Release Notes for Cisco MGX-FRSM-HS2 B Serial Frame Service Module
Release Notes for Catalyst 6500 Series Switch SSL Services Module Software Release 2.x
OL-5277-13
Caveats
• For manual certificate enrollment, if the URL string ends with a slash (/) after the TFTP server name
or address (for example, tftp://ipaddress/), the system tries to open a file named “.ca” from the TFTP
server.
Workaround: Specify the filename in the URL. (CSCea32058)
• If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign
the certificate to a proxy service, installation of the certificate fails after rebooting the system, and
the proxy service remains in the no cert state. (CSCdz20220)
Workaround: After rebooting, delete the trustpoint and import the PKCS12 file again. The proxy
service automatically reinstalls the self-signed certificate.
• Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal
can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate
with the key pair using a PKCS12 file. (CSCdz63758)
• When upgrading the image, the copy tftp: pclc#mod-fs: command accepts any filename. There is
no image name validation while upgrading the maintenance partition from the application partition
or upgrading the application partition from the maintenance partition. For example, if you attempt
to upgrade the application partition after booting the module in the application partition, the upgrade
fails. (CSCdz23639)
• Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is
available. (CSCdz24446)
• The module might take longer to boot up if there are client NAT pools in the startup-configuration.
The delay is proportional to the number of NAT pools in the configuration. With the maximum
supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
• Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on
the remote host. (CSCdy85233)
• When query mode is configured and there are multiple trustpoints using the same certificate
authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after
a Cisco IOS reboot. (CSCdz03802)
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query
mode and save the certificates in the NVRAM.
• Syslog messages indicating that proxy services are in the UP state may not be printed for all the
services configured in the system while booting. (CSCdy61618)
• Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in
unexpected behavior of the SSL Services Module. (CSCdy72229)
• If you enter the clear arp command on the SSL Services Module, all the proxy services go into a
“down” state and then go into an “up” state. (CSCdy77843)
• When query mode is configured, entering the no crypto ca certificate query command on the
running configuration does not stop the periodic polling for certificates. (CSCdy46075)
• When certificate query mode is configured, an “invalid input” message may be displayed on the
console following a fingerprint. This message is displayed when a certificate is read from NVRAM
on Cisco IOS reboot and does not indicate a real error condition. (CSCdy43112)
• On systems that are running Cisco IOS software and are configured with route processor redundancy
plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switch
over (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut
down and its status will remain as “Other”.
Workaround: Reset the module, and then shut down the module. (CSCee37656)
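
A pre-deployment check for the two trustpoint caveats listed above (CSCea32058 and CSCdz03802), added here as an example and not part of the Cisco release notes: it scans configuration text for TFTP enrollment URLs that end at the server name with a slash, and for trustpoints that share a certificate authority URL while query mode is on. The sample configuration, trustpoint names and addresses are constructed, and the parser assumes the usual Cisco IOS layout of a crypto ca trustpoint block containing an enrollment url line.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample configuration; trustpoint names and addresses are made up.
SAMPLE_CONFIG = """\
crypto ca certificate query
crypto ca trustpoint tp-manual
 enrollment url tftp://192.0.2.10/
crypto ca trustpoint tp-shop
 enrollment url http://ca.example.test
crypto ca trustpoint tp-bank
 enrollment url http://ca.example.test
crypto ca trustpoint tp-ok
 enrollment url tftp://192.0.2.10/tp-ok
"""

def parse_trustpoints(config):
    """Return (query_mode, {trustpoint name: enrollment URL})."""
    query_mode, urls, current = False, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line[:1].isspace():  # a top-level command ends any sub-mode
            current = None
            if words[:3] == ["crypto", "ca", "trustpoint"] and len(words) == 4:
                current = words[3]
            elif words == ["crypto", "ca", "certificate", "query"]:
                query_mode = True
        elif current and words[:2] == ["enrollment", "url"] and len(words) >= 3:
            urls[current] = words[2]
    return query_mode, urls

def audit(config):
    """Return sorted (caveat ID, trustpoint, reason) findings."""
    query_mode, urls = parse_trustpoints(config)
    findings, by_url = [], defaultdict(list)
    for name, url in urls.items():
        parts = urlsplit(url)
        # CSCea32058: nothing but "/" after the TFTP server name or address.
        if parts.scheme.lower() == "tftp" and parts.netloc and parts.path == "/":
            findings.append(("CSCea32058", name, "TFTP URL has no filename"))
        by_url[url].append(name)
    if query_mode:  # CSCdz03802 applies only when query mode is configured
        for names in by_url.values():
            if len(names) > 1:
                findings += [("CSCdz03802", n, "CA URL shared in query mode") for n in names]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="  ")
```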