Cisco IOS Software Release 12.4(4)T
Caveats for Cisco IOS Release 12.4T
OL-8003-09 Rev. Z0
Resolved Caveats—Cisco IOS Release 12.4(9)T3
• CSCsh39318
Symptoms: A router may crash when the configured route limit is exceeded. When this situation
occurs, the following error message is generated:
%MROUTE-4-ROUTELIMIT (x1): [int] routes exceeded multicast route-limit of
[dec] - VRF [chars]
Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN
but is platform-independent.
Workaround: There is no workaround.
• CSCsh50275
Symptoms: In a DMVPN setup in which a spoke has overlapping ISAKMP profiles and DPD enabled,
IKE quick mode fails due to an ISAKMP profile mismatch. After IKE SA expiry, the IKE SA rekey
triggered by ISAKMP keepalives does not use any ISAKMP profile while initiating the SA. With
overlapping ISAKMP profiles present, the IKE SA might end up attaching to the incorrect ISAKMP
profile instead of the one configured on the corresponding tunnel interface and used by the
original IKE SA, subsequently causing quick mode to fail due to the profile mismatch. The only way
to recover from that state is to clear the Phase 1 SA.
Conditions: This symptom occurs during DMVPN testing.
Workaround: There is no workaround.
• CSCsh54729
Symptoms: When Cisco Tunneling Control Protocol (CTCP) is enabled on a Cisco IOS VPN hub
without any crypto maps configured, CTCP sessions can be formed and leaked if any VPN clients
try to connect over CTCP.
Conditions: This symptom occurs when Cisco Tunneling Control Protocol (CTCP) is enabled on a
Cisco IOS VPN hub without any crypto maps configured.
Workaround: Disable CTCP when no crypto maps are configured.
• CSCsh58082
Cisco devices running an affected version of Internetwork Operating System (IOS) which supports
Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the
device when receiving a specific series of packets destined to port 5060. This issue is compounded
by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for
SIP.
There are no known instances of intentional exploitation of this issue. However, Cisco has observed
data streams that appear to be unintentionally triggering the vulnerability.
Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.
This advisory is posted at
• CSCsh94526
Symptoms: When acct-stop is received for a non-radius-proxy (normal IP) user, the router
configured for SSG crashes.
Conditions: This symptom occurs because SSG should be configured in radius-proxy mode. The
ssg wlan reconnect command should also be configured.
Workaround: There is no workaround.