Cisco IOS Release 12.2(16)BX

These release notes provide information about Cisco IOS Release 12.2(16)BX, which provides Service Selection Gateway features for the Cisco 10000 series Internet router.

These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.

To review the release notes for Cisco IOS Release 12.0(20)ST, go to the following URL:

To review the release notes for Cisco IOS Release 12.2, go to the following URL:

Cisco Security Advisory

Cisco routers and switches that are running Cisco IOS software and that are configured to process Internet Protocol Version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device might cause the input interface to stop processing traffic when the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices that are running only IP Version 6 (IPv6) are not affected.

System Requirements

Cisco IOS Release 12.2(16)BX requires that you have the performance routing engine (PRE), Part Number ESR-PRE2 installed in the Cisco 10000 chassis. To verify which PRE is installed in the router, use the show version command.

Upgrading to a New Software Release

For general information about upgrading to a new software release, refer to the product bulletin Cisco IOS Upgrade Ordering Instructions.

New Features—Cisco IOS Release 12.2(16)BX

The following new features and improvements are supported on the Cisco 10000 series Internet router in Cisco IOS Release 12.2(16)BX:

Service Selection Gateway

The Cisco 10000 series router supports the following Service Selection Gateway (SSG) features in Cisco IOS Release 12.2(16)BX:

•

Network side—ATM PVCs and subinterfaces, Ethernet interfaces and subinterfaces, POS interfaces, serial and channelized interfaces

The following sections describe the Service Selection Gateway features. For more information on configuring these features, refer to the Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide.

Single Host Logon

The Single Host Logon feature enables SESM to authenticate subscribers by using the PPP authenticated information from the SSG; a subscriber does not need to log on to the SESM. To log on to a service through the SESM web application, a subscriber enters authentication information once for the PPP session and once for the service.

For non-PPP users, when a subscriber authenticates using the SESM application, the subscriber does not have to log on again for the remainder of the non-PPP session. However, the subscriber still has to log on to services.

SSG Autologoff

The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.

SSG Prepaid and SSG Prepaid Idle Timeout

The SSG Prepaid feature allows a user to connect to a service if the user has prepaid for the service. The SSG Prepaid feature is time-based only.

When SSG Prepaid is configured, SSG checks a subscriber's available credit to determine whether to connect the subscriber to the service and how long the connection can last. The billing server administers the subscriber's credit as a series of quotas. These quotas are allotments of available credit and represent the duration of use.

The SSG Prepaid Idle Timeout feature enables SSG to return residual quotas (allotments of prepaid credit) to the billing server from services that a user is logged into but not actively using. The SSG can reauthorize a user before the user completely consumes the allocated quota. The SSG Prepaid Idle Timeout feature also enhances the handling of a returned zero quota from the billing server. A user's connection to services can be open even when the billing server returns a zero quota. The SSG can notify the billing server when a connection fails, enabling the billing server to free quota reserved for the failed connection.

SSG Session and Idle Timeout

The Session-Timeout RADIUS attribute and the Idle-Timeout RADIUS attribute are two mechanisms used to prevent the SSG from continuing to allow traffic to pass from the IP address of a user who has disconnected from the network access server without logging out from the SSG. These attributes specify the following:

•

Session-Timeout RADIUS attribute—Specifies the maximum length of time for which a host or connection object can remain continuously active.

•

Idle-Timeout RADIUS attribute—Specifies the maximum length of time for which a session or connection can remain idle before it is disconnected.

SSG Full Username RADIUS Attribute

The Full Username RADIUS attribute allows SSG to include the user's full username and domain (user@service) in the RADIUS authentication and accounting requests.

Account Login and Logout

SSG sends a RADIUS accounting-request record to the local RADIUS server when a user logs in to or out of the SSG. The Acct-Status-Type attribute included in the accounting-request record indicates if the accounting-request marks the start of the user service or the end of the service.

When a user logs in, SSG sends an accounting-start record to RADIUS. When a user logs out, SSG sends an accounting-stop record.

Service Connection and Termination

SSG also sends a RADIUS accounting-request record to the local RADIUS server when a user accesses or terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.

When a user accesses a service, SSG sends an accounting-start record to RADIUS. When a user terminates a service, SSG sends an accounting-stop record.

PPP Terminated Aggregation

PPP terminated aggregation (PTA) is a PPP selection method in which service selection is based on a structured domain name (for example, username@service.com). PTA terminates the PPP session into a single routing domain. Users can only access one service and users do not have access to the default network or SESM.

The PTA-MD exclusion list allows you to create a set of domains that you want to exclude from SSG processing.

PTA-Multidomain

PTA-Multidomain (PTA-MD) is a PPP selection method in which service selection is based on a structured domain name (for example, username@service.com). PTA-MD terminates the PPP sessions into multiple IP routing domains. SSG features and processing are applied to the user traffic and users can access one or more services at a time. PTA-MD service selection supports a wholesale VPN model where each domain is isolated from the other and has the capability to support overlapping IP addresses.

Web Service Selection

Web service selection enables users to concurrently access multiple on-demand services from a list of personalized services. The Cisco 10000 series Internet router supports the Cisco Subscriber Edge Services Manager (SESM) application for web service selection.

The SESM application provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser. They do not need to download any software or plug-ins to use the SESM web pages. After a subscriber successfully authenticates, the SESM web application presents a list of services that the subscriber is currently authorized to use. The subscriber can gain access to one or more of those services by selecting them from a web page. Alternatively, an automatic connection feature might provide automatic connection to services.

SSG AutoDomain

The SSG AutoDomain feature allows users to automatically connect to a service based on the domain part of the structured username specified in an Access-Request. When SSG AutoDomain is configured, user authentication is performed at the service (for example, at the AAA server within a corporate network), instead of at the network access server (NAS).

SSG Open Garden

An Open Garden is a collection of networks or web sites that subscribers can access as long as they have physical access to the network. Subscribers do not have to provide authentication information before accessing the networks in an Open Garden. The network is not restricted by service selection, subscription, or policing.

SSG Port-Bundle Host Key

The SSG Port-Bundle Host Key feature enhances communication and functionality between SSG and SESM by introducing a mechanism that uses the host source IP address and source port to identify and monitor subscribers. With the SSG Port-Bundle Host Key feature, SSG performs port-address translation (PAT) and network-address translation (NAT) on the HTTP traffic between the subscriber and the SESM server.

Exclude Networks

The Exclude Networks feature allows you to specify networks that you do not want users to automatically log on to.

Mutually Exclusive Service Selection

The Mutually Exclusive Service Selection feature restricts a subscriber to accessing only one service at a time in a specified group of services.

Service Profiles and Cached Service Profiles

Service profiles define the services that subscribers can select. Each service that is accessible has a profile that defines the attributes of the service. Service profiles are configured on the RADIUS server or directly on the Cisco 10000 series Internet router. The RADIUS server or SESM downloads the service profiles to the router as needed.

The Cached Service Profiles feature enables SSG to use a cached copy of a service profile instead of downloading the profile from RADIUS every time a user logs on to the service.

SSG Hierarchical Policing

The traffic policing feature limits the transmission rate of traffic entering or leaving a node. In SSG, traffic policing can be used to allocate bandwidth between subscribers and between services to a particular subscriber to ensure all types of services are allocated a proper amount of bandwidth. SSG uses per-user and per-service policing to ensure bandwidth is distributed properly between subscribers (per-user policing) and between services to a particular subscriber (per-session policing). Because these policing techniques are hierarchical in nature (bandwidth can be first policed between users and then policed again between services to a particular user), the feature is called SSG Hierarchical Policing.

Transparent Passthrough

The Transparent Passthrough feature allows unauthenticated traffic to pass through an interface. Interfaces configured as transparent passthrough are treated as Cisco IOS interfaces and not SSG interfaces. The Cisco 10000 series Internet router can receive transparent passthrough traffic on both the access side and the network side. When an interface is configured as transparent passthrough, SSG does not process the traffic to and from the interface or apply SSG features. Instead, Cisco IOS software processes the traffic and applies Cisco IOS features.

Multicast Protocols on SSG Interfaces

SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets. The multicast traffic is separate from the SSG traffic and is routed through normal Cisco IOS processing and features; it is not routed through SSG authentication or features such as per-service statistics or hierarchical policing.

SSG TCP Redirect

The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.

For more information, refer to the "Service Selection Gateway" chapter in the Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide.

VPI/VCI Static Binding to a Service Profile

The VPI/VCI Static Binding to a Service Profile feature allows users accessing SSG through a VPI/VCI or a range of VPI/VCIs to access the server. When a user session arrives on a VPI/VCI or a VPI/VCI range and the session specifies the username but does not specify the domain name, SSG maps the user session to the service to which the VPI/VCI or VPI/VCI range is bound.

RADIUS Virtual Circuit Logging

RADIUS Virtual Circuit (VC) Logging extends and modifies the RADIUS network access server (NAS) port field to carry VPI/VCI information. With RADIUS VC Logging enabled, the Cisco 10000 Internet router (the SSG node) can send NAS port information to the RADIUS server, accurately recording the virtual path interface (VPI) and virtual circuit interface (VCI) of an incoming user or subscriber session. The VPI/VCI of the incoming permanent virtual circuit (PVC) is recorded at the point of entry on SSG, which offers the RADIUS client a unique VPI/VCI for each incoming PVC. This information is logged in the RADIUS accounting record that was created at session startup.

AAA Server Group Support for Proxy Services

The AAA Server Group Support for Proxy Services feature allows you to configure multiple AAA servers for redundancy. The RADIUS Server attribute enables AAA server group support for proxy services. Each group is associated with a service that requires proxy RADIUS AAA. You can configure each remote RADIUS server with timeout and retransmission parameters. When necessary, the SSG performs failover among the servers in the predefined group.

Packet Filtering

The Cisco 10000 series Internet router supports per-user access control lists (ACLs) to prevent users from accessing specific IP addresses and ports. When an ACL attribute is added to a user profile, the attribute applies globally to all the user's traffic.

SSG accepts Cisco IOS ACLs and SSG ACLs. SSG ACLs take precedence over Cisco IOS ACLs when both Cisco IOS and SSG ACLs are configured on the same SSG interface.

An SSG ACL can have a maximum of 8 access-list entries (ACEs). If you use the TCP Redirect feature, TCP Redirect uses one of the 8 ACEs; therefore, you can configure only 7 ACEs.

SSG Unconfig

The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured.

SSG Unconfig removes SSG allocated resources when you globally disable SSG after it was enabled. When you enable SSG, the SSG subsystem in the Cisco IOS software acquires system resources that are never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean up system resources when SSG is not in use.

Per-Service Statistics

The Cisco 10000 series Internet router collects statistics about router interfaces and the connections to them in both the input and output directions. Cisco CLI commands, such as show interface, are used to display information about the interfaces. SSG commands, such as show ssg connection, are used to display information about the connection to the router.

Field Diagnostics

Field Diagnostics provides customers with a method of testing and verifying line card hardware problems.

If you would like to perform a hardware diagnostic test on any line card in your Cisco 10000 series router, a Field Diagnostic image can be downloaded free of charge from Cisco Systems and used to test whether the line card problems are indeed due to faulty hardware. The test results will verify whether or not the hardware is faulty.

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/tblshoot/fdiags/index.htm

8-Port DS3/E3 ATM Line Card

The 8-port DS3/E3 ATM line card is a full height card that provides eight DS3 or E3 connections to ATM networks. The line card functionality focuses on Layer 2 ATM services and relies on the performance routing engine (PRE, Part Number ESR-PRE2) to provide Layer 3 services. The DS3/E3 ATM line card receives and transmits ATM cells on the physical interfaces while transmitting and receiving packets from the backplane.

–

Supports up to 32,000 VCs per line card, maximum of 4,000 VCs per port, all 16 VCI and 8 VPI bits are available

Mixing DSX3 modes on a per port basis is not supported. When you configure the 8-port E3/DS3 ATM line card for a DSX3 mode, all eight ports of the line card operate in the mode you have selected.

The DS3/E3 ATM line card supports the following throughput rates and ATM framing for the specified DSX3 modes:

Cisco 10000 Series Router MIB Enhancements

Software Features Supported on the Cisco 10000 Series Router

DSX3 Mode	Throughput Rate	ATM Framing
T3 ADM	44200 Kbps	CBIT or M23
T3 PLCP	40700 Kbps	CBIT or M23
E3 ADM	34000 Kbps	G.751 or G.832
E3 PLCP	30600 Kbps	G.751 only

Table 1 lists the leased line features based on Cisco IOS Release 12.0(20)ST, and supported in the Cisco 10000 series router.

Limitations and Restrictions

This section describes limitations and restrictions for the following areas. Be sure to review these limitations and restrictions before you use the Cisco 10000 series router.

L2TP Tunnel Authorization

Cisco 10000 router supports L2TP tunnel authorization. However, RADIUS does not provide attributes for such parameter values as L2TP tunnel timeouts, L2TP tunnel hello intervals, and L2TP tunnel receive window size. When the Cisco 10000 router does not receive a RADIUS attribute for a parameter, the router uses the default value.

Broadband Aggregation Groups

Cisco IOS Release 12.2(15)BX or later does not support the configuration of Broadband Aggregation (BBA) groups using RADIUS. You must configure BBA groups manually.

ATM PXF Queuing

Table 1 Software Features Based on Cisco IOS Release 12.0(20)ST
Administration	Cisco Discovery Protocol (CDP) Simple Network Management Protocol (SNMP)
Availability	Route Processing Redundancy Plus (RPR+)
Encapsulations	Ethernet High-Level Data Link Control (HDLC) Point-to-Point (PPP) Multilink Point-to-Point (MLP)
Multiprotocol Label Switching	Multiprotocol Label Switching Virtual Private Network (MPLS/VPN) edge services 802.1q PXF switching for ARPA encapsulation
Multicast Features	Multicast Static Routes Multicast Routing Monitor (MRM)
Multicast Services	Internet Group Management Protocol (IGMP) Protocol-Independent Multicast (PIM) Distance Vector Multicast Routing Protocol (DVMRP) Cisco Group Management Protocol (CGMP) Unidirectional Link Routing (UDLR) Session Directory Protocol (SDP) Multicast Source Discovery Protocol (MSDP) Border Gateway Protocol (BGP)
Routing Protocols	Border Gateway Protocol (BGP) Intermediate System-to-Intermediate System (IS-IS) Open Shortest Path First (OSPF) Interior Gateway Routing Protocol (IGRP) Enhanced Interior Gateway Routing Protocol (EIGRP) Routing Information Protocol (RIP) Policy Based Routing (PBR)
Security Features	Standard and extended access lists Authentication, Authorization, and Accounting (AAA) Kerberos authentication and client support on Telnet RADIUS authentication Terminal Access Controller Access Control System Plus (TACACS+)

If you intend to disable ATM PXF queuing, to ensure reliable operation you must enter the no atm pxf queuing mode command before you configure any VCs on an interface. If you have already configured VCs on an interface and you need to change the mode of ATM PXF queuing, remove the VCs from the configuration and then change the ATM PXF queuing mode.

Dynamic Bandwidth Selection

The Cisco 10000 series router does not support Dynamic Bandwidth Selection (DBS) on VP tunnels.

QoS Service Policy on a Virtual Access Interface

If you apply an output QoS service policy on a virtual-access interface, and that virtual access interface is L2TP tunneled (When the router is configured as an LNS, for example) and the service policy indicates that the TOS or DSCP bits should be set (with the set ip command, for example), the router sends the packets as-is, without changing the IP Precedence bits or DSCP bits. The outer header gets the correct value, but the inner header is not changed.

CISCO-VPDN-MGMT MIB

SNMP limits the size of Virtual Private Dialup Network (VPDN) template names to 128 characters. This affects the functionality of the CISCO-VPDN-MGMT MIB. Due to this restriction, if any template name (cvpdnTemplateName) in the cvpdnTemplateTable exceeds 128 characters, you cannot use an SNMP getmany request to retrieve any table entries. Instead, you must use individual getone requests to retrieve each template name that does not exceed 128 characters. For more information, refer to the Cisco 10000 Series Internet Router Broadband MIB Specifications Guide.

AAA Method Lists

Cisco IOS Release 12.2(14)BX supports a maximum of 99 authentication, authorization, and accounting (AAA) method lists. If you configure more than 99 AAA method lists using the aaa authentication ppp or aaa authorization network command, traceback messages appear on the console.

Unshaped UBR PVCs

Cisco IOS Release 12.2(15)BX or later supports a maximum of 8000 unshaped UBR VCs on the OC-12 ATM line card. An unshaped UBR PVC is a PVC that has no rate configured on it. You can configure up to 16,000 shaped UBR VCs per port on the OC-12 line card if you configure the VCs with a shaped rate of less than 299 Mbps.

Shaped UBR PVCs

Controlling the Rate of Logging Messages

It is important that you limit the rate that system messages are logged by the Cisco 10000 series router. This helps to avoid a situation in which the router becomes unstable and the CPU is overloaded. To control the output of messages from the system, use the logging rate-limit command.

This rate-limits all messages to the console to 10 per second, except for messages with critical priority (level 3) or greater.

For more information on the logging rate-limit command, refer to the Cisco IOS Configuration Fundamentals Command Reference.

Testing Performance of High-Speed Interfaces

Cisco IOS software running on the Cisco 10000 series router has multiple queues for all classes of traffic over high-speed interfaces. The software selects a queue based on the source and destination address of the packet. This ensures that a traffic flow always uses the same queue and the packets are transmitted in proper order.

When the Cisco 10000 series router is installed in a real network, the high-speed interfaces work efficiently to spread traffic flow equally over the queues. However, using single traffic streams in a laboratory environment might result in less-than-expected performance.

Therefore, to ensure accurate test results, you should test the throughput of the gigabit Ethernet, POS, or ATM uplink with multiple source or destination addresses.

Tip

To determine if traffic is being properly distributed, use the show pxf cpu queue command.

Important Notes

This section provides important information about the following items for Cisco IOS Release 12.2(16)BX:

Provisioning for Scaling

The following configuration parameters enhance scalability on the Cisco 10000 series router:

To configure the Cisco 10000 series router for high scalability, be sure to configure the configuration parameters as described in the sections that follow.

PPPoA Sessions with IP QoS Static Routes

To scale to 32,000 PPPoA sessions with IP QoS enabled, you must limit the number of IP QoS static routes to 4,000 unidirectional QoS static routes.

AAA Authentication on the NME Port

If you use AAA authentication on the NME port, set both the in and out interface hold queues to 4096. For example:

Call Admission Control

We recommend that you set the Call Admission Control (CAC) to a maximum of 95. For example:

Inserting a New Line Card

Unlike other Cisco routers, if you insert a new or different line card into a Cisco 10000 chassis slot that previously had a line card installed, the line card initially reports that it is administratively up.

Open Caveats—Cisco IOS Release 12.2(16)BX

Table 2 Open Caveats in Cisco IOS Release 12.2(16)BX
Caveat	Description
CSCdy79740	If 32,000 PPPoA sessions, 99 VRFs, RADIUS authentication, and the per vrf aaa case command are configured on the Cisco 10000 series router, and you insert or remove a line card, the PPPoA sessions disconnect within 45 seconds of the OIR event. When this happens, the following traceback message might appear on the console: `[%IPRT-4-ROUTECOUNTNEGATIVE]` Workaround: None.
CSCea27261	The network access server (NAS) sends an unwanted Access request for PPP terminated aggregation (PTA). When you configure virtual private dial-up network (VPDN) with RADIUS, a double RADIUS lookup occurs. This decreases performance on a RADIUS server with a large number of additional RADIUS requests. Workaround: None.
CSCea30354	When the 8-port DS3/E3 ATM line card is configured for DS3 ADM or DS3 PLCP DSX3 mode, and the line card is connected back-to-back with another 8-port DS3/E3 ATM line card, the DS3/E3 ATM interface on the first line card counts a large quantity of 00F events when you shut down the interface on the far-end ATM device. Workaround: None.
CSCea35508	The throughput of Frame Relay traffic might be up to 5 percent lower than the maximum possible throughput. Workaround: None.
CSCea37019	The Cisco 10000 series router displays a bus fault error when Automatic Protection Switching (APS) is configured on the OC-12 ATM line card. Workaround: None.
CSCea37038	If APS is configured using the aps force atm <slot/subslot/port> from protect command on the 4-port OC-3 line card or the single-port OC-12 ATM line card, and a signal failure is received on the port of either line card, the output of the show interface atm <slot/subslot/port> command might indicate the interface is up instead of down. Workaround: Clear the force state as soon as the port has been designated as working, by entering the aps clear atm <slot/subslot/port> command.
CSCea37133	When you configure Automatic Protection System (APS) switchover on the 4-port OC-3 ATM line card, entering the show controller atm slot/subslot/port command for the ATM port displays a signal degrade status for both the protection port and the working port. Workaround: Wait more than 2 minutes to allow the signal degrade status to clear or use the aps signal-degrade BER threshold 6 command or the aps signal-degrade BER threshold 7 command for the ATM interface.
CSCea41145	The output of the show vpdn tunnel summary command fails to display tunnels that have no-session timeout (set using the l2tp timeout no-session timeout never command). Workaround: Do not set the no session timeout to never. In the following example, the no-session timeout is set to 30: `router# l2tp timeout no-session 30`
CSCea45943	In a Cisco 10000 chassis with redundant PREs, after a switch-over from the primary PRE to the secondary PRE, the traffic rate of the single-port OC-12 ATM line card is low. Workaround: None.
CSCea46149	If you connect a test analyzer to the 6-port channelized T3 line card, and you configure a T1 under a T3 controller, and the line card and the test analyzer are both set to ESF framing, the T1 does not start up. Workaround: None.
CSCea52741	If the Cisco 10000 series router reloads unexpectedly, any ODAP subnets allocated from the Network Registrar (CNR) remain marked as Leased (at the CNR). Workaround: There is currently no workaround to this problem. However, if this should occur, the subnets are released when the Lease-time expires, or they may be released manually through the CNR Command Line Interface (CLI).
CSCea59894	On the 8-port DS3/E3 ATM line card, ILMI discovery is not complete when the line card is operating in the DS3 ADM and DS3 PLCP DSX3 modes. The ILMI state remains in the WaitDevType state and the line card does not discover the adjacent ATM switch information. When operating in the E3 ADM and E3 PLCP DSX3 modes, the line card properly discovers the adjacent ATM switch values. Workaround: None.
CSCea66307	When a large number (for example, 30,000) of established PPP sessions terminate at the same time, the Cisco 10000 series router can exhaust I/O memory. This causes a loss of other services such as maintaining L2TP tunnels and dropping AAA accounting requests to the RADIUS server. Workaround: None.
CSCea66654	Channelized interfaces with ACLs configured might show an incorrect ACL status even after the ACL is removed from the interface by entering the no ip access acl-name command. This occurs if the interface is rechannelized and the removed ACL is reconfigured on the interface. Workaround: None.
CSCea67815	When you disable 32,000 sessions over 10,000 L2TP tunnels on a Cisco 10000 series router configured as an LNS with RADIUS AAA accounting enabled, the router might terminate the remaining sessions due to the overwhelming number of RADIUS records generated by this event. If this occurs, the following message might appear on the console: `%ALIGN-3-TRACE` Workaround: None.
CSCea70951	A memory allocation error occurs when you attempt to scale a large number of users (for example, 4000 PPPoA SSG sessions). All of the connections are established and the show ssg command displays allof the sessions as logged in and active. However, when sessions are dropped, a memory allocation error appears. Workaround: None.
CSCea72016	The channelized OC-12 line card undergoes a watchdog reset when unconfiguring six channelized OC-12 line cards set up with 768 T1s each. This occurs only with a very specific large channelized card setup. This does not occur with five or less channelized OC-12 line cards. Workaround: Unconfigure fewer OC-12 channelized interfaces at one time.
CSCea73477	Packet counters and debug messages on the Cisco 10000 series router cannot be used to accurately count or view ILMI keepalive messages. This is because basic ILMI configurations generate bursts of ILMI transactions between the Cisco 10000 series router and adjacent ATM switches. For example, if you connect an OC-3 ATM line card that is installed in a Cisco 10000 series router to a Cisco LS1010 ATM switch, and you enable debugging using the debug atm ilmi command, the packet counters for the ILMI PVC increment to match the bursts of packets. Workaround: There is currently no workaround for this problem. However, this problem does not affect the performance or operation of the router.
CSCea77321	If the primary PRE fails, and the primary PRE switches over to the secondary (redundant) PRE, ODAP subnets that had been allocated to the previously active primary PRE remain marked as Leased by the Access Registrar (AR) Workaround: Release the sessions associated with the subnets at the AR.
CSCea78861	If you enter the ip verify unicast rpf command for a virtual template, the calls-per-second rate is reduced. Workaround: There is currently no workaround for this problem. However, this problem only reduces the calls-per-second rate and does not affect the performance of the router.
CSCea78890	If you perform a tftp copy of a running configuration greater than 5 MB to a TFTP server, the copy fails. Workaround: Copy the running configuration to the bootflash and then copy the configuration from the bootflash to the TFTP server.
CSCea81015	If you configure the management Ethernet port (fastethernet 0/0/0) on the PRE (Part Number ESR-PRE2) front panel using the ip address dhcp command, the port does not acquire an IP address. Workaround: Configure the fastethernet 0/0/0 interface with a static IP address.
CSCea82309	If you open two configuration sessions on the PRE (Part Number ESR-PRE2) from two console devices, a failure message appears on the console devices stating that simultaneous configuration is not supported. Workaround: There is currently no workaround.
CSCeb01499	The following traceback message displays in the log after you enter the hardware subslot shutdown, no card, and no hardware subslot shutdown or card 24che1t1 mode t1 commands: `May 2 23:31:53: %IPCGRP-3-SYSCALL: System call for command 409 (slot4/0) : ipc_send_rpc_blocked failed (Cause: retry queue flush)-Traceback= 6046B1EC 6046B4C0 6046BD5CMay 2 23:31:54: %IPCOIR-4-REPEATMSG: IPC handle already exists for 4/0` Workaround: None.
CSCeb08194	When SSG traffic is redirected because users are not authorized for services, CPU usage is high and throughput is limited. Workaround: None.
CSCeb17086	Traceback messages appear while configuring static multicast routes. Workaround: None.
CSCeb21692	A client is unable to ping the SSG access side downlink interface. This occurs when an SSG interface is configured as a downlink interface and routing with bridged encapsulation is configured. Workaround: This occurs when a client is not authenticated and the client tries to ping the SSG downlink interface. After a client is authenticated, the client can ping the SSG downlink interface.
CSCeb26162	In some cases, while the Cisco 10000 series router terminates PPP sessions, the router delays the transmission of the RADIUS Accounting-On message for too long, thus clearing the accounting data on the RADIUS server about the sessions that are already established. Workaround: Reset the PPPoX clients that connect too early.
CSCeb26165	While the Cisco 10000 series router terminates PPP sessions and uses RADIUS accounting, the router generates both Accounting-Stop and Accounting-Off messages when you enter the reload command. Workaround: None.
CSCeb30288	The Cisco 10000 series router might be delayed executing the reload command if AAA accounting configured. During this time packets are not forwarded. Workaround: None.
CSCeb31498	When Dynamic Bandwidth Selection (DBS) is enabled on a VC class, DBS fails and displays the following error message: Jun 5 13:21:19.200: %C10K DBS: validate_params() 2/111, vcd 11, QoS type 5, PCR 50, SCR 38 Jun 5 13:21:19.200: %C10K DBS: validate() QoS update rejected PVC 2/111 on VP tunnel Workaround: None.
CSCeb33056	The Cisco 10000 series router frequently displays the following IPC queue full message: `00:15:49: %IPCGRP-6-NBLKCMD_Q_FULL: Nonblocking IPC command queue full (60 commands) <---` Workaround: None.
CSCeb35104	Configurations with a very large number of subinterfaces (for example, 32,000) might experience slow PPPoEoA session clearing. Workaround: None.
CSCeb36330	When a range of VCs are configured for autoprovisioning, if you shut down one of the VCs in the range by using the pvc-in-range command, the following message scrolls on the console until you start the VC again. `Jun 11 09:09:33.215: %ATM-5-UPDOWN: Interface ATM3/0/0.100, Changing autovc 3/101 to ADMIN_DOWN` Workaround: None.
CSCeb38277	When an ATM interface is configured as unnumbered, the Cisco 10000 series router does not forward RBE traffic to RBE clients. Workaround: None.
CSCeb39292	The Cisco 10000 series router is sometimes unable to sync the configuration between the active and standby performance routing engine (PRE). Workaround: None.
CSCeb41285	The Cisco 10000 series router does not create the virtual access interface (VAI) if the RADIUS user profile includes Frame-Compression AVP. If the AVP for compression is removed from the user profile, the router creates the VAI. Workaround: Do not specify framed-compression none in RADIUS profiles.
CSCeb42938	The following traceback message randomly appears: `00:48:42: %AAA-3-BADMETHOD: Cannot process authorization method 1635568848-Process= "AAA Server", ipl= 0, pid= 58-Traceback= 603B6A1C 603AFE24 603B0C58 603B0D78` Workaround: None.
CSCeb44881	When you run L2TP-related tests on the Cisco 10000 series router using Adtech AX4000 automation scripts, the following traceback messages might appear in the log: `*Jun 19 18:28:23.103: %GENERAL-3-EREVENT: Invalid entry Cached -Traceback= 60BF56F4 60BF6174 60AC88F8 60A6F5C4 60A8E894 60A929FC 60A8CC54 60A8D590` Workaround: None.
CSCeb48599	PPPoE accounting does not work properly for PPP termination and L2TP forwarding when the client uses PPPoE. The Cisco 10000 series router accounts for more packets than are actually sent or received. Workaround: None.
CSCeb48677	Nested policies configured on the main interface of the Gigabit Ethernet (GE) line card do not work. Nested policies configured on GE subinterfaces do work properly. Workaround: None.
CSCeb49776	Multiple memory leaks occur while testing the Cisco IOS Release 12.2(16)BX image. Workaround: None.
CSCeb50036	The first time PPPoX sessions with an access control list (ACL) applied by a virtual template arrive at the Cisco 10000 series router, the router applies the ACL to the sessions and establishes the sessions as expected. However, after the performance routing engine (PRE) fails over to the redundant PRE or after a session disconnects and then reconnects with a large number of sessions, the Cisco 10000 series router attempts to apply the ACL before the session is established, which causes the following error message to appear: `c10k_mc_10008(config-if)#03:29:35: %GENERAL-3-EREVENT: ACL not added to interface.-Traceback= 60BC8FA4 6052E378 603373C0 60348204 603483AC 607B4AD8 607B4018 607B4418` After the Cisco 10000 series router establishes the sessions, the router applies the ACL as expected and the ACL is in effect. Workaround: None.
CSCeb51308	When 61,500 PPPoEoA sessions are active and SNMP is running in the background, executing the show ios command causes the following traceback message to appear: `05:21:32:%SYS-3-CPUHOG:Task ran for 4120 msec (464/222),process = Virtual Exec, PC = 604F8360.` Workaround: None.
CSCeb51344	RADIUS configurations that use lcp: in the vendor specific attributes (VSAs) are not usable when they are downloaded and are to be VRF-aware on the Cisco 10000 series router. When downloading routes from RADIUS that are configured using IETF attributes, sessions are established as expected and the routing table lists the routes as per-user routes. Workaround: None.
CSCeb52236	When using the 8-port DS3/E3 ATM line card, PVCs discovered by ILMI can occasionally experience lower than expected throughput performance. Workaround: None.
CSCeb52243	On the 8-port DS3/E3 ATM line card, F5 OAM Rate Limiting does not properly drop the OAM cells that exceed the rate limit. Workaround: None.
CSCeb53208	The Cisco 10000 router creates PPP sessions without allocating a VCCI. Workaround: None.
CSCeb53344	During sweep ping testing of the 8-port DS3/E3 line card, a single ping failure occurs. Workaround: None.
CSCeb53380	Under some conditions, the call setup rate might be less than the rate achieved with Cisco IOS Release 12.2(15)BX. Workaround: None.
CSCeb53474	With TACACs configured on the Cisco 10000 series router, the secondary PRE (Part Number ESR-PRE2) console attempts TACACs authentication using the Fa0/0/0 interface. Before notifying the user that the secondary console is unavailable, the secondary PRE incorrectly attempts to contact the TACACs server for user authentication. The secondary PRE should not attempt to contact the TACACs server or it should try to contact the TACACs server using the primary PRE. Workaround: None.
CSCeb54544	When a VC class has an autoppp encapsulation configured, if you create a new VC class by entering the vc-class command or you make changes to an existing VC class, the Cisco 10000 series router deletes all of the VCs that are included in the VC class with autoppp encapsulation and then creates the VCs again. Workaround: None.
CSCeb54587	When a service policy is configured in a virtual template, the following error message appears as the session is being established: `Couldn't get main subinterface's tt_if_info from c10k_check_should_policy_be_applied` This is not an error condition. This message is an obsolete message. The service policy is applied as expected. Workaround: None.
CSCeb55625	When you hot swap an 8-port DS3/E3 ATM line card with a 1-port OC-12 POS line card, the following traceback message appears. The Cisco 10000 series router properly provisions the 1-port OC-12 POS line card. `Jul 3 08:48:24.990:%C10K-3-LC_ERR:Slot[8/0] 1oc12pos-1 process_oir_set_image_message:cardtype 0x0 not 0x1.Jul 3 08:48:24.990:%IPCOIR-3-LOADER_SERVER_FAIL:Remote server refused to load slot 8/0*Jul 3 08:48:25.066:%GENERAL-3-EREVENT:c10k_icmp_ipaddr_setup:No c10k_tt_hwsb-Traceback= 60BDBB34 60B8B304 60B8BCFC 60B8B664 605171CC 6051A984 60381210 603813F4 6007938C 6048DA04` Workaround: To prevent the traceback message from occurring, first remove the 8-port DS3/E3 ATM line card from the chassis and then remove the line card from the configuration using the no card <slot #> command. You can then insert the 1-port OC-12 POS line card into the chassis.
CSCin46447	When you disable SSG traffic policing on the router by entering the no ssg qos police user and the no ssg qos police session commands, the router continues to police the traffic for the existing host/connection. Workaround: None.

Resolved Caveats—Cisco IOS Release 12.2(16)BX

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

If you enter the show ip dhcp pool command, and if the output to the console is paused (requiring that you press any key to view the second page of that output), the statistics might be incorrect. This has been fixed.

When a PPPoE over Ethernet sessions is connected to the Cisco 10000 series router and the RADIUS NAS-Port format is format a, NAS-Port[5] is set as Virtual (60000 plus the interface number) in SSG. This has been fixed.

(Duplicate of CSCea34862) When an AAA server group is defined in the startup configuration file, the eboot image c10k2-eboot-mz displays the following message on the console:

The eboot image does not need to support AAA because the eboot image does not initialize the AAA routines. The AAA commands in the startup configuration cause this message to appear during system startup. Ignore the message. Cisco IOS Release 12.2(16)BX supports AAA and it is available when the router is initialized.

If you have an OC-48 line card installed in the Cisco 10000 series router that is transmitting and receiving traffic, and you remove it and install a channelized CT3 line card, and you then remove the channelized CT3 line card and re-insert the OC-48 line card, the POS interface flaps continuously.

The online insertion and removal (OIR) feature for the Cisco 10000 series router does not retain configurations when you insert a different type of line card in the same slot. This is expected behavior.

A memory leak might occur on the Cisco 10000 series router during the installation of per user access control lists (ACLs) that are downloaded from a RADIUS server. This has been fixed.

(Duplicate of CSCea40788) When you use the range command to create an oversubscription of VCs in a virtual path (VP), the Cisco 10000 series router cannot create the VCs due to the oversubscription, and returns an error. The router then stops responding. This has been fixed.

SSG fails after a PPP client attempts to log out. This problem happens when an ACL is configured with a PPP user host key. This has been fixed.

Users cannot log back in after the primary PRE switches-over to the redundant PRE. This has been fixed.

When numerous per-user ACLs are configured on the router, the following error and traceback messages might display if the router is busy deleting the unused ACLs of disconnected sessions.

When a Path Link Mismatch (PLM) alarm exists on the 1-port channelized OC-12 line card or the 4-port channelized OC-3 line card, the show controller command for T1 or E1 controller that is configured for SDH framing does not display the PLM alarm. The alarm does display correctly if SONET framing is configured. This has been fixed.

The Cisco 10000 series router takes longer than expected (approximately 90 minutes) to load the 16M configuration file. The elog file indicated that the fib-get-auto-adjacency_fibidb function was sampled at a large percentage (approximately 11%). This has been fixed.

The Cisco 10000 series router takes longer than expected to load the router configuration. If you enter the show parser stat command while the router is loading the configuration, a lot of cache misses display. This has been fixed.

The Cisco 10000 series router is slow to boot when you add the static route improvement patch code. This has been fixed.

The Cisco 10000 series router is slow to load while you set up subinterfaces. This has been fixed.

After the absolute timeout expires for PPPoE sessions with per user ACLs, the router disconnects the sessions. If you then enter the show pxf cpu access-list security command, numerous "Unneeded ACLs" display. This has been fixed.

A bus error occurs when executing the show pxf cpu access-lists security command after sessions time out and start to disconnect. This has been fixed.

A memory leak might occur in the process AAA Per-User when PPPoE sessions are brought up, then torn down, then brought up again. This has been fixed.

You cannot ping the default network when the ip verify unicast reverse-path command is configured under the Virtual Template. You can only ping the default network when you are logged in to the service. This has been fixed. The routes to a downlink interface and SSG hosts are now added to the service VRF tables, which allows RPF checks for SSG hosts that have not yet logged on to any services.

This does not work with static routes added for RPF checks. Only interface network addresses are added to the SSG VRFs. Static routes for hosts are not added to the SSG VRFs and RPF checks might fail. This can occur if you configure the ip unnumbered command on downlink interfaces with static routes.

SSG adds the route when binding the interface. If you change the interface address after the interface is bound, SSG cannot track the interface.

When a user logs out of a session with accounting, the network access server (NAS) ID is incorrect. This problem occurs with the Accounting Stop packet in a PPPoE configuration. This has been fixed.

The Cisco 10000 series router does not send out a TERMREQ when the router clears a PPPoA virtual access interface. This has been fixed.

The Cisco 10000 series router stops responding when you enter the clear interface virtual-access number command for a PPPoA virtual access interface (VAI) with a conditional debug interface turned on. This has been fixed.

On an ATM interface with UBR traffic shaping configured, the router shapes the traffic incorrectly. This does not occur when you set high thresholds. Be careful not to set the thresholds so high that with typical traffic patterns, the SAR buffer becomes full.

The session connection rate appears to be unacceptably slow when SSG accounting is enabled. This has been fixed.

The connection rate for sessions with SSG accounting enabled are typically 3 to 4 percent higher than the connection rate for sessions with SSG accounting disabled. This is due to the time required for the SSG router to receive the accounting information from RADIUS.

The line cards go down and remain down after the Cisco 10000 series router reloads or a forced failover to the redundant performance routing engine (PRE) is executed. This has been fixed.

The Cisco 10000 series router does not update the QoS shaping parameters for a VC when Dynamic Bandwidth Selection (DBS) is enabled on a VC class.

If you enter the show atm pvc dbs command when a PPPoA session is established, the output from the command indicates that RADIUS is sending the AV pairs, but the shaping parameters for the VC are unchanged. The Cisco 10000 series router does not change the VC and instead displays an error message similar to the following:

The Cisco 10000 series router might stop responding while processing turbo ACLs. This has been fixed.

Other Caveats

This section includes caveats listed in previous release notes that are regarded as resolved because they are either unreproducible, they were reported in error, or they do not affect the behavior of the Cisco 10000 series router. If a caveat listed in this section causes problems, contact Cisco customer service.

The L2TP network server (LNS) sends keepalives at an incorrect interval. We have been unable to reproduce this problem.

Previously, it was reported that the output of the show controller e1 command showed the status of the E1 controller on the 24-port channelized E1/T1 line card as down when it was actually up. We have been unable to reproduce this problem.

In rare circumstances, if you enter the hw-module slot <slot> shutdown command followed by the no card command, the router reloads unexpectedly. This problem rarely occurs and you are unlikely to experience it. We have been unable to reproduce this problem.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

•

Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

•

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

•

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn. Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

•

P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

•

P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

•

P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

•

P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

•

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

•

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

•

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

•

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

•

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

Table Of Contents

Release Notes for the Cisco 10000 Series Internet Router for Cisco IOS Release 12.2(16)BX

Contents