Release Notes for Cisco Multiprocessor WAN Application Module with Cisco IOS Release 12.3(5a)B


Cisco IOS Release 12.3(5a)B

These release notes are for Cisco IOS Release 12.3(5a)B running on the Cisco Multiprocessor WAN Application Module (MWAM) in the Cisco 7600 Internet router. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.

For a list of the software caveats that apply to Cisco IOS Release 12.3(5a)B, see the "Caveats" section.

To see the release notes for Cisco IOS Release 12.3, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm.

Contents

This document contains the following sections:

Introduction

System Requirements

New Features

Caveats

MIBs

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Introduction

The Cisco Multiprocessor WAN Application Module (MWAM) is a Cisco IOS software application module that you can install into Cisco 7600 series Internet routers. The MWAM allows you to run multiple instances of Cisco Ethernet Service Aggregation applications, such as L2TP Network Server (LNS) and Service Selection Gateway (SSG) application software.

System Requirements

This section describes system requirements for MWAM with Cisco IOS Release 12.3(5a)B.

Hardware Requirements

MWAM with Cisco IOS Release 12.3(5a)B requires the following hardware components:

Cisco Catalyst 6500 switch/Cisco 7600 series router platform

Cisco Catalyst 6500 series Supervisor Engine 2 module with MSFC 2 daughter card

Cisco MWAM

A Hardware-Software Compatibility Matrix is available on CCO for users with CCO login accounts. This matrix allows users to search for supported hardware components by entering a Cisco platform and Cisco IOS release. The Hardware-Software Compatibility Matrix tool is available at the following URL:

http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Software Requirements

MWAM with Cisco IOS Release 12.3(5a)B requires the following software components:

Cisco IOS Release 12.2(14)ZA5 image on the Cisco Catalyst 6500 series Supervisor Engine 2 module

MWAM software bundle, which includes:

MWAM platform software

Cisco IOS Release 12.3(5a)B image

Cisco IOS Release 12.3(5a)B is a special release that supports Cisco IOS Release 12.(3)1 and the same features that are in previous Cisco IOS Release 12.2 releases, with the addition of MWAM platform support.

Memory Requirements

The MWAM provides two processor complexes that are equipped with 1 GB memory shared between two processors (512 MB each). The remaining processor complex is equipped with 512 MB memory shared between two processors (256 MB each). The total memory capacity for the MWAM is 2.5 GB.

The MWAM memory is not configurable.

Determining the Software Version

To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:

Router# show version
Cisco Internetwork Operating System Software
IOS (tm) MWAM Software (MWAM-G4JS-M), Version 12.3(5a)B, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.

Upgrading to a New Software Release

For information on upgrading to a new software release, see the product bulletin Cisco IOS Software Upgrade Ordering Instructions located at:

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm

For information on upgrading images on the MWAM, refer to the Cisco Multiprocessor WAN Application Module Installation and Configuration Notes for the Cisco 7600 Series Internet Router.


Note: The image download process automatically loads the Cisco IOS image onto the three processor complexes on the MWAM.


Upgrading ROMMON Software

A ROMMON software upgrade is not required for Cisco IOS Release 12.3(5a)B. To perform the ROMMON software upgrade, use the procedure provided in the MWAM User Guide.

New Features

The following is a list of the new hardware and software features supported by the MWAM on the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3B.

New Hardware and Software Features in Cisco IOS Release 12.3(5a)B

There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.

The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.

Remote console support for the MWAM processor control (PC) complex—Remote console support for the PC provides access to the PC using the execute-on command.

Inline Cisco IOS image upgrades—This feature is similar to the Application Partition (AP) upgrade in that both procedures upgrade the image used by the application. However, the inline Cisco IOS image upgrade is performed from the AP, not the Maintenance Partition (MP); therefore, you do not have to reset the module to enter the MP mode to perform the concurrent Cisco IOS image upgrade. However, an MWAM reset is still required to activate the new Cisco IOS image. This new feature eliminates the MP reset step.

Persistent log files—Logs stored on the processor control complex can be used to help diagnose system failures.

These features are provided by a new release of the application partition on the MWAM. For more information, see the Cisco Multiprocessor WAN Application Module Installation and Configuration Notes for the Cisco 7600 Series Internet Router at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/esa_mwam.htm.

New Hardware and Software Features in Cisco IOS Release 12.3(3)B1

There are no new hardware or software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B1.

New Hardware and Software Features in Cisco IOS Release 12.3(3)B

There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B.

The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B:

Attribute Screening for Access Requests Feature

RADIUS NAS-IP-Address Attribute Configurability

SSG Default DNS Redirection

SSG Enhancements

SSG Permanent TCP Redirection

SSG TCP Redirect Enhancements

SSG Transparent Auto-Logon

Attribute Screening for Access Requests Feature

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The Attribute Screening for Access Requests feature allows you to configure a list of outbound "accept" RADIUS attributes on your network access server (NAS) for authorization and authentication purposes. Based on the accept list, the NAS:

Accepts and processes all standard RADIUS attributes

Rejects all standard RADIUS attributes

RADIUS NAS-IP-Address Attribute Configurability

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The RADIUS NAS-IP-Address Attribute Configurability feature allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. You can use this feature for situations in which service providers are using a cluster of small network access servers (NASs) to simulate a large NAS to improve scalability. This feature allows NASs to behave as one, single RADIUS client from the perspective of the RADIUS server.

SSG Default DNS Redirection

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Default DNS Redirection feature allows you to configure a default Domain Name System (DNS) domain in a service profile. When you configure a default DNS domain, all DNS queries that do not match a service with a specific domain name are redirected to the DNS server for a default service.

SSG Enhancements

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Enhancements feature describes Layer 2 Tunneling Protocol (L2TP) enhancements for authentication, service logon, and the interface between the Service Selection Gateway (SSG) and the Subscriber Edge Services Manager (SESM). For Release 12.3(3)B, SSG enhancements include a new Account-Info vendor specific attribute (VSA), an Account-Accept VSA, and a Service-Accept VSA.

The SSG interacts with the SESM through a Remote Authentication Dial-in User Service (RADIUS) interface. SSG Enhancements describe the enhancements to the RADIUS interface to allow a separate Mobile Station ISDN Number (MSISDN) and Challenge Handshake Authentication Protocol (CHAP) for service logon. The SSG Enhancements documentation also describes error codes in the SSG response to the SESM.

For more information, see the SSG Enhancements feature at the following URL:

http://www.cisco.com/univercd//cc/td/doc/product/software/ios123/123newft/123limit/1231abw/ssgenhn.htm

SSG Permanent TCP Redirection

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in public wireless LANs.

SSG TCP Redirect Enhancements

Supported Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The TCP Redirect feature is enhanced to allow access lists to be associated with server groups. You can use this enhancement to limit the kind of traffic that is redirected based on the source or destination IP address and/or TCP ports. You can also use it to redirect different sets of users to different dashboards for unauthenticated user and unauthorized service redirection.

For more information, see the SSG TCP Redirect Enhancements feature at the following URL:

http://www.cisco.com/univercd//cc/td/doc/product/software/ios123/123newft/123limit/1231abw/tcprdrct.htm

SSG Transparent Auto-Logon

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Transparent Auto-Logon (TAL) feature enables the Service Selection Gateway (SSG) to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when the first IP packet is received from the user.

Users can be activated on SSG through web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase.

For more information on the Transparent Auto-Logon feature, see the following URL:

http://www.cisco.com/univercd//cc/td/doc/product/software/ios123/123newft/123limit/1231abw/autologn.htm

New Hardware Features in Cisco IOS Release 12.3(1a)BW

This section describes the new hardware feature supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW.

MWAM on Catalyst 6500/Cisco 7600 Platform

The MWAM provides three SiByte (700MHz) processor complexes. Two of the processor complexes enable dual processors while the third processor complex enables only one processor because of the memory configuration.

Each SiByte complex has a 1 Gigabit Ethernet (GE) interface to the switch fabric. This connection appears as a GE interface from the Cisco Supervisor Engine 2. The MWAM connects to the Catalyst 6500/Cisco 7600 bus for data and control traffic.

For more information, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/esa_mwam.htm

New Software Features in Cisco IOS Release 12.3(1a)BW

This section describes new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW.

IP Pool Backup

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The IP Pool Backup feature introduces two new interface configuration commands, peer pool backup and peer pool static, which allow you to define alternate sources for IP address pools in the event the original address pool is not present or is exhausted.

The peer pool backup command is useful in large-scale dial-out environments with large numbers of independently controlled authentication, authorization, and accounting (AAA) servers that can make it difficult for the network access server (NAS) to provide proper IP address pool resolution in the following cases:

One of the AAA servers introduces a new pool name before that pool is set up on the NAS.

An existing local pool becomes exhausted, but the owner of that AAA server has other pools that would be acceptable as an IP address source.

The peer pool backup command uses the local pool names configured with the peer default ip address pool interface configuration command to supplement the pool names supplied by AAA. You can solve the problems of pool name resolution and specific local pool exhaustion by configuring backup pool names on a per-interface basis using the peer default ip address pool and peer pool backup interface configuration commands.

The peer pool static command controls attempts by the pool software to load dynamic pools in response to a pool request from a specific interface. These dynamic pools load at system startup and refresh whenever you specify a pool name (that is not configured on the NAS) for IP address allocation. Because you can use the peer pool backup interface configuration command to change the behavior of the NAS in response to a missing pool name, you can use the peer pool static command to control attempts to load all dynamic pools when the AAA-supplied pool name is not an existing local pool name.

Multilink PPP Minimum Links Mandatory

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

Multilink PPP allows multiple PPP links to be established in parallel to the same destination. Multilink PPP is often used with dialup lines or ISDN connections to increase the amount of bandwidth between points.

Use the Multilink PPP Minimum Links Mandatory feature to configure the minimum number of links in a Multilink PPP (MLP) bundle required to keep that bundle active. To enable this feature, enter the ppp multilink min-links links mandatory command. When you configure this command:

All Network Control Protocols (NCPs) for an MLP bundle are disabled until the MLP bundle has the required minimum number of links.

When a new link is added to the MLP bundle, bringing the number of links up to the required minimum number of links, the NCPs are activated for the MLP bundle.

When a link is removed from an MLP bundle, causing the number of links to fall below the required minimum number of links for that MLP bundle, the NCPs are again disabled for that MLP bundle.

PPPoE Session Limit Per NAS Port

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

Using the PPPoE Session Limit Per NAS Port feature, you can limit the number of sessions on a specific virtual circuit (VC) or VLAN configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.

A RADIUS server customer profile database maintains the PPPoE session limit per NAS port. This customer profile database connects to a LAC but is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. When the customer profile database receives a preauthorization request from the LAC, it sends the PPPoE per NAS port session limit to the LAC.

When you configure the LAC for SSS preauthorization using the s-subscriber access pppoe pre-authorize command, the LAC accepts or rejects the current call based upon the configured PPPoE per NAS port session limit and the number of calls currently on the NAS port.

You can configure other types of session limits on the LAC such as session limit per VC, per VLAN, per MAC, or a global session limit for the LAC. PPPoE per NAS port session limit overwrites session limit per VC and per VLAN local configurations. If the PPPoE per NAS port session limit fails to download, the configured session limits per VC and per VLAN serve as backup configurations.

Each user connected to the LAC has a user profile in the customer profile database that contains the NAS-IP-Address (Attribute 4) and the NAS-Port-ID (Attribute 5). During SSS preauthorization, the LAC queries the customer profile database using the username. This username defines a Cisco AV pair for the PPPoE per NAS port session limit. When a match occurs, the customer profile database sends the PPPoE per NAS port session limit in the user profile.

RFC 2867 RADIUS Tunnel Accounting

Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The RFC 2867 RADIUS Tunnel Accounting feature introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop). These new accounting types are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.

This feature also introduces two new commands—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—that help identify the following events:

A virtual private dialup network (VPDN) tunnel is brought up or destroyed

A request to create a VPDN tunnel is rejected

A user session within a VPDN tunnel is brought up or brought down

A user session create request is rejected


Note: The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.



Note: The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.
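
The two record classes described above can be told apart on the collector side by the Acct-Status-Type value alone. The following Python example is added here and is not code from Cisco or from the original release notes: it verifies the RFC 2866 Request Authenticator of an Accounting-Request, classifies the record as tunnel-type or tunnel-link-type using the RFC 2867 values, and decodes NAS-IP-Address (attribute 4), the value that the RADIUS NAS-IP-Address Attribute Configurability feature lets you set. The shared secret, address, session ID, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                       # RADIUS packet code (RFC 2866)
NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 4, 40, 44

# Acct-Status-Type values: 1-2 from RFC 2866, 9-14 are the six RFC 2867 types.
STATUS_NAMES = {
    1: "Start", 2: "Stop",
    9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
    12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject",
}
TUNNEL_TYPE = {9, 10, 11}         # records from "vpdn tunnel accounting network"
TUNNEL_LINK_TYPE = {12, 13, 14}   # records from "vpdn session accounting network"

SAMPLE_SECRET = b"constructed-shared-secret"  # constructed, not from the page


def request_authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attributes, secret):
    """Encode (type, value) pairs as TLVs and prepend a valid header."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs


def sample_packet(status, nas_ip="192.0.2.10", session_id=b"0000002A"):
    """Constructed sample record; the address is from the documentation range."""
    return build_accounting_request(1, [
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, session_id),
    ], SAMPLE_SECRET)


def parse_attributes(blob):
    """Walk the attribute TLVs, rejecting lengths that under- or overrun."""
    fields, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError("attribute length out of bounds")
        fields.setdefault(a_type, blob[pos + 2:pos + a_len])
        pos += a_len
    return fields


def classify(packet, secret):
    """Authenticate one Accounting-Request and report its record class."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    fields = parse_attributes(attrs)
    raw_status = fields.get(ACCT_STATUS_TYPE, b"")
    if len(raw_status) != 4:
        raise ValueError("missing or malformed Acct-Status-Type")
    status = struct.unpack("!I", raw_status)[0]
    if status in TUNNEL_TYPE:
        record_class = "tunnel"
    elif status in TUNNEL_LINK_TYPE:
        record_class = "tunnel-link"
    else:
        record_class = "other"
    nas_ip = fields.get(NAS_IP_ADDRESS, b"")
    return {
        "status": STATUS_NAMES.get(status, "unknown(%d)" % status),
        "class": record_class,
        "nas_ip": str(ipaddress.IPv4Address(nas_ip)) if len(nas_ip) == 4 else None,
        "session_id": fields.get(ACCT_SESSION_ID, b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    for value in (9, 11, 13, 2):
        print(classify(sample_packet(value), SAMPLE_SECRET))
```

A record whose authenticator does not match the shared secret raises ValueError before any attribute is interpreted, so a modified or forged record never reaches the classification step.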


Service Selection Gateway

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services.

For more information about SSG, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/ft_ssg.htm

SSG Autologoff Enhancement

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Autologoff Enhancement feature configures Service Selection Gateway (SSG) to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host. This prevents unauthorized reuse of IP addresses (spoofing). SSG MAC address checking also detects the assignment of a host IP address to a different host before the original host initiates a logoff and clears its host object. This prevents session reuse by a second host.

ARP Ping

ARP is an Internet protocol used to map IP addresses to MAC addresses in directly connected devices. A router that uses ARP broadcasts ARP requests for IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.

When SSG Autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is:

Found—SSG forces ARP to refresh the entry and checks the entry again after a configured interval.

Not found—SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.

When SSG MAC address checking is configured, SSG checks the MAC address of a host when an ARP ping is performed. If SSG detects a different host MAC address, it initiates an automatic logoff of that host.


Note: Only use ARP ping in deployment scenarios in which all hosts are directly connected to SSG through a broadcast interface such as an Ethernet interface or a bridged interface, such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface.


ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so we recommend that you configure SSG Autologoff to use ARP ping in scenarios where hosts are directly connected.

SSG Complete ID

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

SSG Complete ID provides enhancements to the current interaction mechanism that is used between SSG and SESM, allowing SSG to pass along the following additional information:

Client IP Address

Client MAC Address

Subinterface

VPI/VCI

MSISDN

This allows SESM to offer greater customization of Web portals, specifically by locations. Each hotspot can now have its own branded portal.

SSG Open Garden Configuration Enhancements

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The Service Selection Gateway (SSG) is a Cisco IOS feature that implements Layer 3 service selection through selective routing of IP packets to destination networks on a per-subscriber basis. Among its many features, Open Garden is particularly useful for service providers that offer trial-based services to customers.

An open garden is a collection of web sites that a user can access as long as the user has physical access to the network. The user does not need to provide any authentication information before accessing the Web sites in the open garden.

Currently, SSG open garden services can be configured and managed on the router, even though they are similar to normal SSG (subscribed) services. The modifications being proposed allow open garden services to be defined and managed on the RADIUS server as well.

SSG L2TP Dialout

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG L2TP Dialout feature enhances SSG tunnel services and provides a dialout facility to users. Many Small Office Home Offices (SOHOs) use the Public Switched Telephone Network (PSTN) to access their intranet. SSG L2TP provides mobile users with a way to securely connect to their SOHO through the PSTN.

To provide SSG L2TP Dialout, SSG requires a digital number identification service (DNIS) number for the SOHO to which the user wants to connect, the address of the L2TP Access Concentrator (LAC) closest to the SOHO, and configured tunnel parameters to establish a tunnel to the LAC.

Users can access SSG L2TP Dialout by selecting the dialout service using Cisco Subscriber Edge Services Manager (SESM) from the list of subscribed services or by using a structured username. The user must provide the DNIS number when using either method of connecting to the dialout service.

SSG Prepaid Enhancements

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

SSG Prepaid

The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.

To obtain the first quota for a connection, SSG submits an authorization request to the authentication, authorization, and accounting (AAA) server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs off the user.

For more information, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/.

SSG Prepaid Enhancements

SSG Prepaid Enhancements introduces prepaid tariff switching, simultaneous volume and time based prepaid billing, and postpaid tariff switching.

SSG Prepaid Idle Timeout

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Prepaid Idle Timeout feature enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.

When SSG is configured for SSG Prepaid Idle Timeout, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value has expired.

The SSG Prepaid Idle Timeout feature enhances handling of a returned zero quota from the billing server. If a billing server returns a zero quota, and non-zero idle timeout, this indicates that a user has run out of credit for a service. When a user runs out of credit for a service, the user is redirected to the billing server to replenish the quota. When the user is redirected to the billing server, the user's connection to the original service or services is retained. Although the connection remains up, any traffic passing through the connection is dropped. This enables a user to replenish quota on the billing server without losing connections to services or having to perform additional service logons.

Using the SSG Prepaid Idle Timeout feature, you can configure SSG to reauthorize a user before the user completely consumes the allocated quota. You can also configure SSG to not pass traffic during reauthorization. This prevents revenue leaks in the event that the billing server returns a zero quota for the user. Without the SSG Prepaid Idle Timeout feature, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. You can prevent this type of revenue leak by configuring a threshold value, causing SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.

SSG Prepaid Idle Timeout enhances SSG to inform the billing server upon any connection failure. This enables the billing server to free quota that was reserved for the connection that failed and to apply this quota immediately to some other active connection.

SSG PTA-MD Exclusion Lists

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

Beginning in Cisco IOS Release 12.2(8)B, the option of passing the entire structured username in the form 'user@service' to PPP for authenticating an SSG request became available. The entire structured username can be passed to PPP through the use of a PTA-MD exclusion list; if an entire structured username should be passed to PPP, the domain (the '@service' portion of the structured username) should be added to a PTA-MD exclusion list. The PTA-MD exclusion list can be configured on the AAA server directly or via the router CLI. Structured usernames are parsed for authentication unless a PTA-MD exclusion list is configured for the particular domain requesting a service.

For additional information on SSG PTA-MD Exclusion Lists, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/

SSG Range Command for Bind Statements

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

SSG Range Command for Bind Statements creates a "range" command for SSG BIND statements. This is useful when provisioning RBE subscribers en masse, as it allows for streamlined provisioning and configuration with a decreased CPU load.

SSG Service Profile Caching

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Service Profile Caching feature enhances the authentication process for SSG services by allowing users to authenticate a service using the service profile cached in SSG.

When SSG Service Profile Caching is not enabled, an authentication, authorization, and accounting (AAA) transaction is required to download a service profile each time an SSG subscriber logs onto the service. The other SSG subscribers already logged onto the service also have their service parameters automatically refreshed as a result of this AAA transaction. In many cases, this automatic refresh causes unnecessary traffic in SSG and on the AAA server.

The SSG Service Profile Caching feature creates a cache of service profiles in SSG. A service profile is downloaded from the AAA server and then stored in the SSG service profile cache as a service-info object. Subsequent SSG subscribers hoping to use that service are authorized by the SSG service profile cache provided that service profile remains in the cache. To ensure that the service profiles in the SSG service profile cache remain updated, the SSG service profile cache automatically refreshes the service profiles by downloading the service profiles from the AAA server at user-configured intervals (the default is every 120 minutes). SSG service profile caches can also be refreshed manually at any time. Service profiles that are not being used by any SSG subscriber are removed from the SSG service profile cache.

SSG Support of NAS Port ID

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

This feature supports the NAS-Port attribute in the authentication packet. This allows the authentication server to use consistent policies while authenticating PPPoX users and RFC1483 users. Currently, the NAS-Port attribute is sent only for PPPoX users.

With this feature, SSG sends nas-port information for certain IP users in the authentication-request and accounting-request packets.

SSG Suppression of Unused Accounting Records

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Suppression of Unused Accounting Records feature provides the ability to turn off those accounting records that are not needed on the router.

SSG Unconfig

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured.

The SSG Unconfig feature enhances several Cisco IOS commands to delete all host objects and to delete a range of host objects. You can also delete all service objects or connection objects. The show ssg host command has been enhanced to display information about an interface and its IP address when Host-Key mode is enabled on that interface.

System Resource Cleanup When SSG Is Unconfigured

When you enable SSG, the SSG subsystem in Cisco IOS acquires system resources that are never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean up system resources when SSG is not in use by entering the no ssg enable force-cleanup command.

SSG Unique Session ID

Supported Platforms: MWAM on Cisco Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)

SSG does not currently support a totally unique accounting session ID in the RADIUS accounting records. The SSG Unique Session ID feature provides a unique format in the RADIUS accounting records in order to be compatible with a customer's existing backend billing systems.

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

For a list of caveats for Cisco IOS software releases 12.3, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123mcavs.htm


Note: If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator II on CCO at Software Center: Cisco IOS Software: Cisco Bug Toolkit: Cisco Bugtool Navigator II, or at http://www.cisco.com/support/bugtools.


Caveats for 12.2(14)ZA2 (and higher)

For a list of caveats for 12.2(14)ZA2 (and higher), see the release notes at the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_release_note09186a0080145494.html

Open Caveats—Cisco IOS Release 12.3(5a)B

This section documents possible unexpected behavior by Cisco IOS Release 12.3(5a)B and describes only severity 1 and 2 caveats and select severity 3 caveats.

Open SSG Caveats

CSCin63807

While attempting to create 65000 host objects with two services, the SSG failed after creating 40000 host objects.

Workaround: There are no known workarounds.

CSCed07357

SSG with TAL configuration does not use all parameters provided by AAA server in the Access Accept. This is required when SSG needs to create a host object (HO) that is deleted after timeout.

Workaround: There are no known workarounds.

CSCin55304

When downstream traffic from the service network is sent as multiple packets to the same connection object before sending packets to the next connection object, processor usage is much less than if packets are sent consecutively to different connection objects (even though the rate of traffic sent for both the cases is the same).

Workaround: There are no known workarounds.

CSCed60072

The test case is running with 2 pass-through services and one tunnel service:

Pass-through service #1—Pass-through service with only single hosts with ACL

Pass-through service #2—Pass-through service with single hosts and some networks with corresponding ACL

Tunnel service—Tunnel service with Default-Route-Replacement without ACL

Packets from hosts that are not in pass-through service #1 or pass-through service #2 and that are sent to the subscriber IP address are passed to the subscriber through the tunnel interface. The reply packet from the subscriber is then sent through the tunnel. Both packets are billed in the tunnel service.

Workaround: The test runs without fault using only one pass-through service and one tunnel service.

Open MWAM Caveats

CSCec37579

The processor control (PC) in the MWAM may become unreachable when packets are sent through one of the Sibyte processors at a very high rate.

Workaround: There are no known workarounds.

CSCec37579

The PC in the MWAM becomes unreachable when packets are sent through one of the Cisco IOS processors from a traffic generator at a high rate (30% of the line rate, 446,429 frames/sec).

Workaround: There are no known workarounds.

CSCec75023

When a Cisco 7600 chassis with four MWAMs using the centralized configuration storage feature is reloaded, the MWAM reboot task to load the centralized configuration from the Cisco supervisor engine boot flash takes 7 minutes.

Workaround: There are no known workarounds.

CSCec75351

In rare cases, the PC may freeze without any error message on the console. There are no keepalive messages at the processors, and it is not possible to session to any of them.

Workaround: There are no known workarounds.

CSCed19245

During an RPR+ switchover on a dual Cisco supervisor chassis, the RPR+ operation can stall when the SFM-capable 48-port 10/100 Mbps RJ45 line card (WS-X6548-RJ-45) fails to go on line. The line card is automatically powered down, and the RPR+ process does not execute a timely switchover to the second Cisco supervisor engine. The system can be offline for up to 5 minutes before recovering. The line card recovers and powers on without operator intervention.

The user can observe the following failure messages (module 9 is the WS-X6548-RJ-45 card):

%OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)

SP: oir_notify_online: Failed to send online notification: slot 9

The user can observe the following recovery messages:

%DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics

%OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now on line

Workaround: There are no known workarounds.

CSCed29890

On rare occasions after an MWAM is reset, IP connectivity does not occur between the MWAM processors and the Cisco Supervisor Engine 2, or any outside devices. This problem may occur after you issue the hw-module module <#> reset command from the Cisco supervisor engine.

Workaround: Reset the MWAM again from the Cisco supervisor engine.

CSCed69471

On rare occasions, the MWAM displays a minor error in response to the show module command after the Cisco supervisor engines switch activity for a failover condition:

SK-sup-2#sho module
~snipped~
Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  4 Minor Error
  5 Pass
  6 Pass
  8 Pass
  9 Minor Error

Workaround: There are no known workarounds.

CSCed70750

Traffic flowing from an MWAM interface into a VLAN exceeds the policing limits defined by the policy applied to the VLAN.

When an MWAM internal interface is defined to be part of a specific VLAN using the mwam module <module-num> port <port-num> allowed-vlan command, and the VLAN has a QoS policy applied to the input which contains a police policy, the traffic coming from the MWAM exceeds this policing definition.

Workaround: There are no known workarounds.

CSCed71341

MWAM configuration mode is switched from supervisor mode to local mode after the MWAM is reloaded. This occurs when the radius-server unique-ident <#> command is configured on MWAM processors.

Workaround: There are no known workarounds.

Resolved Caveats—Cisco IOS Release 12.3(5a)B

All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B. This section describes only severity 1 and 2 caveats and select severity 3 caveats.

CSCed38527

Previously, there was a vulnerability in the Transmission Control Protocol (TCP) that allowed resetting of an established TCP connection. This has been fixed.

CSCed27956

Previously, there was a vulnerability in the Transmission Control Protocol (TCP) that allowed resetting of an established TCP connection. This has been fixed.

Resolved SSG Caveats

CSCea84092

Previously, there was a drift of time in the interim accounting records generation, over a period, when compared to the configured interval. This has been fixed.

CSCeb24206

Previously, some packets were dropped when writing to NVRAM. This occurred during periods of high traffic when saving the configuration or performing other NVRAM write operations. This has been fixed.

CSCeb84839

An unexpected reload sometimes occurred when the following message appeared. This has been fixed.

%ALIGN-1-FATAL: Corrupted program counter pc=0x0, ra=0xXXXXXXXX, sp=0xXXXXXXXX

%ALIGN-1-FATAL: Corrupted program counter pc=0x0, ra=0xXXXXXXXX, sp=0xXXXXXXXX

Unexpected exception, CPU signal 10, PC = 0x0

CSCec22829

A timer wheel failed when the same timer was started from both the process level and the interrupt level. This occurred on a Cisco router that was running Network Address Translation (NAT). This has been fixed.

CSCec51206

Memory allocation from the I/O memory pool sometimes failed (MALLOCFAIL). This occurred on a Cisco router that receives excessive multicast control traffic. This has been fixed.

CSCec69756

You could not always configure the maximum transmission unit (MTU) on a virtual template. This has been fixed.

CSCec77881

The default number of missed keepalives required to bring down a PPP link changed from 5 to 3 in releases that had integrated the software for CSCdt94888. To restore the original default behavior, configure keepalive 10 5 on the interface.

CSCec83463

The service selection gateway (SSG) sent duplicate Acct-Session-Id in the SSG connection accounting record. The same session ID was used in the user accounting record. This occurred when using Cisco IOS Release 12.2(16)B2 and Release 12.3(4)T. This has been fixed.

CSCed10161

When a VPDN session was disconnected by an authentication failure, the VPDN syslog message (%VPDN-6-AUTHENFAIL) and the history failure table were not logged. A record was overwritten by normal causes (%VPDN-6-CLOSED, Result 1, Error 0). This occurred when using Cisco IOS Release 12.3(3)B and Release 12.3(4)T with VPDN logging enabled. This has been fixed.

CSCed17032

When the ip radius source-interface global configuration command was configured on a PPP over Ethernet (PPPoE) server, the interface address sometimes was not set in the RADIUS NAS-IP-Address [4] attribute. This occurred in Cisco IOS Release 12.3(2), Release 12.3(2)T, Release 12.3(3)B, or Release 12.3(4)T, in Cisco routers that functioned as PPPoE servers, and that had the radius-server attribute nas-port format format global configuration command enabled with the value d for the format argument. This has been fixed.

CSCed19748

The individual AAA periodic accounting update messages (RADIUS accounting messages with Acct-Status-Type=Watchdog) generated by a Cisco IOS gateway for each call leg (TDM and IP) of the same voice call were sometimes sent to the RADIUS server more than 5 minutes apart due to the randomized timer algorithm used by the AAA message transmit function. This occurred when the aaa accounting update newinfo periodic command was configured. This has been fixed.

CSCed46459

When ip address negotiate was configured on an interface and the customer's address was not successfully negotiated with the peer, no address was assigned to the customer's interface, which could cause problems with IP/CEF forwarding. This has been fixed.

CSCed54232

The memory held by the SSGCmdQueue process increased continuously in SSG deployments when SESM users logged on and logged off. This has been fixed.

CSCin29325

Without any global RADIUS servers configured, an access-request was sent to the server defined in the AAA test server group. This occurred without a radius-server key defined and the error message "No radius servers defined" was displayed. This did not occur in Cisco IOS Release 12.2(13.7)T.

This was a configuration problem. The user was warned when a server that had not been defined was added to the server group.

router(config)#aaa group server radius bogus
router(config-sg-radius)#server 10.1.1.1 ?
  acct-port  UDP port for RADIUS accounting server (default is 1646)
  auth-port  UDP port for RADIUS authentication server (default is 1645)
  <cr>

router(config-sg-radius)#server 10.1.1.1

00:55:48: %RADIUS-4-NOSERV: Warning: Server 10.1.1.1:1645,1646 is not defined.

The behavior remained undefined if the user did not correct the configuration. This has been fixed.

CSCin62948

SSG sometimes did not send a calling station ID in the connection accounting records to a local and a remote AAA server. This occurred when a client logged on by using a proxy service with MSISDN. This has been fixed.

CSCin64164

A Time Drift in Interim Accounting update was seen for SSG connection accounting packets. This occurred with 10 Host Objects and a Connection Accounting interval of 300. After 4 days of testing, a time drift was seen in the Interim accounting update packets. This has been fixed.

CSCin64712

PPPOA sessions sometimes were not established. This occurred on a Cisco router with CEF or PXF enabled and when the encapsulation was changed while no VC was defined. This has been fixed.

CSCin68728

Unauthorized service users were not redirected. This occurred under the following conditions:

Service redirection was configured.

PBHK was enabled.

CEF was enabled on the downlink interface.

CSCed28303

For prepaid services, the initial authorization to obtain quota occurred during the time a user was logged on to a service. This enabled prepaid services to be configured so that the initial authorization occurred only when the user started sending traffic on that connection. This has been fixed.

CSCed18327

When a new image was loaded on an MWAM, if either of the processors of a complex previously had configurations in the startup-configuration that were not recognized by the new image, then the complex sometimes kept resetting continually. This has been fixed.

Resolved MWAM Caveats

CSCin51015

SNMP query for CISCO-FLASH-MIB did not populate values. The fields of the CISCO-FLASH-MIB were not populated for the flash devices dedicated to each of the processors of the MWAM. When the CISCO-FLASH-MIB of a MWAM processor was queried, the fields of this MIB incorrectly appeared as if there was no flash device for this processor. This has been fixed.

CSCec79587

After reloading a switch containing ten MWAMs, it was no longer possible to upgrade the MP or AP images. All attempts failed with the following message. This has been fixed.

stress-6500a#copy tftp: pclc#6-fs:
Address or name of remote host [64.102.16.25]?
Source filename [users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin]?
Destination filename [users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin]?
Accessing tftp://64.102.16.25/users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin...
Loading users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin from 64.102.16.25 (via Vlan111): !
%Error opening pclc#6-fs:users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin (Error Sending Request)
stress-6500a#

CSCec46213

(Duplicate of CSCec79587) When simultaneous hw-module reset commands were issued from the Cisco supervisor engine, some of the MWAMs did not respond correctly. When the reset was issued, the following message appeared. This has been fixed.

Oct 1 01:49:20: SP: The PC in slot 7 is shutting down. Please wait ...

If the problem occurs, the following messages are displayed:

Oct 1 01:52:20: SP: shutdown_pc_process:No response from module 7
Oct 1 01:52:20: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)
*Oct 1 01:52:19: %C6KPWR-SP-STDBY-4-DISABLED: power to module in slot 7 set off (Reset)

CSCec61049

Under certain circumstances a processor sometimes reloaded when deleting a file from the boot flash partition. This has been fixed.

CSCec19314

Any debug messages between the MWAM processors and the PC that displayed on the processor console did not appear in the Remote Console and Logging (RCaL) debug information. For example, the heart beat debug message from the processors to the PC did not appear in the RCaL debug information. This has been fixed.

CSCec49312

The reload all command from the PC failed with the following message. This has been fixed.

root@mwam-5#reload all
Global Reset: Unable to Initialize BootManager: Can't open device

CSCec55718

The MWAM did not have persistent log files for debugging purposes after the Cisco router reloaded or failed. This has been fixed.

CSCec71819

The show log upgrade command displayed the upgrade log of an AP upgrade when the user was in the MP. However, the command did not display the upgrade log of an MP upgrade when the user was in the AP. This has been fixed.

CSCec75399

The show processor command on the PC did not differentiate Cisco IOS reload operations from the PC, user reload operations, and unexpected reload operations. This has been fixed.

CSCed29177

The MWAM could not be shut down or reloaded. If a reload was issued, the module was eventually reset by the Cisco supervisor engine; if a shutdown was issued, the module remained in the other state indefinitely. This has been fixed.

CSCed40648

After a Cisco supervisor engine switchover, one or more MWAM processors failed to become active. This has been fixed.

CSCed32128

When NTP was used in MWAM processors for time synchronization, the time sync was lost with the NTP server when the MWAM reloaded. Individual processor reloading did not cause any problems. This has been fixed.

Other Caveats

This section includes caveats listed in previous release notes that are regarded as resolved because they are either unreproducible, they were reported in error, or they do not affect the behavior of the Cisco router. If a caveat listed in this section causes problems, contact Cisco customer service.

CSCeb38142

MWAM VLAN interfaces stopped responding when the Cisco 7609 router was rebooted. Ping packets sent from the Cisco supervisor engine to the MWAM failed. We have been unable to reproduce this problem.

CSCeb58650

When multiple MWAMs were reset at the same time using the hw-module module slot_number reset command, on rare occasions the MWAM failed to boot (remained in a PwrDown state) and the following message displayed on the supervisor console. We have been unable to reproduce this problem.

SP: oir_disable_notice: slot12: lcp failed to go online

Resolved Caveats—Cisco IOS Release 12.3(3)B1

All of the caveats listed in this section are resolved in Cisco IOS Release 12.3(3)B1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.

Resolved SSG Caveats

CSCec67873

The SSG system showed traceback and reload messages with unexpected exception, CPU signal 10, and PC = 0x613F1C10. This occurred when a user was cleared by the CLI or was disconnected by switching off the CPE. This has been fixed.

CSCin61028

The user was unable to log into a service on SSG. This condition was caused by a password mismatch between SESM and SSG in the test setup.

CSCin61156

SSG failed to send a re-authorization request after a Quota Time expiry for connection with QT60, QV0 and Idle 0. This has been fixed.

CSCin61296

The user was unable to log on to tunnel and proxy services. This was caused by a password mismatch between SESM and SSG in the test setup.

CSCin61757

SSG unexpectedly reloaded when logging in to the home office (HO) with Challenge Handshake Authentication Protocol (CHAP). This has been fixed.

CSCin61934

SSG unexpectedly reloaded for proxy service authorization. This occurred when SSG tried to allocate memory for a proxy service authorization packet. This has been fixed.

CSCec76628

The SSG had no console or telnet access after data traffic was started. The SSG did not reload and had to be power-cycled. This has been fixed.

CSCin61279

The SSG failed during a TCP redirect for unauthenticated users. This has been fixed.

CSCin62450

With PZI60 and L60 in the service profile, the SSG sent Interim accounting updates alternately to a local and a prepaid server. This has been fixed.

CSCec32933

A Cisco router with the SSG application sometimes reloaded. This occurred with a Cisco MSID access request when the access accept from a AAA server was delayed and the access response did not contain CDMA Realm. This has been fixed.

CSCec77966

A Cisco router that terminated both PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA) sessions sometimes failed to switch traffic downstream toward the subscriber using Cisco Express Forwarding (CEF) for a period of up to three minutes. This occurred when the PPPoE and PPPoA sessions used different virtual templates and when subinterfaces were enabled. Only some subscribers were affected. This has been fixed.

CSCin62948

The Calling-Station-Id was not sent in connection accounting records. This occurred for proxy service logon with MSISDN. This has been fixed.

CSCin63604

The wrong Calling-Station-ID was sent to the LNS during tunnel service creation. When a different Calling-Station-ID was received from the SESM for tunnel service logon, the SSG should have used this Calling-ID for tunnel service creation with the LNS. However, the SSG was incorrectly sending the host logon Calling-ID to the LNS for tunnel creation. This has been fixed.

CSCed07805

The RADIUS attributes that contained the CALLING and CALLED numbers were not in the service account records. This has been fixed.

CSCec26539

When an HSRP SNMP query was performed on a router with an HSRP group configured on a subinterface, the router stopped responding and eventually reloaded. This did not occur for HSRP groups configured on major interfaces. This has been fixed.

CSCed17032

When the ip radius source-interface command was configured on the PPP over Ethernet (PPPoE) server, the interface address was not set in the RADIUS NAS-IP-Address [4] attribute. This has been fixed.

CSCed21166

If the number of sessions exceeded the configured session limit on the L2TP network server (LNS), subsequent session requests caused a memory leak in the L2TP management daemon. This has been fixed.

CSCeb84730

(Duplicate of CSCeb65615) The PPP idle timer on a virtual access interface reset with uninteresting outbound traffic that was defined with the ip idle-group <acl> out command. The ACL that defined the uninteresting traffic found no matches even though the output traffic was uninteresting. This has been fixed.

CSCec10191

(Duplicate of CSCeb82500) The PPP timeout AAA inbound command did not prevent outbound packets from resetting a per-user idle timer. This has been fixed.

CSCed29736

The SSG upstream counter statistics for the connection object were incorrect. This occurred when the SSG TCP redirect feature was enabled. This has been fixed.

CSCec74346

Accounting On packets that were sent by an Access Zone Router (AZR) that had had a cold restart (for example, the power was turned off and then on again) sometimes were not acknowledged by an SSG. This occurred on an SSG that was configured with a basic RADIUS proxy setting. This has been fixed.

Resolved MWAM Caveats

CSCeb48018

MWAM processors were reloaded when receiving traffic at 100% of processor capacity. This occurred when sending downstream traffic on processors configured in a cluster. This has been fixed.

CSCec88045

The Cisco IOS software on MWAM processors did not support NTP and other clock commands. The processors synchronized their clocks from the PC, which in turn synchronized with the supervisor clock. The supervisor clock was linked to an NTP clock source.

When the show clock command was entered, the clock value was displayed both on the Cisco supervisor engine and an MWAM processor. The values of the Cisco supervisor engine and the processor clocks were different by a couple of seconds. This has been fixed.

CSCec79096

The MWAM processor/complex sometimes reloaded when many VRFs were being configured and unconfigured, and data flows to these networks were on. This has been fixed.

CSCeb46687

Copying a file from bootflash: to bootflash: did not work on the MWAM. This has been fixed.

CSCec19275

If the ROMMON needed to be upgraded during the configuration of the Remote Console and Logging (RCaL) on the MWAM, the user was not notified by a console message. This has been fixed.

Resolved Caveats—Cisco IOS Release 12.3(3)B

All of the caveats listed in this section are resolved in Cisco IOS Release 12.3(3)B. This section describes only severity 1 and 2 caveats and select severity 3 caveats.

Resolved SSG Caveats

CSCea66267

SSG made authorization requests towards a prepaid server even though the connection could not be activated. This has been fixed.

CSCeb35210

A Cisco router that had a Quality of Service (QoS) service policy attached to an interface sometimes generated memory alignment errors or reloaded unexpectedly because of a bus error during normal mode of operation. This occurred when the policy map of the service policy had a set action configuration and when traffic was being processed. This has been fixed.

CSCeb47098

When a VPDN session was terminated by a PPP authentication failure, a VPDN syslog message (%VPDN-6-AUTHENFAIL) and a history failure table were not logged. This occurred when VPDN logging was enabled in Cisco IOS Release 12.2(16)B and Release 12.3(1). This has been fixed.

CSCeb60723

SSG forwarded accounting requests that were retransmitted from RADIUS clients even though it was waiting for a response from the AAA server. SSG also forwarded additional retransmitted requests for each forwarded request. This has been fixed.

CSCeb64180

In hybrid mode, when a reset [15/16] was issued from SP (CatOS, hybrid mode), the reload time displayed was incorrect. This occurred on the Cisco Catalyst 6000. This has been fixed.

CSCeb87286

Enhanced Interior Gateway Routing Protocol (EIGRP) hello messages were sometimes sent from a virtual-access interface when they should not have been sent. This occurred on a Cisco router that had the passive-interface default or passive-interface virtual-template interface-number router configuration command enabled. This has been fixed.

CSCec04016

An auto-domain RADIUS-proxy user logon caused the router to fail. This occurred if the primary service logon failed to authenticate the user. Any wrong tunnel parameters in the tunnel profile could also cause the router to fail. This has been fixed.

CSCec06617

When a telnet connection timed out while waiting for a username, the router reported that the connection was closed and generated two accounting stop records. This occurred when the router was configured to send accounting start and stop records for a privileged EXEC connection, and the aaa accounting send stop-record authen fail command was configured. This has been fixed.

CSCec15964

During the bootup process, a RADIUS server was marked as Dead because it did not respond to system accounting requests. When PPP sessions were established and the L2TP Network Server (LNS) rebuilt its routing information, the LNS was able to access and receive back responses from the RADIUS server. However, the LNS did not change the status of the RADIUS server to UP, even after the configured dead time elapsed. This has been fixed.

CSCec24098

When SSG control error debugs were enabled, a "Stale network routes" error message appeared. This occurred if exclude networks (E) were configured in the service profile and if the user logged on to this service and did an account logoff. This has been fixed.

CSCec27942

A virtual access interface was not freed when a client session was torn down. Instead, the client session was momentarily disconnected and then re-connected. This has been fixed.

CSCec30789

The router unexpectedly reloaded at sb_timer_intr_handler. This has been fixed.

CSCec31355

After authentication completed, LCP renegotiation at the L2TP Network Server (LNS) caused a session to enter the wt-sss state. This occurred in Cisco IOS releases 12.3 B in which the software for CSCeb30098 was included. Output from the show vpdn command indicated that the session was in the wtsss state and unless the L2TP Access Concentrator (LAC) tore down the session, it remained in that state. This has been fixed.

CSCec32135

The set commands caused the router to reload in some circumstances. In addition, the set cos policy-map class configuration command also caused the router to reload. This occurred when a service policy with the set command was configured on an interface. This has been fixed.

CSCec44985

When a PPPoE user logged in for a second time, the user could not connect to the service. This occurred in Cisco IOS Release 12.3(3)B when the PBHK was enabled and the PPP session was created as a non-SSG PPP user session. This has been fixed.

CSCec45012

SSG hosts were not cleared when the PPP session for that user went down. This occurred when SSG bound the PPPoX interface dynamically as the downlink interface (the ssg direction downlink command was configured under a virtual template interface) and the user behind the PPPoX interface logged in through the web dashboard (SESM). The show ssg host command indicated that memory was low. This has been fixed.

CSCec47146

A Cisco router terminating both PPPoE and PPPoA sessions sometimes failed to CEF-switch traffic downstream toward the user when different virtual templates were used for the two types of sessions. Subinterfaces were enabled. This has been fixed.

CSCec48087

The input queue of the Gi0/0 interface on MWAM module, used by a SiByte processor running the SSG application, became full if a AAA server failure occurred. From that point on, no traffic was forwarded between the MSFC and the subinterfaces configured on Gi0/0 from within the SSG application on the SiByte (for example, ping operations between MSFC and subinterfaces on Gi0/0 failed). This has been fixed.

CSCec67336

When you configured and attempted to use an authorization or accounting method list that referred to a server group, and the server group did not contain servers and had never contained any servers since the router started up, error and traceback messages appeared. This occurred in Cisco IOS releases 12.2B and 12.3B. This has been fixed.

CSCin24965

PPPoE sessions were not established when some debug operations were enabled on the LAC. This occurred when lcp re-negotiation was configured in the virtual template on the LNS side. This has been fixed.

CSCin38040

SSG did not perform as expected and often failed when the total number of connections to the router was 64,000. This has been fixed.

CSCin45858

When a user connected to a service with certain networks, SSG did not forward the user traffic to the service. Instead, SSG dropped the upstream packets from the user. This has been fixed.

CSCin50030

While using SSG, executing the show align command indicated that a spurious memory access had occurred. This has been fixed.

CSCin54101

Some sessions were not established when using aal5snap encapsulation. This has been fixed.

CSCin54739

Abnormal termination of output from the show vpdn command resulted in spurious access. This has been fixed.

CSCin54802

Cisco A-V pair 31 (Calling-station-id) was missing from accounting records to a prepaid server when SSG RADIUS-proxy users were accessing prepaid service. This occurred only when no explicit calling station ID was available to SSG. This has been fixed.

CSCin56557

The accounting of input and output bytes/packets for a service connection was incorrect. Only upstream traffic was accounted for that service access; downstream traffic from that service was accounted for another service connection. This occurred when a user performed an autologon to 2 no-NAT/passthrough services. This has been fixed.

CSCin57846

SSG failed on downstream traffic to an SSG host logged on to a proxy service using NAT. This occurred after a host logged off a service and the same or another host with the same NAT-provided IP address immediately logged on to the proxy NAT service. This has been fixed.

CSCin58372

A memory leak occurred when an SSG subscriber accessed a home office and the user was logged on to a tunnel service. This occurred on the Cisco 3745 router. This has been fixed.

CSCin55922

A traceback message appeared for each authorization retry in the timeout quota in SSG. This has been fixed.

CSCin56817

Each time an SSG user logged in or logged out, a traceback message appeared. This has been fixed.

CSCin57018

When a user logged off from a prepaid service, a spurious memory access occurred. This occurred only in Cisco IOS Release 12.3(3)B. This has been fixed.

CSCin57036

The SSG router failed when the router was running out of memory and TCP-Redirect was configured. This has been fixed.

CSCin57718

In response to a service logon request, the SSG sent the IP address, assigned by a service for an SSG connection, as a Framed-IP attribute in the access-accept to the SESM. This hid the Framed-IP of the host in the access-accept. This has been fixed.

CSCin57902

New access-requests from the NAS (GGSN) were not processed by SSG when SSG_dummy_pool filled up. This has been fixed.

CSCec12911

When a connection to the LNS failed (for example, the LNS was restarted and failover to the redundant LNS occurred), the SSG needed more time than expected to send L2TP HELLO packets to tear down the control connection and re-establish the tunnel to the redundant LNS. During this period several L2TP HELLO packets were sent to the LNS. This has been fixed.

Resolved MWAM Caveats

CSCeb01237

Displaying the name of the MWAM image failed from the supervisor console. This has been fixed.

CSCeb39264

Cannot copy a file to the boot flash of the MWAM CPU with an existing name.

Copying a file to the bootflash: partition of an MWAM processor with a destination filename that already exists on this partition failed. A copy could not be made to a file that already existed. The following error message was displayed:

%Error opening bootflash:/running-config (File exists)

This has been fixed.

CSCeb59614

MWAM traffic shaping did not function with MWAM Gigabit Ethernet interfaces. Traffic shaping configurations on the MWAM gig0/0 interface had no effect. The driver for the MWAM gig0/0 interface did not support traffic shaping. This has been fixed.

CSCeb01522

When an MWAM was removed from a slot, the MWAM configuration files remained with the MWAM. A replacement MWAM in the same slot had to then be fully reconfigured. Also, when an MWAM was moved from one slot to another, the configuration files moved with the MWAM instead of being associated with the original slot. This has been fixed.

CSCin51016

An SNMP query for the variable chassisType (1.3.6.1.4.1.9.3.6.1) incorrectly returned a -1 for the MWAM module. This has been fixed.

CSCin56742

Entering the copy running-config startup-config command from the MWAM console failed to write the configuration to the standby Cisco supervisor engine. This has been fixed.

CSCec36798

When a chassis reloaded and contained multiple MWAMs that were running in the supervisor configuration mode (for example, MWAM configurations were stored on the supervisor boot flash), some of the MWAM processors sometimes did not receive their configurations from the supervisor boot flash. This has been fixed.

MIBs

No new or modified MIBs are supported by the Cisco MWAM.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Related Documentation

The following sections describe the documentation available related to the Cisco Multiprocessor WAN Application Module. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, and other documents.

Documentation is available as printed manuals or electronic documents.

Platform-Specific Documents

These documents are available for the Catalyst 6500/Cisco 7600 series platforms on Cisco.com and the Documentation CD-ROM:

Cisco Multiprocessor WAN Application Module Installation and Configuration Notes

Catalyst 6500 Series Switch Documentation:

Catalyst 6500 Series Switch Module Installation Guide

Catalyst 6500 Series Switch Installation Guide

Multiprocessor WAN Application Module Installation and Configuration Note

Cisco 7600 Series Routers Documentation:

Cisco 7600 Series Router Installation Guide

Cisco 7600 Series Router Module Installation Guide

Cisco 7609 Router Installation Guide

Catalyst 6500 Series Switch Documentation is available at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/index.htm

Cisco 7600 Series Routers Documentation is available at the following URL:

http://www.cisco.com/en/US/products/hw/routers/ps368/products_installation_guides_books_list.html

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations occurs if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before you call, check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, have your service agreement number and your product serial number available.



Posted: Tue Apr 27 20:42:43 PDT 2004
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved.