Cisco Content Switching Module with SSL Release Notes

Release Notes for Catalyst 6500 Series Switch Content Switching Module with SSL Software Release 2.1(14)
OL-7028-14
Caveats
• Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are
  issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the
  .net version of the certificate authority but not on the Windows 2000 version. If this situation occurs,
  restart the certificate authority, and issue the enrollment request again. (CSCea53069)
• The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum
  segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side,
  might experience a software-forced reset due to exhausted resources if the following events occur
  simultaneously:
    – The real server is unreachable.
    – There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
    – All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on
      any of the connections.
    – The HTTP requests are more than three times the size of the negotiated MSS value.
  If this situation occurs, do one of the following:
    – Stabilize the real server so that it is reachable.
    – Enable the health probe for a real server on the CSM-S. (CSCed53976)
• The module might take longer to boot if there are client NAT pools in the startup configuration. The
  delay is proportional to the number of NAT pools in the configuration. With the maximum supported
  number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
• If you enter the clear arp command on the SSL Services Module, all proxy services go into a down
  state and then go into an up state. (CSCdy77843)
• When 828 days have elapsed since the CSM-S was booted, the HTTP probe will fail and will stay
  in the down state for about 18 minutes. Reboot the CSM-S before 828 days have elapsed.
  (CSCso08858)
• When configuring the CSM-S for fault tolerance, we recommend that you configure a dedicated link
  for the fault-tolerant VLAN.
  Note: Configuring stateful redundancy with the CSM-S in separate chassis requires a gigabit link
  between the CSM-S.
  Note: CSM-S configuration synchronization is supported if the system uses Cisco IOS software in
  the supervisor engine. It is not supported if the system uses Catalyst operating system
  software in the supervisor engine.
• The total conns established counter applies only to an active CSM-S. The standby CSM-S might
  display the total established connections when there is a fault-tolerance switchover, but the total
  conns established counter remains unchanged. (CSCtn16345)
Caveats
These sections describe the open and resolved caveats in CSM-S software: