Cisco IOS Release 12.2(16)BX2

These release notes for the Cisco 10000 series router support Cisco IOS Release 12.2(16)BX2, which provides Service Selection Gateway features for the Cisco 10000 series router. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.

Cisco recommends that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/customer/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html.

Inheritance Information

To review the release notes for Cisco IOS Release 12.0(20)ST, go to the following URL:

To review the release notes for Cisco IOS Release 12.2, go to the following URL:

System Requirements

Cisco IOS Release 12.2(16)BX2 requires that you have the performance routing engine (PRE), part number ESR-PRE2 installed in the Cisco 10000 chassis. To verify which PRE is installed in the router, use the show version command.

Upgrading to a New Software Release

For general information about upgrading to a new software release, refer to Software Installation and Upgrade Procedures located at the following URL:

New and Changed Information

The following section lists the new software features supported by the Cisco 10000 series router for Cisco IOS Release 12.2(16)BX2:

For information about new features supported on the Cisco 10000 router in other releases, see the appropriate release notes at the following URL:

New Features—Cisco IOS Release 12.2(16)BX2

The following new feature and enhancements are supported on the Cisco 10000 router in Cisco IOS Release 12.2(16)BX2:

Half-Duplex VRF

The Half-Duplex VRF (HDVRF) feature provides scalable hub and spoke connectivity for subscribers of a multiprotocol label switching-based virtual private network (MPLS VPN) service. These subscribers connect to the provider edge (PE) router of the wholesale service provider, and they use the same or different services (for example, the same or different VRFs). The HDVRF feature prevents local connectivity between subscribers at the spoke PE router and ensures that a hub site provides subscriber connectivity. Any sites that connect to the same PE router must forward intersite traffic using the hub site. This ensures that the routing done at the spoke site is always access side interface to network side interface, or network side interface to access side interface, and never access side to access side.

SSG Enhancements for Overlapping Service Definitions

Overlapping services are services for which the route prefix of one service matches or is contained within the route prefix of another service. For example, the service definition 172.16.253.0/24 overlaps with the service definition 172.16.0.0/16 because the prefix 172.16 is contained in both definitions. The definition 0.0.0.0/0 overlaps all other possible services.

In releases prior to Cisco IOS Release 12.2(16)BX2, the Cisco 10000 router does not allow users to be subscribed to a service if that service overlaps another service to which a different user is subscribed.

To enable service providers to use existing overlapping definitions, the Cisco 10000 router provides the following SSG enhancements:

•

Service Translation—Translates overlapping service definitions to a set of non-overlapping service definitions.

•

Expansion of Service IDs—Expands the number of service IDs supported from seven to 15. The router uses service IDs to determine which services a user is subscribed to and how to police the user traffic.

To enable service translation on the router, enter the ssg service-overlap command in global configuration mode. This command indicates to the router to use the translated network sets to provide the desired network behavior.

Limitations and Restrictions

This section describes limitations and restrictions for the following areas. Be sure to review these limitations and restrictions before you use the Cisco 10000 router.

ssg bind direction Command Not Supported

Instead of the ssg bind direction command, which will now return an error, use the new ssg direction command. See the feature module SSG Direction Command for Interfaces and Ranges for more information.

L2TP Tunnel Authorization

Cisco 10000 router supports Layer 2 Tunneling Protocol (L2TP) tunnel authorization. However, RADIUS does not provide attributes for such parameter values as L2TP tunnel timeouts, L2TP tunnel hello intervals, and L2TP tunnel receive window size. When the Cisco 10000 router does not receive a RADIUS attribute for a parameter, the router uses the default value.

Broadband Aggregation Groups

Cisco IOS Release 12.2(15)BX or later does not support the configuration of broadband aggregation (BBA) groups using RADIUS. You must configure BBA groups manually.

ATM PXF Queuing

If you intend to disable Asynchronous Transfer Mode (ATM) parallel express forwarding (PXF) queuing, to ensure reliable operation you must enter the no atm pxf queuing command before you configure any virtual circuits (VCs) on an interface. If you have already configured VCs on an interface and you need to change the mode of ATM PXF queuing, remove the VCs from the configuration and then change the ATM PXF queuing mode.

Dynamic Bandwidth Selection

The Cisco 10000 series router does not support dynamic bandwidth selection (DBS) on virtual path (VP) tunnels.

QoS Service Policy on a Virtual Access Interface

If you apply an output Quality of Service (QoS) service policy on a virtual-access interface, and that virtual access interface is L2TP tunneled (when the router is configured as an L2TP Network Server [LNS], for example) and the service policy indicates that the type of service (ToS) or Differentiated Services Code Point (DSCP) bits should be set (with the set ip command, for example), the router sends the packets as-is, without changing the IP Precedence bits or DSCP bits. The outer header gets the correct value, but the inner header is not changed.

CISCO-VPDN-MGMT MIB

SNMP limits the size of Virtual Private Dialup Network (VPDN) template names to 128 characters. This affects the functionality of the CISCO-VPDN-MGMT MIB. Due to this restriction, if any template name (cvpdnTemplateName) in the cvpdnTemplateTable exceeds 128 characters, you cannot use an SNMP getmany request to retrieve any table entries. Instead, you must use individual getone requests to retrieve each template name that does not exceed 128 characters. For more information, refer to the Cisco 10000 Series Internet Router Broadband MIB Specifications Guide.

AAA Method Lists

Cisco IOS Release 12.2(14)BX supports a maximum of 99 authentication, authorization, and accounting (AAA) method lists. If you configure more than 99 AAA method lists using the aaa authentication ppp or aaa authorization network command, traceback messages appear on the console.

Unshaped UBR PVCs

Cisco IOS Release 12.2(15)BX or later releases supports a maximum of 8000 unshaped unspecified bit rate permanent virtual circuits (UBR VCs) on the OC-12 ATM line card. An unshaped UBR PVC is a PVC that has no rate configured on it. You can configure up to 16,000 shaped UBR PVCs per port on the OC-12 line card if you configure the PVCs with a shaped rate of less than 299 Mbps.

Shaped UBR PVCs

The Cisco 10000 series router does not support shaped UBR in atm pxf queuing mode.

Controlling the Rate of Logging Messages

It is important that you limit the rate that system messages are logged by the Cisco 10000 series router. This helps to avoid a situation in which the router becomes unstable and the CPU is overloaded. To control the output of messages from the system, use the logging rate-limit command.

This rate-limits all messages to the console to 10 per second, except for messages with critical priority (level 3) or greater.

For more information on the logging rate-limit command, refer to the Cisco IOS Configuration Fundamentals Command Reference.

Testing Performance of High-Speed Interfaces

Cisco IOS software running on the Cisco 10000 series router has multiple queues for all classes of traffic over high-speed interfaces. The software selects a queue based on the source and destination address of the packet. This ensures that a traffic flow always uses the same queue and the packets are transmitted in proper order.

When the Cisco 10000 series router is installed in a real network, the high-speed interfaces work efficiently to spread traffic flow equally over the queues. However, using single traffic streams in a laboratory environment might result in less-than-expected performance.

Therefore, to ensure accurate test results, you should test the throughput of the gigabit Ethernet, Packet Over SONET (POS), or ATM uplink with multiple source or destination addresses.

Tip

To determine if traffic is being properly distributed, use the show pxf cpu queue command.

Important Notes

This section provides important information about the following items for Cisco IOS Release 12.2(16)BX2:

Interoperability with Test Equipment

Interoperability issues exist when using the Spirent Adtech AX/4000 with ATM connections. These conditions will not occur in a live network deployment, and only affect lab testing.

The Adtech appears to interpret packet padding, instead of ignoring it (reference ITU-T I.363.5 08/96).

Keepalive packets for PPPoA sessions are often dropped, causing sessions to drop. This behavior occurs especially when the Cisco 10000 has PPPoA and PPPoEoA on the same ATM line card, with three or more virtual path identifiers (VPIs) configured. The content of the padding in this configuration causes the Adtech to ignore the PPPoA keepalives.

More broad incompatabilities were resolved in Adtech version 4.51. This current interoperability is a more specific configuration.

Provisioning for Scaling

The following configuration parameters enhance scalability on the Cisco 10000 router:

To configure the Cisco 10000 series router for high scalability, be sure to configure the configuration parameters as described in the sections that follow.

CISCO-ATM-PVCTRAP-EXTN-MIB

The Cisco 10000 router does not support the CISCO-ATM-PVCTRAP-EXTN-MIB for large numbers of permanent virtual circuits (for example, 32,000 PVCs). To exclude the Cisco-ATM-PVCTRAP-EXTN-MIB from the Simple Network Management Protocol (SNMP) view and enhance scalability, configure the following commands in global configuration mode:

	Command	Purpose
Step 1	Router(config)# snmp-server view view-name oid-tree included	Creates or updates a view entry. The view-name argument is a label for the view record that you are updating or creating. The name is used to reference the record. The oid-tree argument is the object identifier of the ASN.1 subtree to be included from the view. Specify a valid oid-tree from where you want to poll the information. The included argument configures the OID (and subtree OIDs) specified in the oid-tree argument to be included in the SNMP view.
Step 2	Router(config)# snmp-server view view-name ciscoAtmPvcTrapExtnMIB excluded	Configures the CISCO-ATM-PVCTAP-EXTN-MIB OID (and subtree OIDs) to be explicitly excluded from the SNMP view. You must specify the oid-tree as shown in the command line. The view-name argument must match the view-name you specified in step 1.
Step 3	Router(config)# snmp-server community string [view view-name] [ro \| rw] [access-list-number]	Sets up the community access string to permit access to SNMP. The string argument is a community string that acts like a password and permits access to the SNMP protocol. The view-name argument must match the view-name you specified in step 1.

Example 1 shows how to create or modify the SNMP view named myview to include the information polled from the Internet oid-tree and to exclude the CISCO-ATM-PVCTRAP-EXTN-MIB oid-tree. The community access string named private is set up and access to SNMP is read-only (ro) access.

For more information about the snmp-server view and snmp-server community commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3.

PPPoA Sessions with IP QoS Static Routes

To scale to 32,000 PPP over ATM (PPPoA) sessions with IP quality of service (QoS) enabled, you must limit the number of IP QoS static routes to 4,000 unidirectional QoS static routes.

AAA Authentication on the NME Port

If you use AAA authentication on the Network Management Ethernet (NME) port, set both the in and out interface hold queues to 4096. For example:

Call Admission Control

We recommend that you set the Call Admission Control (CAC) to a maximum of 95. For example:

Enhancing Scalability of Per-User Configurations

To enhance scalability of per-user configurations without changing the router configuration, use the ip:vrf-id and ip:ip-unnumbered RADIUS attributes. These per-user vendor specific attributes (VSAs) are used to map sessions to VPN routing and forwarding (VRF) and IP unnumbered interfaces. The VSAs apply to virtual access subinterfaces and are processed during PPP authorization.

In releases prior to Cisco IOS Release 12.2(16)BX1, the lcp:interface-config RADIUS attribute is used to map sessions to VRFs. This per-user VSA applies to any type of interface configuration, including virtual access interfaces. Valid values of this VSA are essentially any valid Cisco IOS interface command; however, not all Cisco IOS commands are supported on virtual access subinterfaces. To accommodate the requirements of the lcp:interface-config VSA, the per-user authorization process forces the Cisco 10000 router to create full virtual access interfaces, which consume more memory and are less scalable.

In Cisco IOS Release 12.2(16)BX1 and later releases, the ip:vrf-id is used to map sessions to VRFs. Any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created. PPP that is used on a virtual access interface to be created requires the ip:ip-unnumbered VSA. An Internet Protocol Control Protocol (IPCP) session is not established if IP is not configured on the interface. You must configure either the ip address command or the ip unnumbered command on the interface so that these configurations are present on the virtual access interface that is to be created. However, specifying the ip address and ip unnumbered commands on a virtual template interface is not required because any pre-existing IP configurations are removed when the ip:ip-vrf VSA is installed on the virtual access interface. Therefore, any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created.

These per-user VSAs can be applied to virtual access subinterfaces; therefore, the per-user authorization process does not require the creation of full virtual access interfaces, which improves scalability.

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Although the Cisco 10000 router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles. The ip:vrf-id and ip:ip-unnumbered VSAs have the following syntax:

You should specify only one ip:vrf-id and one ip:ip-unnumbered value in a user profile. However, if the profile configuration includes multiple values, the Cisco 10000 router applies the value of the last VSA received, and creates a virtual access subinterface. If the profile includes the lcp:interface-config VSA, the router always applies the value of the lcp:interface-config VSA, and creates a full virtual access interface.

Whenever you specify a VRF in a user profile, but you do not configure the VRF on the Cisco 10000 router, in Cisco IOS Release 12.2(15)BX, the router accepted the profile. However, in Cisco IOS Release 12.2(16)BX1 and later releases, the router rejects the profile.

Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template

You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface. The Cisco 10000 router clones the template and then applies the values configured in the profiles it receives from RADIUS, resulting in the removal of any IP configurations when the router applies the profile values.

Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs

The requirement of a full virtual access interface when using the lcp:interface-config VSA in user profiles can result in scalability issues, such as increased memory consumption. This is especially true when the Cisco 10000 router attempts to apply a large number of per-user profiles that include the lcp:interface-config VSA. Therefore, when updating your user profiles, we recommend that you redefine the lcp:interface-config VSA to the scalable ip:vrf-id and ip:ip-unnumbered VSAs.

Example 3 shows how to redefine the Loopback 0 interface using the ip:ip-unnumbered VSA.

Inserting a New Line Card

Unlike other Cisco routers, if you insert a new or different line card into a Cisco 10000 chassis slot that previously had a line card installed, the line card initially reports that it is administratively up.

Caveats for Cisco IOS Release 12.2(16)BX2

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.

For information on caveats in Cisco IOS Release 12.2(16)BX2, see the following sections:

Open Caveats—Cisco IOS Release 12.2(16)BX2

For information about open caveats in other Cisco IOS releases, see the appropriate release notes document at the following URL:

Table 1 Open Caveats in Cisco IOS Release 12.2(16)BX2
Caveat	Description
CSCdy79740	If 32,000 PPPoA sessions, 99 VRFs, RADIUS authentication, and the per vrf aaa case command are configured on the Cisco 10000 series router, and you insert or remove a line card, the PPPoA sessions disconnect within 45 seconds of the online insertion and removal (OIR) event. When this happens, the following traceback message might appear on the console: `[%IPRT-4-ROUTECOUNTNEGATIVE]` Workaround: There is no workaround for this problem.
CSCea35508	The throughput of Frame Relay traffic might be up to 5 percent lower than the maximum possible throughput. Workaround: There is no workaround for this problem.
CSCea37019	The Cisco 10000 series router displays a bus fault error when Automatic Protection Switching (APS) is configured on the OC-12 ATM line card. Workaround: There is no workaround for this problem.
CSCea37038	If APS is configured using the aps force atm slot/subslot/port from protect command on the 4-port OC-3 line card or the single-port OC-12 ATM line card, and a signal failure is received on the port of either line card, the output of the show interface atm slot/subslot/port command might indicate the interface is up instead of down. Workaround: Clear the force state as soon as the port has been designated as working, by entering the aps clear atm slot/subslot/port command.
CSCea37133	When you configure automatic protection switching (APS) switchover on the 4-port OC-3 ATM line card, entering the show controller atm slot/subslot/port command for the ATM port displays a signal degrade status for both the protection port and the working port. Workaround: Wait more than 2 minutes to allow the signal degrade status to clear or use the aps signal-degrade BER threshold 6 command or the aps signal-degrade BER threshold 7 command for the ATM interface.
CSCea45943	In a Cisco 10000 chassis with redundant PREs, after a switchover from the primary PRE to the secondary PRE, the traffic rate of the single-port OC-12 ATM line card is low. Workaround: There is no workaround for this problem.
CSCea46149	If you connect a test analyzer to the 6-port channelized T3 line card, and you configure a T1 under a T3 controller, and the line card and the test analyzer are both set to Extended Superframe (ESF) framing, the T1 does not start up. Workaround: There is no workaround for this problem.
CSCea52741	If the Cisco 10000 series router reloads unexpectedly, any On-Demand Address Pools (ODAP) subnets allocated from the Cisco Network Registrar (CNR) remain marked as Leased (at the CNR). Workaround: There is currently no workaround to this problem. However, if this should occur, the subnets are released when the Lease time expires, or they may be released manually through the CNR Command Line Interface (CLI).
CSCea66654	Channelized interfaces with access control lists (ACLs) configured might show an incorrect ACL status even after the ACL is removed from the interface by entering the no ip access acl-name command. This occurs if the interface is rechannelized and the removed ACL is reconfigured on the interface. Workaround: There is no workaround for this problem.
CSCea67815	When you disable 32,000 sessions over 10,000 L2TP tunnels on a Cisco 10000 series router configured as an LNS with RADIUS AAA accounting enabled, the router might terminate the remaining sessions due to the overwhelming number of RADIUS records generated by this event. If this occurs, the following message might appear on the console: `%ALIGN-3-TRACE` Workaround: There is no workaround for this problem.
CSCea70951	A memory allocation error occurs when you attempt to scale a large number of users (for example, 4000 PPPoA Service Selection Gateway [SSG] sessions). All of the connections are established and the show ssg command displays all of the sessions as logged in and active. However, when sessions are dropped, a memory allocation error appears. Workaround: There is no workaround for this problem.
CSCea72016	The channelized OC-12 line card undergoes a watchdog reset when unconfiguring six channelized OC-12 line cards set up with 768 T1s each. This occurs only with a very specific large channelized card setup. This does not occur with five or less channelized OC-12 line cards. Workaround: Unconfigure fewer OC-12 channelized interfaces at one time.
CSCea73477	Packet counters and debug messages on the Cisco 10000 series router cannot be used to accurately count or view Interim Local Management Interface (ILMI) keepalive messages. This is because basic ILMI configurations generate bursts of ILMI transactions between the Cisco 10000 series router and adjacent ATM switches. For example, if you connect an OC-3 ATM line card that is installed in a Cisco 10000 series router to a Cisco LS1010 ATM switch, and you enable debugging using the debug atm ilmi command, the packet counters for the ILMI PVC increment to match the bursts of packets. Workaround: There is currently no workaround for this problem. However, this problem does not affect the performance or operation of the router.
CSCea78861	If you enter the ip verify unicast rpf command for a virtual template, the calls-per-second rate is reduced. Workaround: There is currently no workaround for this problem. However, this problem only reduces the calls-per-second rate and does not affect the performance of the router.
CSCea81015	If you configure the management Ethernet port (fastethernet 0/0/0) on the PRE (Part Number ESR-PRE2) front panel using the ip address dhcp command, the port does not acquire an IP address. Workaround: Configure the fastethernet 0/0/0 interface with a static IP address.
CSCeb01499	The following traceback message displays in the log after you enter the hardware subslot shutdown, no card, and no hardware subslot shutdown or card 24che1t1 mode t1 commands: `May 2 23:31:53: %IPCGRP-3-SYSCALL: System call for command 409 (slot4/0) : ipc_send_rpc_blocked failed (Cause: retry queue flush)-Traceback= 6046B1EC 6046B4C0 6046BD5CMay 2 23:31:54: %IPCOIR-4-REPEATMSG: IPC handle already exists for 4/0` Workaround: There is no workaround for this problem.
CSCeb26165	While the Cisco 10000 series router terminates PPP sessions and uses RADIUS accounting, the router generates both Accounting-Stop and Accounting-Off messages when you enter the reload command. Workaround: There is no workaround for this problem.
CSCeb33056	The Cisco 10000 series router frequently displays the following interprocess communications (IPC) queue full message: `00:15:49: %IPCGRP-6-NBLKCMD_Q_FULL: Nonblocking IPC command queue full (60 commands) <---` Workaround: There is no workaround for this problem.
CSCeb35104	Configurations with a very large number of subinterfaces (for example, 32,000) might experience slow PPP over Ethernet over ATM (PPPoEoA) session clearing. Workaround: There is no workaround for this problem.
CSCeb36330	When a range of VCs are configured for autoprovisioning, if you shut down one of the VCs in the range by using the pvc-in-range command, the following message scrolls on the console until you start the VC again: `Jun 11 09:09:33.215: %ATM-5-UPDOWN: Interface ATM3/0/0.100, Changing autovc 3/101 to ADMIN_DOWN` Workaround: There is no workaround for this problem.
CSCeb51344	RADIUS configurations that use lcp: in the VSAs are not usable when they are downloaded and are to be VRF-aware on the Cisco 10000 series router. When downloading routes from RADIUS that are configured using Internet Engineering Task Force (IETF) attributes, sessions are established as expected and the routing table lists the routes as per-user routes. Workaround: There is no workaround for this problem.
CSCeb53208	The Cisco 10000 router creates PPP sessions without allocating a virtual circuit connection identifier (VCCI). Workaround: There is no workaround for this problem.
CSCeb53474	With TACACS configured on the Cisco 10000 series router, the secondary PRE (part number ESR-PRE2) console attempts TACACS authentication using the Fa0/0/0 interface. Before notifying the user that the secondary console is unavailable, the secondary PRE incorrectly attempts to contact the TACACS server for user authentication. The secondary PRE should not attempt to contact the TACACS server or it should try to contact the TACACS server using the primary PRE. Workaround: There is no workaround for this problem.
CSCeb77168	If two users are logged into the router, and one user begins a save of the system configuration to removable flash media while another user initiates a system reload, the configuration file on the removable media becomes corrupted and no file operations are possible on the file (erase, copy, and overwrite do not work). Workaround: Reformat the removable media after saving any pertinent files to another location, or delete the corrupted file from a PC.
CSCeb77178	If you want to store a configuration locally on removable flash media disk0 and you are using the boot config statement and the boot config environment variable to point to the same configuration file on disk0, the file is not automatically synchronized to disk0 on the redundant PRE (sec-disk0). In the event of a failure, the backup PRE would not have access to the current configuration file. Workaround: Store the configuration file on a remote server. Or manually copy the configuration file stored on disk0 to sec-disk0 whenever a configuration change is made.
CSCec23078	The parallel express forwarding (PXF) engine might fail due to invalid commands being issued to the PXF. This occurs when an L2TP Network Server (LNS) receives a large IP packet from the IP cloud, the destination IP address is a PPP session to a DSL customer, and netflow is enabled on the ingress interface. The size of the packet received from the trunk and going into the L2TP tunnel must exceed the tunnel minimum transmission unit (MTU) so that fragmentation occurs. Workaround: Disable netflow on the LNS.
CSCec24597	When configuring a constant bit rate permanent virtual circuit (CBR PVC) using a test script, a traceback message appeared and the router did not create the CBR PVC. Workaround: There is no workaround for this problem.
CSCec61602	A memory leak occurs when a large number of SSG users are logged in and SSG accounting is enabled. Using the show memory summary command, the number of free bytes for processor and I/O memory diminishes rapidly and with 32,000 sessions, the memory can diminish to zero after approximately 24 hours. Workaround: Disable SSG accounting.
CSCin46447	When you disable SSG traffic policing on the router by entering the no ssg qos police user and the no ssg qos police session commands, the router continues to police the traffic for the existing host/connection. Workaround: There is no workaround for this problem.

Resolved Caveats—Cisco IOS Release 12.2(16)BX2

This section describes caveats that were fixed in Cisco IOS Release 12.2(16)BX2.

For information about caveats fixed in other Cisco IOS releases, see the appropriate release notes document at the following URL:

If the primary PRE failed, and the primary PRE switched over to the secondary (redundant) PRE, ODAP subnets that had been allocated to the previously active primary PRE remained marked as Leased by the Access Registrar (AR). This has been fixed.

If you performed a tftp copy of a running configuration greater than 5 MB to a trivial file transfer protocol (TFTP) server, the copy failed. This has been fixed.

If you opened two configuration sessions on the PRE (Part Number ESR-PRE2) from two console devices, a failure message appeared on the console devices stating that simultaneous configuration was not supported. This has been fixed.

When SSG traffic was redirected because users were not authorized for services, CPU usage was high and throughput was limited. This is expected behavior for the amount of traffic stress on the route processor (RP).

Traceback messages appeared while configuring static multicast routes. This has been fixed.

When an ATM interface was configured as unnumbered, the Cisco 10000 series router did not forward routed bridge encapsulation (RBE) traffic to RBE clients because the router configuration was incorrect.

The Cisco 10000 router supports the Dynamic Host Configuration Protocol (DHCP) relay agent information option (Option 82) feature when ATM RBE is used to configure DSL access. The DHCP server must be configured on the router. The ip helper-address command must be configured on the ATM interface and the dhcp relay command must be configured to communicate with the DHCP server. The loopback interface is part of the VRF.

(Duplicate of CSCea34048) The Cisco 10000 series router did not create the virtual access interface (VAI) if the RADIUS user profile included Frame-Compression attribute-value pair (AVP). If the AVP for compression was removed from the user profile, the router created the VAI. This has been fixed.

Nested policies configured on the main interface of the Gigabit Ethernet (GE) line card did not work. Nested policies configured on GE subinterfaces did work properly.

Nested policies are intended to be used only on subinterfaces and not on main interfaces. A nested policy is not necessary to shape off the main interface. Nested policies are functional only on subinterfaces such as IEEE 802.1Q VLAN GE subinterfaces and ATM VCs.

On the 8-port DS3/E3 ATM line card, F5 Operation, Administration, and Maintenance (OAM) Rate Limiting did not properly drop the OAM cells that exceeded the rate limit.

The Cisco 10000 router does not support the OAM Rate Limiting feature for Cisco IOS Release 12.2(16)BX.

During sweep ping testing of the 8-port DS3/E3 line card, a single ping failure occurred. This has been fixed.

When a VC class had an autoppp encapsulation configured, if you created a new VC class by entering the vc-class command or you made changes to an existing VC class, the Cisco 10000 series router deleted all of the VCs that were included in the VC class with autoppp encapsulation and then created the VCs again. This has been fixed.

When a service policy was configured in a virtual template, the following error message appeared as the session was being established:

This was not an error condition. This message was an obsolete message. The service policy was applied as expected. This has been fixed.

When you hot swapped an 8-port DS3/E3 ATM line card with a 1-port OC-12 POS line card, the following traceback message appeared. The Cisco 10000 series router properly provisioned the 1-port OC-12 POS line card.

After you issued a debug qos-set command, the debug output of the command was not disabled with the no debug all command and it did not appear in the output of the show debug command. This has been fixed.

When a user profile on the RADIUS server included the AV-pair Framed-Compression = None, the virtual interface was created on the router. The fix that enabled the virtual interface (CSCeb41285) caused another issue. When the router negotiated the parameters for the session with the RADIUS server, a full VAI was created if the AV-pair Framed-Compression existed in the user profile.

This is expected behavior for the Framed-Compression command. The None option is used to turn off VJ header compression and it always creates full VAIs.

(Duplicate of CSCec71906) The PPPoEoA call setup rate with per-user ACLs did not exceed 22 calls per second (cps), which was significantly lower than the expected performance of 50 cps. This has been fixed.

If you loaded a Field Diagnostics image from disk0, the router could fail. This has been fixed.

When a service policy was applied to the interface, traffic was dropped in the default queue. Reloading the router fixed the problem. This has been fixed.

When deleting an explicitly configured default queue from the service policy, the default queue was deleted in the PXF. This resulted in packets being dropped when they were sent to the default queue. If the complete service policy was then removed from the interface, the packet priority queue was the only queue present in the PXF for the interface. All traffic was dropped. This has been fixed.

When starting up 32,000 sessions, SYS-3-CPUHOG messages for the Simple Network Management Protocol (SNMP) engine sometimes appeared. This occurred when the Cisco 10000 router was polling SNMP MIBs.

The Cisco 10000 router does not support CISCO-ATM-PVCTRAP-EXTN-MIB for a large number of PVCs (for example, 32,000 PVCs). Therefore, you must exclude the CISCOATMPVCTRAPEXTNMIB oid-tree from the SNMP view. To do this, enter the following commands in global configuration mode:

The PXF failed when the Cisco 10000 router functioned as an L2TP Network Server (LNS). This occurred only when a packet was reassembled, multihop tunnel-switched, and then fragmented going into the other L2TP tunnel. This has been fixed.

A software watchdog event occurred while defragmenting Dynamic ACL memory allocations. This has been fixed.

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain TCP stack are susceptible to this vulnerability.

Other Caveats

This section includes caveats listed in previous release notes that are regarded as resolved because they are either unreproducible, they were reported in error, or they do not affect the behavior of the Cisco 10000 series router. If a caveat listed in this section causes problems, contact Cisco customer service. See the "Obtaining Technical Assistance" section.

The LNS sends keepalives at an incorrect interval. We have been unable to reproduce this problem.

Previously, it was reported that the output of the show controller e1 command showed the status of the E1 controller on the 24-port channelized E1/T1 line card as down when it was actually up. We have been unable to reproduce this problem.

In rare circumstances, if you enter the hw-module slot slot shutdown command followed by the no card command, the router reloads unexpectedly. This problem rarely occurs and you are unlikely to experience it. We have been unable to reproduce this problem.

A client was unable to ping the SSG access side downlink interface. This occurred when an SSG interface was configured as a downlink interface and routing with bridged encapsulation was configured. We have been unable to reproduce this problem.

Multiple memory leaks occurred while testing the Cisco IOS Release 12.2(16)BX image. We have been unable to reproduce this problem.

When 61,500 PPPoEoA sessions were active and SNMP was running in the background, executing the show ios command caused the following traceback message to appear:

Table Of Contents

Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.2(16)BX2

Contents