New and Enhanced Software Features for Cisco IOS XE Gibraltar 16.11.x

New and Enhanced Features for Cisco IOS XE Gibraltar 16.11.1a

  • 10G CWDM SFP+ support

  • Cisco Unified Border Element Smart Licensing—Cisco Smart Software Licensing provides a simple cloud-based solution for managing and tracking the use of your licenses and entitlements across your business. License requirements for the use of CUBE trunk sessions are reported to Cisco Smart Licensing.

    For a more detailed overview on Cisco Licensing, go to

  • Channel-Based Metrics Measurement—Configures the performance monitors used by PfRv3 to employ a data collection method combining metadata and traffic sampling to provide traffic metrics.

  • Consent Token for Shell Access—Consent Token is a time-bound multi-factor authentication mechanism for secure access to Cisco devices. When you try to access the Secure Shell on a Consent-Token-enabled device, the device generates an authentication challenge. You must obtain the response to this challenge from Cisco authorized personnel through an out-of-band mechanism such as email or phone call, and enter the response on the device to gain access to the Secure Shell. Secure Shell access is revoked after the time interval you specified while requesting access.

  • Dynamic Application Policy Routing—Dynamic Application Policy Routing (DAPR) dynamically steers overlay and underlay egress application traffic flows between multihomed sites connected over RAR links (virtual-access interfaces). This feature extends the existing path management solution of PfRv2 to virtual access interfaces. DAPR routes your traffic based on policy criteria such as link preference and load balancing to meet performance requirements such as delay and jitter.

  • Enhanced Policy Based Routing and Site Manager—Enhanced Policy-based Routing (ePBR) enables application-based routing. Application-based routing provides a flexible, device-agnostic policy routing solution, while also ensuring application performance.

  • FlexVPN IKEv2 Dynamic Route Tagging—The IKEv2 Dynamic Route Tagging feature enables a tag value for automatically learned (connected) routes. It also helps to apply this tag value on the hub site during installation.

  • FlexVPN Event Trace—Displays event trace messages for FlexVPN.

  • IPFIX support for ETA—The IP Flow Information Export (IPFIX) protocol is another way of transmitting traffic flow information over the network. Support for the ipfix keyword in flow destinations was added.

  • IPv6 Object Group ACL—This feature extends object group-based policy application to IPv6 ACLs. Object groups for access control lists (ACLs) allow you to classify users, devices, or applications into groups and apply those groups to ACLs to create access control policies for those groups. The object group-based ACL approach reduces configuration size and makes ACLs easier to read and manage, thus minimizing large, complex ACL configurations.

  • MACsec exception reports for invalid keys and replay attacks—You can use the show mka policy command to verify the XPN configuration. If you do not want to include icv-indicator in MKPDUs, use the no include-icv-indicator command in the MKA policy.

  • MACsec variable length CKN and optional support for ICV—Use the platform macsec logging replay protection command in global configuration mode to configure the packet count.

  • PfRv3 Intelligent Load Balance—The PfRv3 Intelligent Load Balance feature detects remote bandwidth overrun as early as possible. It helps to reduce the packet drops caused by per-tunnel QoS and increases bandwidth utilization.

  • PKI - EST CA Certs on Rekey—This feature enables client devices to obtain the CA certificate automatically as part of rekey. The CA certificate certifies a new public key for a device.

  • Programmability—The following programmability features are introduced in this release:

    • Kill Telemetry Subscription—The ability to delete a dynamic model-driven telemetry subscription using either:

      • The clear telemetry ietf subscription Cisco IOS command, or

      • The <kill-subscription> RPC

    • NETCONF and RESTCONF Service Level Access Control Lists: Enable you to configure an IPv4 or IPv6 access control list (ACL) for NETCONF and RESTCONF sessions.

      Clients that do not conform to the configured ACL are not allowed to access the NETCONF or RESTCONF subsystems. When service-level ACLs are configured, NETCONF and RESTCONF connection requests are filtered based on the source IP address.

    • YANG Data Models: For the list of Cisco IOS XE YANG models available with this release, navigate to

      Revision statements embedded in the YANG files indicate if there has been a model revision. The file in the same GitHub location highlights changes that have been made in the release.

  • Removal of Weak Encryption Types 0, 5, and 7 in AAA—Support has been added for auto-conversion of weak password types 0 and 7 to encrypted password type 6. Configure the AES password encryption feature and a primary encryption key to auto-convert password types 0 and 7 to password type 6.

  • Security Readiness Criteria (SRC) Closure—Refer to the following documents for information about this feature: Security Readiness Criteria (SRC) closure for Cisco Unified Border Element—SRC is a program to meet a set of security criteria before releasing the product offering to the customers. SRC helps to prioritize security requirements that are necessary to reduce the associated risk.

  • Show commands for ETA—Simplified show commands to display ETA configurations, flow statistics, and export statistics for quick troubleshooting.

  • show interface gigabitethernet accounting—The show command output was modified to display the number of packets of each protocol type that have been sent through all configured interfaces.

  • show platform resources - Display bootflash and harddisk Details for RP modules—With this feature, you can use the show platform resources command to view utilization of boot flash and hard disk of a Route Processor.

  • Source interface support for ETA Netflow records—Support for source-interface interface-name for ETA Netflow records was added.

  • Specific License Reservation—With Specific License Reservation, you can deploy a Smart License on a device without directly connecting it to the Cisco Cloud.

    For a more detailed overview on Cisco Licensing, go to

  • Support certificate CN/SAN validation—Server Identity Validation on Cisco Unified Border Element—Cisco Unified Border Element supports server identity validation through Common Name (CN) and Subject Alternate Name (SAN) fields in the server certificate during client-side SIP/TLS connections. Validation of CN and SAN fields of the server certificate ensures that the server-side domain is a valid entity.

  • VxLAN Static Routing—Provides a method for connecting multiple servers in a data center to an enterprise edge router, using one-to-many static routes and point-to-multipoint (P2MP) VxLAN tunnels.

  • Web User Interface—Supports an embedded GUI-based device-management tool that provides the ability to provision the router, simplifies device deployment and manageability, and enhances user experience. The following features are supported on Web User Interface from Cisco IOS XE Gibraltar 16.11.1:

    • NAT Statistics

    • IPv6 Support for AAA

    For information on how to access the Web User Interface, see Configure the Router for Web User Interface section.

  • ZBFW HSL using Source Interface Capability—Zone-based Firewall supports export of logged data records to an external collector using NetFlow Version 9, where the collector parses and interprets each data record based on the template. Zone-based Firewall uses the High Speed Logging (HSL) capability to generate NetFlow data through the log flow-export v9 udp destination command under the parameter-map type inspect-global configuration.

Resolved and Open Bugs for Cisco IOS XE Gibraltar 16.11.x

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Resolved Bugs for Cisco IOS XE Gibraltar 16.11.1a

All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved Bug Search.

Caveat ID Number



SNMP with Extended ACL


Watchdog crash after "% AAA/AUTHEN/CONT: Bad state in aaa_cont_login()."


NAT MIB not populated when using traditional NAT


Byte counters for physical interface and subinterface don't match


Router shows "Flash disk quota exceeded" during the reload, but it still has 60% of free memory left


Router crashes when DMVPN tunnel moves across ports


qWLC-Sanity: interface down due to %EZMAN_RM-3-SERDES_AUTOTUNE_FAIL-R0/0: Failed on lane 54


Several OID from CISCO-CLASS-BASED-QOS-MIB stop working when performing upgrade to Denali-16.3.x


CPP 0 failure Stuck Thread resulting in Unexpected Reboot


EEM: event mat mac-address not triggered on router with NIM-ES2-8-P


ASR1001 has crashed with cgm_avlmgr_find_node


When configured vlan unlimited with port-channel subinterface, statistics does not increment


CPP crash on L2TP router


H225 gatekeeper request dropping under "ALG PARSER" with ZBF


NAT ALG ASR1K does not translate call id 0 of PPTP client correctly.


ASR1001-X: interface LED remains amber after shut/no shut on the interface


Packet throughput drops down when enable tunnel visibility with single tcp flow(>1MPPS)


Provide Passthrough Reason in IOS-XE for AppNav


ASR1002-X router crashed in cpp_qm_event_collapse_hl_node


IOS-XE FIPS mode is enabled by default in QFP even if it is not enabled in CLI


ASR1k with stateful nat conf, mapping ID got locked after vrf delete


MAC filtering incorrectly set on builtin ports of ISR4300


debug platform condition start causes keepalive failures with Vasi interface


ASR1k unexpected crash when appNav holds a stale pointer.


EPA-1X100GE/CPAK-100G-SR4 stays in a down/down state after a reset.


Packet trace does not work with re-injected UTD packets


Crash after service-policy APPNAV change on WAAS instance


The OID - adslAtucCurrOutputPwr returns incorrect output.


CDP over EVC is not working


LAN Switches does not learn the right ED upon OTV failover


DNS ALG will not work when trying to match specific destination hosts


"sdavc_ppdk.pack force" command not accepted during boot up


GetVPN TBAR failure does not generate syslogs


Path of Last Resort Sending Probes in Standby State


ASR1001X @incorrect traffic statistics reported of port-channel sub interface using SNMP.


ASR1001-X: Investigate "license request failed , err=0x22" seen at Manufacturing test


PLR channel is not muted for some time


VASI NAT: FTP ALG translation is sometimes failed


ASR1K - No kernel/coredump generated with watchdog reload event


AVC license should be activated only in case of smart licensing model


Dash i2c Kernel message outputted during boot up


Crash due to Memory corruption in ISR4k


ASR1001-X : netconf interface goes into oper down state after reboot tests


Channel with wrong label may be created on hub border


ASR 1009/1013 (ESP200) will drop traffic when setting police rate over 67.104gbps


standby router shows warning message as image is missing when image in present in active and standby


cBR-8 crash after issuing show platform hardware qfp active infrastructure bqs


double exception in ipv4_nat_icmp_lookup_embedded


Hoot-n-holler multicast traffic marked with DSCP 0


ASR1K not reachable by Unicast on Port-Channel Sub interfaces when EVC + Sub-interface is configured


Unable to remove command 'ip nat inside destination'


ESP crash due to fatal error


Modification to ZBFW access-lists do not reflect in TCAM


ASR1001X - when using VRF NAT port used for ftp data is not freed


Ingress ping crash on asr1001x when packet size > 9K


Traffic fails after changing Copper SFP to Fiber SFP on 1GE built-in interface.


Invalid throughput level in the "show version" output


IOS XE 16.08.01 - monitor capture missing packets (TCP ACKed unseen sgmts)


Fixed ISR: Increase Maximum Configurable VLAN# and STP# from 32 to 63


IOS-XE : IPv6 ACL for Tunnel QoS not matched


WAAS Policy Configuration push may caused AppNav Class-maps programming issue in TCAM


ASR1000-6TGE / ASR1000-2T+20X1GE in status Unknown after Active RP3 OIR


Quick RP3 recovery after the Punt Path XAUI link goes down


Crash due ZBF + NAT


Crash observed on ASR1002-X @ fnf_age_recalculate_record_len with AVC performance monitor config


"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED:fman_fp_image:xxx" appears when configured "ip port-map" on ISR44xx.


ICMP unreachables are not sent to the client on C1117 platform


IPSEC in DOWN-NEGOTIATING on HSRP Standby router with local-address config


CPP-mcplo-ucode crash while encrypting SIP packets with ALG NAT for SIP


Polaris Router - CPUHog - SNMP ENGINE crashed with Watchdog timeout


Signaling interface inactive on "show snmp mib ifmib ifindex de" on IOS 16.6.3


Traceback seen when attempting to recover sw port from bpduguard err-disable state


Router crash when clearing ip nat translations


ASR1001-HX 10GE SFP+ ports may operate as 1000Mbps


lacp max-bundle rejected with Aggregate PortChannel subinterface QoS


%Error formatting harddisk: (I/O error) - 0913 Polaris dev image


ACL dropping packets after updating it - %CPPEXMEM-3-NOMEM


Small clock changes or time drifts can cause GETVPN TBAR drops (Crypto-DP)


ASR1002-X crash due to ccp_cp_svr going into lockdown state.


Host crashes the DSP if ipv6 commands are configured under Service-Engine [Purge ipv6 config option]


Active RP crash at __be_datagram_done


Crash due to communication failure - IPC (Inter-Procedure Call) messages between DSP and RP.


ASR1k crash due to QoS in case of 4k subscribers per subinterface


Traceroute not working when sourced from NAT Inside interface


An IOS-XE router crashes after umbrella is configured.


Router crash occurs while running Dell software update


Ethernet FRR switchover takes more than 200ms on EPA10 and EPA100 if remote Rx fiber is pulled


Out of Band DTMF Events Not Passing to CUCM via SCCP When Using IOS MTP


Unable to reconfigure VTY lines on ISR4221 once deleted


show facility-alarm status doesn't reflect actual port state of cellular interface


show interface output reports incorrect bandwidth


Removal of loopback interface causes router to crash and erases the conf register settings


IOS-XE ISAKMP deletes new SPI if rx new SPI packet before installation is done


Lowering the severity of Harddisk Missing Alarm from Major to Info


Crash in cpp_bqs_rm_yoda_proc_pend_fc_cb


FMANFP-6-IPACCESSLOGP message have IP address byte reversed


QFP crashes with a HW interrupt


Crashed while checking condition debug


RP3 Punt Interface May Drop Traffic Due to VLAN Filter Hardware


EIGRP session is not coming up if the dynamic PBR is applied on interface


Int index is 0 for the Cellular interface in the exported flow


SUP Crash after running the command " show plat hard qfp act infr bqs debug qmrt_dump "


Correction to Quick RP3 recovery after the Punt Path XAUI link goes down


%QFPOOR-4-TOP_EXMEM_USER reports negative memory allocation


Call is not getting connected in Forking Re-INVITE scenario


Show call media forking match failed


DataPlane crash observed in MMOH call flow

Open Bugs for Cisco IOS XE Gibraltar 16.11

All open bugs for this release are available in the Cisco Bug Search Tool through the Open Bug Search.

Caveat ID Number



router crashed while running system test script during configuring Tunnel interface


BFD flaps everytime with dynamic tunnel creation in DMVPN


ASR1006X linecard down after Active RP3 OIR


DMVPN Phase 2 shortcut triggered from a spoke behind PAT may end up in stuck DNX state


SNG_AO unavailable alarms are not clearing after removing the monitor-load feature under policy


PKI "revocation check crl none" does not fallback if CRL not reachable


Stuck CPP Thread while processing H323 packet


IOSXE - firewall corrupts half open list


FXS - no busy tone is generated on remote-onhook condition with call pickup scenario


IPSec-Session count in "show crypto eli" reaches max causing VPN failure


Router configured with ZBFW reloads with a last reload reason of LocalSoft


Streaming CRCs seen with GLC-GE-100FX VID: V02 on ISR4k

Related Documentation