222 to 4444 voice-class codec 1 Only the alias 1 dialpeer gets created and calls to that extension will work (as long as you also have the correct translation rule as per docs).
Conditions: CME in SIP-SRST mode.
Workaround: Use translation-rules to achieve this behavior. <B>Symptom: SIP SRST and adding more than one alias commands, only 'alias 1' command creates a dial-peer. voice register global mode srst system message SRST Active max-dn 20 max-pool 20 ! voice register pool 1 id network 1.1.1.0 mask 255.255.255.0 alias 1 1111 to 4444 alias 2 2222 to 4444 voice-class codec 1 Only the alias 1 dialpeer gets created and calls to that extension will work (as long as you also have the correct translation rule as per docs).
Conditions: 2900 series router running SIP SRST running version c2951-universalk9-mz.SPA.152-4.
Workaround: There is no workaround.
Symptom: CUBE 180 w/o SDP and 200OK need to send CPA details in MIME
Conditions: when CPA event to process with dialer
Workaround: There is no workaround.
Symptom: No FPI session created
Workaround: There is no workaround. None
Symptom: SNMP Query on dot3StatsDuplexStatus is shown as unknown on SPA-5X1GE-V2.
Conditions: While testing Ether-like MIB for SPA-5X1GE-V2.
Workaround: There is no workaround.
Symptom: An increasing number of TEKs are generated every 30 seconds.
Conditions: This symptom occurs under the following conditions: 1. Change the Group Identity on the Secondary KS causing encryption failure. Change the Group Identity on the Primary KS. All the GMs are deleted from the KSs. 2. Restore the Secondary Key Server. Wait for it to come up as Primary for the Group : GETVPN-GROUP-1. 3. Restore the Primary Key Server with Group : GETVPN-GROUP-1. 4. This creats a new TEK policy every 30 seconds from the newly elected Primary Key Server KS2. The sequence number for rekey remains 1. 5. KS1 is restored to be the primary role. 6. After the existing TEKs from KS2 are expired, it behaves normally.
Workaround: There is no workaround. <B>Symptom: Increasing number of TEK generated every 30 secs
Conditions: 1. Change the Group Identity on the Secondary KS causing encryption failure, Change the Group Identity on the Primary KS. All the GMs are deleted from the KSs. 2. Restore the Secondary Key Server. Wait for it to come up as Primary for the Group : GETVPN-GROUP-1 3. Restore the Primary Key Server with Group : GETVPN-GROUP-1 4. This is creating a new TEK policy every 30 sec from the newly elected Primary Key Server KS2. The sequence number for rekey remains 1. 5. KS1 is restored to be the primary role. 6. After the existing TEKS from the KS2 are expired it behaves normally.
Workaround: There is no workaround.
Symptom: memory usage keep increase
Conditions: config ATM PVC bundle interface
Workaround: There is no workaround.:
Conditions: remove ip nat setting mode and run "sh pl hard qfp ac statistics drop"
Workaround: There is no workaround.
Symptom: CUBE fails to perform 407 Error Message Passthrough if it receives a 100 Trying before the 407 Proxy Authentication Required and sends a 503 Service Unavailable to the UAC.
Conditions: ITSP sends a 100 Trying before the 407 Proxy Authentication Required
Workaround: Receive the 407 Proxy Authentication Required as first response to an Invite
Symptom: ASR1K:GM1 did not have 1 recovery registration to group GDOI_GROUP_1.
Conditions: Issue is newly seen only in ASR routers and not in ISR.
Workaround: There is no workaround.
Symptom: "488: Not acceptable media" message seen for DOEO ANAT calls with ILBC codec.
Conditions: This symptom is observed when following conditions are met: 1. DOEO 2. ANAT calls 3. ILBC codec (Did not test for other codecs)
Workaround: This symptom is not observed for DODO.
Symptom: One way audio incoming calls redirected through CVP.
Conditions: Call flow: ------------ Caller----G711----TDM GW----SIP-----ASR1K----SIP-----CUSP----SIP----CVP(Vz0)----IP-IVR | | -----SIP---CVP (BAMS) | |--------SIP---CUCM---Agent Phone (G729 only) Initially the caller is connected to IP-IVR, both ingress and egress leg of the CUBE is doing G711. Call is connected to the IP-IVR, then CVP sends a refer to the VXML GW for playing prompts and ringback tone etc. When the call is transferred to the agent, CUBE negotiated G729 at the sip level with the CVP, but because of mid-call signalling block on the ingress side, continue with the G711. Hence xcoder is invoked on the CUBE to handle G729 to G711 and vise versa, but CUBE is still sending G711 media to the agent phone side while the agent phone is sending G729 media to the CUBE.
Workaround: There is no workaround.
Symptom: 183 session progress is blocked by the sip gateway
Conditions: 183 session Progress is received with SDP and Require:100 rel header and "block 183 sdp absent" is configured
Workaround: There is no workaround.
Symptom: A router may crash due to a bus error when running "show sccp connections sessionid".
Conditions: This has been observed on a 3900e router running 15.3(2)T. SCCP features are configured on router.
Workaround: There is no workaround.
Symptom: Incorrect NHRP mapping information for a hub can be propagate throughout the DMVPN network and cause data packet forwarding via a spoke-hub-spoke path even when a spoke-spoke direct path has been built and the sending nodes "thinks" it is sending on the direct path.
Conditions: A DMVPN spoke node is mis-configured with the correct tunnel IP address, but the wrong NBMA address for a hub (hub1). In this case the incorrect NBMA address would be for a different hub (hub2). Hub1 is configured to be both a hub and a spoke. I.e. it can be the end-point for spoke-spoke tunnels.
Workaround: Fix the spoke that has the incorrect mapping and then shutdown the hub (hub1) that "thinks" it is behind NAT. This hub must be left in a down state for long enough to ensure that any copy of the mis-configured mapping times out on all nodes in the DMVPN network. In most cases two times the NHRP hold time should be sufficient.
Symptom: SUBSCRIBE received from CVP after BYE and NOTIFY with subscription-state : terminates is send by CUBE.
Conditions: This symptom is observed when SUBSCRIBE IS recieved after call is terminated with BYE.
Workaround: There is no workaround.
Symptom: CUBE drops Method Notify (OOB Notify DTMF) in SIP to SIP call flows, when 183 Session Progress without SDP is received just after 183 Session Progress with SDP. For Example: CUCM --> SIP --> CUBE ---> ITSP When Cube receives 183 Session (with SDP) from ITSP, it sends out Method Notify back to CUCM. ITSP sends another 183 Session (without SDP), at this point, CUBE strips out NOTIFY towards CUCM. This causes CUCM to disable DTMF on this call.
Conditions: There are no know conditions
Workaround: Add method Notify manually on the first leg using a SIP Profile. voice class sip-profiles 99 response 183 sip-header Call-Info remove response 183 sip-header Call-Info add "Call-Info: <sip:10.1.1.1:5060>;method=\"NOTIFY;Event=telephone-event;Duration=500\""
Conditions: Conditional debugging and packet tracing is enabled on join interface for OTV.
Workaround: There is no workaround.
Symptom: BGP performance will be slower on RP2 on 15.4(02)S release or newer images.
Conditions: Large scale BGP routes
Workaround: Use Image 15.4(01)S or older.
Symptom: memory leak in CPP List Hdr Chunk
Conditions: Flapping flexvpn sessions
Workaround: There is no workaround.
Symptom: When REFER based transfer failed with 503 in NOTIFY, CUBE tried to bridge the call, but CUBE retransmit REFER again even though got 503 service error :
Symptom: CUBE doesn't send mp4a-latm fmtp attributes in early dialog UPDATE
Conditions: This issue is observed in DO-EO call with flow-around configured and the SDP negotiation happens in early dialog.
Workaround: If SDP is negotiated in confirmed dialog, then this issue is not seen.
Symptom: Intermittently, if a root's CRL to validate Sub does not get downloaded [Internal or External failures], and the CRL by Sub gets downloaded, the following message will be seen: [Debug crypto isakmp and Debug crypto pki m/t/v/c] ISAKMP (35845): adding peer's pubkey to cache ISAKMP:(35845): processing SIG payload. message ID = 0 %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Conditions: This symptom occurs in Cisco IOS configured with the IKEv1, Authentication mode RSA-SIG [Certificates]. PKI Infrastructure is as follows: Root -> Sub -> ID - Root and Sub Trustpoint have "revocation-check crl none". - Sub has "chain-validation continue Root".
Workaround: Disable Revocation-check and Chain-validation under Sub Trustpoint.
Symptom: This is an Enhancement request on PKI Split-VRF Feature. Enrollment profile only allows us to source the enrollment traffic from a specific VRF, however it does not allow us to control the source-ip/interface
Conditions: PKI Split VRF Feature, where one is allowed to configure VRF for enrollment through enrollment profiles, and VRF for CRL checking through Trustpoint.
Workaround: There is no workaround.
Symptom: Large IPSEC packets get dropped when fragmentation is done after IPSEC encapsulation.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptom: CUBE HA pair crashes with crashinfo file being generated.
Conditions: 3945E CUBE routers running as a redundant pair on IOS 15.2(1)T2.
Workaround: There is no workaround.
Symptom: IOS will fail to match the certificate map intermittently
Conditions: IOS PKI using certificate maps, to authorize the Peer certificates or override CDP. In this case: - if a certificate map is written on a PC, with upper case letters in them: Ex: crypto pki certificate map HR-Users 10 subject-name co ou = HR-Users - and this is a part of the configuration that is merged with the running config through IOS file-system [directly from flash or FTP/TFTP/HTTP etc], IOS retains the upper case letters. [contrary to certificate maps written through CLI, always converts everything to lower case letters]
Workaround: A) - copy the certificate maps [that have upper case letters in them] to a notepad - remove the certificate maps [that have upper case letters in them] - paste the certificate maps, through IOS CLI - wherever these cert maps were being called, they will stay intact, and this change will take effect immediately or B) - The certificate map needs to enter IOS in a manner that IOS would insert it if you were to enter it in a CLI I.e. Make sure the external config generators generate the certificate map in such a way that everything is in lower case, and it has white spaces between DN OID, '=' and the value.
Symptom: Traceback appears in the common setup affecting the test
Conditions: Attaching service policy to zone pair security
Workaround: There is no workaround.
Symptom: Astro is not being initialized in ROMMON
Conditions: Initialize ASTRO ECSR in ROMMON
Workaround: There is no workaround.
Symptom: channel group wil link id > 4 is not configurable.
Conditions: whiel configuring the vlan based load balance
Workaround: Use only link id 1-4
Symptom: ASR crashes with no known trigger in CCSIP_SPI_CONTROL process.
Conditions: It is an error scenario where crash occurs when router is not able to send ACK for 200 OK where branch parameters differ. CUBE INVITE | INVITE (Via branch=ABC) ----------------------------->| ----------------------------------------> | 200 OK (Via branch=DEF) | <----------------------------------------- | Cube fails to send ACK to 200 OK for some reason and causes a crash
Workaround: There is no workaround. <B>Symptom: ASR crashes ith no known trigger in CCSIP_SPI_CONTROL process
Conditions: It is an error scenario where crash occurs when router is not able to send ACK for 200 OK where branch parameters differ. CUBE INVITE | INVITE (Via branch=ABC) ----------------------------->| ----------------------------------------> | 200 OK (Via branch=DEF) | <----------------------------------------- | Cube fails to send ACK to 200 OK for some reason and causes a crash
Workaround: There is no workaround.
Symptom: observing cpp_cp_svr crash
Conditions: Interface Flap with Model4 QoS under Oversubscribe load
Workaround: There is no workaround.
Symptom: Part of the "MCSA Requst Parameters" are not updated when showing gtp pdp details
Conditions: When issuing show gtp pdp related commands with "detail" option
Workaround: There is no workaround.
Symptom: The test gtp commands are diasabled
Conditions: Issue test gtp commands.
Workaround: There is no workaround.
Symptom: Tracebacks @ ipnat_establish_alias seen with IPsec and NAT64 configs
Conditions: While bringing up IPsec sessions.
Workaround: There is no workaround.
Symptom: Memory leak at SRTP Keys in Dolby Feature.
Conditions: Memory leak seen in SRTP Call
Workaround: There is no workaround.
Symptom: "token" CLI is getting missed under Crypto pki.
Conditions: UUT is loaded with 15.4(1.20c)CEL5.5.
Workaround: There is no workaround.
Symptom: observing cpp_cp_svr crash
Conditions: on unconfiguration of IPHC scaled configuration
Workaround: There is no workaround.
Symptom: NIM Card type details are not specific in show command port details
Conditions: card type details are not specific in "show voice port x/x/x" in dynamo3 FXS cards. It is just mentioned as "NIM-FXS" in the show command output.
Workaround: There is no workaround.
Symptom: ASR router crash with iosd punting packet to port-channel with ERSPAN configured on the router
Conditions: port-channel and ERSPAN configured on the router
Workaround: There is no workaround.
Symptom: multiple crashes witnessed due to memory being freed.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: entPhysicalContainedIn of NIM Module is showing the spa bay on ASR1001-X Chassis.
Conditions: While testing EntityMIB for ASR1001-X Chassis.
Workaround: There is no workaround.
Symptom: packet dropped at interface
Conditions: encap change on tunnel
Workaround: remove the tunnel interface and config it again.
Symptom: clean up fail in fhs testing
Conditions: Tracebacks are seen
Workaround: There is no workaround.
Symptom: CPUHOG messages and watchdog timeout crashes are observed on an ASR1000 series router running DMVPN.
Conditions: This has been observed on a router with a very large NHRP table (10-20k individual entries) with a very high number (thousands) of child entries per parent entry.
Workaround: Reduce the number of child entries per parent entry through the use of supernetting.
Symptom:VG224 responds with a different RTP port each time for multiple StationPortReq messages from CUCM for the same call. Seen in 15.1(4)M7
Conditions: CUCM sending multiple StationPortRequest to VG VG224 registered SCCP to CUCM
Workaround: There is no workaround.
Symptom: Modem Relay call fails with new NIM FXS card on O2 platform
Conditions: Modem Relay call fails
Workaround: There is no workaround.
Symptom: Invalid input after saving 68 byte feature config & reloading router
Conditions: Invalid input after saving 68 byte feature config & reloading router
Symptom: shutdown one tunnel interface,the chassis crash
Conditions: Step 1 :Setup dmvpnv3 scenario with two spokes Step 2 :On spoke 2,tunnel100 and tunnel200 are a pair of DMVPN tunnels Step 3: unconfigure "maximum-paths ibgp *" to make the two tunnels with one route to hub Step 4: add spoke to spoke traffic and after the traffic is contronlled by cent,shutdown tunnel100,the crash will be hit
Workaround: make sure the configuration is right
Symptom: When REFER is received on CUBE and CUBE send to ITSP where ITSP did not respond to the REFER and CUBE try to Resume the call Memory Leak seen.
Conditions: When REFER is received on CUBE and CUBE send to ITSP where ITSP did not respond to the REFER and CUBE try to Resume the call Memory Leak seen.
Workaround: There is no workaround.
Symptom: Reload the router, and check the system clock [it should be an authoritative source of time: show clock ? no * is printed before the clock]. However, 'show crypto pki timer' will not show the renew timer for the trustpoint.
Conditions: IOS is configured as SCEP client, with an auto-enroll timer. Also, instead of 'enrollment url' under the trustpoint, an enrollment profile is configured.
Workaround: Re-enter the 'auto-enrol <>' command under the trustpoint to trigger the renew timer.
Symptom: The fields in the result of "show gtp apn stats" are not updated correctly
Conditions: Issuing "show gtp apn stats" command.
Workaround: Try to get similar info from "show gtp path stat"
Symptom: An ASR 1002-X router might crash and reload writing a core file in the process.
Conditions: ASR1002-X running IOS XE in a NAT-HA B2B scenario
Workaround: There is no workaround.
Symptom: Some of the fields in "show gtp statistics" result are not updated.
Conditions: Issue "show gtp statistics" command.
Workaround: There is no workaround.
Symptom: Invalid offers getting processed
Conditions: Invalid offers getting processed
Workaround: There is no workaround.
Symptom: Configuring "no aqm-register-fnf" doesn't disable the command in the router's running and startup configurations.
Conditions: The problem was observed in the following sequence : (1) Configure "no aqm-register-fnf" (2) Execute "show run", the command "aqm-register-fnf" is removed (3) Execute "show run" again, the command "aqm-register-fnf" re-appears
Workaround: There is no workaround.
Symptom: Active ESP reloads when churning ISG sessions
Conditions: Churn both regular and walk-by ISG sessions at scale.
Workaround: There is no workaround.
Symptom: Major alarm observed on ASR1001
Conditions: After upgrade to XE3.10.2
Workaround: There is no workaround.
Conditions: registration succeeds and crashes
Workaround: There is no workaround.
Symptom: On standby RP, the remote restart counters on gtp paths are not synced from active RP and remain 0.
Conditions: After a back to back RP switchover
Workaround: There is no workaround.
Symptom: No way audio (Silence) issue is noticed on transcoded SIP-SIP calls on CUBE after mid-call codec change.
Conditions: IOS Relase 15.3(3)M1 and above Issue happens only under following condition. 1. Transcoder is allocated on CUBE for DTMF Interworking (Audio Codec Used on both inleg and outleg are same) 2. Due to supplementary services like "Hold" or "Transfer", one of the call leg negotiates different audio codec (Since the transcoder already allocated for DTMF interworking, it takes care of audio transcoding) 3. Later when the call is "Retrived" or "Transfer" is completed, both the call legs on CUBE negotiates same audio codec and transcoder needs to be updated for DTMF Interworking. At this point, CUBE fails to update transcoder causing no-way audio issues
Workaround: 1. Try using the same DTMF method on both inleg and outleg, so that there is no transcoder allocation 2. Use same codec throughout the call Considering the following call flow PSTN -> SIP -> CUBE -> SIP -> CUCM -> IP Phone 1. Call was made from PSTN to IP-Phone via CUBE 2. Initial call gets established as G711 (alaw or ulaw) and CUBE allocates local transcoder for DTMF Interworking ( inband-voice to rtp-ntp) Media Path : PSTN [Codec-G711ulaw, DTMF-raw tone(inband-voice)] -> CUBE -> [Local Transcoder] -> [Codec-G711ulaw, DTMF- rtp-nte] -> IP-Phone 3. IP Phone places the call hold and this triggers call to be connected with MoH which is capable of streaming only G729 media Media Path : PSTN [Codec-G711ulaw, DTMF-raw tone(None)] -> CUBE -> [Local Transcoder] -> [Codec-G729, None] -> MoH Server 4. When IP Phone "Resume" or "Transfer" the call, the codec changes from G729 to G711ulaw. Media Path : PSTN [Codec-G711ulaw, DTMF-raw tone(inband-voice)] -> CUBE -> [Local Transcoder] -> [Codec-G711ulaw, DTMF- rtp-nte] -> IP-Phone 5. At this point, CUBE fails to update transcoder with updated media capability causing no-way audio
Symptom: Traceback appears in the section test
Conditions: Issuing more harddisk:tracelogs/ with debug packet trace enabled
Workaround: There is no workaround.
Symptom: When "crypto gdoi ks rekey" is issued on the KS with multiple groups, the GM does not receive the rekey
Workaround: There is no workaround.
Symptom: CUBE is not sending 200 OK for PRACK SDP when CPA enabled
Workaround: Add some delay between 18X to 200 Ok
Symptom: When CED/ANSam/2100Hz answer tone is detected in the early media phase of the call, the gateway does not switchover and starts sending distorted audio to the originating fax. Fax transmission fails.
Conditions: This symptom is observed when modem passthrough nse codec g711ulaw is used as the fax protocol. Fax -> VG224 --SCCP--> CUCM -SIP--> 3945 GW--ISDN T1 PRI-->PSTN 3945 IOS: 15.1.4M5 VG224:15.1.4M2
Workaround: Perform the following workaround: - Use 'progress_ind' to strip PI=8 if the Early Media is opened via an ISDN ALERTING message: (config-dial-peer)#progress_ind alert strip - Check with Carrier if they can avoid opening early media for Fax/Modem calls.
Symptom: fman-fp log report traceback when loading fp card
Conditions: load or reload fp card
Workaround: There is no workaround.
Symptom: Incorrect internal and external Dialtone for CPTONE DE.
Conditions: Cptone DE is configured under FXS ports
Workaround: Step1: Router# test voice tone DE dialtone 1 425 0 -200 -200 -240 0 0 0 65535 0 0 0 0 0 0 0 Step2: Router# test voice tone DE 2nd_dialtone 1 425 0 -200 -200 -240 0 0 0 200 300 200 300 200 800 0 0 Step3: shut the voice-port Step4: Unshut the voice port
Symptom: Traffic stats check failed after shutdown in Manual LB with multiple backup link configed
Conditions: Traffic loss is seen for PC_EVC_Manual_Loadbalance test
Workaround: There is no workaround.
Symptom: DMVPN spoke (ISR) gets stuck in NHRP state after config-unconfig-reconfing with TP.
Workaround: Reboot the router.
Symptom: Memory leak seen when CME will xfer the call followed by idivert.@ sippmh_parse_hi_token
Conditions: while doing idivert
Workaround: There is no workaround.
Symptom: Traceback @fp_ipsecmgr_init
Conditions: With policy-map configured on the egress GRE tunnels, perform RP switchover
Workaround: There is no workaround.
Symptom: ASR1002 running asr1000rp1-adventerprisek9.03.04.06.S.151-3.S6.bin crashes at crypto ipsec update peer path mtu
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: MODEM Relay cannot be configured on VG224
Conditions: VG224 used for modem relay calls.
Workaround: There is no workaround.
Symptom: CME Crashed while Inbound SIP profile added globally.
Conditions: This symptom is observed when inbound SIP profile is added.
Workaround: Do not configure inbound sip profile.
Symptom: "No match found" message on the console.
Conditions: On issuing "show plat hard qfp act feat nat data port <proto>"
Workaround: There is no workaround.
Symptom: reINVITE failure - hung calls
Workaround: There is no workaround.
Symptom: No way audio (silence) issue is noticed on transcoded SIP-SIP calls on CUBE when supplementary services like Hold/Resume or Call Transfer is invoked. Issue is observed with both SCCP based transcoding and LTI (Local Transcoding Interface) based transcoding. When using SCCP Based Transcoding, "show sccp connection" output looks as below during no-way audio issue (Mode - Inactive, rport - Empty, ripaddr - Empty, conn_id_tx - Empty) CUBE-2#show sccp connections sess_id conn_id stype mode codec sport rport ripaddr conn_id_tx 65545 36 xcode inactive g729 16414 0 :: 65545 40 xcode inactive g711a 16412 0 :: When using LTI based transcoding, "show dspfarm dsp active" shows no entry of the call during no-way audio CUBE-2#show dspfarm dsp active SLOT DSP VERSION STATUS CHNL USE TYPE RSC_ID BRIDGE_ID PKTS_TXED PKTS_RXED Total number of DSPFARM DSP channel(s) 0
Conditions: IOS Release 15.3(3)M Issue happens only under following condition. 1. When "midcall-signaling passthru media-change" is configured on CUBE 2. There is change in codec in one of the call leg after invoking supplementary services like Hold/Resume or Transfer
Workaround: 1. Disable "midcall-signaling passthru media-change" Voice service voip Sip no midcall-signaling passthru media-change 2. Use same codec through-out the call (Avoid change in codec behavior by controlling supported codec list)
Symptom: FP Crashed while DTMF info message received for SRTP Passthrough call
Conditions: DTMF INFO received
Workaround: FP Crashed while DTMF info message received for SRTP Passthrough call
Symptom: On CUBE if MTP invoked for the call Forking packets showing 0 :
Conditions: On CUBE if MTP invoked for the call Forking packets showing 0 :
Workaround: There is no workaround.
Symptom: CUBE crashed while handling Flow around Call.
Conditions: CUBE crashed while handling Flow around Call.
Workaround: no Media flow around on CUBE
Symptom: qfp ipsec debug message format changed
Conditions: There are no know conditions
Workaround: There is no workaround. none
Symptom: IPsec configured router sees unauthenticated router in INIT stage of ospfv3
Conditions: Configure one router with ospfv3 auth and other router with no authentication
Workaround: There is no workaround.
Conditions: Deactivation of a container.
Workaround: There is no workaround.
Symptom: when a crl is downloaded using "cry pki crl download url <url1> and no command is done on same, memory leak is seen for cd p
Conditions: when a crl is downloaded using "cry pki crl download url <url1> and no command is done on same
Workaround: There is no workaround.
Symptom: when ASR1K receive a fragmented jumbo packets(pkt1:2002,pkt2:9000),router will report an refrag error and traceback.
Conditions: jumbo packet and VFR via CLI
Workaround: There is no workaround.
Symptom: When there is a dialer interface getting dynamic IP, SIP control and media binding is failing with that interface.
Conditions: IOS should be 15.1.2T or later (to configure binding at dial-peer level)
Workaround: Configure static IP for the dialer interface.
Symptom: Kingpin crashes @ cmcc_2kp_cli_show_plim_status_cb
Conditions: Kingpin crashes while issuing "show plat hard slot 0 plim status int"
Workaround: There is no workaround.
Symptom: Traceback when IPV6 traffic is transiting through ATM sub-interface
Conditions: Configuration of "atm route-bridged ipv6" configured at ATM sub-interface level
Workaround: There is no workaround.
Symptom: Some sip packets drop with B2B CGN BPA setup
Conditions: Some sip packets drop with B2B CGN BPA setup
Symptom: On CUBE there is a port leak seen for each audio video call negotiated to audio call.
Conditions: This symptom is observed when audio Video M line offer answered with only audio m line.
Workaround: Send answer with both audio m line and video, if video not supported send port 0. <B>Symptom: On CUBE there is a port leak seen for each audio video call negotiated to audio call
Conditions: When audio Video M line offer answered with only audio m line.
Workaround: send answer with both audio m line and video, if video not supported send port 0
Symptom: O2 router crashes with non-default firmware intermittently
Conditions: O2 router crashes with non-default firmware intermittently
Symptom: CUBE reloads intermittently while handling SIP call forking scenario.
Conditions: In SIP Call forking scenario, an INVITE sent from CUBE is routed to multiple SIP endpoints and multiple SIP provisional responses such as 183 Session Progress with different To tags are received.
Workaround: There is no workaround.
Symptom: CUBE's media anti-trombone feature does not work correctly when combined with the pass-thru content sdp feature. When the two features are enabled CUBE will return the wrong SDP on one call leg and does not properly switch from media flow-through to media flow-around.
Conditions: This was seen on 15.4(1)T with both media anti-trombone and pass-thru content sdp enabled.
Workaround: There is no workaround.
Symptom: ucode crash with sip traffic
Conditions: after doing couple of events like redudancy reload multiple times and with SIP traffic
Workaround: There is no workaround.
Symptom: Caller id is not received intermittently on FXO ports. we have dangling dsm_handle associated with this port and it is preventing from sending further dsp messages to start caller id. Mar 24 16:18:22.054: [0/1/1] htsp_start_caller_id_rx:BELLCORE Mar 24 16:18:22.054: htsp_start_caller_id_rx htsp->dsm_handle 2AC5E96C
Conditions: The symptom has been observed on IOS 150-1.M7, with PVDM3.
Workaround: Router reload fixes the issue.
Symptom: Slow memory leak in small/middle I/O buffers. This can be identified by looking at the output of "show buffer" and "show buffer usage" commands You'll see the number of small and middle buffers incrementing to very high values VG224-1#sh buffer | inc peak Small buffers, 104 bytes (total 1116, permanent 50, peak 1242 @ 00:00:17): Middle buffers, 600 bytes (total 1937, permanent 25, peak 2217 @ 00:00:16): The output of 'show buffer usage' will show the SCCP Application as a Resource User of the buffers and increasing until memory is exhausted. Caller pc : 0x6238D4C8 count: 4454 Resource User: SCCP Appli count: 4455 Once memory is exhausted, telnet sessions will fail to establish. Console access may still be available.
Conditions: VG224 registered to CUCM and defined as a SCCP controlled gateway. This is seen when the CUCM rejects the registration attempts of the VG224 FXS ports due to it reaching the " Maximum Number of Registered Devices" value as defined in the CUCM Service Parameters. This can occur when devices fail-over from the primary to secondary CUCM and the proper device sizing has not been followed as per the CUCM SRND. Too many devices attempt to register and CUCM starts to reject their attempts.
Workaround: Ensure that in fail-over scenarios, the number of devices that attempt to register to CUCM don't exceed the number set in "Maximum Number of Registered Devices" service parameter.
Symptom: Issues with source VLAN numbers while using with ERSPAN.
Conditions: VLAN greater than 1005 were not displayed in the running config. There is no service impact.
Workaround: There is no workaround.
Symptom: Memory Leaks seen at nhrp_cts_data_from_pak_wrapper
Conditions: The leaks are seen on the spoke of a DMVPN setup. The leaks are observed on booting up 15.4(2.8)T image
Workaround: There is no workaround.
Symptom: Packet-trace statistics sometimes appear to report out-of-sync counts.
Conditions: Using packet-trace in IOS-XE3.11.
Workaround: There is no workaround..
Symptom: entity alias mapping and if table entry missing for USB ports in ASR1002-X built-in RP
Conditions: ASR1002-X running with asr1002x-universalk9.03.08.01.S.153-1.S1.SPA.bin
Workaround: There is no workaround.
Symptom: End to end ping fails for normal ATM and CC ATM
Conditions: Breakage on mcp dev
Workaround: There is no workaround.
Symptom: Bogus counter reported by crypto engine
Conditions: When SHA384 algorithm, bogus counter is seen during show platform hardware crypto-device context output
Workaround: There is no workaround.
Symptom: client bypass-policy is not enabled while configuring "default client bypass-policy" in the GM gdoi group.
Conditions: client bypass-policy is not enabled while configuring "default client bypass-policy" in the GM gdoi group when the client bypass-policy is already disabled.
Workaround: There is no workaround.
Symptom: One-way audio when using SRTP when the master key begins with 00.
Conditions: Using any release that contains the fix for bug: CSCtj15884.
Workaround: Put the call on hold and then resume. This will renegotiate the keys and restore two way audio.
Symptom: One way audio when Agent blind-transfers a call from PSTN (h.323 gateway) to a second DN, which then CFNA's to Unity
Conditions: - the issue seems to be a race condition. - the call flow/scenario that seems to cause the race condition is as follows-
Workaround: use consultive transfer
Symptom: Outputs of the IPSEC event-monitor does not always include a session-id or local/remote peer ID
Conditions: After the fact troubleshooting of IPSEC sessions by looking at the recorded events
Workaround: There is no workaround.
Symptom: BFD state down while config isis/ospf
Conditions: Bfd neighbors state down on POS interface with isis/ospf configuration.
Workaround: There is no workaround.
Symptom: Multiple PTP stream creation happens on performing IOSD kill switchover, because of that PTP slave clock alwys stuck in ACQUIRING state
Conditions: IOSD kill switchover
Workaround: There is no workaround.
Symptom: Control falls to Priviliged Exec mode
Conditions: When "exit" command is issued from voice register global
Workaround: There is no workaround..
Symptom: GTP path is created even when create pdp fails.
Conditions: By removing the ggsn address from gtp config or any other scenarios which lead to pdp creation failures
Workaround: There is no workaround.
Symptom: DSCP values are set for the VoIP signalling and media packets using the "ip qos dscp" command under the dial-peer. The default value, in the absence of explicit configuration, should be "af31" for signalling and "ef" for media. When setting dscp values for signaling/audio/video under the dial-peer the media packets are marked with AF11 instead of AF33 with the following configuration ip qos dscp af11 media ip qos dscp af21 signaling ip qos dscp af33 video rsvp-none
Conditions: This occurs when configuration is applied on dial-peer with the following call flow and IOS CALL FLOW CTS endpoint - SIP - CUCM -SIP - CUBE -SIP- SME -SIP- ISDN Video Gateway CUBE Platform/IOS c2900-universalk9-mz.SPA.153-3.M1.bin
Workaround: Apply the qos configuration on the interface using class map and policy map.
Symptom: "Show ephone register summay" command doesnot display ephones with ephone-tags beyond 165.
Conditions: There should be ephones configured with tag 165 onwards.
Workaround: Configure all the ephones with tags ranging below 165.
Symptom: GTP Local interface cannot be removed even when there're no active pdps
Workaround: use "no gtp" to unconfigure the whole gtp and then reconfigure
Symptom: Trans on active and standby are not synced
Workaround: There is no workaround.
Symptom: iWAG-GTP does APN name resolution through DNS before using locally configured APN level ggsn address.
Conditions: When "ip domain lookup is enabled"
Workaround: There is no workaround.
Symptom: Ring off/on period is not changed even we configure ring cadence as followings. - cptone KR - ring cadence pattern01 or - cptone KR - ring cadence define 20 40 or - cptone KR - ring cadence define 20 40 20 40 ======================= Apr 10 14:13:51.521: htsp_timer_stop3 htsp_setup_req Apr 10 14:13:51.521: htsp_process_event: [2/0, FXSLS_ONHOOK, E_HTSP_SETUP_REQ]fxsls_onhook_setuphtsp_progress Apr 10 14:13:51.525: [2/0] c2400_set_sig_state_intercept: ABCD=0, timestamp=0, sys_time=10443319 Apr 10 14:13:51.525: [2/0] c2400_get_ring_cadence: cadence: 2000, 4000, 0, 0, 0, 0 <<<<< Apr 10 14:13:51.525: [2/0] htsp_set_caller_id_tx calling num=2701 display_info= called num=1068 Apr 10 14:13:51.525: [2/0] Caller ID String 80 13 01 08 30 34 31 30 31 34 31 33 02 04 32 37 30 31 08 01 4F AE Apr 10 14:13:51.525: [2/0] voice port htsp_set_caller_id_tx_time: ring cadence not suitable for caller id. on_time_first=1000 off_time_first=2000 on_time_second=0 off_time_second=0 <<<<< Apr 10 14:13:51.529: [2/0] c2400_get_ring_cadence: cadence: 2000, 4000, 0, 0, 0, 0 <<<<< Apr 10 14:13:51.529: [2/0] c2400_set_sig_state: ABCD=0, timestamp=0, sys_time=10443319htsp_call_feature:feature 12
Conditions: VG224-MP 15.1(4)M5 cptone KR
Workaround: There is no workaround.
Symptom: show Modem Relay statistics output doesnot show any parameters
Conditions: show Modem Relay statistics output doesnot show any parameters
Workaround: There is no workaround.
Symptom: Call Flow: PSTN -H.323-GW - 3rd Party IVR System. When using payload type 97 & 96 for RTP-NTE with H.323, gateway is found to set Marker bit as false, which caused 3rd party IVR not to recognize DTMF inputs provided by Caller.
Conditions: Call Flow: PSTN -H.323-GW - 3rd Party IVR System.
Workaround: There is no workaround.
Symptom: "Badly formed RTP" drop counter increases unexpectedly. This issue is recovered by reloading the SBC.
Conditions: This issue is seen with tele-presence call.
Symptom: There is a time difference printed in the CSV files generated by the hunt group stats reports. While the file shows that the collection of statistics took place at 8pm for example, the actual data shown is from 2-3 hours prior of that time, it could even be more some times. For example: 20:00:01 EST Tue Apr 15 2014 EPHONE HUNT GROUP STAT 1 Tue 16:00 - 17:00 HuntGp 2 0 0 0 0 0 0 0 0 0 0 0 0 1 Tue 16:00 - 17:00 Agent 3001 0 0 0 0 0 0 1 7 7 0 0 0 1 Tue 16:00 - 17:00 Agent 3002 0 0 0 0 0 0 1 4 4 0 0 0 This is happening due precise time condition checks while generating csv file.
Conditions: B-ACD is being used for call queuing. 'statistics collect' enabled inside ephone-hunt The following commands are included inside telephony-service: hunt-group report url prefix <URL> hunt-group report url suffix <number> to <number> hunt-group report every <Hours> hours
Workaround: There is no workaround.
Symptom: Inbound and outbound calls through FXO ports are disconnecting always if "supervisory disconnect anytone" command is present in the FXO Voice-port. If we remove the command, calls would work without any issues. However, in 151-3.T1 calls would work fine with "supervisory disconnect anytone" command present in the voice-port. CSCum09273 fixed the issue with inbound calls through FXO port. Outbound calls are still not working.
Conditions: When "supervisory disconnect anytone" command is configured under voice-port
Workaround: Remove "supervisory disconnect anytone"
Symptom: crypto-register packet-count CLI does not work on ASR1001-X platform
Conditions: transmitted and received packets always shows the same value
Workaround: There is no workaround. none
Symptom: Traceback at cpp_mma_policy
Conditions: Flapping Flexvpn sessions with AVC service-policy applied via Radius
Workaround: There is no workaround.
- CSCuo38818 After configuring this command under ephone for static member, it is observed that sporadically it doesn't provide tone while logging in/out while ephone actually logs in/out in ephone-hunt. Also sometimes, ephone provides tone but doesn't log in/out in ephone-hunt. <B>Symptom: The login/logout status for a particular DN is not in sync between Ephone hunt group and Voice hunt group. If ephone hunt group shows the status of the DN as logged in, voice hunt group shows as logged out, or vice versa. Thus, always the status on the phone is updated as "logged out of hunt group"
Conditions: Same DN should be part of ephone hunt group and voice hunt group. And under the ephone hunt group, members logout and/or auto-logout should be configured.
Workaround: Do not configure members logout and auto-logout, when same DN is associated with ephone hunt group and voice hunt group simultaneously. :
Workaround: There is no workaround.
Symptom: when ping xtr to pxtr, the pxtr response message is LSB disabled,the packet was seen on punt path
Conditions: There are no know conditions
Workaround: it's random,sometimes will be hit, sometimes is not.
Symptom: A crash is seen causing a system reload. The crash occurs in the Crypto IKMP process: Exception to IOS Thread: Frame pointer 0x3CEFFB58, PC = 0x164CC518 UNIX-EXT-SIGNAL: Segmentation fault(11), Process = Crypto IKMP
Conditions: This issue occurred after the following debug: debug cry condition peer subnet XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX The exact conditions are still being investigated.
Workaround: There is no workaround. known
Symptom: CPA event is enabled for non cpa dsp profile and transcoded calls.
Conditions: For basic Transcoded call, CPA event is send as enabled even for non CPA dsp profile configuration.
Workaround: There is no workaround.
Symptom: The dynamic L2L peer will successfully bring up, both phase-1 and phase-2 although the isakmp profile does not cater to this new peer.
Conditions: IOS L2L end-point catering to dynamic peers, with a dynamic crypto map, under which we have: a) an isakmp profile that does not match the isakmp identity of this new peer b) no crypto ACL [i.e. no 'match address' statement] Note: a crypto ACL can be configured under the dynamic map, that is either an exact or a super-set mirror image of the peer's crypto ACL, although this is not mandatory.
Workaround: There is no workaround..
Note Note: The non-matching isakmp profile blocks the peer if the dynamic map has a 'match address' statement.
Symptom: The following are the issues identified with unicast and multicast rekey, re-transmission even trace 1. The order of rekey received and ack sent on the GM was out of order, with rekey ack event showing up first. 2. Ip address of source and destination showed up as 0.0.0.0 3. Seq number showed up as either 0 or very large number.
Conditions: Standard GETVPN deployment.
Workaround: There is no workaround.
Symptom: Redundant Gatekeeper setup and high CPU is experienced from time to time during the GUP un-registeration operation.
Conditions: Traceback= 0x9434BECz 0x942BEC0z 0x942BFE8z 0x942C03Cz 0x9457E08z 0x93FE7CCz 0x94022F0z 0x4DD7EACz 0x4DBDD18z
Workaround: There is no workaround.
Symptom: ROMMON get_mac_addr and IOSXE IDPROM access fail on booting standby RP2.
Conditions: External USB thumb drive used on RP2.
Workaround: Remove external USB thumb drive on RP2.
Symptom: timestamp is garbage when show performance monitor history
Conditions: timestamp is garbage when show performance monitor history
Workaround: There is no workaround.
Symptom: CUBE use early dialog Record-Route on ACK message.
Conditions: CUBE receive another Record-Route on 180 and 200
Workaround: There is no workaround.
Symptom: Path-confirmation check failed on CUBE in SRTP-RTP call
Conditions: Configure CUBE for SRTP-RTP call
Workaround: There is no workaround.
Symptom: DGT value displayed wrongly on FNF cache.
Conditions: The issue is seen intermittently on Overlord platform.
Workaround: There is no workaround.
Symptom: Incomplete kernel core file with filename ending in.TEMP_IN_PROGRESS.
Conditions: Active RP kernel core dump in dual RP2 systems.
Workaround: There is no workaround.
Symptom: fman fp crash @in cpp_nat_client_ctrl_cmd_send_a
Conditions: on reloading router with attached config
Workaround: There is no workaround.
Symptom: CUBE response both 481 and 200
Conditions: Receive PRACK with wrong Rack header
Workaround: There is no workaround.
Symptom: Unexpected CANCEL message sent from CUBE
Workaround: There is no workaround.
Symptom: Invalid cause code '0' sent in 503 response to INVITE received by CUBE
Conditions: Configure the CUBE for PCD buffer logging as per the enclosed configs
Workaround: There is no workaround.
Symptom: ESP crash at cpp ace delete
Conditions: 10K flexvpn sessions up with traffic and then RP switchover down
Workaround: There is no workaround.
Symptom: FP-Crashes@vc_show_alias_aom_cb
Conditions: while configuring encapsulation aal5mux ip in atm sub-interface
Workaround: There is no workaround.
Symptom: Incorrect RTP connections seen for calls from SCCP-Jabber Video Phone
Workaround: There is no workaround.
Symptom: Confidence levels sent to ASR server from VXML gateway in the MRCPv2 messages are not the expected values. The values may appear to have had their leading zero after decimal place removed/trimmed.
Conditions: MRCPv2 Incoming confidence level in VXML document is less than 0.10
Workaround: Do not use a confidence level value smaller than 0.10 in VXML documents. Do not provide a confidence level that has a leading zero after the decimal point ex) 0.05
Symptom: Ucode crash occurs with UWS-WAN_XE311 profile.
Conditions: while verifying NAT64 with traffic on.
Workaround: There is no workaround.
Symptom: ESP80 may crash when tearing down PPP sessions on LNS at scale.
Conditions: Tearing down PPP sessions on LNS.
Workaround: There is no workaround.
Symptom: In a configuration where both Root and Sub have revocation check enabled, IOS PKI Client falls back to the older behavior of inheriting the Root trustpoint policy [while downloading CRL during cert validation] in the following situations: a) Both Root and Sub-CA CRLs are not yet downloaded b) Root CRL is available and Sub CRL is not yet downloaded
Conditions: IOS PKI Client configured with chain-validation: crypto pki trustpoint Root-CA vrf mgmt source-interface eth0/0 revocation-check crl crypto pki trustpoint Sub-CA vrf secure source-interface eth0/1 revocation-check crl chain-validation continue Root-CA
Workaround: There is no workaround.
Conditions: High cpp data path utilization
Workaround: There is no workaround.
Symptom: clid network-number not honored.
Conditions: Call flow:- PSTN T1PRI---- Cisco GW -- -T1PRI--PSTN Ver:- 151-4.M5 Details Cisco IOS GW receives incoming call through T1 PRI, IOS matches the incoming dial-peer completes digit manipulations. And matches the outbound dial-peer which is destined towards PSTN circuit. The outbound dial-peer is configured with clid network-number "XXXX'. Ideally Calling number should be changed based on clid network-number configuration, but it is not getting honored.
Workaround: Use translation profile instead of clid network-number.
Symptom: Build breakge on xe313_throttle
Conditions: ABS daily build on xe313_throttle
Workaround: There is no workaround.
Symptom: smp packets should not be via LAN interface when FIB updating
Conditions: smp packets should not be via LAN interface when FIB updating
Workaround: There is no workaround.
Symptom: Multiple registration requests are observed on GM
Conditions: Multiple registration requests are observed on GM when the ACL on the KeyServer is modified and rekey is issued
Workaround: There is no workaround.
Conditions: High data path utilizations
Workaround: There is no workaround.
Symptom: Traceback was seen in overlord platform during call termination
Workaround: There is no workaround.
Symptom: A memory corruption crash on ASR.The crash is related to SIP Gateway.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: tunnel holddown timer value is not stored in running or startup config and is not preserved on reload
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: CPP crash caused by sessions renegotiating authentication and applying QOS
Conditions: Having many CPE renegotiating authentication
Workaround: There is no workaround.
Symptom: Memory leak in MallocLite
Conditions: ASR running 03.07.05S
Workaround: There is no workaround. at this time
Symptom: A router will crash with a segmentation fault in IOSD: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = CCSIP_SPI_CONTROL
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: The ESP module in an ASR1000 series router may reload unexpectedly.
Conditions: This has been observed on an ASR1002 running 15.3(3)S2 (03.10.02.S)
Workaround: There is no workaround. at this time
Symptom: SIP GW fails to send dtmf digits after NOTIFY msg
Conditions: SIP GW fails to send dtmf digits after NOTIFY msg while testing with failed image
Workaround: There is no workaround.
Symptom: Large multicast packets are not reaching the receiver.
Conditions: Using IPv6 VFR with multicast
Workaround: There is no workaround.
Symptom: master channel Operational state is not-available on USD
Open Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S
This section documents the unexpected behavior that might be seen in Cisco ASR 1000 Series Aggregation Services Routers Release 3.13S.
Symptom: This is an enhancement request IOS IKEv2 VPN server in ikev2 cluster supports ipv4 address in the redirect payload. As per RFC 5685 section “9.2. REDIRECT”: “FQDN of the new VPN gateway” is a valid payload and should have an option to mention redirect-FQDN. If FQDN is not used then “Untrusted certificate warning” will appear even if gateway have valid trusted certificate installed.
Conditions: ** FQDN is used to connect to the VIP address of cluster ** Trusted valid wild card certificate installed on the gateway or subject alt name contain the FQDN equal to physical IP address of the gateway.
Workaround: Add in ipv4 addresses of all the gateways in the cluster in the SAN attribute of the certificate.
Symptom: SAs are not synced after rekey failover test
Conditions: After issuing clear crypto sa standby, show crypto ipsec sa standby | include Status should show the status of both the active and standby router's
Workaround: There is no workaround.
Symptom: DMVPN tunnels down followed by traffic loss
Conditions: This condition is observed when setting scale configuration for DMVPN tunnels.
Workaround: There is no workaround.
Symptom: dynamic tunnels are not formed after clearing crypto session
Conditions: The issue observed during clearing of crypto session with Traffic running.
Workaround: There is no workaround.
Symptom: On the ASR1k router, with DMVPN setup ( hub ---- spoke), ipv4 traffic go through one DMVPN tunnel. ESP100 on hub router crashed every 2 hours.
Conditions: This symptom was observed with DMVPN setup ( hub ---- spoke), ipv4 traffic go through one DMVPN tunnel. ESP100 on hub router crashed every 2 hours.
Workaround: There is no workaround.
Symptom: Traceback NAT-3-HA_BULK_SYNC_FAIL seen doing redundancy switchover
Conditions: Traceback was observed while performing redundancy switchover and while changing NAT modes.
Workaround: There is no workaround.
Symptom: SIP-SIP DO-DO Transcoded Coded Video Call failing
Conditions: This symptom is observed in image versions are 15.4(2.11)T and 15.4(2.13)T
Workaround: There is no workaround.
Symptom: After chassis reload the standby RP was stuck in booting.
Conditions: RP in slot R1 is active and we reload the chassis
Workaround: Reload the router again.
Symptom: Some SIP flows get classified as unknown in NBAR for Linux.
Conditions: This is relevant for NBAR linux 3.13 and 3.14.
Workaround: There is no workaround.
Symptom: default interface error with virtual-reassembly max-fragments configuration like ip virtual-reassembly max-fragments 64 timeout 60
Conditions: This symptom is observed when no ip virtual-reassembly max-fragments 64 timeout 60 or default interface with ip virtual-reassembly max-fragments 64 timeout 60
Workaround: issue no ip virtual-reassembly instead of no ip virtual-reassembly max-fragments 64 timeout 60
Symptom: Traceback cpp_cent_handle_rc_tc_modify might thrownout when reset border router with scale of traffic-classes like 120K.
Conditions: This symptom is observed when you reset border router quickly with scale of traffic-classes like 120K.
Workaround: Shut and then no shut BR with longer time interval like 5~10s.
Symptom: cisco-phone maybe missclassifed by 1 packet to sip cisco-jabber-audio maybe missclassifed by 1 packet to unknown.
Conditions: This symptom may occur when there is cisco-jabber-audio or cisco-phone traffic in RP2-ESP160 platform.
Symptom: Output of: show flow exporter option application table contains extra characters (spaces or ') in the output
Conditions: This symptom is observed when FNF record contains application name recognition field, parsing of the command output in an automated scripts might fail
Workaround: There is no workaround.
Symptom: Crash with "debug voip fpi error" under load
Conditions: Enable "debug voip fpi error" and start the load at 10 cps - 100 sec call hold time. Cube, immediately starts crashing.
Workaround: There is no workaround.
Symptom: 012859: May 28 18:15:44.567 IST: %CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_cp: cpp_cp encountered an error -
Conditions: Traceback observed with the following call flow:
Topology: CUCM ---> SIP ---> CUBE ---> CVP | --------> Media Sense Call flow: 1. CUCM Call CVP via cube. 2. VXML on CVP answers the call & negotiates g711ulaw (rtp-nte) - g711ulaw (inband) Now cube starts the leg with Media sense & forks both leg audio 3. Then CVP transfers the call using REFER back to CUBE 4. CUBE consumes the refer & sends the triggered INVITE to refer-to leg. Refer-To negotiates the g711-g729r8. Now cube starts the leg with Media sense & forks both leg audio
Workaround: There is no workaround.
Symptom: Not all mka sessions brought up
Conditions: This symptom is observed after you reload the router
Workaround: There is no workaround.
Symptom: IPv6 GETVPN data plane traffic dropped
Conditions: In GETVPN VRF-lite configuration, after un-confgured and then re-configure VRF definition.
Workaround: There is no workaround.
Symptom: error overridden is not done.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: Testcases failed since incorrect number of call_legs are obtained.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: Crashes while changing PAP BPA settings.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: HTTPS POST request fails
Conditions: Back to back HTTPS POST request
Workaround: There is no workaround.
Symptom: Crashes while changing PAP BPA settings.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: %GDOI-5-GM_FAILED_TO_INSTALL_POLICIES: messages are seen on GM while removing the crypto map from the interface(no crypto map) and configuring a new crypto map to the interface.
Conditions: %GDOI-5-GM_FAILED_TO_INSTALL_POLICIES: messages are seen on GM while removing the crypto map from the interface(no crypto map) and configuring a new crypto map to the interface.
Workaround: There is no workaround.
Symptom: observing degradation for LISP feature with XE3.13 and latest mcp_dev image
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: The following message, that should appear if the key cannot be found in the IKEv2 keyring is not shown if a debug crypto condition is enabled. IKEv2:% Getting pre-shared key from profile keyring IKEv2_KEYRING IKEv2:% key not found. IKEv2:Failed to initiate sa
Conditions: Key cannot be found in the keyring debug crypto ikev2 enabled debug crypto condition enabled.
Workaround: There is no workaround.
Symptom: The GM is not able to process the rekey from the KS when "crypto gdoi ks rekey" is issued on the KS. the syslog IPSEC-3-RECVD_PKT_NOT_IPSEC is generated on the GM.
Conditions: When no client bypass policy is configured and a local ACL is not configured on the GM, the GM is not expected to received the rekey from the KS.
Workaround: After GETVPN config change, if there is issue with rekey, issue "clear crypto gdoi". It will let group member re-register.
Symptom: CSL Licenses are not presented with their correct status.
Conditions: This occurs following the enabling and disabling of Smart Licensing.
Workaround: If you reload the system in CSL mode, the problem is resolved.
Symptom: traffic through the PPP sessions drops
Conditions: While testing VRF Lite coexistance with ServiceProvider NAT for LNS
Workaround: There is no workaround.
Symptom: Crash with FTP traffic while B2B NAT redundancy switchover.
Conditions: There are no know conditions
Workaround: There is no workaround.
Symptom: Crash observed on clearing fw sessions in B2B HA
Conditions: Stateful traffic flowing through the router
Workaround: Shutdown inside and outside interfaces
Symptom: Unable to delete route-map NAT dynamic mapping in B2B HA even with no translations on the box
Conditions: There are no know conditions
Workaround: Use the 'no ip nat ___ force'
Symptom: under full scale 2000 branches,with 32k channel each border router, and 160,000 traffic class; on hub MC BR some channel status fail to sync, on hub MC it is ?Operational state: Not-Available(Channel in Initial state)?, but on hub BR the channel is Channel RX state: reachable Channel TX state: reachable
Conditions: There are no know conditions
Workaround: shutdown/no shutdown hub BR to trigger the channel status update to MC
Symptom: RTP Packet to DSP payload not seen
Conditions: RTP Packet to DSP payload not seen in dagger proto when making SIP call
Workaround: There is no workaround.
Symptom: On an IOS FlexVPN hardware client that's also configured as a DHCP server, when it receives 2 DNS server entries through IKEv2 configuration attributes, it can only import the first DNS server entry passed down from the FlexVPN server into DHCP.
Conditions: This problem is seen when a FlexVPN client is configured to import all DHCP options.
Workaround: There is no workaround.
Symptom: Traffic encrypt/decrypt fails with UWS-GETVPN profile
Conditions: while sending traffic and verifying Dataplane counters of a group.
Workaround: There is no workaround.
Symptom: All the 4000 tunnels didnt come up on Initiator after rekey
Conditions: All the 4000 tunnels should nt come up on Initiator after rekey
Workaround: There is no workaround.
Symptom: Installation of Reg/Rekey policies from KS for group & gm identity has failed
Conditions: policy should not installed from KS for group & gm identity
Workaround: There is no workaround.
Symptom: When the “no crypto ikev2 proposal default” command is present in the startup-config, it is no present in the running-config after reload. On the console, the following error is generated at boot time: % Cannot remove as proposal is in use.
Conditions: “no crypto ikev2 proposal default” must be configured
Workaround: Re-enter the command after each boot.
Symptom: With crypto enabled on tunnel interfaces which is used by KWAAS to reach WCM, the registration which is https requests fail. but with Crypto disabled the registration is successful.
Conditions: IWAN performance and as part of advanced profile we have following features enable WAAS, PFRv3, AVC, Crypto, DMVPN, QOS, NBAR. Installed CCO image of KWAAS with XE3.13 throttle image. KWAAS image - ISR-WAAS-5.3.5a.5.ova XE3.13 image -isr4400-universalk9.BLD_V154_3_S_XE313_THROTTLE_LATEST_20140626_070148-ext.SSA.bin
Workaround: Remove crypto and then enable cms and things work fine and you will be able to import SSL AO without any issues. Once the AO is installed/imported crypto can be reinstalled once again.
Symptom: When the Group member (ASR) registers to the key server, after the installation policies syslogs, trace messages are seen.
Conditions: The group member and key server have GETVPN configurations.The group member registers to the key server
Workaround: There is no workaround.
Symptom: When a GETVPN GM receives an ESP packet with an invalid SPI, it generates an erroneous syslog with the following format: "CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.y.z.w, src_addr= a.b.c.d, prot= 50"
Conditions: When a GETVPN GM receive an ESP packet with invalid SPI
Workaround: There is no workaround.
Symptom: 1) No output is seen in the output “show performance monitor history interval all” after applying input ACL deny TCP rule on interface GigabitEthernet0/0/1 in UUT and sending the traffic from Pagent to UUT. 2) In TC_8 Current Cache entries not incremented to the value 10 in the output of Command “show performance monitor cache” after applying input ACL deny TCP rule on interface GigabitEthernet0/0/1 and sending traffic from Pagent to UUT. These behavior is observed on ASR1k Platform.
Conditions: 1) Configure static route and performance-monitoring in UUT. 2) Configure traffic stream on pagent with route-change drop option. 3) Configure ACL TCP deny rule on UUT. 4) Start sending traffic from pagent to UUT side. 5) check out the output of CLI “show performance monitor history interval all” and Counter packets value in each interval. The counter packets aggregated value must be 500. Unconfigure static route and performance-monitoring on UUT. Repeat the above steps for MMA traffic drop with flow aggregated and input ACL deny and check the output of “show performance monitor cache”. The current cache entries should reach the expected value 10 after 8 polls.
Workaround: There is no workaround.
Symptom: "show isakmp stats" should show counters for "ISAKMP cannot process that SA." "IKE message from x.x.x.x has no SA and is not an initialization offer?
Conditions: There are no know conditions.
Workaround: There is no workaround.
Symptom: Parsing error in custom notify payload
Conditions: peer should send custom notify with empty SPI and data
Workaround: There is no workaround.
Symptom: The 'Period Used' timer value is not consistent after several SSO switchover.
Conditions: An HA/SSO environment, along with enabled Suite licenses are needed.
Workaround: Do not perform any SSO switchover.
Symptom: - IOS sending multiple periodic DPDs at once for the same IKE session - peer responding to DPDs one by one resulting in IOS throwing below message due to received response not related to most recent DPD Jul 15 13:52:35.432: ISAKMP:(1001):R-U-THERE-ACK sequence number 0x7AA2567 does not correspond to expected value 0x7AA2568
Conditions: - on-demand DPDs configured (no matter if on-demand or periodic) - multiple IPsec SAs - loss of decrypts on those multiple SAs at the same time
Symptom: Configure IPv6 address on the BDI interface.
Conditions: Support IPv6 Forwarding and existing IP protocols.
Workaround: There is no workaround.
Symptom: Crash is seen after the call starts
Conditions: the stcapp summary is seen for the voice port.
Workaround: There is no workaround.
Symptom: the total rate (offered rate - drop rate) in "show policy-map interface" does not match with the total out rate in "show interface". It seems like the drop rate in the grandparent class and parent class is different of show policy-map interface randomly.(child class is fine) But it does match with the result of IXIA real-time traffic rate with show interface.
Conditions: Environment Generate rate: 6.5Mbps from Gi0/0/1.70(connect to IXIA port 7) to Gi0/0/0.1990 ( connect to IXIA port 8). Packet size: 1340Byte Drop rate: 1.5Mbps in the class-map class-default.