This section lists severity 1 and 2 caveats for Cisco IOS Release 12.0. Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. Bug Navigator II is at http://www.cisco.com/support/bugtools, or from CCO, select Software & Support: Technical Tools: Bug Toolkit II.
When hardware compression is enabled, packets are normally fastswitched. If the user turns off fastswitching then turns it back on, fastswitching remains disabled.
The workaround is to re-configure compression. For example, issue the no compression command followed by the compression stac command.
VIP cards do not have an accurate sense of time, and therefore Netflow exports, for example, are not synchronized.
Currently Generic Traffic Shaping and Frame Relay Traffic Shaping are not supported with turbo (Optimum/CEF) switching modes. You need to disable these turbo switching modes to make traffic shaping work over the interface. This fix allows turbo switching modes to co-exist with traffic shaping.
The disconnect-cause and disconnect-cause-ext attributes are missing in the TACACS+ network accounting stop record.
Online insertion and removal (OIR) on the Cisco 7500 series router using a 12.0 release may cause OUTPUT STUCK and CYBUS COMPLEX RESTARTS.
If a router is under very high CPU load, and an OIR of a VIP card is attempted, various IPC error messages indicating an "out of buffer" situation will be printed.
Additionally, messages indicating that IPC acks are received for messages not sent will be printed.
Under certain conditions, DECnet does not send triggered routing updates after an adjacency comes up. If (periodic) routing updates are sent out frequently (default frequency being 40 seconds), this is not an issue, since an update gets sent out in a short time, and routes are learned. However, if the routing update timer has been configured to be a large value, then routes may not be learned for a long time.
The workaround is to configure a smaller value for the routing update timer.
The input queue on the Token Ring interfaces may overflow and accept no additional packets. The workaround is to increase the interfaces' input queue or reload the router. You could use this command, for example:
An interface on a HSSI 1 port (PA-H or H1T+) card may go down/down and display the following error message (XXXX represents the affected interface):
%MUSELIX-1-STOPFAIL: XXXX: Stop Failed at disable port
%MUSELIX-1-STARTFAIL: XXXX: Start Failed at enable port
MUESLIX-1-FAILURE_CAUSE: SerialX/X:
Issuing the commands shutdown and no shutdown has no effect.
When encapsulation is changed on a PRI interface, B-channel interfaces are set in the up state. This causes the first call to the B-channel to fail, but subsequent calls to that channel work after the first failure. As a workaround, when changing encapsulation on a PRI interface, you must first use the shutdown command on the interface before configuring the new encapsulation.
A router may reload when traffic shaping is configured on an ATM interface.
Removing an ATM Deluxe card from a Cisco 7200 router and inserting an ATM Lite card in the same slot can cause the router to fail.
An RSP-based router fails when configuring SMDS encapsulation after viper alignment detection.
With a high load and with compression turned on, the CT1 PA interface may occasionally become "output stuck" and cause a system restart.
When ATM Lite tries to transmit a packet with multiple particles, in some applications such as L2F, particles after the third in the packet may not be 32-bit aligned. This will cause the ATM Lite's transmitter to stall. Once it happens, issuing the commands shut followed by no shut will get it out of the stall state until the next such packet arrives. A workaround is to run L2F in process switching mode.
A new configuration command, ip spd mode aggressive, is available. When configured, all IP packets that fail sanity check, such as those that generate "bad checksum not version 4," and "bad TTL" messages, will be dropped aggressively to guard against bad IP packet spoofing. The show ip spd command displays whether aggressive mode is enabled or not. SPD random drop in RSP is supported.
When enabled, SPD now works as follows:
When the ip spd mode aggressive command is issued, IP packets that fail sanity checks are classified as aggressive droppable packets.
When the IP input queue reaches the SPD minimum threshold (specified by the ip spd queue min-threshold n command), all aggressive droppable packets are dropped immediately, while normal IP packets (not high-priority SPD packets) are dropped with increasing probability as the length of the IP input queue grows.
When the IP input queue reaches the SPD maximum threshold (specified by the ip spd queue max-threshold n command), all normal IP packets are dropped at 100 percent.
The default SPD minimum threshold is 10, while the default maximum threshold is 75.
To avoid an input interface that takes too many router resources, new packets (SPD or non-SPD) received from that interface are dropped when the interface has more than the input hold queue limit of input packets floating somewhere in the router.
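The SPD behavior described above can be modeled as follows. This is an added example, not Cisco code: the function names are hypothetical, the linear ramp between the two thresholds and the treatment of a zero TTL as "bad TTL" are assumptions (the text says only "increasing probability"), and high-priority SPD packets are not modeled.

```python
import struct

SPD_MIN_DEFAULT = 10  # default minimum threshold given in the text
SPD_MAX_DEFAULT = 75  # default maximum threshold given in the text


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented.

    Returns 0 when run over a header whose checksum field is valid.
    """
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(ttl=64, version=4, corrupt_checksum=False) -> bytes:
    """Constructed 20-byte header, 192.0.2.1 -> 198.51.100.7 (sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 40, 0x1234, 0,
                      ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    csum = ipv4_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x0001  # flip one bit so verification fails
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def classify(header: bytes) -> str:
    """Return 'aggressive' for headers failing sanity checks, else 'normal'."""
    if len(header) < 20:
        return "aggressive"
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5 or len(header) < ihl * 4:
        return "aggressive"          # "not version 4" or malformed length
    if ipv4_checksum(header[:ihl * 4]) != 0:
        return "aggressive"          # "bad checksum"
    if header[8] == 0:
        return "aggressive"          # assumption: TTL of zero is "bad TTL"
    return "normal"


def drop_probability(queue_len, pkt_class, aggressive_mode=True,
                     min_th=SPD_MIN_DEFAULT, max_th=SPD_MAX_DEFAULT) -> float:
    """Probability that SPD drops a packet at the given IP input queue length."""
    if pkt_class == "aggressive" and not aggressive_mode:
        pkt_class = "normal"         # assumption: no special class without the command
    if queue_len < min_th:
        return 0.0                   # below the minimum threshold SPD is idle
    if pkt_class == "aggressive":
        return 1.0                   # dropped immediately once min is reached
    if queue_len >= max_th:
        return 1.0                   # normal packets dropped at 100 percent
    # Assumed linear ramp between the thresholds.
    return (queue_len - min_th) / (max_th - min_th)


if __name__ == "__main__":
    samples = {
        "valid": build_header(),
        "bad checksum": build_header(corrupt_checksum=True),
        "not version 4": build_header(version=6),
        "bad TTL": build_header(ttl=0),
    }
    for depth in (5, 10, 42, 75):
        for name, hdr in samples.items():
            cls = classify(hdr)
            print(f"queue={depth:3d} {name:14s} class={cls:10s} "
                  f"p(drop)={drop_probability(depth, cls):.2f}")
```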
Occasionally a router in standby state responds incorrectly to a proxy ARP request. It puts the virtual MAC address in the ARP data field, which is correct. But it also puts the virtual MAC address in the MAC header, which is incorrect. The effect of doing this is that a switch may associate the virtual MAC with the wrong port, and packets are no longer sent to the active router.
If the active and standby routers are on different ports on a switch, the switch learns the virtual MAC address from both of them and may thrash its MAC layer cache.
The workaround is to disable proxy ARP.
A router may fail when executing the command show ip route network.
Multicast assert does not correctly prune router interfaces when no host reports are received from a VLAN.
NAT will only translate the first address entry in an NBNS group name response message. Other group name address entries will not get translated and therefore the NetBios client will ONLY be able to reach the first group address host, since it would be using an Inside Local address from the outside for the other members of the NBNS group name.
Packets might not be forwarded correctly and may cause problems if fancy queuing (for example, fair-queue) is enabled along with the Compression Service Adapter (CSA).
Using the physical-layer async command on low-speed serial interfaces (either asynchronous or synchronous), the fast switching process increases by approximately 10 percent.
A Cisco 7200 router configured to route IP packets over ISDN with encryption only works in process-switch mode.
Encrypted TCP sessions are pausing when passing over an MPP bundle as soon as two or more members in the bundle become active. This behavior can ONLY be observed when building a TCP session between hosts on the LAN interface of two routers connected via encrypted MPP. Current workaround is to switch off fast-switching on the LANs.
A VIP token ring interface does not encrypt/decrypt IP packets containing a routing information field (RIF), even though the initial encryption connection setup with the remote router is successful.
Encryption/decryption for Token Ring IP packets without a RIF continues to function normally.
A router cannot handle TCP flows according to the QoS weight defined after a reload or using the wr mem or conf mem commands.
When the traffic between the PA-12E/2FE port adapter and the CPU is high and the PCI bus is overloaded, a DEC21140 can get underrun and overrun errors. This is due to PCI congestion. The traffic is affected momentarily, then restored.
Bell 103 communication does not work on the analog Microcom modems in answer mode.
When using a Kerberized Telnet to communicate between two Cisco routers, the credentials may not be forwarded.
Modems failing during trainup show up as ATH detected even when Mica is in answer mode. Even after a call is successful, Cisco IOS shows that the call was hung up due to ATH detection.
A Cisco 1600 router fails when IPSEC is configured over an ISDN link. This is caused by the IP route-cache which is enabled by default on all interfaces. Disable fastswitching on the dialer interface and the router will stop failing. However, TCP packets now get out of order.
If you configure a loopback, then unconfigure it, then OIR an AIP card with 10.3(17), IOS remembers the old configuration:
a syslog message is logged to indicate the loopback is up
in some cases, the command show ip route connected will list the loopback
If an ATM PVC is deleted on a point-to-point interface and a new PVC is created, and the new PVC has a different VCD than the old, CEF will drop packets that should be transmitted on that interface. The interface configuration commands no pvc followed by pvc will produce this behavior, as will no atm pvc vcd followed by atm pvc different-vcd. This can be corrected by issuing shutdown followed by no shutdown for the affected interface.
When you turn off IP routing and reenable IP routing, CEF does not come on by default on platforms like the Cisco 12000 (GSR).
The system is not responding to BECNs correctly when the Frame Relay interface is a channelized interface on a Cisco 7500 series router.
When IP fastswitching is enabled on a Cisco 1600 router with BRI interfaces, it is possible to cause the router to fail under the following conditions:
The ISDN connection is being brought up and down repeatedly;
The clear ip cache command is invoked during this period repeatedly, in conjunction with the connection being disconnected.
Running Frame Relay over ISDN on a Cisco 3640 router initially worked, but started to fail when the interface input queue became full and all incoming packets were dropped. The interface input queue wedge problem cannot be resolved by a lock or unlock, but needs to have the router reloaded.
The show CMNS command is no longer available.
A Cisco 3640 router rejects incoming calls even though there are free channels and available modems. Both ISDN and analog incoming calls are rejected with the message "Incoming call rejected, exceeded max calls."
A router configuration using autoinstall over a Frame Relay link may fail. Autoinstall loads the router configuration file from a TFTP server at boot time. This occurs when NVRAM has no configuration and you elect not to enter a configuration from the console, but to proceed with autoinstall. When the autoinstall media access to the TFTP server is Frame Relay, the function fails. This problem does not occur with older software releases such as Cisco IOS Release 11.3 or 11.3T.
The expiration of a response timer (T200) can cause Layer 2 to disconnect, and not re-connect until the router is re-loaded.
When configuring XOT keepalives on the X.25 route statements, a router might restart with the following (decoded) traceback:
c3640-js-mz.113-6.1.symbols read in
Enter hex value: 0x605FF664
0x605FF664:xot_update_keepalive(0x605ff644)+0x20
Enter hex value: 0x606094F8
0x606094F8:x25swt_verify_call(0x606092e4)+0x214
Enter hex value: 0x6060D880
0x6060D880:x25swt_process_incoming_call(0x6060d840)+0x40
Enter hex value: 0x6060D7CC
0x6060D7CC:x25swt_flagged_wakeup(0x6060d704)+0xc8
Under unusual circumstances that include protocol processing delays induced by debug reporting, X.25 switching operations can cause the router to reload.
To find the serious open defects for Release 12.0(1):
Read the open caveats for Release 12.0(2). These are caveats still open from Release 12.0(1) or discovered after Release 12.0(1) was shipped.
Read the resolved caveats for Release 12.0(2). These are caveats that were open for Release 12.0(1) and resolved by the time Release 12.0(2) shipped, or discovered and resolved after Release 12.0(1) was shipped.
According to the ITU specification (page 60 Note II), the router needs to act on the SEIZURE signal between 100 to 200 msec. We do this around 150 milliseconds, within spec.
However, for Croatia, it has been confirmed by the switch manufacturer as well as the PTT HPT, that the typical value needs to be 50 msec, maximum 60 msec. Therefore, we need to adjust our parameters for Croatia.
On Cisco 5200 and 5300 access servers, assertion failures can result in the servers failing.
An access server may fail when MICA runs out of buffers (prints out NO_BUF messages on console) and a lot of EXEC sessions are running. This problem has been observed with the latest 56K modems.
A Cisco AS5300 may fail to place a call and issue the message "no signalling channel is available for outgoing call", because of certain sequences of shutdown and no shutdown on T1 controllers, if controllers have both CAS and PRI configured. The workaround is to always configure no shutdown on controllers with CAS first.
When you configure a channel group, unconfigure the channel group, and then configure a PRI group with Release 11.3 T and later, a bus error occurs.
The failed call count does not include unanswered calls.
The absolute-timeout line configuration command does not accept a value for the timeout parameter.
Appletalk subinterfaces on SMDS return the wrong SMDS address when an AARP request is sent. The router returns the SMDS address associated with the first subinterface regardless of which subinterface is associated with the AARP request.
Disabling a subinterface will turn off AppleTalk route-cache for all subinterfaces on that interface.
Enable the subinterfaces' AppleTalk route-cache after disabling one of the subinterfaces by issuing the interface subinterface appletalk route-cache command.
Cisco 1003 routers sharing S bus frequently have problems. Even though diagnostics show that the router is responding to IDCKREQ from the ISDN switch, these responses are lost in collisions and never seen by the ISDN switch.
LANE clients may drop with the message, "SNMP CPUHOG processing GetNext IfEntry" on the ATM subinterfaces. In some cases numerous subinterfaces were defined, which were not numbered sequentially. A partial workaround is to issue the command no snmp-server sparse-table, which lessens the frequency of occurrence.
When configuring traffic-shape groups under interfaces, the second traffic-shape group will not show in running-config or startup-config if options are not added to the command as the first statement.
Cisco 1005 router may report the following message repeatedly:
System was restarted by bus error at PC 0x6013425C, address 0xD0D0D6D
Stack trace from system failure:
FP: 0x611ECEB8, RA: 0x6013425C
FP: 0x611ECED0, RA: 0x60134F00
FP: 0x611ECF60, RA: 0x601F4594
FP: 0x611ECF90, RA: 0x6013F46C
FP: 0x611ECFB8, RA: 0x6016C7CC
FP: 0x611ECFD0, RA: 0x60161B58
FP: 0x611ED008, RA: 0x6016BC5C
FP: 0x611ED060, RA: 0x6019FA70
There may be a problem on the VIP in regards to fragmentation of packets that can cause the DMA engine to stall (and cause the VIP to fail). The message "DMA receive error" may be displayed.
There is no workaround.
Under noisy line conditions a giant packet followed by a runt packet on a serial line will cause a Cisco 2600 router to fail.
A router becomes unresponsive when a query router history is attempted and the history table is empty.
With RSP HSA, issuing the command write memory may not correctly update the ROM monitor BOOT variables on the slave processor.
The workaround is to verify that the BOOT variables have been correctly written by issuing the show bootvar command on the master after every write memory command, and reissuing the write memory command as many times as necessary.
After a user dials into a Cisco AS5200 and is passed to the TACACS+ server and is authenticated, the access-list that is passed back to the router by the TACACS+ server is not applied to the async interface by the router. There is no workaround.
A Cisco MC3810 with both Multi-Flex Trunk (MFT) and Digital Voice Module (DVM) installed may see T1 clock slips on the T1 controllers under certain circumstances. Clock slips are reported when viewing the T1 controller statistics with the exec command show controller t1.
When the Cisco MC3810 is configured with both T1 controller 0 and 1 set for clock source line and the proper global configuration command network-clock-select has been entered, the MC3810 system clock will synch with one of the T1 controller clocks while temporarily setting the other controller to loop timing. The problem is that even though the secondary T1 controller reports loop timing as seen with show controller t1, the system clock is still being driven by both T1 controllers. This will occur even though there may only be one active T1 line connected to the MC3810 or even when the unused T1 controller is administratively shutdown.
The workaround for this problem is to set one of the controllers for either loop or internal through the controller subcommand clock source.
Crashinfo may not be saved when certain types of memory corruption occur.
SNMP memory may leak when SNMP ping is enabled.
Using traffic shaping with custom queuing may drop too many packets.
If a network management application were to add an entry in the ping MIB table, not activate the entry, and then delete it before it is aged out of the MIB by the five minute timer, the router could fail.
The aaa accounting nested configuration command is not available from the configuration parser.
X.25 CSTATE would occasionally run out of stack space, causing an unscheduled reload of the router.
A router will not be able to connect to a mainframe if the modename is less than 8 characters.
Timeslot one appears to get into a hung state at the framer level and endlessly sends an ABCD=F. This is only seen when doing a tdm-group and a cross-connect for timeslots 1-x.
NTP on Cisco 2600 and 3800 platforms does not stay synchronized. After some amount of time the clock will wander and NTP will become unsynchronized. Removing the NTP configuration and adding the NTP configuration back will cause the router to synchronize again, but later it will become unsynchronized.
A workaround is to issue the command ntp clock-period 17208078
Cisco 1600 is not able to receive multicast packets for different groups at wire speed. This causes the Cisco 1600 Ethernet driver to miss packets.
A workaround is to configure static multicast groups.
If a router is configured to support Layer3 switching with in and out access filters on the HSSI interface and Frame Relay IETF encapsulation, subsequently trying to configure SMDS encapsulation will cause the router to fail.
Issuing the command no traffic-shape group causes the router to fail.
V.120 users can now configure autocommand ppp negotiate under VTYs correctly.
Starting with Cisco IOS Release 11.3(5.1)T, a reverse-telnet connection that receives a telnet BREAK sequence will fail to send an EIA/TIA-232 (RS232) BREAK to the associated async line. An outgoing telnet connection that receives a telnet BREAK sequence will also fail to output a BREAK condition, and this instance of the problem has existed for quite some time.
RSP range registers set correctly to enforce 2MB limit on MEMD access.
An APPN router may display a single conloser CP-CP session. This CP-CP session cannot be deactivated by issuing the appn stop cp-cp command. As a workaround, stopping the APPN link will clear this problem.
While control units are being removed by router or end device activity, issuing the show bsc command may cause the router to fail.
While DLSw with FST encapsulation is configured on a router, the following error message with traceback may appear:
00:39:38: %SYS-2-INPUTQ: INPUTQ set, but no IDB, ptr=ADDD9C
-Traceback= 148D3A 572A 4DF4 110064 17DAA2 17B0DA 14CC 10005B4 10047DA
If DLSw is configured to use TCP as the transport, and if the following conditions are met, a TCP packet coming from the peer could get stuck in the TCP buffers of the router. A TCP packet may get stuck when there are no keepalives between the peers (like in an ISDN connection), there is not heavy traffic between the peers using the DLSw pipe, and a packet coming from the peer is 1 to 3 bytes in excess of the MSS (Maximum Segment Size) of the receiver.
Under these conditions, the receiving TCP does not give the assembled packet to DLSw, until another packet arrives.
A possible workaround is to adjust the MAXDATA (MAX PIU) of the end node to the value of MSS-16 bytes (allowing 16 bytes for the DLSw header) in the case of SNA.
A Token Ring LEC configured for HSRP and multiring IP, will potentially respond to IP RIF packets received via the BUS, even though it is not the intended recipient for such packets. This happens when IP packets with a RIF are sourced by other LECs on a Token Ring ELAN and targeted at remote devices which are one or more SRB hops away from the ELAN. The LEC fails to filter these packets, thereby causing IP looping problems in Token Ring LANE environments. This problem occurs on the Cisco 4700, 7200 and 7500, RSP7000 platforms.
APPN auto-activate on demand works only once in Release 11.2 and does not function at all in Release 11.3. There is no workaround.
Router fails when BSC receives a frame through BSTUN while it is in the process of transmitting a frame on the BSC line.
When bisync is running on a branch router connected to an NCR5085 cash machine, if a corrupted acknowledgment is received from the ATM XA machine, under unusual conditions you may see the input queue on the serial interface connected to the ATM machine get into a wedged state. If the serial interface is in this state, issuing the show interface command will display the value of input queue as 75/75. A workaround to get the interface working again is to shutdown the interface and bring it back up by issuing the command shutdown followed by no shutdown. An additional workaround is to schedule the shutdown/no shutdown by increasing the interface input hold queue size by issuing the command hold-queue 150 in under the bisync interface.
A Cisco 2600 running Cisco IOS Release 11.3(5)T and later, configured for BSTUN/Frame Relay may lose a portion of the Frame Relay configuration and the encapsulation may change from Frame Relay to BSTUN (You can see that the configuration has changed by issuing the show interface command). This causes the Frame Relay link to go down when the router is reloaded. There is no workaround.
A Cisco 4500 router configured with a Token Ring LE Client adds 6 extra bytes when fastswitching routed protocol packets from a Token Ring LEC ATM interface to the packets' target (output) interface. Although this problem is known to occur with IP packets, it potentially exists for other routed protocols which are fastswitched in from a Token Ring LANE interface and fastswitched out to the packets' target interface.
An APPN router may reload with the following traceback error in the show stack log capture:
System was restarted by error - a Software forced crash, PC 0x601EED8C
Stack trace from system failure:
abort(0x601eed84)+0x8
crashdump(0x601ed76c)+0x18
Pexit(0x608dc608)+0x88
LP_lpid_deallocate(0x608db3e8)+0x68
psp01b(0x608117b0)+0x9c
psp00(0x60810b10)+0x230
An APPN router may reload with a SegV exception in psp00 after the following message is displayed in a rare race condition:
%APPN-6-APPNSENDMSG: APPN Allocate 613D1F8C to NETA.MVS1 timed out for TP "001.
System was restarted by error - a SegV exception, PC 0x606AE270
An APPN router enlarges its LFSID table from a small model to a large model if greater than 12 SIDLs are active for a specific SIDH. The large LFSID table requires substantially more memory.
The resolution to CSCdk54687 increases the number of entries in the small LFSID table to the maximum number of SIDLs which fit into this table. This requires no additional memory per link, but increases the number of SIDLs supported in the small LFSID table. Thus, in customer networks which typically support 17 LUs/PU, the APPN router may use significantly less memory.
DLUR routers will incorrectly update the max-btu-size for links to Type 2.1 nodes.
FDDI PA will now have a software address filter at VIP level to filter out unwanted multicast packets. This helps performance and also avoids unnecessary entries in netflow tables.
A router coded as a primary SDLC interface may send an erroneous frame causing the secondary device to send a FRMR.
When a 100Mbps interface on the Cisco 3600, configured for ISL encapsulation, is modified, the interface may cause carrier loss and ISL trunk flapping.
When you attach some routers, such as a Cisco 2500 or 4000, directly to a switch that is configured for autosense, the switch will detect the port as being full duplex, but the routers only support half duplex. The Token Ring interface on the router will show up/up but only broadcast traffic will pass. On the switch you will see line errors incrementing at a very high rate. A ping issued from the router to a local device on the ring with the switch will fail.
A workaround is to manually set the switch to half-duplex.
After a reboot, or cbus complex restart, there is a small chance (one in several thousand) that one or more T1s in a CT3 IP won't come back up properly. There is a very specific set of symptoms for this failure:
The line comes up at both ends, so all is well physically.
No T1 alarms or performance monitoring errors are detected.
Line protocol will be down (assuming keepalives are enabled).
The far end router will count large numbers of CRC errors in its relevant show interface counters.
The near end router (i.e. the relevant CT3IP interface) will not show any errors in its counters.
The T1 number is 1-20 (T1s 21-28 are not affected by this problem).
Once in this state, issuing the command microcode reload or reloading the router is the only way out of this state.
All IOS versions that support CT3IP have recently been modified to include more details in the hardware version string displayed in the output of the show controller t3 command. Prior to firmware version 2.8.0 this display would merely show a H/W Version of 5 as seen in this example:
router#show cont t3 0/0/0
T3 0/0/0 is up.
CT3 H/W Version: 5, CT3 ROM Version: 1.2, CT3 F/W Version: 2.7.0
After upgrading to an IOS image that includes firmware version 2.8.0 or later, the above display will be enhanced to include more hardware version details as seen in these two examples:
router#show cont t3
T3 0/0/0 is up.
CT3 H/W Version : 5.0.0, CT3 ROM Version: 1.2, CT3 F/W Version: 2.8.0

router#show cont t3
T3 0/0/0 is up.
CT3 H/W Version : 5.0.1, CT3 ROM Version: 1.2, CT3 F/W Version: 2.8.0
Hardware versions 5.0.0 and 5.0.255 are subject to this caveat. Hardware version 5.0.1 is not. (If you see a hardware version of 5 with no additional numbers, update your software to a more recent version).
Certain types of terminal adaptors (for example, NEC) may toggle lots of control lines during the DTR pulsing. These line status changes will interrupt the port adaptor 8T/4T+ controller and cause a reset of the line by the IOS driver. Thus the DTR pulse is shortened.
A router with bridging enabled on an ATM interface (AIP) may continually reboot. A router at the end of the PVC may fail with a software forced failure. This caveat was first identified in Cisco IOS Release 11.1(18.1)CA.
Beginning in Cisco IOS Release 11.3(4), a Cisco 4500 configured for SRB may not remove IP frames from an FDDI ring. This causes IP frames to circulate around the ring until the TTL expires. This problem is seen when two or more Cisco 4500 are configured for SRB on the same ring.
EIP interfaces on a Cisco 7500 running 11.2.13 will start flapping then go into up/down state. A typical shut, no shut will not bring them back. You must do a microcode reload to stabilize the box; a reload of the box will also normalize the status.
A problem was discovered with routers running EIP microcode version 20.3 or earlier, when EIP interfaces receive resets while passing traffic and suffer a tx collision.
Symptom: EIP interface line protocol will flap (line protocol goes from up to down state repeatedly) and eventually lock up.
Workaround: Microcode reload periodically (every day during maintenance time period), or upgrade EIP microcode to latest version
Beginning with Cisco IOS Release 11.3(5.1), a Cisco 1600 configured with Frame Relay encapsulation may fail in Frame Relay compression (FRF.9).
HSSI3 H2T microcode will not rx/tx unless both rx/tx clocks are present, because the HSSI3 code waits for a chip reset to be done at the beginning of the code. However, chip reset is only done at boot time, or during online insertion/removal (OIR).
Fast Ethernet PA full duplex interfaces bounce up and down when configured in Fast Etherchannel (FEC). A workaround is to use the PAs in half-duplex mode when they are FEC members or unconfigure FEC.
The PA-A1 ATM adapter cannot transmit OAM cells. There is no workaround.
If CEF switching is enabled and an IP address is assigned to an ISL subinterface, if the subinterface is deleted but the same IP address is assigned to another interface, the router can fail.
Under some circumstances the PA-A3 may cause an RSP restart with an output stuck message.
A Fast Ethernet interface may hang under extreme traffic stress on a Cisco 7200 platform when used with ATM interface.
When CEF switching is enabled and Fast Ethernet interfaces are configured for flow switching, CEF-FLOW switching will fail on FEIP, if ISL is configured. Packets will be fast switched instead. There is no workaround.
When using CiscoWorks to manage a PA-MC-T3, it is mistakenly represented by CT3IP.
A Cisco 3600 may not send keepalive messages when keepalive is set.
After issuing the command no distance eigrp 255 255, the inaccessible routes may not be restored to the routing table. A workaround is to issue the command clear ip eigrp neighbors on the interfaces of the affected routes.
A router running Cisco IOS Release 11.3(3) and later, configured with a policy route map on a BRI interface, may not forward packets to the next hop as specified in the set ip next-hop command.
The following conditions must exist for policy routing to fail:
ip policy route-map name is configured on a BRI interface
the destination exists in the ip cache table of the policy router
A workaround is to issue a clear ip cache command, or remove fast switching by issuing the no ip route-cache command.
NetBIOS over TCP/IP port 139 is not getting translated.
The router displays console error messages during periods of high serial line utilization. Error messages are of the form:
%SYS-3-CPUHOG: Task ran for 2672 msec (87/71), Process = IP Input
On a Cisco 2600 series router running the c2600-is-mz_113-3a_T1 image and the NAT protocol, NAT works until the translation table times out. Only a reload of the router every 24 hours resolves the problem.
Routers with equal cost (redundant) paths between two Enhanced IGRP neighbors may experience problems with redistribution of static routes with a specified next hop. This problem only affects redistribution of static routes with a next hop specified and equal cost links with the next hop on one of the links.
The interface connected to the same net as the "next hop" must come up after the redistribution in order to see the problem.
The problem can be corrected by issuing the clear ip route * command.
DVMRP prunes received over a point-to-point link other than a tunnel, are silently ignored when they are sent to a unicast address. A workaround is to build a tunnel with the DVMRP neighbor.
The command clear ip route net will remove a connected route from the routing table which will not be properly reinstalled. This is a regression introduced in 12.0 by CSCdk01482.
A workaround is to issue the commands shutdown followed by no shutdown if the net is lost.
If a received update has an as-path loop and/or any other bad attribute (for example, bad nexthop), when running under soft reconfiguration inbound, the clean copy of the paths will be left around (received-only). This will bring back the denied path if the command clear neighbor soft in is issued, and might alter path selection.
A packet translated by NAT in the fast path may fail input ACL check if it is bumped for process switching.
A Cisco MC3810 reloads with error "CPU exception: reason = FORCE_CRASH(959fd4)", if policy routing is configured.
Beginning in Cisco IOS Release 11.3(5) and 11.3(5)T, DNS A RR responses will be dropped by NAT if the packet is going from NAT outside to NAT inside, the inside source mapping has an access-list which permits any, and the embedded IP address is an OUTSIDE GLOBAL address.
If you have demand circuit (including virtual links) and external LSAs on a router, the router will fail within 20-25 mins.
The only workaround is not to use demand circuit and virtual links.
When the number of (S,G) entries for IP multicast routing goes above 2730, the line card of GSRs or the VIP card of RSP may reload due to memory corruption.
The symptom of this bug is a repetitive pattern of unicast address, multicast address, followed by 4 long words (usually holding zeroes or very low count) in corrupted memory blocks.
The following records are other instances of the same caveat:
CSCdk47461 vip redzone crash
CSCdk48461 Software forced reload at SYS-6-MTRACE: mallocfree
CSCdk58110 VIP crash with SYS-3-BADBLOCK: Bad block pointer 603D6058
CSCdk60767 Memory corruption in get_buffer
This router reload will not happen in images which have the CSCdj87399 fix.
A BGP session may be reset when the same password is re-applied to the session. Also, password configuration for a peer-group may reset all the sessions of a box. There is no workaround.
DNS NS records that have glue records translated have the TTL of the glue records set to 0. The TTL of the NS record is not set to 0. Thus the DNS server will have a NS record for a DNS zone but no glue records. The next time the DNS server needs to contact the remote DNS server it will fail because it has a NS record cached but no IP address to reach it.
Static routes for 0.0.0.0 do not redistribute into other routing protocols.
There is no known workaround.
If the ip pim send-rp-announce command is configured when a router runs out of memory, the router may fail. The workaround is to unconfigure this command if the router is known to be at risk of running out of memory.
A router may fail if the distribute-list out command is configured with IS-IS as the routing protocol. For example:
router protocol
 distribute-list acl out isis
This failure can occur when configuring any IP routing protocol.
The distribute-list command does not work with IS-IS, so the specification of IS-IS routing protocol in the distribute-list command is invalid. The failure occurs because the invalid input is not handled correctly.
The workaround is to avoid specifying the IS-IS routing protocol when configuring the distribute-list out command.
If two Cisco 7500 series routers are connected to many Ethernet interfaces with EIP interface processors, and are running HSRP on many of these interfaces, the HSRP configuration may take several minutes to determine the active and standby routers after a router reloads. During this period of instability, the CPU load on the router approaches 100 percent.
The workaround is to replace the EIP interface processors with VIP interface processors and Ethernet port adapters. A less effective workaround is to reduce the number of HSRP groups, or to increase the HSRP hello and hold time. Cisco recommends using no more than 24 HSRP EIP interfaces. VIPs have been approved at 80 HSRP interfaces.
CPU intensive tasks like OIR, or commands like config net, and debug, that print a lot of output have provoked router failures in some customer installations. It is believed that a high background CPU load can also provoke the failure.
A software forced failure occurs because of a process watchdog timeout in ipc_cbus_process(). The IPC input process, ipc_cbus_process(), was not suspending until it had drained its entire input IPC message queue. This resulted in the process running too long, and suffering a process watchdog timeout.
The full-duplex command will not work on the 1FE PA. There is no workaround.
The logging synchronous command can cause logging to stop. The recommended workaround is to remove this command.
A PA-T3 port adapter may go into loopback after a router reload. A workaround is to issue the commands shutdown followed by no shutdown, or the clear interface command.
The router reloads when configuring the crypto key and named-key commands. The router will boot up after the reload, but it does not load the configuration from NVRAM even though the configuration register is set to 0xE002.
The CT1-PA and CE1-PA, when configured with the compress stac command, in a system with a CSA-PA (hardware compression PA), will experience memory leakage in the pool manager. When available memory goes down to a low value (less than 1M), the router will fail.
There is no real workaround. However, unplug CSA-PA from the system and software compression will be used instead. There is no memory leak with a CT1-PA and software compression.
On a Cisco 7500 platform, this will cause the output to be stuck.
When you telnet into one router, then from that router to another, and if both telnet sessions are encrypted and kerberized, then the second telnet console may receive garbled characters. The commands entered in this session will take effect on the second router, but their output is illegible.
When multiple KDCs were configured, there was no way to control the timeout such that failover can occur. This caused common client applications to fail before the next KDC is contacted. There is no workaround.
To resolve this caveat, the following two commands were added:
kerberos timeout seconds: Communications with the KDC will use this timeout. The range is from one to ten seconds, and the default is 5 seconds.
kerberos retry retries: Communications with the KDC will retry this many times. The range is one to five retries, and the default is 4 retries.
These commands will show up in the configuration when not set to their default values.
Attempting to encrypt to a phantom router causes memory leaks.
Sometimes the modemcap defined for a modem might not be applied to the modem before allocating the modem for a new call.
Various reloads pointing to inspect option of IOS firewall.
If Bisync is configured (encapsulation bstun command) with ASCII characters (bsc char-set ascii command) on the first port of a serial WIC (1T, 2T or 2A/S) in WIC slot 0 of a Cisco 2600 series, only the first character of each frame will be received, and the BSTUN tunnel will not get established. Other encapsulations are not affected, and using the EBCDIC character set with Bisync works correctly.
A work-around for this is to use a different serial port: either the second serial port (port 1) on a 2T or 2A/S WIC in WIC slot 0 or any serial port in WIC slot 1. If you have only one serial WIC, moving it from WIC slot 0 to WIC slot 1 will fix this problem.
If you are using NFAS with a backup D-channel and the primary D-channel goes down, modem calls might fail to be accepted into the access-server. Enabling the debug modem csm command displays the "dchan_idb state is not up" error message.
A router will fail right after the user configures an S/T BRI interface into the 128k leased-line mode. There is no workaround.
After 32767 encryption connection setup attempts, encryption connection setups may not complete. The workaround is to reload the router.
CBAC fails to create the dynamic ACLs that allow the establishment of FTP data channels if the FTP client sends commands terminated with a single carriage return character (instead of carriage return and linefeed characters). The symptom of this problem is that the FTP client will hang after issuing commands that require the exchange of a port (in order to set up a data channel between client and server), such as ls, get and put.
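The following Python example is added here for illustration and is not Cisco IOS or CBAC code; the reader classes, function names and sample captures are constructed. It contrasts a control-channel reader that recognises only CRLF with one that also accepts a bare CR or LF, and extracts the PORT endpoint (RFC 959) for which a dynamic ACL entry would be needed.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 as defined by RFC 959; the data port is p1*256 + p2.
PORT_RE = re.compile(rb"^PORT +(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)


def parse_port(line):
    """Return (ip, port) for a well-formed PORT command, otherwise None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class StrictCRLFReader:
    """Hypothetical inspector that recognises CRLF only (reproduces the symptom)."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        *lines, self.buf = self.buf.split(b"\r\n")
        return lines


class TolerantReader:
    """Accepts CRLF, bare CR or bare LF, including a CRLF split across segments."""

    def __init__(self, max_line=512):
        self.buf = bytearray()
        self.skip_lf = False   # previous byte was CR; swallow one following LF
        self.overflow = False  # current line exceeded max_line; discard it whole
        self.max_line = max_line

    def feed(self, segment):
        lines = []
        for b in segment:
            if self.skip_lf:
                self.skip_lf = False
                if b == 0x0A:
                    continue
            if b in (0x0D, 0x0A):
                if not self.overflow:
                    lines.append(bytes(self.buf))
                self.buf.clear()
                self.overflow = False
                self.skip_lf = b == 0x0D
            elif len(self.buf) < self.max_line:
                self.buf.append(b)
            else:
                self.overflow = True
        return lines


def data_channels(reader, segments):
    """Feed control-channel segments; return the endpoints a pinhole is needed for."""
    found = []
    for seg in segments:
        for line in reader.feed(seg):
            endpoint = parse_port(line)
            if endpoint:
                found.append(endpoint)
    return found


# Constructed control-channel captures (192.0.2.0/24 is a documentation range).
CRLF_CLIENT = [b"USER anonymous\r\n", b"PORT 192,0,2,10,19,137\r\n", b"LIST\r\n"]
CR_CLIENT = [b"USER anonymous\r", b"PORT 192,0,2,10,19,137\r", b"LIST\r"]
SPLIT_CRLF = [b"PORT 192,0,2,", b"10,19,137\r", b"\nLIST\r\n"]

if __name__ == "__main__":
    for name, capture in (("CRLF", CRLF_CLIENT), ("bare CR", CR_CLIENT), ("split", SPLIT_CRLF)):
        print(name, data_channels(StrictCRLFReader(), capture),
              data_channels(TolerantReader(), capture))
```

With the bare-CR capture the strict reader never completes a line, so no endpoint is found and the data channel is never permitted, which matches the client hang described in the caveat.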
The cablelength configuration command for the CT1 module is missing in the Cisco 2600 platform for Release 11.3T.
On a Cisco 2600 platform, issuing the commands shutdown followed by no shutdown, or clear interface bri, to a BRI interface on the MBRI-NM will not bring up the ISDN D-channel layer 2. The ISDN layer 2 will show that it attempts to send the line set up frame, but reports that the other end will not respond correctly. This is because the interface will hang and there will be no more frames transmitted.
The only workaround for this problem is to not issue these commands. If the interface needs to be reset, the router must be reloaded.
If an interface is configured for both NAT outside and encryption, all incoming packets targeted at the router are forced to the encryption engine, regardless of whether or not they are (or should be) encrypted. All non-encrypted packets are then dropped by the encryption engine.
When attempting to dial out on a Cisco 3600 using the digital modems and a single port T1 Network Module, the outbound call will fail with "No Answer". Inbound calls function correctly. Outbound dialing with T1 CAS and a dual-port T1 Network Module works correctly.
If the TCP keepalive timer is configured, the router may fail in random places in the TCP stack due to corruption of the TCP control block.
When the link(s) between redundant ATM ARP-servers breaks, then the ARP-servers keep trying to contact each other to repopulate the ARP cache.
Due to excessive signalling the CPU load on the routers and ATM switches can rapidly reach 99%.
The workaround is to use only one ARP server or to put them on very stable links.
There is a limitation of 25 encryption maps on any VIP. This limit is likely to be reached when encrypting many serial lines on the VIP using a fractional T1 or E1 port adaptor.
An Ethernet interface running Tag Switching and CEF may get into a state where the IP packets are not forwarded properly.
The problem occurs when a CEF entry is improperly pointing at a Tag data structure. To check whether this is the problem, issue the command show adjacency detail for the next hop on the failing route. In the failure case, the packet counts on the IP adjacency will not be increasing, but those on the TAG adjacency will.
A workaround is to disable Tag switching on the interface.
On run-from-flash systems, issuing the command copy flash tftp will incorrectly invoke the flash load helper code.
In some situations, FTP file transfers would fail due to an internal error.
The Explorer bit, in the TRISL header, may be incorrectly set for Non-Specific Routed (NSR) frames. Normally, the Catalyst 5000 and 3900 ignore this bit for NSR, but sometimes it causes some problems. Specifically, IP pings for NSR frames fail at times.
If an encryption map is applied to a dialer interface, dialer pools are used, and a dialup interface (for example, BRI) is used as the physical interface, then when that dialup interface is unbound from the dialer it may cause a system reload or mis-alignments. A workaround is to not use dialer pools.
The length field in the MAC Management Message Header for the SYNC message is computed incorrectly. A workaround is to use a modem that has the Broadcom Chip set. Because the SYNC message is a well known size, the Broadcom chip set can read the CMTS Timestamp without looking at the length field.
On VIP interfaces where CEF is required to run encryption, a connection cannot be initiated from the VIP side. A workaround is to initiate the connection from a peer router (if the peer has a non-VIP interface). Encryption will work properly in this case.
On non-VIP interfaces with CEF enabled, encryption will not work properly, and packets will be sent in the clear. CEF must be disabled for encryption to work.
Note that this caveat affects only self-generated packets. In real world environments, packets are usually forwarded to a router for encryption. In this situation these packets will not be affected by this caveat.
On a Cisco 2500 platform, you might fail to get CA certificates when enrolling a certificate with Entrust VPN.
In Release 11.2P and 11.3 when Fast Ethernet subinterfaces are configured for encryption, if the encryption map is only applied to the main interface and the IP address is configured in the subinterface, the packets could be switched in the clear. In Release 12.0, enabling CEF could cause the packets to get dropped.
Cisco AS5200 and AS5300 routers with MICA modems that are configured with the commands async mode dedicated and async mode interactive may fail with a bus error. On the AS5300 the failure is preceded with a "%ALIGN-1-FATAL" log message on the console. The cause seems to be a lot of PPP calls connecting and disconnecting.
If you configure output rate-limiting with distributed CEF enabled, on an interface that does not exist, you will cause a system restart.
Radius implementation for MS-CHAP does not comply with the latest specification from Microsoft.
POET output drops at low data rates with two PAs in VIP2. If you use a sub-rate POET interface together with a full-rate POET on the same VIP, VIP2 or VIP2-50, you will cause the full-rate POET to drop outbound packets. This will occur with an externally clocked sub-rate POET. There is no workaround, except to move the sub-rate POET or clock the sub-rate POET at 44.726 Mbps.
Also see CSCdj86266 for a similar problem with HSSI interfaces.
After a Cisco 3600 or 2600 platform is powered off and powered on, the ATM25 Network Module stops transmitting packets. Because a new image is loaded and an old image was previously on this platform, the problem will not be noted. This caveat appeared in Cisco Releases 11.3(05.1)T and 12.0(00.2)T and was resolved by Releases 11.3(6)T and 12.0(1.1)T.
Generic traffic shaping is not working on the Ethernet interface of a Cisco 2600.
Packets larger than 1010 bytes will fail to be transmitted on the BRI interface of a Cisco 7200 when WFQ is enabled (default queuing).
A workaround is to enable FIFO queuing on the interface.
If an Ethernet or FDDI interface goes down for any reason other than administrative shutdown (for example, a cable is pulled), when the interface comes up, CEF adjacencies that existed before the down event will not come up. This will result in dropping packets.
Clearing the ARP table will work around the problem.
The router might reload when using the default state-table or no state-table commands. There is no workaround, besides avoiding using these commands. Also, confirm the existence of a particular state-table before deleting it.
Router displays an error message:
42-1-NO_RING_DESCRIPTORS: No more ring descriptors available on 3 slot.
Afterwards, ports on the VPM are no longer usable.
When trying to configure a multipoint ATM-DXI interface, the router will only allow one atm-dxi map statement per VPI. For instance, if two ATM-DXI PVCs are defined on a multipoint interface (VPI/VCI 0/50 and 0/51), the router will only allow one atm-dxi map command for VPI 0.
The error message "Address already in map" appears when the second map command is entered.
Packets coming in on a tunnel interface from a Token Ring interface on a Cisco 2500 or 4000 platform will be duplicated.
A workaround is to disable fast switching on the outgoing interface of the unencapsulated packet.
Online insertion/removal (OIR) of a linecard caused the router to fail.
HSRP uses an incorrect MAC address to refresh the CAM on a switch or the MAC cache on a learning bridge.
This can lead to loss of connectivity or possibly duplicate packets.
A router running lots of subinterfaces and distributed-CEF may experience memory fragmentation problems due to excessive fibidb/fibhwidb download to linecards.
Connected host prefixes could remain in the linecard as invalid entries even when the interface is shutdown. This could happen if the interface down event was preceded by a full CEF download.
Issuing the clear cef linecard command will fix this problem.
An LLC2 connection coming in from TR-ISL on a router and that should pass by way of DLSw can experience a setup failure. The debug command will indicate "DLSw: failure - sap entry is not valid".
The workaround is to configure TR-ISL multiring on the FE subinterface although this is not normally required for SRB traffic.
The VIP fails when FEPA is configured for ISL and in the other bay a CT1 PA is installed. It is suspected that this problem can occur for FEPA+ISL along with any PA supporting subinterfaces.
This problem did not occur for FEPA+ISL and Serial PA.
While booting a router, the following traceback may appear:
followed by a traceback message, and some VPM ports become unusable.
In certain circumstances, when an encryption map is applied to an interface, removed, and subsequently reapplied, an RSP/VIP will reload.
If a ground-start link is initiated by the fxo port of a Cisco 3600, the secondary dialtone returned by the connecting fxs port does not get passed through to a handset connected to the Cisco 3640 loop-start fxs port.
The use of an MBRI card in a Cisco 3600 or 2600 with PPP encapsulation may cause packets to be dropped when CEF and L2F are enabled.
Turning on PVC OAM management on PA-A3 on the Cisco 7200 may cause the PA to crash if there is AAL5-NLPID PVC. The only workaround is to turn PVC OAM management off.
When the PA-A3 has physical layer errors at the 96th fifteen-minute stats report interval, a memory overrun error will occur.
PA-A3 may stop receiving under stress with some CRC errors on VCs. Issuing the clear interface command can restore the service.
A router may report memory allocation failures caused by SAP general request storms, even though there is enough memory for the software image. If IPX Enhanced IGRP is configured, please also refer to CSCdk44590.
When using IPX Enhanced IGRP incremental SAP updates (RSUP), the server tables between two or more Enhanced IGRP neighbors may become inconsistent. Specifically, the problem may occur when as few as three dozen servers go away at the same time, while the routes to those servers remain in the routing table, and if there are multiple Enhanced IGRP neighbors or paths to a neighbor. The "down" flash update for some of the recently downed servers isn't being sent out all interfaces, so some devices have the servers removed and others do not.
A workaround is to clear the IPX Enhanced IGRP neighbors on the unit which shows these servers remaining in the table.
A Cisco 2500 router configured with the command debug x25 events will fail as it opens an X.25 VC for IPX, XNS, Vines, or DECnet.
IPXWAN does not work when a Cisco 4500 or 7200 router is booted or reloaded with IPXWAN configured as the master of the IPXWAN link (its Local IPXWAN Node ID or IPX Internal Network Number is larger than that of the router at the other end of the WAN link).
You will see messages like these after IPXWAN debugging is enabled by issuing the command debug ipx ipxwan:
00:06:45: IPXWAN: Rcv TIMER_REQ on Serial5/0/72000:0, NodeID 0, Seq 1
00:06:45: IPXWAN: Rcv TIMER_REQ NodeID 7500 as SLAVE asking for unnumbered on Serial5/0
00:07:05: IPXWAN: Rcv TIMER_REQ on Serial5/0/72000:0, NodeID 0, Seq 2
00:07:05: IPXWAN: Rcv TIMER_REQ NodeID 7500 as SLAVE asking for unnumbered on Serial5/0h
00:07:25: IPXWAN: Rcv TIMER_REQ on Serial5/0/72000:0, NodeID 0, Seq 0
00:07:25: IPXWAN: Rcv TIMER_REQ NodeID 7500 as SLAVE asking for unnumbered on Serial5/0
Workaround: After the router is rebooted, issue the following interface commands:
no ipx ipxwan
ipx ipxwan parameters.
As an alternative, create another pseudo IPXWAN interface, which allows IPXWAN to function after reloads; for example:
!
interface Loopback0
 no ip address
 no ip directed-broadcast
!
interface Tunnel0
 no ip address
 no ip directed-broadcast
 ipx ipxwan 0 unnumbered dtp-11
 tunnel source Loopback0
 tunnel destination 188.8.131.52
Router gradually loses memory when running IPX Enhanced IGRP with ipx sap-incremental commands configured on its interface(s). The memory leak occurs when SAP general requests are received on the interfaces. By default, ipx sap-incremental is enabled on non-LAN interfaces which are configured for IPX Enhanced IGRP.
It is most easily seen by issuing the command show proc mem, and watching the growth of the "Holding" memory by the "IPX SAP In" process:
PID  TTY  Allocated  Freed   Holding  Getbufs  Retbufs  Process
44   0    14265416   201472  8360984  21924    0        IPX SAP In
Also, memory is being allocated to a large number of IPX SAP PH, IPX NDB PH, and IPX USV processes, as shown by the command show memory summary.
A workaround is to remove IPX SAP incremental by issuing the command no ipx sap-incremental eigrp from the IPX interfaces.
A VIP's CPU load may go to 99% after an online insertion/removal (OIR) event. Only a system reload or microcode reload will clear the problem.
Conditions Under Which the Problem Occurs: Any event that generates a media_hw_reset(), such as changing an MTU size or clearing the ATM interface.
Signalling or ATM SVC applications such as LANE or static map refuse to create an SVC because they think it still exists. Clearing the ATM interface does not fix the problem.
A workaround is to issue the commands shutdown followed by no shutdown, to clear all the state information at the signalling layer of the interface.
Voice over IP calls cause the router to reload if PPP Multilink is enabled on the BRI interface. A workaround is to force a UDP checksum on the dial peer, or to remove the PPP Multilink.
MS Callback server functionality in Cisco Access Servers is not working with configurations involving Async/ISDN interfaces configured with Dialer Profiles.
When the SERVICE messages are exchanged with the Routers for ISDN PRI interfaces, if the B-channels are transitioned from Out-of-service state to In-service state the B-channel count does not get updated. This can prevent the router from dialing out or accepting incoming voice/modem calls. The remote callers get a fast busy signal.
On Cisco 3600 platforms, modems may repeatedly not be able to connect on the B-channel. The modems do not train up and the calls get disconnected.
DDR with dialer dtr does not reset DTR to a down state after an unsuccessful call attempt. Unsuccessful in this case means that DDR is triggered, DTR is raised, but the modem/TA attached to the serial port never connects, so that DCD does not come up.
This can be verified by viewing show dialer to ensure that the dialer state is idle, and then show interface serial x to check the state of DTR.
When packets are bridged while a VC gets torn down, an incorrect VC value (zero) may be recorded in the bridge table entry. As a result, packets will be dropped. This happens because the VC value gets set to zero before the sub-interface gets brought down. The workaround is removing the invalid bridge entry by issuing the "clear bridge" command.
Fast port adapters (for example, FDDI, ATM, POSIP, and FE) on a VIP2 might see some performance degradation if the fast PA is on one VIP2 bay and other bay is empty.
A router using Cisco IOS Release 11.3(5.2) and later, with APPN and ATM configured, may experience software forced crashes with the following trace:
Frame Relay SVCs may fail on multipoint subinterfaces.
A router will leak memory when both AAA and Radius/TACACS+ are configured on the router.
A workaround is to issue the command aaa accounting update periodic value at startup time. Set value to a large number to avoid lots of periodic update accounting records.
multilink max-links does not work for L2F projected interfaces. This also applies for AAA user profiles which use the "max-links" TACACS+ attribute or Port-Limit and Ascend-Maximum-Channels RADIUS attributes.
Router may fail when the command show dialer is issued while calls are connecting and disconnecting.
Router may fail when running VPDN L2F sessions over ISDN.
LANE client may be dropped on Cisco 7200. The workaround is to disable the SSCOP quick poll.
An attempt to switch an incoming call, when all outgoing channels are in use, causes a memory leak.
You cannot send a break signal to a device connected to the async port on a Cisco 2511 through a PAD connection.
The router may reload when exiting a PAD connection. The problem first appeared in Cisco IOS interim release 11.3(6.3).
Autoselect functions on VTY lines are not supposed to work, and should be disallowed.
A Cisco 1600 will fail or reboot when Multilink PPP is negotiated on a link.
Under some circumstances when using X.25 switching the router may reload.
One example is when a Call is switched to an XOT destination, which is then Cleared (when no Call Confirm was received).
The Cisco 2600 series of routers with ISDN configurations -- both Basic Rate ISDN (BRI) and Primary Rate ISDN (PRI) interfaces -- can reload with a watchdog timeout when the ISDN interfaces are active/operational.
This problem occurs only on Cisco 2600 series routers running IOS release 11.3(6.2)T and later, 12.0(1) and 12.0(1)T.
There is no work-around for this problem.
A router running translated X.25 to Virtual Async connections (PPP/IPX) may reload. This appears to be an infrequent occurrence.
Enabling IP Multicast prevents LANE from populating multicast MAC addresses. As a result, it prevents IP routing protocols from working properly on LANE interfaces. The workaround is to disable IP Multicast.