|
|
Table Of Contents
Release Notes for Cisco Multiprocessor WAN Application Module with Cisco IOS Release 12.3(7)T
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.3(7)T
New Software Features in Cisco IOS Release 12.3(7)T
New Hardware Features in Cisco IOS Release 12.3(5a)B
New Software Features in Cisco IOS Release 12.3(5a)B
New Hardware Features in Cisco IOS Release 12.3(3)B1
New Software Features in Cisco IOS Release 12.3(3)B1
New Hardware Features in Cisco IOS Release 12.3(3)B
New Software Features in Cisco IOS Release 12.3(3)B
New Hardware Features in Cisco IOS Release 12.3(1a)BW
New Software Features in Cisco IOS Release 12.3(1a)BW
Open Caveats—Cisco IOS Release 12.3(7)T
Resolved Caveats—Cisco IOS Release 12.3(7)T
Resolved Caveats—Cisco IOS Release 12.3(5a)B
Resolved Caveats—Cisco IOS Release 12.3(3)B1
Resolved Caveats—Cisco IOS Release 12.3(3)B
Obtaining Technical Assistance
Release Notes for Cisco Multiprocessor WAN Application Module with Cisco IOS Release 12.3(7)T
Cisco IOS Release 12.3(7)T
These release notes are for Cisco IOS Release 12.3(7)T running on the Cisco Multiprocessor WAN Application Module (MWAM) in the Cisco 7600 series router. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.
For a list of the software caveats that apply to Cisco IOS Release 12.3(7)T, see Caveats.
To see the release notes for Cisco IOS Release 12.3, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm.
Contents
This document contains the following sections:
•
Caveats
•
•
Introduction
The Cisco Multiprocessor WAN Application Module (MWAM) is a Cisco IOS software application module that you can install into the Cisco 7600 Series Internet Routers. The MWAM allows you to run multiple instances of the following Cisco Ethernet Service Aggregation applications:
•
•
•
•
•
•
System Requirements
This section describes system requirements for MWAM with Cisco IOS Release 12.3(7)T.
Hardware Requirements
MWAM with Cisco IOS Release 12.3(7)T requires the following hardware components:
•
•
•
A Hardware-Software Compatibility Matrix is available on CCO for users with CCO login accounts. This matrix allows users to search for supported hardware components by entering a Cisco platform and IOS release. The Hardware-Software Compatibility Matrix tool is available at the following URL:
http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
Software Requirements
MWAM with Cisco IOS Release 12.3(7)T requires the following software components:
•
Note
•
–
–
Cisco IOS Release 12.3(7)T is a special release that supports Cisco IOS Release 12.(3)1T and the same features that are in previous Cisco IOS Release 12.2 releases, with the addition of MWAM platform support.
Memory Requirements
The MWAM provides two processor complexes that are equipped with 1 GB memory shared between two processors (512 MB each). The remaining processor complex is equipped with 512 MB memory shared between two processors (256 MB each). The total memory capacity for the MWAM is 2.5 GB.
The MWAM memory is not configurable.
Determining the Software Version
To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:
Router# show versionCisco Internetwork Operating System SoftwareIOS (tm) MWAM Software (MWAM-G4JS-M), Version 12.3(7)T, RELEASE SOFTWARE (fc1)TAC Support: http://www.cisco.com/tacCopyright (c) 1986-2002 by cisco Systems, Inc.Upgrading to a New Software Release
For information on upgrading to a new software release, see the product bulletin Cisco IOS Software Upgrade Ordering Instructions located at:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm
For information on upgrading images on the MWAM, refer to the Cisco Multiprocessor WAN Application Module Installation and Configuration Notes for the Cisco 7600 Series Internet Router.
Note
Upgrading ROMMON Software
A ROMMON software upgrade is not required for Cisco IOS 12.3(7)T. To perform the ROMMON software upgrade, use the procedure provided in the MWAM User Guide.
New Features
The following is a list of the new hardware and software features supported by the MWAM on the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3B.
New Hardware Features in Cisco IOS Release 12.3(7)T
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(7)T
New Software Features in Cisco IOS Release 12.3(7)T
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(7)T.
•
•
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1dfd.html.
•
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html.
New Hardware Features in Cisco IOS Release 12.3(5a)B
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.
New Software Features in Cisco IOS Release 12.3(5a)B
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.
•
•
•
These features are provided by a new release of the application partition on the MWAM. For more information, see the Cisco Multiprocessor WAN Application Module Installation and Configuration Notes for the Cisco 7600 Series Internet Router at http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/esa_mwam.htm.
New Hardware Features in Cisco IOS Release 12.3(3)B1
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B1.
New Software Features in Cisco IOS Release 12.3(3)B1
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B1.
New Hardware Features in Cisco IOS Release 12.3(3)B
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B.
New Software Features in Cisco IOS Release 12.3(3)B
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B:
Attribute Screening for Access Requests
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Attribute Screening for Access Requests features allows you to configure your network access server (NAS) to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.
RADIUS NAS-IP-Address Attribute Configurability
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The RADIUS NAS-IP-Address Attribute Configurability feature allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. This feature may be used for situations in which service providers are using a cluster of small network access servers (NASs) to simulate a large NAS to improve scalability. This feature allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.
SSG Default DNS Redirection
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Default DNS Redirection feature allows a default Domain Name System (DNS) domain to be configured in a service profile. When a default DNS domain is configured, all DNS queries that do not match a service with a specific domain name are redirected to the DNS server for a default service.
SSG Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Enhancements describes Layer 2 Tunneling Protocol (L2TP) enhancements for authentication, service logon, and the interface between the Service Selection Gateway (SSG) and the Subscriber Edge Services Manager (SESM). For Release 12.3(3)B, SSG enhancements include a new Account-Info vendor specific attribute (VSA), Account-Accept VSA, and Service-Accept VSA.
The SSG interacts with the SESM, through a Remote Authentication Dial-in User Service (RADIUS) interface. SSG Enhancements describe the enhancements to the RADIUS interface to allow a separate Mobile Station ISDN Number (MSISDN) and Challenge Handshake Authentication Protocol (CHAP) for service logon. The SSG Enhancements documentation also describes error codes in the SSG response to the SESM.
For more information, see the SSG Enhancements feature at the following URL:
SSG Permanent TCP Redirection
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in Public Wireless LANs.
SSG TCP Redirect Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The TCP Redirect feature is enhanced to allow access lists to be associated with server groups. This enhancement can be used to limit the kind of traffic that is redirected based on the source or destination IP address and/or TCP ports. It can also be used to redirect different sets of users to different dashboards for unauthenticated user and unauthorized service redirection.
For more information, see the SSG TCP Redirect Enhancements feature at the following URL:
SSG Transparent Auto-Logon
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Transparent Auto-Logon (TAL) feature enables the Service Selection Gateway (SSG) to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when a first IP packet is received from the user.
Users can be activated on SSG through Web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase.
For more information on the Transparent Auto-Logon feature, see the following URL:
New Hardware Features in Cisco IOS Release 12.3(1a)BW
The following new hardware feature is supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW:
MWAM on Catalyst 6500/Cisco 7600 Platform
The MWAM is built on a base card-to-daughter card configuration. It provides three SiByte (700MHz) processor complexes. Two of the processor complexes enable dual processors while the third processor complex enables only one processor because of the memory configuration.
Each SiByte complex has a 1 Gigabit Ethernet (GE) interface to the switch fabric. This connection appears as a GE interface from the Supervisor module. The MWAM connects to the Catalyst 6500/Cisco 7600 bus for data and control traffic.
For more information, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/esa_mwam.htm.
New Software Features in Cisco IOS Release 12.3(1a)BW
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW:
IP Pool Backup
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The IP Pool Backup feature introduces two new interface configuration commands, peer pool backup and peer pool static, which allow you to define alternate sources for IP address pools in the event the original address pool is not present or is exhausted.
The peer pool backup command is useful in large-scale dial-out environments with large numbers of independently controlled authentication, authorization, and accounting (AAA) servers that can make it difficult for the network access server (NAS) to provide proper IP address pool resolution in the following cases:
•
•
The peer pool backup command uses the local pool names configured with the peer default ip address pool interface configuration command to supplement the pool names supplied by AAA. The problems of pool name resolution and specific local pool exhaustion can be solved by configuring backup pool names on a per-interface basis using the peer default ip address pool and peer pool backup interface configuration commands.
The peer pool static command controls attempts by the pool software to load dynamic pools in response to a pool request from a specific interface. These dynamic pools are loaded at system startup and refreshed whenever a pool name not configured on the NAS is specified for IP address allocation. Because the behavior of the NAS in response to a missing pool name can be changed using the peer pool backup interface configuration command, you can use the peer pool static command to control attempts to load all dynamic pools when the AAA-supplied pool name is not an existing local pool name.
Multilink PPP Minimum Links Mandatory
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Multilink PPP allows multiple PPP links to be established in parallel to the same destination. Multilink PPP is often used with dialup lines or ISDN connections to easily increase the amount of bandwidth between points.
With the introduction of the Multilink PPP Minimum Links Mandatory feature, you can configure the minimum number of links in a Multilink PPP (MLP) bundle required to keep that bundle active by entering the ppp multilink min-links links mandatory command. When you configure this command, all Network Control Protocols (NCPs) for an MLP bundle are disabled until the MLP bundle has the required minimum number of links. When a new link is added to the MLP bundle that brings the number of links up to the required minimum number of links, the NCPs are activated for the MLP bundle. When a link is removed from an MLP bundle, and the number of links falls below the required minimum number of links for that MLP bundle, the NCPs are disabled for that MLP bundle.
PPPoE Session Limit Per NAS Port
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Using the PPPoE Session Limit Per NAS Port feature, you can limit the number of sessions on a specific virtual circuit (VC) or VLAN configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.
The PPPoE session limit per NAS port is maintained in a RADIUS server customer profile database. This customer profile database is connected to a LAC and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. When the customer profile database receives a pre-authorization request from the LAC, it sends the PPPoE per NAS port session limit to the LAC.
The LAC sends a pre-authorization request to the customer profile database when the LAC is configured for Subscriber Service Switch (SSS) pre-authorization. Configure the LAC for SSS pre-authorization using the sss-subscriber access pppoe pre-authorizecommand. When the LAC receives the PPPoE per NAS port session limit from the customer profile database, the LAC compares the PPPoE per NAS port session limit to the number of sessions currently on the NAS port. The LAC then decides whether to accept or reject the current call based upon the configured PPoE per NAS port session limit and the number of calls currently on the NAS port.
You can configure other types of session limits on the LAC including session limit per VC, per VLAN, per MAC, or a global session limit for the LAC. When PPPoE Session Limit Per NAS Port is enabled (that is, when you have enabled SSS pre-authorization on the LAC), local configurations for session limit per VC and per VLAN are overwritten by the PPPoE per NAS port session limit downloaded from the customer profile database. Configured session limits per VC and per VLAN serve as backups in case of a PPPoE per NAS port session limit download failure.
The customer profile database consists of user profiles for each user connected to the LAC. Each user profile contains the NAS-IP-Address (Attribute #4) and the NAS-Port-ID (Attribute #5.) When the LAC is configured for SSS pre-authorization, it queries the customer profile database using the username. When a match is found in the customer profile database, the customer profile database sends the PPPoE per NAS port session limit in the user profile. The PPPoE per NAS port session limit is defined in the username as a Cisco AVpair.
RFC-2867 RADIUS Tunnel Accounting
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The RFC-2867 RADIUS Tunnel Accounting feature introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop). These new accounting types are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.
This feature also introduces two new commands—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—that help identify the following events:
•
•
•
•
Note
Note
Service Selection Gateway
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services.
For more information about SSG, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/ft_ssg.htm.
SSG Autologoff Enhancement
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Autologoff Enhancement feature configures Service Selection Gateway (SSG) to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host. This prevents unauthorized reuse of IP addresses (spoofing). SSG MAC address checking also detects the assignment of a host IP address to a different host before the original hosts initiates a logoff and clears its host object. This prevents session reuse by a second host.
ARP Ping
The ARP is an Internet protocol used to map IP addresses to MAC addresses in directly connected devices. A router that uses ARP broadcasts ARP requests for IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.
When SSG Autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.
When SSG MAC address checking is configured, SSG checks the MAC address of a host when an ARP ping is performed. If SSG detects a different host MAC address, it initiates an automatic logoff of that host.
Note
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG Autologoff to use ARP ping in scenarios where hosts are directly connected.
SSG Complete ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Complete ID provides enhancements to the current interaction mechanism that is used between SSG and SESM, allowing SSG to pass along the following additional information:
•
•
•
•
•
This allows SESM to offer greater customization of Web portals, specifically by locations. Each hotspot can now have its own branded portal.
SSG Open Garden Configuration Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The Service Selection Gateway (SSG) is an IOS feature and implements layer 3 service selection through selective routing of IP packets to destination networks on a per subscriber basis. Out of the many features SSG has, Open Garden is one of the features, which is very useful for service providers to provide trial-based services to the customers.
An open garden is a collection of web sites that a user can access as long as the user has physical access to the network. The user doesn't need to provide any authentication information before accessing the Web sites in the open garden.
Currently, SSG open garden services can be configured/managed on the router itself, even though they are similar to normal SSG (subscribed) services. The modifications being proposed allow open garden services to be defined and managed on the RADIUS server as well.
SSG L2TP Dialout
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG L2TP Dialout feature enhances SSG tunnel services and provides a dialout facility to users. Many Small Office Home Offices (SOHOs) use the Public Switched Telephone Network (PSTN) to access their intranet. SSG L2TP provides mobile users with a way to securely connect to their SOHO through the PSTN.
To provide SSG L2TP Dialout, SSG requires a digital number identification service (DNIS) number for the SOHO to which the user wants to connect, the address of the L2TP Access Concentrator (LAC) closest to the SOHO, and configured tunnel parameters to establish a tunnel to the LAC.
Users can access SSG L2TP Dialout by selecting the dialout service using Cisco Subscriber Edge Services Manager (SESM) from the list of subscribed services or by using a structured username. The user must provide the DNIS number when using either method of connecting to the dialout service.
SSG Prepaid Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Prepaid
The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.
To obtain the first quota for a connection, SSG submits an authorization request to the authentication, authorization, and accounting (AAA) server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs off the user.
For more information, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/.
SSG Prepaid Enhancements
SSG Prepaid Enhancements introduces prepaid tariff switching, simultaneous volume and time based prepaid billing, and postpaid tariff Switching.
SSG Prepaid Idle Timeout
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Prepaid Idle Timeout feature enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.
When SSG is configured for SSG Prepaid Idle Timeout, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value has expired.
The SSG Prepaid Idle Timeout feature enhances handling of a returned zero quota from the billing server. If a billing server returns a zero quota, and non-zero idle timeout, this indicates that a user has run out of credit for a service. When a user runs out of credit for a service, the user is redirected to the billing server to replenish the quota. When the user is redirected to the billing server, the user's connection to the original service or services is retained. Although the connection remains up, any traffic passing through the connection is dropped. This enables a user to replenish quota on the billing server without losing connections to services or having to perform additional service logons.
Using the SSG Prepaid Idle Timeout feature, you can configure SSG to reauthorize a user before the user completely consumes the allocated quota. You can also configure SSG to not pass traffic during reauthorization. This prevents revenue leaks in the event that the billing server returns a zero quota for the user. Without the SSG Prepaid Idle Timeout feature, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. You can prevent this type of revenue leak by configuring a threshold value, causing SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.
SSG Prepaid Idle Timeout enhances SSG to inform the billing server upon any connection failure. This enables the billing server to free quota that was reserved for the connection that failed and to apply this quota immediately to some other active connection.
SSG PTA-MD Exclusion Lists
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Beginning in Cisco IOS Release 12.2(8)B, the option of passing the entire structured username in the form `user@service' to PPP for authenticating an SSG request became available. The entire structured username can be passed to PPP through the use of a PTA-MD exclusion list; if an entire structured username should be passed to PPP, the domain (the `@service' portion of the structured username) should be added to a PTA-MD exclusion list. The PTA-MD exclusion list can be configured on the AAA server directly or via the router CLI. Structured usernames are parsed for authentication unless a PTA-MD exclusion list is configured for the particular domain requesting a service.
For additional information on SSG PTA-MD Exclusion Lists, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_4/122b4_sg/.
SSG Range Command for Bind Statements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Range Command for Bind Statements creates a A "range" command for SSG BIND statements. This is useful when provisioning RBE subscribers en masse, as it allows for streamlined provisioning and configuration with a decreased CPU load.
SSG Service Profile Caching
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Service Profile Caching feature enhances the authentication process for SSG services by allowing users to authenticate a service using the service profile cached in SSG.
When SSG Service Profile Caching is not enabled, an authentication, authorization, and accounting (AAA) transaction is required to download a service profile each time an SSG subscriber logs onto the service. The other SSG subscribers already logged onto the service also have their service parameters automatically refreshed as a result of this AAA transaction. In many cases, this automatic refresh causes unnecessary traffic in SSG and on the AAA server.
The SSG Service Profile Caching feature creates a cache of service profiles in SSG. A service profile is downloaded from the AAA server and then stored in the SSG service profile cache as a service-info object. Subsequent SSG subscribers hoping to use that service are authorized by the SSG service profile cache provided that service profile remains in the cache. To ensure that the service profiles in the SSG service profile cache remain updated, the SSG service profile cache automatically refreshes the service profiles by downloading the service profiles from the AAA server at user-configured intervals (the default is every 120 minutes). SSG service profile caches can also be refreshed manually at any time. Service profiles that are not being used by any SSG subscriber are removed from the SSG service profile cache.
SSG Support of NAS Port ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
This feature supports the NAS-Port attribute in the authentication packet. This allows the authentication server to use consistent policies while authenticating PPPoX users and RFC1483 users. Currently, NAS-Port attribute is sent only for PPPoX users.
With this feature, SSG sends nas-port information for certain IP users in the authentication-request and accounting-request packets.
SSG Suppression of Unused Accounting Records
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Suppression of Ununsed Accounting Records feature provides the ability to turn off those accounting records that are not needed on the router.
SSG Unconfig
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Unconfig
The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured.
The SSG Unconfig feature enhances several IOS commands to delete all host objects, delete a range of host objects. You can also delete all service objects or connection objects. The show ssg host command has been enhanced to display information about an interface and its IP address when Host-Key mode is enabled on that interface.
System Resource Cleanup When SSG Is Unconfigured
When you enable SSG, the SSG subsystem in IOS acquires system resources that are never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean up system resources when SSG is not in use by entering the no ssg enable force-cleanup command.
SSG Unique Session ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG does not currently support a totally unique accounting session ID in the RADIUS accounting records. The SSG Unique Session ID feature provides a unique format in the RADIUS accounting records in order to be compatible with a customer's existing backend billing systems.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
Caveats for Cisco IOS Releases 12.3 can be found on CCO at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123mcavs.htm
Note
Caveats for 12.2(14)ZA2 (and higher)
For a list of caveats for 12.2(14)ZA2 (and higher), see the release notes at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_release_note09186a0080145494.html
Open Caveats—Cisco IOS Release 12.3(7)T
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)T and describes only severity 1 and 2 caveats and select severity 3 caveats.
Open SSG Caveats
•
Symptoms: A service login from a Subscriber Edge Services Manager (SESM) may fail if a Service Selection Gateway (SSG) user is a RADIUS proxy Autodomain user.
Conditions: This symptom is observed if the RADIUS proxy user logs into an Autodomain service and the SESM service login fails.
Workaround: Log into the Autodomain service by using the automatic login service that is defined in the user profile. Then log into SESM services.
•
SSG with TAL configuration does not use all parameters provided by AAA server in the Access Accept. This is required when SSG needs to create a host object (HO) that is deleted after timeout.
There are no known workarounds.
•
When downstream traffic from the service network is sent as multiple packets to the same connection object before sending packets to the next connection object, processor usage is much less than if packets are sent consecutively to different connection objects (even though the rate of traffic sent for both the cases is the same).
There are no known workarounds.
•
The test case is running with two pass-through services and one tunnel service:
–
–
–
Packets from hosts that are not in pass-through service #1 or pass-through service #2 and that are sent to the subscriber IP address are passed to the subscriber through the tunnel interface. The reply packet from the subscriber is then sent through the tunnel. Both packets are billed in the tunnel service.
•
Open MWAM Caveats
•
The PC in the MWAM becomes unreachable when packets are sent through one of the IOS processors from a traffic generator at a very high rate (30% of the line rate, 446429 frames/sec).
Workaround: Not available.
•
When a 7600 chassis with four MWAMs using the centralized configuration storage feature is reloaded, the MWAM reboot task to load the centralized configuration from Supervisor bootflash takes seven minutes.
There are no known workarounds.
•
During an RPR+ switchover on a dual Supervisor chassis, the RPR+ operation can stall when the SFM-capable 48-port 10/100 Mbps RJ45 linecard (WS-X6548-RJ-45 ) fails to go on line. The linecard is automatically powered down, and the RPR+ process does not execute a timely switchover to the second Supervisor. The system can be off line for up to five minutes before recovering. The linecard recovers and powers on without operator intervention.
The user can observe the following failure messages (module 9 is the WS-X6548-RJ-45 card):
%OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off(Module not responding to Keep Alive polling)SP: oir_notify_online: Failed to send online notification: slot 9Messages that show recovery from the failure:
%DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics%OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now on lineThere are no known workarounds.
•
On rare occasions after an MWAM is reset, there is no IP connectivity between the MWAM processors and the Supervisor or any outside devices. This problem may occur after issuing the hw-module module <#> reset command from the Supervisor.
Workaround: Reset the MWAM again from the Supervisor.
•
On rare occasions, the MWAM displays a minor error in response to the show mod command after the Supervisors switch activity for a failover condition:
SK-sup-2#sho mod~snipped~Mod Online Diag Status--- -------------------1 Pass2 Pass4 Minor Error5 Pass6 Pass8 Pass9 Minor ErrorThere are no known workarounds.
•
Traffic flowing from an MWAM interface into a VLAN exceeds the policing limits defined by the policy applied to the VLAN.
When a MWAM internal interface has been defined to be part of a specific VLAN through the mwam module <module-num> port <port-num> allowed-vlan command, and the VLAN has a QoS policy applied to the input which contains a police policy, the traffic coming from the MWAM will exceed this policing definition.
Workaround: No workaround exists.
Resolved Caveats—Cisco IOS Release 12.3(7)T
Resolved SSG Caveats
•
Symptoms/Conditions: If the connection to the LNS fails (due to LNS Reboot or redundant LNS-Failover) the SSG needs a long time to send L2TP HELLO packets to tear down control connection and reestablish the tunnel to the redundant LNS. During this period, quite a few L2TP-HELLOs are sent to LNS.
Workaround: There is no workaround.
•
Symptoms: A Cisco router with the SSG application may reload.
Conditions: This problem has been observed with a Cisco MSID access request and when the access accept from a AAA is delayed and/or the access response doesn't contain CDMA Realm.
Workaround: There is no workaround.
•
Symptoms: SSG may crash when there is a failure/timeout contacting SESM/RADIUS.
Conditions: It is observed on SSG running with SSG port-bundle host-key feature enabled.
Workaround: Disable port-bundle host key feature.
•
Symptom: The memory held by SSGCmdQueue process increases continuously when SESM users log on and log off.
Conditions: This happens in SSG deployments when SESM users logon and logoff.
Workaround: There is no known workaround.
•
Symptoms: A Service Selection Gateway (SSG) reloads at ssg_search_conn.
Conditions: This symptom occurs when downstream traffic from a proxy NATed service is sent to an SSG host who is logged onto it. This happens after a host logs off a service and immediately the same or another host with same NATed IP address logs on to the proxy NATed service.
Workaround: There is no workaround.
•
Symptoms: Any new Access Requests from NAS(GGSN) are not processed by SSG when SSG_dummy_pool fills up.
Conditions: SSG_dummy_pool fills up when SSG is honoring an Acct-on/Accounting Off along with an accounting stop throttle configuration. Any new Access-Requests from NAS(GGSN) can create this condition.
Workaround: Unconfigure and then configure ssg radius-proxy or reload SSG to clean up this pool.
•
Symptoms: SSG crashes when logging in HO.
Conditions: This occurs with CHAP authentication.
Workaround: Use only PAP authentication.
•
Symptom: SSG crashes for proxy service authorization.
Condition: SSG Crashes while trying to allocate memory for a proxy service authorization packet.
Workaround: There is no workaround.
•
Symptom: A time drift in the interim accounting update was seen for SSG connection accounting packets.
Condition: This symptom occurs with 10 Host Objects and Connection Accounting interval 300. After 4 days of testing, the time drift was seen in interim accounting update packets.
Workaround: There is no workaround.
•
Symptoms: Incorrect input counters are sent in SSG host and connection RADIUS accounting records.
Condition: A SSG running 12.3(6.2)T2 or later versions with SSG accounting enabled can report incorrect input (downstream) counters in the accounting records for SSG host and connections.
Workaround: There is no workaround.
•
While attempting to create 65000 host objects with two services, the SSG crashed after creating 40000 host objects.
There are no known workarounds.
Resolved MWAM Caveats
•
Symptoms: MWAM processors are reloaded when receiving traffic at 100 % CPU.
Condition: This system has occurred while sending downstream traffic at 100 % CPU on all 4 processors in a cluster.
Workaround: Reduce the CPU from 100 % to 90 %.
•
Symptoms: The MWAM processor clock value (as displayed by the show clock command) will not sync up properly with the Supervisor clock.
Conditions: This condition exists in all versions of MWAM IOS software.
Workaround: There is no workaround.
•
In rare cases, the PC may freeze without any error message on the console. There are no keepalive messages at the processors, and it is not possible to session to the any of them.
There are no known workarounds.
•
The MWAM configuration mode is switched from supervisor mode to local mode after the MWAM is reloaded. This occurs when the radius-server unique-ident <#> command is configured on MWAM processors.
Workaround: No workaround exists.
Resolved Caveats—Cisco IOS Release 12.3(5a)B
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved SSG Caveats
•
There is a drift of time in the interim accounting records generation over a period when compared to the configured interval.
There are no known workarounds.
•
Drops may occur when writing to nvram.
This issue occurs during high traffic, saving config or causing a nvram write can cause packets to be dropped.
Workaround: Lower traffic rate when performing maintenance such as configuration file saves.
•
An unexpected reload may occur with the following:
%ALIGN-1-FATAL: Corrupted program counterpc=0x0, ra=0xXXXXXXXX, sp=0xXXXXXXXX%ALIGN-1-FATAL: Corrupted program counterpc=0x0, ra=0xXXXXXXXX, sp=0xXXXXXXXXUnexpected exception, CPU signal 10, PC = 0x0There are no known workarounds.
•
A timer wheel may fail when the same timer is started from both the process level and the interrupt level.
This issue is observed on a Cisco router that runs Network Address Translation (NAT).
There are no known workarounds.
•
A memory allocation failure (MALLOCFAIL) from the I/O memory pool may occur.
This issue is observed on a Cisco router that receives excessive multicast control traffic.
Workaround: Apply a quality of service (QoS) policy map to limit the rate of the multicast control traffic that can be received by the router.
•
You may not be able to configure the maximum transmission unit (MTU) on a virtual template.
This issue is platform independent.
There are no known workarounds.
•
The default number of missed keepalives required to bring down a ppp link has changed from 5 to 3 in releases that have integrated CSCdt94888. The original default behavior can be restored by configuring "keepalive 10 5"on the interface.
There are no known workarounds.
•
The service selection gateway (SSG) sends duplicate Acct-Session-Id in the SSG connection accounting record. Same session id is used in the user accounting record.
This issue occurs on Cisco IOS software version 12.2(16)B2 and 12.3(4)T.
There are no known workarounds.
•
When VPDN session is disconnected by authentication failure, no VPDN syslog message (%VPDN-6-AUTHENFAIL) and history failure table are logged. A record is overwritten by normal causes (%VPDN-6-CLOSED, Result 1, Error 0)
Cisco IOS software version 12.3(3)B, 12.3(4)T VPDN logging is enable
There are no known workarounds.
•
When the ip radius source-interface global configuration command is configured on a PPP over Ethernet (PPPoE) server, the interface address may not be set in the RADIUS NAS-IP-Address [4] attribute.
This issue is observed on a Cisco platform that runs Cisco IOS Release 12.3(2), 12.3(2)T, 12.3(3)B, or 12.3(4)T, that functions as a PPPoE server, and that has the radius-server attribute nas-port format format global configuration command enabled with the value d for the format argument.
Workaround: Do not use value d for the format argument. Rather, use another value to configure the network access server (NAS) port.
Alternate Workaround: Enter the radius-server attribute 4 nrp global configuration command.
•
The individual AAA periodic accounting update messages (Radius accounting messages with Acct-Status-Type=Watchdog) generated by an IOS gateway for each call leg (TDM and IP) of the same voice call may be sent to the Radius server more than 5 minutes apart due to the randomized timer algorithm used by the AAA message transmit function.
The command aaa accounting update newinfo periodic is configured.
There are no workaround.
•
When ip address negotiate is configured on an interface and our address is not successfully negotiated with the peer, no address is assigned to our interface which can cause problems with IP/CEF forwarding.
There are no known workarounds.
•
The memory held by SSGCmdQueue process increases continuously when SESM users log on and log off.
This issue occurs in SSG deployments when SESM users logon and logoff.
There are no known workarounds.
•
Without any global radius servers configured, an access-request is sent to the server defined in the AAA test server group. This happens even with no "radius-server key" defined. This behavior does not occur is 12.2(13.7)T, the error message "No radius servers defined" is displayed.
This is not a serious issue and is a configuration problem. The user is warned when a server that has not been defined is added to the server group.
router(config)#aaa group server radius bogusrouter(config-sg-radius)#server 10.1.1.1 ?acct-port UDP port for RADIUS accounting server (default is 1646)auth-port UDP port for RADIUS authentication server (default is 1645)<cr>router(config-sg-radius)#server 10.1.1.100:55:48: %RADIUS-4-NOSERV: Warning: Server 10.1.1.1:1645,1646 is not defined.It is expected that the behavior will be undefined if the user does not correct the misconfiguration.
•
SSG may not send a calling station ID in connection accounting records to a local and a remote AAA server.
This issue is observed when a client log on by using a proxy service with MSISDN.
There are no known workarounds.
•
Time Drift in Interim Accounting update was seen for SSG connection accounting packets.
This issue occurs with 10 Host Objects and Connection Accounting interval 300. After 4 days of testing time drift was seen in Interim accounting update packets.
There are no known workarounds.
•
PPPOA sessions may not come up.
This issue is observed on a Cisco router when CEF or PXF is enabled and when the encapsulation is changed while no VC is defined.
Workaround: Create a VC and then change the encapsulation.
•
Unauthorized service users do not get redirected.
This issue occurs under the following conditions:
–
–
–
Work around: Either disable CEF or port-map.
•
Currently for prepaid services, the initial authorization to obtain quota happens during the time a user is logged on to a service. This fix enables prepaid services to be configured so that the initial authorization happens only when the user starts sending traffic on that connection.
The attribute to be configured in prepaid services for this purpose is shown below:
code: 251, 'PZW'len: 4+-+-+-+-+-+-+-+-+-+-+-+|a|b| c |d|e|f|g|h|+-+-+-+-+-+-+-+-+-+-+-+a = 26 (Radius attr for vendor specific)b = len (length of the Radius Vendor specific Attribute>c = 9 (Cisco vendor ID)d = 251 (Sub attribute ID for Service-Info)e = len (length of the vendor specific sub attribute)f = 'P' (Payment type)g = 'Z' (Prepaid)h = 'W' (Wait for traffic)The accounting start would be sent during activation and not after user traffic.
•
When a new image is loaded on an MWAM, if either of the processors of a complex previously had configurations in the startup-config that are not recognized by the new image, then the complex may keep resetting continually.
Workaround: If a new image to be loaded on the MWAM may not have one or more subsystems of the previous image and may not recognize a large number of configurations in the startup-config, make sure those configurations are removed from the processors (unconfigured and saved) before loading a new image.
Resolved MWAM Caveats
•
MWAM VLAN interfaces stop responding when the Cisco 7609 router is rebooted. Ping packets sent from the Supervisor to the MWAM fail.
•
SNMP query for CISCO-FLASH-MIB does not populate values. The fields of the CISCO-FLASH-MIB are currently not populated for the flash devices dedicated to each of the processors of the MWAM. When the CISCO-FLASH-MIB of a MWAM processor is queried, the fields of this MIB will incorrectly appear as if there is no flash device for this processor.
•
When multiple MWAMs are reset at the same time using the hw-module module slot_number reset command, on rare occasions the MWAM will fail to boot (remain in a PwrDown state) and the following message will display on the Supervisor console:
SP: oir_disable_notice: slot12: lcp failed to go online•
After reloading a switch containing ten MWAMs, it is no longer possible to upgrade the MP or AP images. All attempts fail with the following message:
stress-6500a#copy tftp: pclc#6-fs: Address or name of remote host [64.102.16.25]? Source filename [users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin]? Destination filename [users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin]? Accessing tftp://64.102.16.25/users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin... Loading users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin from 64.102.16.25 (via Vlan111): ! %Error opening pclc#6-fs:users/gferris/mwam/c6svcmwam-js-mz.geo_t_030924.1-2-2-1.dev.bin (Error Sending Request) stress-6500a#•
When simultaneous hw-module reset commands are issued from the Supervisor, some of the MWAMs do not respond correctly. When the reset is issued, the following message displays:
Oct 1 01:49:20: SP: The PC in slot 7 is shutting down. Please wait ... If the problem occurs, the following messages are displayed: Oct 1 01:52:20: SP: shutdown_pc_process:No response from module 7 Oct 1 01:52:20: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset) *Oct 1 01:52:19: %C6KPWR-SP-STDBY-4-DISABLED: power to module in slot 7 set off (Reset)•
Under certain circumstances a processor may reload when deleting a file from the bootflash partition.
•
Any debug messages between the MWAM processors and the PC that do displays on the processor console, also do not appear in the Remote Console and Logging (RCaL) debug. For example, the heart beat debug message from the processors to the PC do not appear in the RCaL debug.
•
The reload all command from the PC fails with the following message:
root@mwam-5#reload allGlobal Reset: Unable to Initialize BootManager: Can't open device•
The MWAM needs persistent log files for debugging after a reload or crash.
•
The show log upgrade command displays the upgrade log of an AP upgrade when the user is in the MP. However the command does not display the upgrade log of an MP upgrade when the user is in the AP.
•
The show processor command on the PC should differentiate IOS reloads from the PC, user reloads, and unexpected reloads.
•
The MWAM cannot be shut down or reloaded. If a reload is issued, the module is eventually reset by the Supervisor; if a shutdown is issued, the module remains in the other state indefinitely.
•
After a Supervisor switchover, one or more MWAM processors fails to become active.
•
When NTP is used in MWAM processors for time sync, the time sync is lost with the NTP server on an MWAM reload. Individual processor reloading does not cause any problem.
Workaround: Remove and reconfigure NTP commands from the running configuration on all the processors.
Resolved Caveats—Cisco IOS Release 12.3(3)B1
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(3)B1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved SSG Caveats
•
SSG system shows tracebacks and reloads with unexpected exception, CPU signal 10, PC = 0x613F1C10.
This problem occurs when a user is cleared by CLI or disconnects by switching CPE off. Exact cause not yet known.
There are no known workarounds.
•
Unable to log into service on SSG.
This condition was caused by a password mismatch between SESM and SSG in the test setup.
•
SSG service re-authorization failure with after Quota Time expiry.
This problem occurs when SSG does not send re-authorization request after Quota Time expiry for connection with QT60, QV0 and Idle 0.
There are no known workarounds.
•
Unable to logon to tunnel and proxy service.
This condition was caused by a password mismatch between SESM and SSG in the test setup.
•
SSG unexpectedly reloads when logging in HO with chap authentication.
Workaround: Use only PAP authentication.
•
SSG unexpectedly reloads for proxy service authorization.
This problem occrus when SSG trys to allocate memory for proxy service authorization packet.
There are no known workarounds.
•
The SSG hangs (no console or telnet access) after data traffic is started. The SSG does not reload and must be power-cycled.
•
The SSG crashes during a TCP redirect for unauthenticated users.
•
With PZI60 and L60 in the service profile, the SSG sends Interim accounting updates alternatively to local and prepaid server.
There are no known workarounds.
•
A Cisco router with the SSG application may reload. This is noticed with Cisco MSID access request and when the access accept from a AAA is delayed and/or the access response does not contain CDMA Realm.
There are no known workarounds.
•
A Cisco router that terminates both PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA) sessions may fail to switch traffic downstream toward the subscriber via Cisco Express Forwarding (CEF) for a period of up to three minutes.
This symptom is observed when the PPPoE and PPPoA sessions use different virtual templates and when subinterfaces are enabled. The symptom may affect only some subscribers.
Workaround: Configure one virtual template for both PPPoE and PPPoA sessions.
First Alternate Workaround: Disable subinterfaces.
Second Alternate Workaround: Disable CEF.
•
The Calling-Station-Id is not sent in connection accounting records. This condition occurs for proxy service logon with MSISDN.
There are no known workarounds.
•
The wrong Calling-Station-Id is sent to the LNS during tunnel service creation. When a different Calling-Station-Id is received from the SESM for tunnel service logon, the SSG should use this Calling-Id for tunnel service creation with the LNS. However, the SSG is incorrectly sending the host logon calling-id to the LNS for tunnel creation.
There are no known workarounds.
•
The RADIUS attributes that contain the CALLING and CALLED numbers are not in the service account records.
There are no known workarounds.
•
When an HSRP SNMP query is performed on a router with an HSRP group configured on a subinterface, the router stops responding and eventually reloads. This action does not occur for HSRP groups configured on major interfaces.
Workaround: Do not initiate an SNMP query for HSRP.
•
When ip radius source-interface is configured on the PPP over Ethernet (PPPoE) server, the interface address is not set in the RADIUS NAS-IP-Address [4] attribute.
Workaround: Configure the command radius attribute 4 nrp. the problem can be circumvented. Hence not a show stopper.
•
If the number of sessions exceeds theconfigured session limit on the L2TP network server (LNS), subsequent session requests cause a memory leak in the L2TP management daemon.
There are no known workarounds.
•
Original problem (CSCeb65615): The PPP idle timer on a virtual access interface resets with uninteresting outbound traffic that is defined with the command ip idle-group <acl> out. The ACL that defines the uninteresting traffic finds no matches even though the output traffic is uninteresting. This problem was partially repaired in CSCeb65615. Remaining restrictions are resolved with CSCeb84730. These restrictions are:
–
–
–
•
The PPP timeout AAA inbound does not prevent outbound packets from resetting a per-user idle timer. This problem was partially resolved with CSCeb82500. Remaining problems are resolved with CSCec10191.
•
The SSG upstream counter statistics for the connection object are incorrect. This condition is observed when the SSG TCP redirect feature is enabled.
Workaround: Disable IP CEF (no ip-cache cef) on the downlink interface. Note: This action reduces packet throughput.
•
Accounting On packets that are sent by an Access Zone Router (AZR) that has had a cold restart (i.e., power is turned off and then on again) may not be acknowledged by an SSG. This symptom is observed on an SSG that is configured with a basic RADIUS proxy setting.
Workaround: Create a new RADIUS group, and configure the SSG to forward all accounting messages to this new RADIUS group.
Resolved MWAM Caveats
•
MWAM processors are reloaded when receiving traffic at 100 % processor capacity. The condition occurs when sending downstream traffic on processors configured in a cluster.
Workaround: Reduce the CPU from 100 % to 90 %.
•
The IOS on MWAM processors does not support NTP and other clock commands. The processors synchronize their clocks from the PC, which in turn synchronizes with the Supervisor clock. The Supervisor clock is linked to an NTP clock source.
When the clock value is displayed with show clock command both on the Supervisor and an MWAM processor, the values between the Supervisor and the processor clocks is off by a couple of seconds.
There are no known workarounds.
•
The MWAM processor/complex may reload when many VRFs are being configured/unconfigured and data flows to these networks are on.
There are no known workarounds.
•
Copying a file from bootflash: to bootflash: does not work on the MWAM.
Workaround: Copy to nvram: or tftp:.
•
If the ROMMON needs upgrading during configuration of the Remote Console and Logging (RCaL) on the MWAM, the user should be notified through a console message.
Resolved Caveats—Cisco IOS Release 12.3(3)B
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(3)B. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved SSG Caveats
•
SSG makes authorization requests towards a prepaid server even though the connection cannot be activated.
SSG makes a service authorization request towards OCS for a prepaid service, before it checks whether this service can be activated or not. The service authorization request causes the OCS (prepaid server) to deliver a quota, but if the quota cannot be used by the SSG, this unused quota is not returned to OCS for other active services. One reason why a service cannot be activated could be that the service is pointing to the same network as another service.
Workaround: Mark services with overlapping service networks as sequential or part of the a mutually exclusive service group so that user cannot log into both of them simultaneously.
•
A Cisco router that has a Quality of Service (QoS) service policy attached to an interface may generate memory alignment errors or reload unexpectedly because of a bus error during normal mode of operation.
This problem is observed when the policy map of the service policy has a set action configuration and when traffic is being processed.
Workaround: Remove the set action configuration from the policy map.
•
When VPDN session is terminated by PPP authentication failure, no VPDN syslog message (%VPDN-6-AUTHENFAIL) and history failure table are logged.
Cisco IOS software version 12.2(16)B, 12.3(1) VPDN logging is enable
There are no known workarounds.
•
SSG forwards accounting retransmits from RADIUS-clients to the AAA server and also does additional retransmits for each forwarded request.
When SSG is configured to forward accounting requests from RADIUS-clients, if the AAA server responds slowly, RADIUS clients retransmit the accounting requests. SSG forwards the accounting requests even though it is waiting for a response from the AAA server. However, for access-requests from RADIUS-clients, SSG does not forward retransmitted access-requests while waiting for a response from AAA server.
Workaround is to make the RADIUS-client (Radius timeout*Retry) time greater than SSG (Radius timeout*Retry) time.
•
The bug was reported on Catalyst 6000. Other platforms also may have this issue. In hybrid mode, when a reset [15/16] is issued from SP (CatOS, hybrid mode), the reload time displayed is very large.
The reload time displayed is right when a reload is issued from RP console.
There are no known workarounds.
•
Enhanced Interior Gateway Routing Protocol (EIGRP) hello messages may be sent from a virtual-access interface when they should not be sent.
This problem is observed on a Cisco router that has the passive-interface default or passive-interface virtual-template interface-number router configuration command enabled.
There are no known workarounds.
•
Auto-domain RADIUS-proxy user logon can crash the box.
This problem occurs if the primary service logon fails because of authentication. Any wrong tunnel parameters in the tunnel profile can crash the box.
Workaround: Configure correct tunnel parameters.
•
Configure the router to send accounting start and stop records for a exec connection and configure the following command: aaa accounting send stop-record authen fail.
Do a telnet to the router from any other router. Do not enter anything when it prompts to enter a username. After some time it timesout and reports"[Connection to <IP Addr> closed by foreign host]"
When the telnet connection timesout, two accounting stop records are generated.
There are no known workarounds.
•
RADIUS server is marked dead and does not show as "UP" after the deadtime interval has expired.
Two RADIUS servers are configured on LNS, one of them is marked as Dead during the bootup process because it was not able to respond to system accounting request.
When PPP sessions come up, LNS is still trying to send RADIUS request to dead RADIUS server but now it can access that AAA server because LNS builds up the routing information. LNS is getting responses back from the RADIUS server.
LNS is not changing the status of that RADIUS server to UP even after the elapse of configured dead time.
There are no known workarounds.
•
When SSG control error debugs are enabled, "Stale network routes" error message is displayed.
This happens if there are exclude networks ("E") configured in the service profile and if the user logon to this service and does a account logoff.
There are no known workarounds.
•
Virtual-access interface not freed when client session torn down.
Client session was momentarily disconnected and then re-connected.
There are no known workarounds.
•
The router unexpectedly reloads at sb_timer_intr_handler.
There are no known workarounds.
•
In Cisco IOS 12.3 B releases with CSCeb30098 integrated, LCP renegotiation at the L2TP Network Server after authentication has already completed causes the session to enter the wt-sss state (as seen in "show vpdn"). Unless the LAC tears down the session, the session may get stuck in the wt-sss state.
Workaround: Clear the L2TP tunnel that the stuck sessions are part of.
•
The set commands that are used with a service policy can cause a router to reload in some circumstances. The set cos policy-map class configuration command can cause reloads in addition to other set commands.
This problem may be observed with configurations that have a service policy with the set command on the interface.
There are no known workarounds.
•
User does not get connection to service, for a PPPoE user when logs in second time.
This problem is seen with the PBHK enabled and the PPP session is created as a non SSG PPP user session.
This problem is seen only in 12.3(3)B.
There are no known workarounds.
•
SSG hosts are not cleared when the PPP session for that user goes down.
Also the show ssg host command shows an error message that prints that memory is low. The show ssg host count shows that host count is -ve.
This happens under the following circumstances:
1. SSG binds the PPPoX interface dynamically as downlink (because "ssg direction downlink" has been configured under virtual-template interface mode)
2. user behind the PPPoX interface logs in through the web dashboard (SESM)
SSG host is not deleted when the PPP session goes down. Also when the host is deleted using "clear ssg host all", the host count becomes -ve.
Work-Around: Make sure that the condition#1 does not occur. This can be done by inserting a dummy ssg-account-info attribute in the access-accept of the PPPoX user. This dummy attribute can be: ssg-account-info "Nabracadabra"
•
A Cisco router terminating both PPPoE and PPPoA sessions may fail to CEF switch traffic downstream toward the user when different vtemplates are used for the two types of sessions and sub-interfaces are enabled. This problem may affect only a portion of the subscribers.
Workaround: Use one vtemplate for both types of sessions, disable sub-interfaces or disable CEF.
•
The input queue of the Gi0/0 interface on MWAM module, used by a sibyte processor running the SSG application, becomes full if a AAA server failure occurs. From that point on, no traffic is forwarded between the MSFC and the subinterfaces configured on Gi0/0 from within the SSG application on the sibyte (pings between MSFC and subinterfaces on Gi0/0 fail, etc.).
Workaround: Reset the MWAM module.
•
The router produces the error message:
%AAA-3-BADMETHODERROR: Cannot process authorization method SERVER_GROUPor the error message:
%AAA-3-BADMETHODERROR: Cannot process accounting method SERVER_GROUPfollowed by:
-Process= "AAA Server", ipl= XXX, pid= YYYwhere XXX and YYY are arbitrary integers greater than or equal to zero. The router then produces a traceback.
This problem is observed when you configure and then attempt to use an authorization or accounting method list which refers to a server group which contains no servers, and which has never contained any servers since the router booted.
For example, if you configured:
aaa authorization network default group radius but did not configure any RADIUS servers globally, you would see the error message every time a user attempted to perform network authorization.
Only 12.2B and 12.3B releases are affected.
Workaround: Make sure that the server group contains at least one server. To add a RADIUS server to the global group "radius", configure:
radius-server host <ipv4 address>
To add a tacacs+ server to the global group "tacacs+", configure:
tacacs-server host <ipv4 address>
To add a server to a RADIUS server group named "foo", configure:
aaa group server radius foo
server <ipv4 address>
To add a server to a tacacs+ server group named "bar", configure:
aaa group server tacacs+ bar
server <ipv4 address>
There are no known workarounds.
•
PPPoE sessions does not come up when some debugs are enabled in the LAC. This could possibly due to the additional time lag introduced by enabling the debugs in the LAC.
This happens when "lcp re-negotiation" is configured in the virtual-template in the LNS side.
There are no known workarounds.
•
SSG misbehaves (and often crashes) after total number of connections on the box become 64K.
This problem occurs when the number of connections on the box is 64K+.
Workaround: Keep the number of connections to less than 64K.
•
SSG does not forward user traffic to service for certain networks.
When a user is connected to a service with certain networks, upstream packets from user towards service are dropped.
The following error message are displayed if "debug ssg data" is enabled:
SSG-DATA: CEF-UPST: Unable to find adjacency. Punt (FastEthernet0/0 : 10.0.1.1->10.1.1.1)SSG-DATA: PROC-UPST : IDB is NULL. Drop (FastEthernet0/0 : 10.0.1.1->10.1.1.1)This happens when the destination address falls into a service network of0.0.0.0 with a non-zero netmask.Workaround: Replace the service network so that atleast one bit matches the destination address.
•
While using SSG, executing show align< indicates that a spurious memory access has occurred.
There are no known workarounds.
•
Some sessions may not come up with aa15snap encap.
There are no known workarounds.
•
Abnormal termination of "show vpdn" output results in spurious access.
Normal config and unconfig does not result in spurious access
There are no known workarounds.
•
AVP 31 (Calling-station-id) is missing from accounting records to prepaid server when SSG RADIUS-proxy users are accessing prepaid service. It happens only when no explicit calling station id is available to SSG.
This problem happens only if:
–
–
–
This problem was first reported on Cisco 7200 platform but same exists on all Cisco platforms supporting SSG functionality.
There are no known workarounds.
•
The accounting of input and output bytes/packets for a service connection is not correct. Only upstream traffic is accounted for that service access whereas downstream traffic from that service would be accounted for another service connection.
Could be seen when a user does autologon to 2 no-NAT/passthrough services.
There are no known workarounds.
•
SSG Crashes at ssg_search_conn.
Downstream traffic to a ssg host logged onto a proxy NATed service. This happens after a host logs off a service and immediately same/another host with same NATed IP address logs on to the proxy NATed service.
There are no known workarounds.
•
Memory leak was observed on 3745 platform.
Mem-leak is seen when SSG subscriber access his SOHO and the user is logged on to a Tunnel service.
There are no known workarounds.
•
For each authorization retry in timeout quota in SSG traceback at ServiceAuthorize() is seen.
There are no known workarounds.
•
Traceback is noticed for each login/logout of SSG user.
There are no known workarounds.
•
Spurious memory access when user logoff from the prepaid service.
This problem is seen only in the 12.3(3)B image.
There are no known workarounds.
•
SSG box crashes with __terminate trace.
This can happen if the box is running out of memory and TCP-Redirect is configured.
There are no known workarounds.
•
Real IP assigned by service for an ssg connection is sent as framed-ip attribute in the access-accept to SESM.
When a service (proxy or tunnel) assings an IP Address for a connection SSG send it to the SESM in response to the service logon request in the framed-ip attribute. This hides the framed-ip of the host in the access-accept.
There are no known workarounds.
•
Any new Access Requests from NAS(GGSN) are not processed by SSG when SSG_dummy_pool fills up.
SSG_dummy_pool fills up when SSG is honoring an Acct-on/Accounting Off along with an accounting stop throttle configuration. Any new Access-Requests from NAS(GGSN) can create this condition.
Workaround: Unconfig and config "ssg radius-proxy" OR a Reload of SSG cleans up this pool.
•
If the Connection to the LNS fails (due to LNS Reboot or redundant LNS-Failover) the SSG needs a long time to send L2TP HELLO packets to tear down control connection and re-establish tunnel to redundant LNS. During this period several L2TP-HELLOs are sent to the LNS.
Resolution:
The SSG supports vpdn-group names in the SSG tunnel service profile. The L2TP-specific configuration (e.g., tunnel gateway address, tunnel password, etc,) can be configured in the vpdn-group on the device; only the group name needs to be specified in the service profile.
The SSG uses this vpdn-group name in the service-profile to retrieve the VPDN configuration and set up the tunnel session. This enables the SSG to support all L2TP tunnel parameters configurable within the VPDN group command for setting up tunnel sessions.
The service-profile for the tunnel service accepts the following Cisco Generic VSA:
cisco-generic = "vpdn:group-name=<name>"The following is a sample configuration:
a.
cisco-generic = "vpdn:group-name=tunnel_corp"ssg-service-info = "R10.0.0.0;255.255.0.0"b.
vpdn enablevpdn-group tunnel_corprequest-dialinprotocol l2tpinitiate-to ip 10.1.1.1Resolved MWAM Caveats
•
Unable to display the name of the MWAM image from the Supervisor console.
Workaround: Use the show version command to view the IOS image from the MWAM processor.
•
Cannot copy a file to the bootflash of MWAM CPU with an existing name.
An attempt to copy a file to the bootflash:partition of an MWAM processor with a destination filename that already exists on this partition fails. A copy cannot be made to a file that already exists. The following error message is displayed:
%Error opening bootflash:/running-config (File exists)Workaround: Delete the file before attempting to overwrite an existing file.
•
MWAM traffic shaping does not function with MWAM Gigabit Ethernet interfaces. Traffic shaping configurations on MWAM gig0/0 interface has no effect. The driver for MWAM gig0/0 interface does not support traffic shaping.
Workaround: There is currently no known workaround.
•
When an MWAM is removed from a slot, the MWAM configuration files remain with the MWAM. A replacement MWAM in the same slot must then be fully reconfigured. Also, when an MWAM is moved from one slot to another, the configuration files move with the MWAM instead of being associated with the original slot.
Workaround: Follow the steps provided below:
a.
b.
c.
copy tftp://server_name/file_name running-configcopy running-config startup-config
Note
•
SNMP query for variable chassisType(1.3.6.1.4.1.9.3.6.1) returns -1 for MWAM module.
Workaround: There is currently no known workaround.
•
Issuing the copy running-config startup-config command from the MWAM console fails to write the configuration to the standby Supervisor module.
Workaround: Two workarounds are available:
a.
b.
•
When a chassis is reloaded and contains multiple MWAMs that are running in the Supervisor configuration mode (i.e., MWAM configurations stored on the Supervisor bootflash), some of MWAM processors may not receive their configurations from the Supervisor bootflash.
Workaround: Two workarounds are available:
a.
b.
MIBs
No new or modified MIBs are supported by the Cisco MWAM.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Related Documentation
The following sections describe the documentation available related to the Cisco Multiprocessor WAN Application Module. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, and other documents.
Documentation is available as printed manuals or electronic documents.
Platform-Specific Documents
These documents are available for the Catalyst 6500/Cisco 7600 series platforms on Cisco.com and the Documentation CD-ROM:
•
•
–
–
–
•
–
–
–
Catalyst 6500 Series Switch Documentation is available at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/index.htm
Cisco 7600 Series Routers Documentation is available at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_installation_guides_books_list.html
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
•
http://www.cisco.com/cgi-bin/order/order_root.pl
•
http://www.cisco.com/go/subscription
•
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
•
•
•
•
•
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
•
•
•
•
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before you call, check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, have your service agreement number and your product serial number available.
Posted: Mon Oct 4 06:04:03 PDT 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
