Cisco MGX-FRSM-HS2 B Serial Frame Service Module Release Notes
Release Notes for Catalyst 6500 Series SSL Services Module Software Release 1.x
OL-3396-03
Limitations and Restrictions
This section describes general limitations and restrictions:
• Although Cisco IOS release 12.1(13)E and later supports 4096 VLANs, the SSL software supports
only the normal-range VLANs (2 through 1005). Limit the SSL Services Module configuration to
the normal-range VLANs.
• The SSL software does not monitor the health of the real (HTTP) servers. If a real server goes down,
the system shows that the service status is up until Cisco IOS software retries and fails ARP after
the default timeout period.
Workaround 1: If you know that the HTTP server is down, enter the no inservice command for the
corresponding SSL proxy service.
Workaround 2: If you are using the SSL Services Module with a Content Switching Module
(CSM), configure health monitoring on the CSM. (CSCdy83210)
• The client (SSL) and server (HTTP) connections that were bound during data transfer show up as
four connections in the TCP connection table if both connections are in TIME_WAIT state.
(CSCdy69930)
• With an open TCP connection, when the associated SSL proxy service is deleted and configured
again using the same name, the association between the SSL proxy service and the previous open
TCP connection is lost. Deleting and creating the same SSL proxy service results in a new service
ID for the same service name. (CSCdy68548)
• When configuring private VLANs, the SSL Services Module VLAN must be different from the
primary or secondary VLAN on the client or server. If the SSL Services Module VLAN is the same
as the primary or secondary VLAN on the client or server, the SSL interface may drop the traffic
coming from the private VLAN. (CSCdy86258)
• The SSL Services Module supports only one route per VLAN. If you add multiple routes using the
ssl-proxy vlan command, only the last route entered is added. (CSCdy44647)
• In SSL software release 1.1, when saving the configuration to NVRAM, if a power failure or module
reset occurs, you might lose part or all of the contents in NVRAM, including the private keys stored
in the private configuration file. In SSL software release 1.2, the automatic backup of configuration
to NVRAM feature resolves this limitation. (CSCdy51023)
• Do not use any routing protocols on the SSL Services Module. Although you can configure Routing
Information Protocol (RIP), we do not recommend it. The module supports an administrative VLAN
for all management (non-SSL) traffic. (CSCdz23816)
• ARP requests at line rate to the SSL Services Module result in traceback messages being displayed,
warning that the module is receiving heavy traffic in its control plane, which is not a normal
condition. Avoid sending wire-speed traffic to a services module. (CSCdz36033)
• The SSL Services Module is not Federal Information Processing Standards (FIPS) certified in SSL
software release 1.x.
• If there is more than one level of certificate authority, only the lowest level certificate authority
trustpoint that is authenticated and enrolled is exported in PEM files.
Workaround: Export the enrolled trustpoint to a PKCS12 file. All levels of CA trustpoints in the
certificate chain will be automatically included in the same file. (CSCea75462)
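
The normal-range VLAN limit and the one-route-per-VLAN limit (CSCdy44647) described above can be checked before a configuration is applied. The following Python linter is an added example, not part of the Cisco release notes; the sample configuration is constructed, and the sub-command syntax shown under ssl-proxy vlan (ipaddr, gateway, route ... gateway ...) is an assumption.

```python
import re

# Normal-range VLANs 2 through 1005, as stated in the release notes.
NORMAL_RANGE = range(2, 1006)

# Constructed sample configuration. The indented sub-command syntax is an
# assumption for illustration and is not taken from the release notes.
SAMPLE_CONFIG = """\
ssl-proxy vlan 100
 ipaddr 10.1.0.20 255.255.255.0
 gateway 10.1.0.1
 route 10.2.0.0 255.255.0.0 gateway 10.1.0.2
 route 10.3.0.0 255.255.0.0 gateway 10.1.0.3
!
ssl-proxy vlan 2001
 ipaddr 10.9.0.20 255.255.255.0
!
ssl-proxy vlan 200
 ipaddr 10.4.0.20 255.255.255.0
 route 10.5.0.0 255.255.0.0 gateway 10.4.0.1
"""

def parse_vlan_stanzas(config):
    """Return {vlan_id: [route lines]} for each 'ssl-proxy vlan N' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^ssl-proxy vlan (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            stanzas.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            # Indented lines belong to the current stanza; keep only routes.
            if line.split()[:1] == ["route"]:
                stanzas[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return stanzas

def lint(config):
    """Return (vlan, finding, detail) tuples for the two limitations."""
    findings = []
    for vlan, routes in sorted(parse_vlan_stanzas(config).items()):
        if vlan not in NORMAL_RANGE:
            findings.append((vlan, "vlan-out-of-range", "supported: 2-1005"))
        if len(routes) > 1:
            # Per the release notes, only the last route entered is added.
            findings.append((vlan, "multiple-routes", routes[-1]))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

For a multiple-routes finding, the detail field holds the last route entered, which is the only one the module adds.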