Cisco Cisco IOS Software Release 12.4(4)T
1187
Caveats for Cisco IOS Release 12.4T
OL-8003-09 Rev. Z0
Resolved Caveats—Cisco IOS Release 12.4(6)T10
Workaround: Use process switching and allow the GRE traffic.
•
CSCsk26973
Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are
created. The incomplete cache entries can be verified by typing the show ip nhrp command and
looking for “type incomplete”. The memory leaked can be seen by examining the output of the show
chunk command and looking for “NHRP Cache”.
created. The incomplete cache entries can be verified by typing the show ip nhrp command and
looking for “type incomplete”. The memory leaked can be seen by examining the output of the show
chunk command and looking for “NHRP Cache”.
Conditions: This symptom could occur when traffic to nonexistent or non- responding addresses are
forwarded by the router over the DMVPN/NHRP cloud.
forwarded by the router over the DMVPN/NHRP cloud.
Workaround: There is no workaround.
•
CSCsk73104
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may
result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these vulnerabilities. Workarounds are
available to mitigate the effects of these vulnerabilities.
available to mitigate the effects of these vulnerabilities.
This advisory is posted at
•
CSCsk75098
Symptoms: A Cisco 7200 NPE-G2 router with a VSA encryption card, terminating IPSec EasyVPN
Dynamic Virtual Tunnel Interfaces, exhibits high CPU utilization during IKE and IPSec rekeys,
potentially causing some tunnels to go down.
Dynamic Virtual Tunnel Interfaces, exhibits high CPU utilization during IKE and IPSec rekeys,
potentially causing some tunnels to go down.
Conditions: This symptom is observed on a Cisco 7200-G2 router with a VSA card, acting as an
IPSec HUB, terminating EasyVPN DVTI remote-access IPSec tunnels into VRFs. At high tunnel
scale (more than 1000 tunnels), the CPU can spike close to 100 percent during IKE and/or IPSec
rekey, potentially causing traffic and tunnels to drop.
IPSec HUB, terminating EasyVPN DVTI remote-access IPSec tunnels into VRFs. At high tunnel
scale (more than 1000 tunnels), the CPU can spike close to 100 percent during IKE and/or IPSec
rekey, potentially causing traffic and tunnels to drop.
Workaround: Do not use more than 1000 RA EasyVPN DVTI tunnels on a Cisco 7200. Or switch to
Legacy EasyVPN tunnels (with dynamic crypto maps).
Legacy EasyVPN tunnels (with dynamic crypto maps).
•
CSCsk99530
Symptoms: The MPLS forwarding table has an untagged outgoing entry for a VPNv4 prefix in a
CSC case.
CSC case.
Conditions: This is an LDP/IGP (OSPF etc.) based CSC-PE. The VPNv4 prefix shall have a
local/redistributed (PE-CE OSPF etc.) path as well as an iBGP path. If the CE path is toggled and
then there is a LABEL ONLY change from the iBGP neighbor, the issue will be seen. BGP will end
up programming “Untagged” for the local/redistributed prefix, overwriting what is given by LDP.
local/redistributed (PE-CE OSPF etc.) path as well as an iBGP path. If the CE path is toggled and
then there is a LABEL ONLY change from the iBGP neighbor, the issue will be seen. BGP will end
up programming “Untagged” for the local/redistributed prefix, overwriting what is given by LDP.
Workaround: There is no real workaround. To clear the problem, issue a clear ip route command
for the vrf-prefix in question. If there are redundant paired PEs, make sure to clear the problem on
both routers with the clear ip route command.
for the vrf-prefix in question. If there are redundant paired PEs, make sure to clear the problem on
both routers with the clear ip route command.
•
CSCsl14635
Symptoms: T38 negotiation is failing for an incoming UPDATE request that has a T38 offer.
Conditions: This symptom occurs when the voice gateway is running Cisco IOS Release 12.4(15)T
and is processing incoming Session Initiation Protocol (SIP) calls. When the SIP call is active and
an UPDATE request is received that contains a T38 offer, the UPDAE request is rejected. The
switchover from voice to fax fails.
and is processing incoming Session Initiation Protocol (SIP) calls. When the SIP call is active and
an UPDATE request is received that contains a T38 offer, the UPDAE request is rejected. The
switchover from voice to fax fails.
Workaround: Fax over T38 works fine when midcall INVITE is used for T38 negotiation.