Cisco IOS 15.0(1)M3
SSH to the router and then try to configure Tcl script. Multiple demandNbrCallDetails traps generated. Multiple demandNbrCallDetails traps are generated for connect under normal conditions. This symptom is observed when the scheduler interval command is configured. Remove the scheduler interval command. Sometimes calls are dropped if there are active calls on the DSP. The following errors are displayed in the logs: This symptom is observed under all conditions.
A Cisco router reboots unexpectedly at intermittent intervals. A Cisco router cannot communicate with the on-board Cisco V. This communication failure prevents the router from connecting externally via the modem. This symptom is observed on a Cisco router while it is booting up and causes occasional failure. This prevents the committed information rate CIR from getting updated on the output interfaces.
This affects Cisco AnyConnect clients. This fix uses SSL fragmentation record-splitting. Google Chrome browser v Mozilla Firefox v Use a Clientless browser to start the client.
This works only in some Cisco IOS releases. Uninstall the update. Workaround 3: Use rc4. This is a less secure encryption option. Hence, use it only if it meets your security needs. To use rc4, configure the following commands: Workaround 4: Use AC 2. Workaround 5: Use older versions of Mozilla Firefox v9. AnyConnect users receive the following error message: The AnyConnect event log displays the following error message snippet: An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username.
Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition. Devices that are not configured to accept SSHv2 connections are not affected by this vulnerability. A Cisco V. Configure the no ppp microcode command under the async interface. When a VC bundle is configured and traffic is passed at a high rate, the output packet counters may show an incorrect and very large value.
The show interface command displays proper output. Configuring the sgbp test commands as given in the "Steps to reproduce" enclosure. This will result in the S,G states expiring in the upstream routers and may result in traffic loss. The symptom is observed when the static-group join is configured on the RPF interfaces and the output interface list of the mroute is NULL.
Add a local join by using ip igmp join-group for the same group and source, so that it adds a local interested receiver and sends a periodic join upstream. The symptom is observed if several tunnels with crypto protection are being shut down on the router console and the show crypto sessions command is executed simultaneously on another terminal connected to the router.
Wait until the tunnels are shut down before issuing the show command. All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation. This advisory is posted at http: This symptom is observed on some platforms with an onboard crypto engine. Use a software crypto engine. Also, the symptom is not observed with an AIM.
The symptom is observed when a banner command is in the configuration. Affected devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities. These vulnerabilities are:. The symptom is observed when a dialer interface has moved out from standby mode. A buffer leak is experienced with "traffic-export" configured. All conditions are not completely known yet. This eliminates the risk for crosstalk since the gateway blocks all rogue audio out to the PSTN with this command.
This will allow the command to be used in all VoIP environments. Additional information on Cisco's security vulnerability policy can be found at the following URL:. This symptom occurs when the running configuration contains the following depending on the Cisco IOS release:. When you remove the above configuration using the no snmp-server user command, the router crashes. A small number of Cisco routers have been observed to unexpectedly restart due to software-forced crashes, repeatedly. While the root cause is being investigated, units that are experiencing this problem should be replaced. There is no audible crackling in the RTP stream.
Set codec packetization to 80 bytes on dial-peer or voice-class codec. There is no change in functionality or behavior from a user perspective. The Rommon is capable of verifying images signed using both v1. As such, no workaround is necessary from a usability perspective; the image boots and runs as expected. However, it will not be in compliance with FIPS requirements. Packet loss is seen when the service policy is applied on the tunnel interface. The show hqf interface command output shows drops in a particular queue with the following:. The above value of indicates an ATM driver issue.
Once the issue is seen, the tunnel interface transitions to the down state. Feb 24 VSA shim: After that, all encrypted traffic is dropped. Crypto debugs debug crypto isakmp, etc. The only way to recover is to reboot the router. When the interface becomes wedged, all incoming traffic from the tunnel drops. Anyconnect fails to connect to a Cisco IOS headend. The Anyconnect event log shows the following error:. This symptom is observed with Anyconnect 3. This symptom is observed with a platform that acts as an H. This does not seem to result in any impact apart from intermittently lost accounting messages.
Input queue: When sending calls between two SIP endpoints, alphanumeric characters non-numeric are stripped when forwarding the invite to the outgoing leg. A hardware crypto engine may fail to decrypt packets. An "invalid parameter" error is seen after decryption. Software encryption works fine. This symptom occurs during the load test when the show mrcp client session active command is used.
This symptom is observed when video is enabled under the phone profile. Disable video under the phone profile; the two options to disable are "Cisco Camera" and "Video Capabilities." The Cisco crashes due to a bus error and the crash points to access to free internal structures in ipsec. This symptom occurs when tunnel flap is observed before the crash.
Using a c VSA in a In a Force a rekey after removing the shared policy from any shared tunnels by using the clear crypto session command or resetting all the tunnels. The router crashes when removing the virtual PPP interface. Remove the pseudowire command from under the virtual-ppp interface command before removing the interface. Then, all IP connectivity and console connectivity to the router is lost. When you remove the 3G module from the system, energywise works as expected. You can shut down power modules using the above configuration.
As soon as the 3G card is installed in slot 2 or 3 and the energywise level is set to zero, the service module shuts down and the entire router crashes.
EOL/EOS for the Cisco IOS Software Release (1)M - Cisco
It has no IP connectivity and the console is inactive. The only workaround is a hard reset along with removal of the card. A device that is configured with NAT crashes. However, some cases report that the crash still occurs after redirecting SIP traffic elsewhere. Both SNR and mobile phones do not answer the call and the call is forwarded to voice mail. Maximum tunnel limit of reached for Crypto functionality with securityk9 technology package license.
The show webvpn session context all command output shows no or very few active sessions. This issue is seen only on ISR G2 platforms. Trunk DNs can act as if busy such as by triggering CFB even though they have no calls and show commands for ephone-dns or ports report nothing unusual. With the fix for CSCtf, clear text packets destined for the router and coming into a crypto-protected interface are not switched when VSA is used as the crypto engine. This symptom occurs with packets destined for the router and coming in on an interface with the crypto map applied and VSA as the crypto engine.
Periodic DPD is configured, and multiple IPsec SAs exist with the peer with outbound traffic flowing on each of them without any inbound traffic. If a child policy is attached to a parent policy twice, the router will reload if the child policy configuration is removed. Do not attach the same child policy twice in the same parent policy.
Use a different policy instead. As a result, the packet could arrive at the forwarding plane after the ARP entry has already been removed or before the ARP entry has been created. The output of the show mfib table command on a line card may show tables not in "sync" state, and instead in "disconnecting" or "connecting" state for some time minutes.
In this state the multicast forwarding tables are not being updated and may be out of sync with the active RP. This symptom is observed on line cards or the redundant RP on a distributed router. It is usually associated with conditions of high CPU due to large numbers of routing updates in a scaled configuration. The clear mfib table command may clear the problem. Alternatively, the affected line cards may need to be reloaded. Often the problem will be accompanied with error messages relating to MFIB connectivity to the multicast routing information base. When configuration changes are performed within a multicast-enabled VRF that cause the PIM register tunnel interface to go down and come up again, spurious memory access appears when traffic is sent at the same time.
This symptom occurs when traffic is sent while configuration changes are being made. A crash occurs because of a SegV exception after configuring the ip virtual-reassembly command. The conditions are still under investigation. Reload the router to alleviate this symptom temporarily.
One possible workaround would be to set up an EEM script to reload the device at night. In this case, the reload should occur at 3: For example the following syntax may vary depending on the versions used:. On Cisco series routers, the following warning message might display on the console:. Chassis power is not good in the PSU 1. Under rare conditions, the power supply sometimes sends a false alarm status to the system, even though the system power is working fine. This symptom is observed on a dual RP Cisco series router with linecards after multiple reloads or SSO switchovers.
The vulnerability is caused when packets in transit on the vulnerable device require translation on the SIP payload. A workaround that mitigates the vulnerability is available. A Cisco router crashes when using the show crypto session detail command after using the clear crypto session command. This symptom is observed when the router is running any form of tunnel protection, SAs have been cleared, and the user executes a show command. Wait a few moments 30 seconds between the show command and the clear command. Packet drops occur on low-rate bandwidth-guarantee classes, even if the offered rate is less than the guaranteed rate.
This symptom is observed when highly extreme rates are configured on the classes of the same policy. An example of extreme rates would be a policy-map with 3 classes: With multiple next-hops configured in the "set ip next-hop" clause of route-map, when the attached interface of the first next-hop is down, packets are not switched by PBR using the second next-hop. This symptom is observed only for packets switched in software and not in platforms where packets are policy-base routed in hardware. This symptom is observed with route-map configuration, as follows:.
The symptom is observed when using a TCP connection.
Cisco IOS Software Release 15.0(1)M
This symptom is observed with PI14 image testing. The fundamental issue involves the selective ack SACK feature. The router crashes with the "ip sla icmp jitter" operation. This symptom is observed when the "ip sla icmp jitter" operation is running with a high number of packets, along with voice and data traffic. To recreate the symptom, when the status of the ip sla is "OK," enter the no ip sla schedule command, then enter the no ip sla operation-number command.
This symptom is observed when the clear ip subscriber command is entered. The Cisco AnyConnect 3. It fails with the following error:. Invalid Archive. A Cisco router is forced to reload after a few days of encryption and decryption while processing high traffic. This symptom is observed when the server clock time drifts too far away from the local clock time.
This symptom is observed when creating a subinterface with encapsulation and vrf forwarding commands. A client is assigned an IP address from an incorrect pool when it reconnects with a different profile. This symptom has been observed in a setup where two clients are behind a NAT router. When one client-connection is broken and the server is not made aware of this, then the client reconnects with a different group, the IP address assigned is not from the correct pool.
Xauth user information remains in "show crypto session summary" output. Use the "save-password" feature without interactive Xauth mode to avoid sending the different username and password during P1 rekey. A Cisco router fails to decrypt a packet, and for all packets received, the following message is logged:. In "sh crypto ipsec sa," the counter which increases is the " recv errors.
The tunnel interface has a crypto ipsec profile. Transport mode is being used. Packets received on this tunnel are not properly decrypted. MPLS lookup unexpected". Clicking on the Citrix bookmark causes multiple windows of the browser to open. The web page tries to refresh itself a few times, and finally the browser window hangs. A router configured with "atm route-bridged ip" on an ATM subinterface may drop multicast traffic, and in some cases, may undergo a software-initiated reload due to memory corruption.
This symptom is also evidenced by the presence of an incomplete multicast adjacency on the ATM subinterface. This symptom is observed on ATM subinterfaces that are configured with "atm route-bridged ip" and forwarding multicast traffic. Configure the ip pim nbma-mode command on the point-to-point ATM subinterfaces. Ingress-NetFlow Output features: This symptom occurs only when the "callmonitor" CLI under "voice service voip" is configured.
After reload or on a freshly upgraded router, Ping fails when the MTU is set above bytes on the FastEthernet 4-WAN interface of a Cisco series router connected directly to another router. Router ping Packet sent with the DF bit set This issue is consistently seen with subinterface configurations based on the Fa4 interface.
Configure bridge-group under that xconnect interface. The Stateful Inspection feature is enabled after reload when an "ip nat outside" statement is configured on two interfaces, which results in packets being punted to the CPU. This causes overall performance degradation. This symptom is observed when two outside NAT interfaces are configured and "no ip nat service nbar" is configured on the interface. Configure "ip nbar protocol discovery" on the interface. When a flat bandwidth policy is attached to a serial subinterface via frame-relay map-class, all packets are dropped and no traffic goes through.
This symptom occurs with a flat policy attached to frame-relay interface with traffic shaping enabled. Remove traffic shaping from the interface and attach a hierarchical policy. Disable ip route-cache and ip route-cache cef on the tunnel source interface. After a Cisco IOS upgrade, any permanent licenses are erased and evaluation licenses do not work.
Mar 30 Specified license store doesn't exists. This will affect functionality that depends on the clock to be accurate for example, certificates to make secure connections or calls. This issue may be service impacting and is easily reproducible. Reconfigure the virtual-template interface such that the ip nat inside command is applied first, followed by other commands. A local user created with a one-time keyword is removed after unsuccessful login attempts.
A one-time user should be removed automatically after the first successful login, not after failed logins. A Cisco router reloads and the crashinfo file indicates a cache error. This was a hardware corrected cache error that should not result in a router reload. Sup is not affected. NPE-G2 is not affected. NSE is not affected. While rare, there is no specific trigger for this failure other than having a single bit parity error on ECC memory.
The router will reload and continue normal operation. The fix prevents a crash after a single bit parity error occurs on ECC memory. This symptom does not cause a parity error or actually cause the crash. This symptom is just to add an error handler for the specific case of a single bit correctable parity error in ECC memory. The crash results from the parity error itself. The following is an example of the beginning of a crashinfo collection for a hardware corrected cache error:. Packet loss can be viewed as follows:. When removing the tunnel interface with CDP enabled, tracebacks are generated.
CDP does not come up in all interfaces. CDP tries to send a packet over a deleted tunnel interface causing the issue. Example of an inbound SIP invite that contains a Diversion field such as this:. Modify the diverting name associated with the redirecting device so that it does not contain a comma. A dynamic IP ACL is created when a session comes up and is together with the policy private route created according to the "Ascend-Private-Route" downloaded from the user profile.
Caveats for Cisco IOS Release 15.0M
When the session goes down, the route is cleared but the dynamic ACL is not cleared:. The symptom is observed with routes downloaded from the radius server. Call forward does not work. A Cisco AS crashes due to a watchdog timeout. The serial interfaces of the device are configured with "autodetect encapsulation xxx" and the router system clock has been updated:. This symptom is observed upon bringing up and clearing radius-proxy sessions. A Cisco router crashes when the user telnets and Transmission Control Block is cleared for that session before entering the password.
Do not clear the Transmission Control Block for a session before entering the password. A router processing an unknown notify message may run into a loop without relinquishing control, kicking off the watch dog timer and resulting in a software-based reload. The symptom is observed when an unknown notify message is received. The symptom is observed when the router is configured with a dial peer and with SNMP. A dial peer is most likely required to reproduce the issue, but it is possible that a different UDP protocol other than SNMP could also cause the symptom.
Once a call failure occurs, all the calls placed later will fail with a UDP socket connection error. Under sip-ua, configure "connection-reuse" which is a hidden command. Configure the use of TCP. Packets are dropped in excess of the configured rate for hierarchical policies, with shaper in the parent policy. The symptom is observed only with HQoS policies flat policies are not affected. With Reverse Route Injection RRI configured with the reverse-route command, if the crypto map is applied to a multi-access interface e.
The symptom could occur when the upstream device does not support proxy arping. If a router is reloaded with a GRE tunnel interface configured with tunnel protection and a dialer interface as the tunnel source, the crypto socket is not created and IPSec is not triggered. This symptom is observed on a Cisco router with a GRE tunnel interface configured with tunnel protection and a dialer interface as the tunnel source.
After the reload, remove and reapply the tunnel protection on each tunnel interface. The output of "sh ip inspect statistics" shows negative or irrelevant values and the following log is generated:. XNE1 and the following configuration:. Downstream traffic to the subscriber is not forwarded. Only upstream counters are increasing. The symptom is observed with the show sss session detail command with PXF output. Call is originated by After a simulated failover of an L2L tunnel, a Cisco series router with VSA will fail to encrypt traffic for a period of time, typically for several minutes.
VSA will then begin to encrypt traffic correctly. The issue only affects virtual-template interfaces. This symptom is observed when a QoS Policy string length exceeds characters. Ensure that the QoS policy string length is less than characters. The SPI value is shown as 0x0, hence the ipsec sa validation is failing. This symptom is observed when the crypto profiles are being applied.
The symptom is not observed with simple crypto maps. No sequence available" displays on PfR BR. The symptom is observed in a scale setup with many PfR application prefixes and when PfR optimizes the application prefixes. The symptom is observed when changing IVRF on a virtual-template when there are about active sessions. When the Radius server sends attributes with no information empty VSA strings , it produces an unexpected reload on the router.
The problem is more likely as traffic load increases. Further problem description: During investigation the router would also occasionally hang instead of crash. With the fix for this symptom the hangs were not seen. PKI debugs show the following message:. This symptom is observed when the VRF-aware IPsec feature is used and vrf-label is configured under trustpoint; for example, crypto pki trustpoint yni-u10 enrollment url http: Successful exploitation causes the affected device to reload. After a reload of one router, some or all of the BGP address families do not come up. The output of show ip bgp all summary will show the address family in NoNeg or idle state, and it will remain in that state.
In order to see this problem, ALL of the following conditions must be met:. In Cisco IOS, such ip access-lists typically use the keyword 'established' or "eq bgp". Remove the configuration "neighbor x. Configure "neighbor x. Configure a very short keepalive interval such as one second on the non-reloading device using the neighbor x. Configure graceful restart using the command neighbor x.
You can also use clear ip bgp x. This is a day one problem in the Cisco IOS multisession implementation which impacts single-session capable peers. CSCsv fixes a similar problem for some but not all situations where "neighbor x. The effect of this fix is as follows: The keepalive is not required, but will cause the established session to be torn down if appropriate.
Bad magic number in chunk header" and "chunk name is BGP 3 update" messages. Disable multicast routing on VRFs participating in BGP or reduce the number of extended communities used as route-target export. Have the Cisco in passive mode as well. Do not use receive-only mode on the keyserver. This is seen when the WAN link goes down and causes recursion between multiple tunnels using tunnel protection. That is, there are tunnel 0 and tunnel 1. After the WAN link goes down, the routing table shows a link to the tunnel 0 destination through tunnel 1 and the tunnel 1 destination is through tunnel 0.
Change the tunnel source to be the physical WAN interface so that when the WAN link does go down, the tunnels are brought down immediately. Change the routing protocol so that the router in question does not have recursive routing when the link goes down. If possible, create a floating null route for the tunnel destinations that is less preferred than the normal route to the tunnel destination, but more preferred than the route that gets installed after the WAN link goes down. This symptom is observed sporadically while traffic is running on a performance monitor policy at the time when a user initiates the CLI show command.
The symptom is observed on CUCM 4. When the traffic to encrypt matches the first sequence of a crypto map, starting its crypto ACL with a deny statement, the traffic is dropped whether or not this deny statement is a subset of the permits contained in that crypto ACL. Also, the limitation of 14 denies in an ACL due to the jump behavior does not seem to be present. Configure a nexthop static route with permanent keyword. Make the nexthop IP address unreachable e. Change the configuration in such a way that nexthop is reachable. Configure a new static route through the same nexthop IP address used in step 1.
Delete all the static routes through the affected nexthop and add them back. Clear the route on the PE router using clear ip route vrf xxx x. NAT traffic is getting process switched when you configure "nat entry" or you reload the router. The symptom is observed when there are redundant paths to the CPE. AnyConnect client fails to connect.
The following error messages may be seen:. Use no bgp route-map-cache. This will not cache the route-map cache results and the symptom will not be observed. Route control of prefix and application are out-of-order thereby making application control ineffective. As a result, an "Exit Mismatch" message will be logged on the MC and the application will be uncontrolled for a few seconds after it is controlled.
For example:. The no redistribute connected command is not being backed up to the standby. The symptom is observed when the policy is attached to ethernet subinterfaces. The symptom is observed on a Cisco router when QoS pre-classify is enabled. Cisco IOS Software contains a vulnerability in the IP version 6 IPv6 protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6 enabled.
The vulnerability may be triggered when the device processes a malformed IPv6 packet. There are no workarounds to mitigate this vulnerability. Complete the workaround by configuring "national reserve 1 1 1 1 1 1" and flapping the port one more time. If modem calls are not required, "no network-clock-participate" can also be used as a workaround. This symptom is observed when policy is used in Ethernet subinterface. The symptom is observed in the presence of VOIP phones using multicast applications with the session protocol multicast dial-peer configuration command.
Even if tunnel protection is configured, crypto socket is not opened. This symptom is observed when IPSec stateful failover for tunnel protection is configured. This symptom is observed when a multicast server is multiple hops away from multicast clients. The symptom is observed with voice calls and VOIP in use. It is seen when Flexible NetFlow is configured. Switch off Flexible NetFlow although that leaves memory consumption in place and CPU higher than normal or reboot the router.
One-way audio, which moves from one port to another when the router is rebooted. This symptom only affects PVDM3. Configure conference bridge that is associated with SCCP. The exact numbers to be used to force these ports to be in use will depend on the individual platform. No detrimental consequences or effects on the correct operation of the router are observed; however, thousands of these error messages may appear on the console. This symptom is observed on Cisco AS platforms during VoIP calls, and is more evident when the router is handling multiple calls.
Table 1. End-of-Life Announcement Date. The date the document that announces the end of sale and end of life of a product is distributed to the general public. April 1, End-of-Sale Date. The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date. Last Ship Date: OS SW. Actual ship date is dependent on lead time. July 1, The last date that Cisco Engineering may release any final software maintenance releases or bug fixes for Release After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.
The last date that Cisco Engineering may release bug fixes for Vulnerability or Security issues found on Release
The attacker could also cause an affected system to reload, resulting in a denial of service DoS condition. The vulnerability is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition.
Cisco Bug IDs: Cisco IOS