Release Notes for Cisco Content Switching Module with SSL

Release Notes for Catalyst 6500 Series Content Switching Module with SSL Software Release 2.2(x)
OL-14929-06
Open and Resolved Caveats in Software Release 2.2(2)
When a client sends a SYN packet to a virtual server with the Explicit Congestion Notification 
(ECN) and Congestion Window Reduced (CWR) flags set, the CSM-S drops the SYN packet.
Workaround: Disable ECN on the client.
CSCsl40722
The CSM-S stops servicing load-balanced connections and probes due to a buffer leak.
Workaround: Periodically, enter the show mod csm slot tech-support all | i outstanding 
command. If small buffers reach 24500 or medium buffers reach 20000, the buffers are full and you 
must reboot the CSM-S.
Open Caveats in Software Release 2.2(2) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(2), see the 
.
This section describes the open SSL caveats in CSM-S software release 2.2(2):
Configuring NTP on the SSL-M or CSM-S SSL-DC may interfere with the clock synchronization. 
Configuring the CSM-S SSL-DC to synchronize its clock using NTP therefore might lead to the 
clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSL-M. The DC clock 
periodically synchronizes with the supervisor engine, so having NTP running on the supervisor 
engine is enough to keep the clock in synchronization. (CSCsg55214)
SSLM stops accepting new SSL connections because of a depletion of connection IDs on the TCP 
processor. Enter the show ssl-proxy stats command. The condition can occur when there is an 
approximately 65K difference between the conn alloc counters and dealloc counters under TCP. 
Eventually when all the connection IDs are exhausted, the SSLM will not be able to initiate any more 
connections to the backend servers. 
Workaround: Reload the module. (CSCek50983)
The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL 
proxy service. This occurred with a POST that had a large payload.
Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)
When performing a URL rewrite, the location URL in a 302 redirect includes an “80.” For example, 
http://192.168.45.10:80/. (CSCse92180)
The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a 
URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected 
location field contains the following string:
http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com
The location string is being incorrectly rewritten as follows:
http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com
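
The two URL rewrite caveats above (the ":80" left in the Location URL, and the rule host being matched inside a query string) both go away when the rewrite parses the Location value and compares only its authority against the rule. The following is an added illustration, not Cisco code and not taken from these release notes; the function names and the clear_port and ssl_port parameters are hypothetical, and the URLs in the comments are the ones quoted in the caveats.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def rewrite_location(location, rule_host, clear_port=80, ssl_port=443):
    """Rewrite http://rule_host[:clear_port]/... to https://rule_host[:ssl_port]/...

    Only the authority (host and port) of the Location URL is compared with
    the rule. Path, query and fragment are copied through untouched, so a
    rule host that merely appears in a query string is never rewritten.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return location
    if parts.hostname != rule_host.lower():
        return location  # e.g. user.microsoft.com with a rule for www.cisco.com
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS["http"]
    except ValueError:  # malformed port: leave the header alone
        return location
    if port != clear_port:
        return location
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    # Omit the port when it is the default for https (no ":443", no stale ":80").
    netloc = host if ssl_port == DEFAULT_PORTS["https"] else f"{host}:{ssl_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def has_redundant_default_port(location):
    """True when a URL spells out the default port of its own scheme."""
    parts = urlsplit(location)
    default = DEFAULT_PORTS.get(parts.scheme.lower())
    try:
        return parts.port is not None and parts.port == default
    except ValueError:
        return False


if __name__ == "__main__":
    quoted = "http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com"
    print(rewrite_location(quoted, "www.cisco.com"))
    print(rewrite_location("http://192.168.45.10:80/", "192.168.45.10"))
    print(has_redundant_default_port("http://192.168.45.10:80/"))
```

Running has_redundant_default_port over Location headers captured from 302 responses is a quick way to confirm whether a deployment is showing the CSCse92180 behaviour.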