Release Notes for Cisco CSR 1000v Series, Cisco IOS XE 3S
Last Updated: 2/13/18
These release notes provide information about Cisco CSR 1000v Series Cloud Services Routers, for Cisco IOS XE 3S releases—through Cisco IOS XE 3.17S.
The Cisco CSR 1000v Cloud Services Router provides a cloud-based virtual router that is deployed on a virtual machine (VM) instance on x86 server hardware. The Cisco CSR 1000v router is a virtual platform that provides selected Cisco IOS XE security and switching features on a virtualization platform.
When the Cisco CSR 1000v virtual IOS XE software is deployed on a VM, the Cisco IOS software functions just as if it were deployed on a traditional Cisco hardware platform. You can configure different features depending on the supported Cisco IOS XE software image. The Cisco CSR 1000v supports a subset of Cisco IOS XE software features and technologies.
The Cisco CSR 1000v provides secure connectivity from the enterprise premise (such as a branch office or data center) to the public or private cloud.
Cisco IOS XE 3S Releases and Cisco IOS Release Number Mapping
The Cisco CSR 1000 Series Cloud Services Routers releases correspond to the Cisco IOS XE releases. For example, Cisco IOS XE Release 3.13(0) is the software release for Cisco CSR 1000v Series Cloud Services Routers Release 3.13.0S.
lists the mappings between the Cisco IOS XE 3S releases and their associated Cisco IOS releases.
Table 1 Cisco IOS XE 3S–to–Cisco IOS Release Number Mapping
The following sections describe the system requirements for the Cisco CSR 1000v Series Cloud Services Routers.
For installation and hardware requirements, see the
The Cisco CSR 1000v router is a virtual machine, and can be supported on selected x86 hardware.
The following are the minimum requirements for the Cisco IOS XE 3.8S and 3.9S releases.
The Cisco CSR 1000v router VM:
– 4 virtual CPUs
– 4 GB RAM
– 8 GB Hard Drive
PC running the VMware vSphere Client 5.0
Server running VMware ESXi 5.0
– CPU: Intel Nehalem or later is required.
– Hardware Compatibility: Must be listed as supported on the VMware Hardware Compatibility List.
The Cisco CSR 1000v is supported on all Cisco UCS servers.
lists the Cisco UCS and non-Cisco servers that have been tested for compatibility.
Table 2 Servers Tested with Cisco CSR 1000v Release 3.9(0)S
UCS B230 M2
UCS C220 M3
UCS C210 M2
UCS C200 M2
UCS B22 M3
HP ProLiant DL180G6
Dell R720 with Xeon E5-2660
Note Cisco UCS B230-M2, B440-M2, C260-M2, and C460-M2 servers with Intel Westmere-EX CPUs require UCS release 2.0(4) or later.
– Memory: 16GB DDR3 or higher
– Hard Drive: 100GB or higher
– Network Cards: 1 Gbps (3 or higher)
– The minimum clock rate supported is 1.9 GHz
Note The Cisco CSR 1000v router supports a maximum of 10 vNICs (the maximum supported by ESXi 5.0)
Beginning with Cisco IOS XE Release 3.15S, the Cisco CSR 1000v supports activation using Cisco Smart Licensing. To use Cisco Smart Licensing, you must first configure the Call Home feature and obtain Cisco Smart Call Home Services. For more information, see the
Evaluation license availability depends on the software version:
(Cisco IOS XE 3.12S and earlier) Evaluation licenses valid for 60 days are bundled with the software image. The evaluation license is for the Premium technology package.
For instructions on activating the evaluation license, see the
section of the
(Cisco IOS XE 3.13S and later) Evaluation licenses valid for 60 days are available at the Cisco Software Licensing (CSL) portal:
http://www.cisco.com/go/license
The following evaluation licenses are available:
– AX technology package license with 50 Mbps maximum throughput
– APPX technology package license with 10 Gbps maximum throughput
If you need an evaluation license for the Security technology package, or for an AX technology package with higher throughput, contact your Cisco service representative.
For instructions on obtaining and installing evaluation licenses, see the
section of the
Cisco CSR 1000v software licenses are divided into feature set licenses. Supported feature licenses depend on the release.
Legacy License Types
Three legacy technology packages (Standard, Advanced, and Premium) were replaced in Cisco IOS XE Release 3.13 with the IPBase, Security, and AX technology packages.
The following feature sets are supported in Cisco IOS XE 3.12S and earlier:
Standard Package: Basic Networking Routing (Routing, HSRP, NAT, ACL, VRF, GRE)
Advanced Package: Standard package + Security features (IP Security VPN, Firewall, MPLS, Multicast, QoS)
Premium Package: Standard package + Security features + Advanced Networking features (AppNav, AVC, OTV and LISP)
Current License Types
The following feature sets are supported beginning in Cisco IOS XE 3.12.1S:
IPBase: Basic Networking Routing (Routing, HSRP, NAT, ACL, VRF, GRE)
The IPBase package replaces the Standard package (legacy).
Security: IPBase package + Security features (IP Security VPN, Firewall, MPLS, Multicast, QoS)
The Security package replaces the Advanced package (legacy).
AX: IPBase package + Security features + Advanced Networking features (AppNav, AVC, OTV and LISP)
The AX package replaces the Premium package (legacy).
Note Cisco recommends using the IPBase, Security, or AX technology packages for compatibility with future releases. All technology packages support the same throughput maximums as the similar feature sets in earlier releases.
The following feature set is supported beginning with Cisco IOS XE 3.13S:
APPX Package: IPBase package + Advanced Networking features - Security features (IP security features not supported)
Features Supported by License Packages
For more information about the Cisco IOS XE technologies supported in the feature set packages, see the overview chapter of the
Throughput
The Cisco CSR 1000v router provides both perpetual licenses and term subscription licenses that support the feature set packages for the following maximum throughput levels:
Throughput levels are supported for different feature set packages in each version. For more information about how the maximum throughput levels are regulated on the router, see the
Memory Upgrade
Beginning with Cisco IOS XE 3.11S, a memory upgrade license is available to add memory to the Cisco CSR 1000v. This license is available only for selected technology packages.
Additional Information about Licenses and Activation
For more information about each software license, including part numbers, see the
. For more information about the standard Cisco IOS XE software activation procedure, see the
The Cisco CSR 1000v .ova installation file nomenclature provides information about a given release. The following are examples of filenames for .ova installation files:
Standard release (note “std” in the filename)
csr1000v-universalk9.03.15.00.S.155-2.S-std.ova
Extended maintenance support release (note “ext” in the filename)
csr1000v-universalk9.03.16.00.S.155-3.S-ext.ova
lists the attributes and the release properties indicated.
Table 3 OVA Installation Filename Attributes
Example: universalk9
Indicates the installed image package.
03.16.00.S.155-3.S
Indicates that the software image is for the Cisco IOS XE 3.16.0S release image, mapped to 15.5(3) in the alternate release numbering system.
std or ext
Standard release or extended maintenance support release
Indicates that the software image supports 4 CPUs on the VM.
Indicates that the software image requires 4 GB memory on the VM.
Indicates that the .ova image installs 3 vNICs. Note The Cisco CSR 1000v supports up to 10 vNICs in Cisco IOS XE 3.9S. The .ova installation process installs 3 vNICs. The remaining vNICs must be manually installed on the VM.
Indicates that the software image requires an 8 GB hard disk.
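The filename attributes above can be checked mechanically when auditing an image store. The following Python sketch is an added example, not Cisco code: it parses the filename layout shown in the two examples, compares the embedded Cisco IOS number with the release equivalents listed in these notes (3.14 to 3.17 only), and reports whether the release falls at or after the ones for which these notes state that REST API support is limited to TLS (3.13.2, 3.14.1, 3.15). The optional rebuild suffixes accepted by the pattern and all function names are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Layout taken from the two example filenames in these release notes:
#   csr1000v-<package>.<MM>.<mm>.<rr>.S.<IOS token>-<std|ext>.ova
# Assumption: rebuild images may carry a letter/number suffix (e.g. "S1");
# the page itself shows only the plain ".S" form.
_OVA_RE = re.compile(
    r"^csr1000v-(?P<package>[a-z0-9]+)"
    r"\.(?P<major>\d{2})\.(?P<minor>\d{2})\.(?P<rebuild>\d{2})(?P<letter>[a-z]?)\.S"
    r"\.(?P<ios_a>\d{2})(?P<ios_b>\d)-(?P<ios_c>\d+)\.S(?P<ios_suffix>[0-9a-z]*)"
    r"-(?P<support>std|ext)\.ova$"
)

# Release number equivalents exactly as listed in these notes.
XE_TO_IOS = {
    (3, 14): "15.5(1)",
    (3, 15): "15.5(2)",
    (3, 16): "15.5(3)",
    (3, 17): "15.6(1)",
}

SUPPORT = {"std": "standard", "ext": "extended maintenance"}


class OvaInfo(NamedTuple):
    package: str       # e.g. "universalk9"
    xe_release: tuple  # (major, minor, rebuild), e.g. (3, 16, 0)
    xe_label: str      # e.g. "3.16.0S"
    ios_release: str   # e.g. "15.5(3)"
    support: str       # "standard" or "extended maintenance"


def parse_ova_name(name: str) -> Optional[OvaInfo]:
    """Return the attributes encoded in an .ova filename, or None if the
    name does not follow the documented layout."""
    m = _OVA_RE.match(name)
    if m is None:
        return None
    release = (int(m["major"]), int(m["minor"]), int(m["rebuild"]))
    label = f"{release[0]}.{release[1]}.{release[2]}{m['letter']}S"
    ios = f"{int(m['ios_a'])}.{m['ios_b']}({m['ios_c']})"
    return OvaInfo(m["package"], release, label, ios, SUPPORT[m["support"]])


def ios_mapping_consistent(info: OvaInfo) -> Optional[bool]:
    """Compare the IOS number in the filename with the equivalents table.
    Returns None when the release train is not listed in these notes."""
    expected = XE_TO_IOS.get(info.xe_release[:2])
    if expected is None:
        return None
    return info.ios_release == expected


def rest_api_tls_only(info: OvaInfo) -> bool:
    """True if the release is 3.13.2 or later in the 3.13 train, 3.14.1 or
    later in the 3.14 train, or 3.15 and later (this example's reading of
    the statement in these notes)."""
    major, minor, rebuild = info.xe_release
    if major != 3:
        return False  # outside the scope of these release notes
    if minor >= 15:
        return True
    if minor == 14:
        return rebuild >= 1
    if minor == 13:
        return rebuild >= 2
    return False


def audit(names):
    """Summarise a list of filenames as (name, label, consistent, tls_only)."""
    rows = []
    for name in names:
        info = parse_ova_name(name)
        if info is None:
            rows.append((name, None, None, None))
        else:
            rows.append((name, info.xe_label,
                         ios_mapping_consistent(info), rest_api_tls_only(info)))
    return rows


if __name__ == "__main__":
    samples = [
        "csr1000v-universalk9.03.15.00.S.155-2.S-std.ova",   # from the page
        "csr1000v-universalk9.03.16.00.S.155-3.S-ext.ova",   # from the page
        "csr1000v-universalk9.03.16.00.S.155-2.S-ext.ova",   # constructed: wrong IOS number
        "csr1000v-universalk9.03.13.01.S.154-3.S1-std.ova",  # constructed: older rebuild
        "csr1000v-universalk9.ova",                          # constructed: no release fields
    ]
    for row in audit(samples):
        print(row)
```

A `False` in the consistency column means the two release numbers in the name disagree, which is a reason to verify where the file came from before deploying it.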
(Cisco IOS 3.13.0S) The Cisco CSR 1000v has a limit of 4096 IDBs (Interface Descriptor Blocks). This limits the total number of hardware and software IDBs at any one time to 4096.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12S.
Microsoft Hyper-V has issues with tagged packets, so VLAN (dot1Q and QinQ) will not work on Microsoft Hyper-V.
When the Cisco CSR 1000v is installed on Microsoft Hyper-V, the interface numbers can change after Microsoft Hyper-V fails over to a new server, or restarts after a live migration.
– If the server is set to perform ungraceful failover, there is no workaround.
– If the server is set to perform graceful failover or restart, enter the clear platform software vnic-if nvtable command before executing the failover or restart.
This issue is not seen if the maximum number of interfaces is configured.
On Citrix XenServer 6.1, the paravirtual drivers for the CSR 1000v will not work without a certain hot-fix for the XenServer host. This is detrimental to performance. Use the following hot-fix to make sure that the VM loads with the proper paravirtual networking drivers:
Verify that the proper drivers are installed using the following command:
show platform software vnic-if interface-mapping
The driver listed should be vif if the correct drivers are in use.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.10S.
Configuring Network Based Application Recognition (NBAR), or Application Visibility and Control (AVC) support on the Cisco CSR 1000v requires a minimum of 4GB DRAM on the VM, even when using the 1 vCPU configuration on the VM.
On the Cisco CSR 1000v, all the NICs are logically named as the Gigabit Ethernet interface. The Cisco CSR 1000v does support the 10G IXGBE vNIC, but that interface is also logically named as a Gigabit Ethernet interface. Note that with emulated devices like VMXNET3/PV/VIRTIO from the hypervisor, the Cisco CSR 1000v is not aware of the underlying interfaces. The vSwitch may be connected to a 10 GB physical NIC or 1 GB physical NICs or multiple NICs (with NIC teaming on the hypervisor) as well.
The following limitations have been observed on the Cisco CSR 1000v with the 1 vCPU configuration with 2.5 GB of RAM allocation on VMware ESXi:
– If the memory Hot-Add option is enabled, and the Cisco CSR 1000v is powered on with 2.5 GB initial memory, then the RAM allocation can only increase to a maximum of 3 GB. The system does not allow upgrading to more than 3 GB of RAM allocation. The Virtual Machine Properties window shows “Maximum Hot-Add Memory for this Power is 3 GB”.
– If the Cisco CSR 1000v is powered on with 3 GB initial RAM allocation, then the Hot-Add memory option doesn't work, and the option to select memory remains greyed out with the same message on the Properties window, “Maximum Hot-Add Memory for this Power is 3 GB”.
– If the Cisco CSR 1000v is powered up with 4GB initial RAM allocation, then the Hot-Add option works and you are able to add up to 64 GB of memory.
This section lists limitations and restrictions on the Cisco CSR 1000v Series Cloud Services Router.
You may experience low virtual network I/O performance with an Intel 1 Gbps NIC using the igb driver. Cisco recommends that you use a 10 Gb NIC for higher throughput applications. For more information, see the VMware document at the following location and apply the settings:
The ESXi host power management policy should be set to High Performance. If this power management policy is not set, the Cisco CSR 1000v VM will crash due to the High Availability stuck thread detection not seeing the core running the data plane/ppe run for an extended period of time.
For up-to-date information, see:
Several new APIs have been added to the IP SLA resource of the REST API. See
for details.
Added support for VMware ESXi 6.0.
Note Cisco IOS XE 3.16.1S and later also support VMware ESXi 6.0.
Added support for Red Hat Enterprise Linux 7.1.
Specific to Red Hat Enterprise Linux: when launching the Cisco CSR 1000v in a Red Hat Enterprise Linux environment using virt-install, set the host mode as follows:
In Red Hat Enterprise Linux 6, use:
--cpu host
In Red Hat Enterprise Linux 7, use:
--cpu host-model
For additional information about deployment in a KVM environment, see
When installing the Cisco CSR 1000v software image, the default setting is to use the Virtual VGA console. In some previous releases, the default setting was Automatic Console Detection. See
For up-to-date information, see:
Beginning with Cisco IOS XE Releases 3.16S, the Cisco CSR 1000v supports Connectionless Network Service (CLNS). Requires the IPBase license package. For information, see the
Beginning with Cisco IOS XE Releases 3.16S, the CSR supports several modes of communication between vNICs and the physical hardware:
Para Virtual
PCI Passthrough
Single Root I/O Virtualization (SR-IOV)
Cisco Virtual Machine Fabric Extender (VM-FEX)
For information, see the
For up-to-date feature information, see the
Beginning with Cisco IOS XE Release 3.15S, the Cisco CSR 1000v supports activation using Cisco Smart Licensing. To use Cisco Smart Licensing, you must first configure the Call Home feature and obtain Cisco Smart Call Home Services. For more information, see the
Beginning with Cisco IOS XE Releases 3.13.2, 3.14.1, and 3.15, REST API and Cisco Prime Network Services Controller (PNSC) support is limited to TLS.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.14.0S that are specific to this platform. For more information, see the
For information, see:
Currently released under Controlled Availability terms.
Beginning with Cisco IOS XE 3.14.0S, the Cisco IOS XE REST API supports:
IPv6 addressing on an interface
Beginning with Cisco IOS XE Releases 3.13.2, 3.14.1, and 3.15, REST API and Cisco Prime Network Services Controller (PNSC) support is limited to TLS.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.13.0S that are specific to this platform. For more information about these features, see the
Beginning with Cisco IOS XE 3.13.0S, the APPX license package provides support for the feature set supported in the Standard or IPBase license package, plus the feature set available in the AX package, but does not include support for security features (IPSec VPN, DMVPN, GETVPN, EZVPN, FlexVPN, SSLVPN).
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports the Broadband Network Gateway feature set. This feature requires the L-CSR-BB-1K= feature add-on license. For more information, see the
Ethernet-based deployments only (PPPoE and IPoE) are supported. Note that the following features are not supported in this release:
ATM-related features such as PPPoA, PPPoEoA
GTP versions 1 and 2
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports the Intelligent Services Gateway feature set. This feature requires the L-CSR-BB-1K= feature add-on license. Initial support will be for Wireless deployments in Hospitality environments. For more information, see the
Beginning with Cisco IOS XE 3.13.0S, the Common OVF Tool (COT) is bundled with the Cisco CSR 1000v. The Common OVF Tool is an open-source tool for editing Open Virtualization Format (.ovf,.ova) virtual appliances such as the Cisco CSR 1000v. For more information, see the tool documentation at:
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v can perform as a Performance Router Master Controller. For more information, see the
Beginning with Cisco IOS XE 3.13.0S, the platform hardware throughput monitor can be used to monitor the platform's current throughput and receive a notification when the maximum allowable throughput level is close to being reached. The set platform hardware throughput-monitor command configures the percentage of throughput at which you are notified, and the interval for how often the router checks the throughput rate.
Beginning with Cisco IOS XE 3.13.0S, the management virtual services container used for REST API support can share the same IP address as the router’s management interface. In previous releases, a separate IP address had to be allocated specifically for the virtual services container. In this release, this feature is supported for the virtual services container when used for REST API, but is not supported when the virtual services container is used for Cisco Prime Network Services Controller (PNSC) support.
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports Single Root I/O virtualization (SR-IOV) on VMware ESXi and Microsoft Hyper-V. No additional configuration is required on the Cisco CSR 1000v, but the host hardware must support the Intel VT-d or AMD IOMMU specification.
Beginning with Cisco IOS XE 3.13.0S, the Cisco CSR 1000v supports new or modified REST APIs in the following functional areas:
Save Configuration
L2 Interfaces
Bridge Domain
VRF-Aware DNS
VRF Routing Table
VPN site-to-site interface state
For more information, see the
This section describes new features in Cisco IOS XE 3.13.0S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
PPPoE Client
For detailed information, see the following documentation:
Appnav and EZconfig Enhancements
For detailed information, see the following Cisco site:
Flexible NetFlow Export of TrustSec fields
For detailed information, see the following Cisco site:
Group Encrypted Transport VPN Key Server on CSR
For detailed information, see the following Cisco site:
LISP Multicast
For detailed information, see the following Cisco site:
NBAR2 Integrated Protocol Pack 9.0.0
For detailed information, see the following Cisco site:
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12.1S. For more information about these features, see the
Beginning with Cisco IOS XE 3.12.1S, the following technology package licenses are supported:
For more information, see the .
Beginning with Cisco IOS XE 3.12.1S, the Cisco CSR 1000v supports SSL VPN. For more information, see the
The Cisco IOS XE SSL VPN Support feature is only supported on the Cisco CSR 1000v in this release.
Beginning with Cisco IOS XE 3.12.1S, the Cisco CSR 1000v supports Single Root I/O virtualization (SR-IOV) to provide improved throughput for selected hypervisors. In this release, SR-IOV is supported for Citrix XenServer and KVM only. No additional configuration is required on the Cisco CSR 1000v, but the host hardware must support the Intel VT-d or AMD IOMMU specification.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.12S that are specific to this platform. For more information about these features, see the
Beginning with Cisco IOS XE 3.12S, Cisco CSR 1000v licenses based on higher maximum supported throughput levels are available. You can purchase licenses to support maximum throughput levels of 2.5 Gbps and 5 Gbps. For more information, see the
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation on the Microsoft Hyper-V hypervisor. The supported hypervisor version is Windows Server 2012 R2.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation on VMware ESXi 5.5.
Note VMware ESXi 5.5 update 3 is not supported at this time.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v supports installation of a KVM instance on OpenStack.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v offers a configuration option that uses 8 virtual CPUs (vCPUs) for VMware ESXi only.
Beginning with Cisco IOS XE Release 3.12S, the Cisco CSR 1000v supports managing the router using Cisco Configuration Professional. The minimum version required is Cisco Configuration Professional 2.8. For more information, see the
documentation.
Beginning with Cisco IOS XE 3.12S, the Cisco CSR 1000v REST API supports the following APIs:
VRF aware DHCP
– DHCP excluded address
– DHCP pool
– DHCP bindings
VRF aware Site-to-Site VPN
– Keyring
– Statistics
– IKE Profile
Site-to-Site VPN Tunnel Extension to support MTU
For more information, see the
This section describes new features in Cisco IOS XE 3.12S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
Object Groups for ACLs
For detailed information, see the following Cisco document:
onePK Support
For detailed information, see the following Cisco site:
Packet Classification using Frame-Relay DLCI Number
For detailed information, see the following Cisco document:
Support of AES-GCM as an IKEv2 cipher on IOS
For detailed information, see the following Cisco document:
TrustSec Interface & Subnet to SGT mapping
For detailed information, see the following Cisco document:
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.11S that are specific to this platform. For more information about these features, see the
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v offers a configuration option that uses 2 virtual CPUs (vCPUs).
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v provides a memory upgrade license to add up to 8 GB memory with route reflector support for the 500 Mbps maximum Premium package. For more information, see the .
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v supports deployment on an Amazon Machine Image (AMI). You can deploy a Bring Your Own License (BYOL) AMI using a license purchased from Cisco. For more information, see the
This release provides VxLAN (Virtual eXtensible Local Area Network) Layer 2 and Layer 3 support on the Cisco CSR 1000v. VxLAN is a technology that provides a Layer-2 overlay network, allowing for network isolation. The standard 802.1q VLAN implementation limits the number of tags to 4,096. However, cloud service providers may want to operate more than 4,096 virtual networks. VxLAN uses a 24-bit network ID, which allows for a much larger number of individual identified networks to be operated.
For more information, see the
Beginning with Cisco IOS XE 3.11S, the Cisco IOS XE REST API (formerly called the Cisco CSR 1000v REST API) supports the following technologies:
The following REST APIs have been modified in this release:
Global parameters
For more information, see the
Beginning with Cisco IOS XE 3.11S, the Cisco CSR 1000v supports remote management of the router using Cisco Prime Network Services Controller. For more information, see the
documentation.
This section describes new features in Cisco IOS XE 3.11S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
The following feature has been updated in the Cisco IOS XE 3.11.1 release.
Dropping TCP Packets During Router Reboot Process in AppNav Controller Group Scenario
For AppNav Controller Group (ACG) scenarios, a new CLI (service-insertion acg-reload-delay) provides a time delay before enabling WAN traffic for a router that has just rebooted. During the delay, the router drops all TCP packets passing through the WAN interface. This enables the router to synchronize flows before traffic is enabled, preventing unintended resetting of connections.
For detailed information, see the following Cisco document:
Cisco Application Visibility and Control (AVC) Support in Cisco IOS XE 3.11S:
For detailed information, see the following Cisco document:
Disjoint LISP RLOC Domains Support
For detailed information, see the following Cisco document:
Enabling ALGs and AICs in Zone-Based Policy Firewalls
For detailed information, see the following Cisco document:
FNF: Prevent Export Storms
For detailed information, see the following Cisco document:
IOS IKEv2 support for AutoReconnect feature of AnyConnect
For detailed information, see the following Cisco document:
IP Tunnel - GRE Key Entropy Support
For detailed information, see the following Cisco document:
IPV4 ACL Chaining Support
For detailed information, see the following Cisco document:
ISIS - Remote LFA FRR
For detailed information, see the following Cisco document:
LISP ESM Multihop Mobility
For detailed information, see the following Cisco document:
MPLS VPN over mGRE
For detailed information, see the following Cisco document:
NBAR2 Integrated Protocol Pack 6.0.0
For detailed information, see the following Cisco document:
OSPF LFA IPFRR Phase 3
For detailed information, see the following Cisco document:
Per Tunnel QoS for DMVPN
For detailed information, see the following Cisco document:
TCP MSS Adjustment
For detailed information, see the following Cisco document:
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.10S that are specific to this platform. For more information about these features, see the
Beginning with Cisco IOS XE 3.10S, Cisco CSR 1000v licenses based on higher maximum supported throughput levels are available. You can purchase licenses to support a maximum throughput level of 100 Mbps, 250 Mbps, 500 Mbps, or 1 Gbps. The maximum throughput licenses for 10 Mbps and 50 Mbps introduced in Cisco IOS XE 3.9S the throughput licenses for 25 Mbps are no longer supported. For more information, see the
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v offers a low footprint configuration option that requires only 1 virtual CPU (vCPU) and 2.5 GB memory. This option is only supported on VMware ESXi.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports installation on the Citrix XenServer hypervisor, version 6.02.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports installation on the following KVM-based hypervisors:
KVM hypervisors based on Red Hat Enterprise Linux 6.3 and QEMU 0.12
Red Hat Enterprise Virtualization 3.1
Beginning with Cisco IOS XE 3.10S, the following VMware ESXi 5.0 features are supported on the Cisco CSR 1000v Cloud Services Router:
Distributed Resources Scheduler
Fault Tolerance
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v supports VMware ESXi 5.1.
Beginning with Cisco IOS XE 3.10S, the Cisco CSR 1000v provides support for RESTful APIs as an alternative to configuring the router using the Cisco IOS XE CLI. The REST API support is limited to the following technologies:
Token-services
Host-name, Domain-name, local-users, running-config, DNS servers, NTP
Routing (OSPF, BGP, EIGRP)
ACL (IOS extended ACL)
ZBFW (Zone Based Firewall)
IPSEC site-to-site VPN
Monitoring
Memory, CPU & Syslog
Note that IPv6 is not currently supported for the REST API. The Cisco CSR 1000v only supports the REST APIs over an HTTPS connection.
For more information, see the
The following Cisco IOS XE technologies are supported on the Cisco CSR 1000v Series Cloud Services Router beginning in Cisco IOS XE 3.10S:
Overlay Transport Virtualization (OTV)
Virtual Private LAN Service (VPLS)
This section describes new features in Cisco IOS XE 3.10S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
The following feature has been updated in the Cisco IOS XE 3.10.2 release.
Dropping TCP Packets During Router Reboot Process in AppNav Controller Group Scenario
For AppNav Controller Group (ACG) scenarios, a new CLI (service-insertion acg-reload-delay) provides a time delay before enabling WAN traffic for a router that has just rebooted. During the delay, the router drops all TCP packets passing through the WAN interface. This enables the router to synchronize flows before traffic is enabled, preventing unintended resetting of connections.
For detailed information, see the following Cisco document:
Cisco Application Visibility and Control (AVC) Support in Cisco IOS XE 3.10S:
For detailed information, see the following Cisco document:
TrustSec SGT Handling: L2 SGT imposition and forwarding
For detailed information, see the following Cisco document:
IOS-XE GTP TEID based ECMP
For detailed information, see the following Cisco document:
The following sections list the new features that are supported by the Cisco CSR 1000v Cloud Services Routers for Cisco IOS XE 3.9S.
This section describes the new features supported on the Cisco CSR 1000v Series Cloud Services Router in Cisco IOS XE 3.9S that are specific to this platform. For more information about these features, see the
Beginning with Cisco IOS XE 3.9S, Cisco CSR 1000v licenses are based on the maximum supported throughput level. You can purchase licenses to support a maximum throughput level of 10 Mbps, 25 Mbps, or 50 Mbps. For more information, see
The following Cisco IOS XE technologies are supported on the Cisco CSR 1000v Series Cloud Services Router beginning in Cisco IOS XE 3.9S:
IP Multicast
Application Visibility Control (AVC)
Network Based Application Recognition (NBAR)
The following VMware ESXi 5.0 features are supported on the Cisco CSR 1000v Cloud Services Router beginning in Cisco IOS XE 3.9S:
Host-Level High Availability
VM-Level High Availability
Distributed vSwitch
NIC Teaming
NIC Load Balancing
Mount or Pass Through of USB Storage
The following CLI commands specific to the Cisco CSR 1000v have been added in Cisco IOS XE 3.9S:
platform hardware throughput level
show platform hardware throughput level
The following CLI command specific to the Cisco CSR 1000v has been deprecated in Cisco IOS XE 3.9S:
license feature csr
This section describes new features in Cisco IOS XE 3.9S that are supported on the Cisco CSR 1000v Series Cloud Services Router and on other platforms.
This section provides information about the caveats in Cisco CSR 1000v Series Cloud Services Routers Release 3S. Caveats describe unexpected behavior. Severity 1 caveats are the most serious caveats. Severity 2 caveats are less serious. Severity 3 caveats are moderate caveats. This section includes severity 1, severity 2, and selected severity 3 caveats.
We recommend that you view the field notices for the current release to determine whether your software or hardware platforms are affected. You can access the field notices from the following location:
In this section, the following information is provided for each caveat:
Symptom—A description of what is observed when the caveat occurs.
Conditions—The conditions under which the caveat has been known to occur.
Workaround—Solutions, if available, to counteract the caveat.
Note If you have an account on Cisco.com, you can also use the Bug Search Tool (BST) to find select caveats of any severity. To reach the Bug Search Tool, log in to Cisco.com and go to . (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
For Best Bug Search Tool Results
For best results when using the Bug Search Tool:
In the Product field, enter Cloud Services Router.
In the Releases field, enter one or more Cisco IOS XE releases of interest. The search results include caveats related to any of the releases entered in this field.
The tool provides autofill while you type in these fields to assist in entering valid values.
Releases beginning with 3.x have an equivalent release number beginning with 15.x, as shown in the following table. Include the 15.x equivalent to ensure that all relevant caveat results are displayed.
Table 4 Release Number Equivalents for Recent Releases
3.14 and 15.5(1).
3.15 and 15.5(2)
3.16 and 15.5(3)
See the following sections.
You can use the Bug Search Tool to view new and updated caveats:
Table 5 Release Number Equivalents for Recent Releases
3.14 and 15.5(1).
3.15 and 15.5(2)
3.16 and 15.5(3)
3.17 and 15.6(1)
Table 6 Resolved Caveats—Cisco IOS XE 3.17.4S
Cisco CSR 1000v is not able to poll CISCO-IPSEC-FLOW-MONITOR-MIB
Table 7 Resolved Caveats—Cisco IOS XE 3.17S
CSR interfaces shows up DHCP/TFTP for Static IP configuration
ISR4331 and ISR4351 platforms crash during GRE performance testing
4331: MMA record timestamp mismatch btw PI/PD, TC missing after 48 hours
CSR1000v fails to pass traffic after upgrading ESXi to 5.5.0 patch 3a
CSR1000v: csr1kv stops Responding to ARP Requests
RESTAPI: VxLAN extension POST would be failed with response=500
CSR1k serial console is not working properly
CSR1000v incorrect API call to AWS
Table 8 Open Caveats—Cisco IOS XE 3.17S
CSR1kv: Silent packet drop seen in aging test with low traffic rate
ULTRA 15.5 - SR-IOV (vfio) 9k packet forwarding broken
CSR Interfaces not coming up with certain VIC's on KVM using ENIC
ASR1k: FP crash due to poor handling of mem allocation failure in IFDB
CSR crashes before booting with 32 vCPU cores on ESXi
ULTRA XE313: Packets Drop at BqsOor with traceback
CSR configuration lost after power off/on
CSR1k - qfp datapath utilization is wrong when ESXi drop prior to CSR Rx
CSR1000v Interface Responds to two different MAC Addr on KVM Enic VM-FEX
CSR1000v Interfaces occasionally enumerate incorrectly after reload
performance degradation on IPSec, NAT, FW, HQos with RHEL 7.1
CSR crashes when we scale MPLS LDP routes
Multiple Cisco Smart Licenses used after switching from CSL to SL
Note To view details of the caveats for releases from 3.14 up to 3.16.2, use the Bug Search Tool as explained below in .
Cisco CSR 1000v—GE interface output—Input queue "drops" counter miscalculation
Cisco CSR 1000v—qfp datapath utilization is incorrect when ESXi drops prior to Cisco CSR 1000v Rx
Cisco CSR 1000v—KVM SR-IOV IPv6 Unsuccessful Ping Traffic
Cisco CSR 1000v—unexpected mem upgrade log when boots
Throughput is licensed throughput when idcert renew failed and in EVAL mode
License boot level and throughput level cannot be changed in AWS with volume set at over 8 GB
CSR1000v qfp datapath utilization is wrong when ESXi drops prior to CSR Rx
CSR1000v KVM SR-IOV IPv6 Unsuccessful Ping Traffic
CSR1000v unexpected memupgrade log when CSR 1000v boots
AWS Gateway Redundancy not working because of delayed dns
AWS: CSR 1000V becomes unreachable if rebooted with larger storage size
PCIe pass-thru w/ ixgbe driver causes MaxTu drops due to TCP reassembly
Cisco Cloud Services Router 1000V Command Injection Vulnerability
CSR1000V Hyper-V: Interface missing after reload with static mac-address
CSR %VXE_VNIC_IF-3-MSGINITERROR messages when API add delete new intf
VASI subsystems are not packaged in ipbasek9 image for CSR1K platform
Openstack: CSR goes in grub mode if Hard Reset
CSR startup config sometimes disappear after reload.
AWS: CSR crashes, loses connectivity after detaching PMAP interface
AWS CSR 1000V: HA fails to resolve.com.cn domain for China region
CSR1k - qfp datapath utilization is wrong when ESXi drop prior to CSR Rx
CSR1000v KVM SR-IOV IPv6 Unsuccessful Ping Traffic
CSR1000V: unexpected memupgrade log when boots
In Amazon Web Services, SSH to CSR fails if there is a space in the keyname
CSR AX_100M license produces an HSECK9 failure
Cisco Cloud Services Router 1000V Command Injection Vulnerability
Openstack: CSR goes into grub mode if Hard Reset
For Cisco IOS XE releases 3.14 to 3.16.2S, use the Bug Search Tool to view new and updated caveats:
Performance issues with CSR1kv using encrypted AMIs
Config wipeout after add/delete an interface for ESX setup
CSCuf51357
Symptom: A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
Cisco has released free software updates that address these vulnerabilities.
There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
CVE ID CVE- has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
CSCum22661
Symptom: When a Peer sends a certificate with no CDP, the IOS PKI client will try to retrieve the CRL through SCEP [GetCRL] directed to CA, based on enrollment url value, however in case of enrollment profile [with a valid enrollment url], it complains that the enrollment url is not present.
Conditions: IOS PKI Client configured with an Enrollment profile, which has enrollment url and authentication url to communicate with the CA using SCEP.
Workaround:
a) configure the enrollment URL under the trustpoint directly instead of using it through enrollment profile
b) configure the CA to embed a CDP in the client certificates [an HTTP Server or SCEP URL]. Peer will need to be reenrolled afresh.
SCEP URL looks like:
crypto pki server IOS-CA
cdp-url http://10.106.72.139/cgi-bin/pkiclient.exe?operation=GetCRL
[Note: Before typing in ? next to pkiclient.exe in the URL above, type Ctrl+V]
CSCum23619
Symptom: No counter to show the ATM VC IFM call out and response
Conditions: ATM VC IFM call
Workaround: N/A
CSCum29065
Symptom: Group override does not take effect for interface-config strings. Actual ordering of interface config strings on cloned V-Access does not correspond to the expected order based on AAA settings in IKEv2 profile.
Conditions: User & group authorization configured in IKEv2 profile.
Workaround: Move all config-string attributes to a single authorization source (user or group).
CSCum34515
Symptom: QFP crash
Conditions: SIP ALG traffic with FW and NAT
Workaround: None.
CSCum34624
Symptom: IOSd crashes when show platform condition is run after the corresponding interface has been removed.
Conditions: With "debug platform software cond-debug verbose" enabled, running show platform condition after deleting the interface triggers this crash.
Workaround: N/A
CSCum40043
Symptom: Crypto sessions get stuck in UP-IDLE state in scale scenario on a Cisco CSR platform.
Conditions: This symptom occurs on a Cisco CSR platform in Cisco IOS XE Release 3.11.
Workaround: Bring the sessions up in very small increments, for example, 40 sessions at a time initially and keep monitoring. When the sessions stop coming up for 40 sessions at a time, switch to a smaller number like 20.
CSCum43752
Symptom: IOSD crash at ipv6_intf_mtu on flexvpn client
Conditions: Flapping flexvpn client configured with ipv6 on tunnel interface.
Workaround: None.
CSCun04952
Symptom: Traffic that needs to be sent between appnav-controllers is lost.
Received inter-appnav-controller packets are assigned to the shutdown tunnel interface.
As a result, no flows are synchronized between this appnav-controller and the other appnav-controllers in the same appnav-controller-group. Asymmetrically routed packets also fail because the flow is missing and cannot be queried from the other appnav-controller.
Conditions: A shutdown tunnel interface is configured with its tunnel source equal to the local appnav-controller IP and its tunnel destination equal to the IP of another appnav-controller in the appnav-controller-group (i.e. another ASR router).
To detect this problem, check the following counter, which goes up for every dropped packet:
show platform hardware qfp active statistics drop | i Disabled
Alternatively, you can use the packet-trace feature on 3.10.2 and above to check for the dropped reply being sent to the shutdown tunnel interface.
Workaround: Remove the shutdown tunnel from configuration or un-shutdown it.
Further Problem Description: The received packet shares the same source and destination IP of an existing GRE tunnel before matching AppNav tunnel. And since the tunnel interface is disabled, the packet is dropped before reaching AppNav's handler.
CSCun31021
Symptom: A vulnerability in the IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA). The vulnerability is due to incorrect handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE Security Associations on an affected device to be dropped.
Conditions: Device configured to process IKE request that already has a number of established security associations.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
CVE ID CVE- has been assigned to document this issue. Additional details about the vulnerability described here can be found at:
Additional information on Cisco's security vulnerability policy can be found at the following URL:
CSCun32757
Symptom: Debug platform condition matches traffic that is not included in the condition.
Conditions: Use of packet tracer / conditional debugger.
Workaround: Clear platform condition all and re-enable.
CSCun36235
Symptom: Sometimes an error log is seen when tracing packets with 'debug platform packet-trace' or some of the data seems inconsistent.
Conditions: Tracing multicast packets with packet-trace in IOS-XE 3.11.0 or IOS-XE 3.12.0 using circular buffering:
debug platform packet-trace <num-pkts> circular
or using drop tracing:
debug platform packet-trace drop [code <code-num>]
Workaround: Avoid the commands above when using.
CSCun68542
Symptom: CSR1000v router running XE3.11 (15.4(1)S) working as Route Reflector. The route-reflector is advertising prefixes with incorrect subnet masks to ibgp peers and route-reflector clients. The incorrect prefixes are not present in the bgp table of the route-reflector itself, however they do get installed in the bgp table of the router receiving the update.
Conditions: This symptom is observed when BGP route reflector uses the additional paths feature.
Workaround: Disable additional path feature either globally under address-family or per neighbor.
CSCun83348
Symptom: IPsec configured router sees unauthenticated router in INIT stage of ospfv3
Conditions: Configure one router with ospfv3 auth and other router with no authentication
Workaround: None.
CSCuo72301
Symptom: Crash occurs when IKEv2 attempts to clean up its contexts when it times-out waiting for received Certificate to be Validated by PKI component.
Conditions: Authentication with certificates and PKI component's response to certificate validation is delayed.
Workaround: There is no workaround.
CSCuo75582
Symptom: Context-sensitive help from the CLI lists only three protocols instead of the full list. This applies to the securityk9 license when configuring a class map:
class-map type inspect
match protocol ?
Conditions: Tested on 4451-X, could be also happening on ASR1K
Workaround: Use appx license instead of securityk9
CSCuo75681
Symptom: RP crash due to %SYS-2-CHUNKBADMAGIC in checkheaps in chunk MallocLite
Conditions: Not known.
Workaround: Not known.
CSCuo77574
Symptom: An error is seen while enabling "auto negotiation".
Conditions: This symptom is observed when "auto negotiation" is configured on an interface.
Workaround: There is no workaround.
CSCuo79718
Symptom:
1) "crypto isakmp aggressive-mode disable" is in "show run all" by default.
In spite of the disable command, IKE aggressive mode is enabled by default.
2) The command remains in "show run all" output.
The "no crypto isakmp aggressive-mode disable" command cannot remove it from "show run all", and that change ("no" form) does not show up in "show run" output.
The command works properly if it is configured explicitly.
Conditions: Cisco IOS 15.1 or later
Workaround:
- See "show run" output to check if this feature is disabled or not.
- To disable IKE aggressive mode, set "crypto isakmp aggressive-mode disable" explicitly.
CSCuo82943
Symptom: SADB Peer Chunk leak seen.
Conditions: DmVPN Hub with 2000 simulated spokes in stress/scale scenario.
Workaround: Unknown
CSCuo96504
Symptom: A FlexVPN client router may report alignment errors and experience high cpu utilization in IKEv2 FlexVPN process.
Conditions: The tunnel interface in use with the FlexVPN client configuration must flap while the client is processing an IKEv2 redirect. The high cpu utilization is seen only if the client is configured to auto connect.
Workaround: Remove and reconfigure the IKEv2 client configuration block.
CSCuo86953
Symptom: A Cisco router or switch may crash when issuing the show logging command.
Conditions: Open one session to the device and issue show logging. Let the output of the show logging command sit at the more prompt in the Trap logging session. While changing the logging host commands in a different session resume the output of the show logging command. There is a chance that both actions at the same time will make the device crash.
Workaround: Do not make changes to the logging host command while the show logging command output is still outstanding.
CSCup07089
Symptom: FlexVPN - IKEv2 authorization policy config gets deleted after reboot under some conditions.
Conditions: If route set interface is configured for loopback interface
Workaround: None.
CSCup21524
Symptom: A crash is observed:
\Exception to Fastpath Thread:
Frame pointer 0x7FEA, PC = 0x7FEB1F732559
-Traceback= 1#bb8f9a461a7850b52eefb2d5dc713d87 c:7FEB1F59 c:7FEB1FA09 :C515 :0C38 iosd_unix:7FEB1FEDB6 :D4+7AD419 :4AFB :2F8B :D1E1F :+1F :D6787F :7B48 :AE07
IOS Thread backtrace:
UNIX-EXT-SIGNAL: User defined signal 2(12), Process = SSM connection manager
-Traceback= 1#bb8f9a461a7850b52eefb2d5dc713d87 pthread:7FEB1DBF
Auxiliary Thread backtrace:
-Traceback= 1#bb8f9a461a7850b52eefb2d5dc713d87 pthread:7FEB1DC9
Conditions: This issue occurred after a switchover from Active RP to Standby RP was done. The device had 1000 PPPoA sessions on the device. Call Admission Control (CAC) is also configured.
Workaround: Remove the CAC configurations. For example, the following would have to be removed:
call admission new-model
call admission limit 1000
call admission cpu-limit 80
CSCup22022
Symptom: ASR using ZBFW may not properly classify traffic when class-maps of type inspect reference an ACL that uses a service-type object-group.
Conditions: A sample configuration that does not work:
object-group service ICMP_OG
 icmp echo-reply
 icmp traceroute
 icmp unreachable
 icmp time-exceeded
ip access-list extended ICMP_ACL
 permit object-group ICMP_OG any any
class-map type inspect match-all ICMP_CMAP
 match protocol icmp
 match access-group name ICMP_ACL
policy-map type inspect ICMP_PMAP
 class type inspect ICMP_CMAP
 class class-default
zone-pair security INSIDE2OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect ICMP_PMAP
Workaround: Applying the ACL to the interface, then reapplying it to the class-map sometimes resolves the issue. Once the issue is resolved, reloading the ASA will cause the original classification problem to reoccur.
CSCup22590
Symptom: Some Cisco Internetwork Operating System (IOS) releases may be affected by the following vulnerabilities:
These products include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE- - DTLS invalid fragment vulnerability
CVE- - DTLS recursion flaw
CVE- - SSL/TLS MITM vulnerability
This bug has been opened to address the potential impact on this product.
Conditions: Devices running an affected version of Cisco IOS and utilizing an affected configuration.
One or more of these vulnerabilities affect all versions of IOS prior to the versions listed in the Integrated In field of this defect.
Workaround: None currently available.
More Info: Known affected releases*
---------------------
12.2(58)SE2
15.0(2)SE6
Known unaffected releases
----------------------------
12.2(55)SE9 and earlier
12.2(33)SRE10 and earlier
15.0(2)SG8 and earlier
12.2(33)SXJ7 and earlier
15.0(1)SY and earlier
*if just the base version is given then all the rebuilds and maintenance releases are impacted.
All Cisco IOS services that provide a form of TLS or SSL encryption are affected by this vulnerability. This includes features such as the HTTPS Web Management interface.
Cisco IOS devices that support SSLVPN (AnyConnect) and have the feature configured and enabled are affected by this vulnerability.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/9.5:
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
CSCup30453
Symptom: Large multicast packets are not reaching the receiver.
Conditions: Using IPv6 VFR with multicast.
Workaround: None.
CSCup66672
Symptom: With an AVC coarse-grain configuration, the router crashed while running the debug command show platform hardware qfp active feature nbar function sui_lut_remove_all_links.
Conditions: Because this is a debug command, the issue should not occur on customer deployments.
Workaround: Do not use the debug command.
CSCuo17906
Symptom: The CLI shows the overlapping IP address in its configuration, but using the GUI to admin down/up the interface results in "failed-to-apply".
Conditions: When an overlapping IP address is applied between a gigabitEthernet interface and a tunnel interface.
Workaround: None.
CSCuo41750
Symptom: When Gig1 is configured on CSR and it is also used as the management ip, if we try to configure sub-interface Gig1.1, it gets configured as "native" by default (even without using the keyword "native"):
Router(config)#int gig1.1
Router(config-subif)#encapsulation dot1Q 1
Router(config-subif)#
At this point, the telnet session is lost and so is the connectivity with PNSC. When logging in using Vsphere and checking the config, it shows gig1.1 is configured as the native sub-interface. As follows:
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
Conditions: Configure Gig1.1 when Gig1 is configured
Workaround: None.
CSCup58252
Symptom: The default queue-limit programming might not be correct if changing the throughput level without rebooting the box.
Conditions: Changing the license shaper value does not update the default queue-limit setting that is already programmed. This might cause performance problems or incorrect QoS drop behavior.
Workaround: There is no workaround other than reloading the router.
CSCup16085
Symptom: VLAN support is not present in SR-IOV.
Conditions: CSR 1000v installation with SR-IOV.
Workaround: There is no workaround.
CSCup43283
Symptom: CSR datapath processes are using regular memcpy to copy packet buffers in different stages, which seems to have impact on throughput performance.
Conditions: Every packet forwarding involves buffer copies.
Workaround: No workaround.
CSCue27980
Symptom: A CPP crash triggered by NBAR may occur on Cisco ASR 1000 Series routers, Cisco 4000 Series ISR routers, and Cisco CSR 1000v routers.
Conditions: This symptom may occur under rare conditions of traffic mixture and rate when NBAR and NAT are both enabled.
Workaround: There is no workaround.
CSCuj23293
Symptom: A memory leak is seen in the MALLOCLITE process: show processes memory ------------------ Processor Pool Total:
Free: 2039716 I/O Pool Total:
PID TTY Allocated Freed Holding Getbufs Retbufs Process 0 0
634324 *Init* 0 0 0 0
0 *MallocLite* 409 0
83639 CCSIP_UDP_SOCKET
Total The memory continues to increase there.
Conditions: This symptom is observed while parsing the To header. The gateway gets errors such as the following:
Feb 26 12:07:28 EST: Parse Error: url_parseSipUrl: Received Bad Port
Feb 26 12:07:28 EST: //00000/SIP/Error/sippmh_cmp_tags: Parse Error in request header
The correct response to the above should have been to send 400 Bad Request (the request cannot be fulfilled due to bad syntax). As a side effect of the above, the associated memory is not released.
Workaround: There is no workaround.
Further Problem Description: This issue was not seen on versions earlier than 15.3X
CSCuj80245
Symptom: No address prefix flow records are reported when packets are fragmented at a Tunnel interface on which an AVC flow monitor is enabled.
Conditions: May occur when packets are fragmented due to the maximum packet length limit, called the Maximum Transmission Unit (MTU). When the packet size is bigger than the interface MTU, the packet is fragmented and is not monitored by AVC.
Workaround: Increase the size of the MTU to accommodate larger packets. For example, configure an MTU of 3000 bytes with the following CLI:
Device(config)# interface Gig0/2/1
Device(config-if)# mtu 3000
Further Problem Description: The issue may occur when UDP traffic becomes fragmented over a DMVPN tunnel interface due to a default maximum packet size (MTU) of 1500 bytes.
CSCul01335
Symptom: FP may crash.
Conditions: On changing the pap limit from 30 to 60 with traffic on.
Workaround: None
CSCul29918
Symptom: A vulnerability in IPSec tunnel implementation of Cisco IOS Software could allow an unauthenticated, remote attacker to change the tunnel MTU or path MTU and potentially cause IPSec tunnel to drop.
The vulnerability is due to incorrect processing of certain ICMP packets. An attacker could exploit this vulnerability by sending specific ICMP packets to an affected device in order to change the configured MTU value of the tunnel interface. An exploit could allow the attacker to change the tunnel MTU or path MTU and potentially cause IPSec tunnel to drop.
Conditions: A device configured for IPSec VTI and with path-mtu-discovery disabled.
Workaround: Issue is caused by ICMP unreachables. Blocking ICMP is a workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE- has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
Additional information on Cisco's security vulnerability policy can be found at the following URL:
CSCul69990
Symptom: When flapping mpls mldp with a scale v4 setup, the lspvif interface disappears in "show ip mfib" output, and packets are dropped.
Conditions: mldp flapping.
Workaround:
CSCum04325
Symptom: Duplicate entry seen in "sh lldp neighbor"
Conditions: If the physical link is a member of an etherchannel bundle, lldp packets are processed on the bundle UIDB.
Workaround: None.
Further Problem Description: Solution: if the physical link is a member of an etherchannel bundle, lldp packets are processed on the physical link UIDB instead of the bundle UIDB.
CSCum29065
Symptom: Group override does not take effect for interface-config strings. Actual ordering of interface config strings on cloned V-Access does not correspond to the expected order based on AAA settings in IKEv2 profile.
Conditions: User & group authorization configured in IKEv2 profile.
Workaround: Move all config-string attributes to a single authorization source (user or group).
CSCum49437
Symptom: ucode crash@ipv4_nat_cgn_mode_dp_rel_mem on changing nat mode.
Conditions: In a scaled setup on changing nat mode
Workaround: none
CSCum53269
Symptom: "no ip subnet" in l3-custom results in creating a custom protocol.
Conditions: Create the L3 custom submode with ip nbar custom t1est transport tcp id 1. "no ip subnet" creates the custom protocol and exits the submode.
Workaround: None.
CSCum68074
Symptom: many packets are dropped for NatIn2out cause
Conditions: PAT, interface overload.
Workaround: PAT pool overload
CSCum73167
Symptom: LDAP ALG encodes packets even when there is no need to translate them. This does not impact function, but it is unnecessary.
Conditions: LDAP ALG encodes packets even when there is no need to translate them.
Workaround: Will not impact function.
CSCum85493
Symptom: ping fails with tunnel protection applied.
Conditions: Tunnel protection applied on GRE tunnel interface, using IKEv1 to negotiate IPsec SAs and remote node (IKEv1 responder) behind NAT.
Workaround: Can switch to using IKEv2.
CSCum86159
Symptom: CPP crash.
Conditions: Conditional debugging and packet tracing is enabled on join interface for OTV.
Workaround: No workaround.
CSCum95078
Symptom: Large IPSEC packets get dropped when fragmentation is done after IPSEC encapsulation.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
CSCum95638
Symptom: Multiple tracebacks are seen indicating that the uRPF component cannot allocate more memory. No functional issues are seen (i.e. no session drops).
Conditions: TBs seen on a scaled setup of 128K Authenticated Sessions + 256K Walkby sessions.
Workaround: Lower the session scale during RP Switchover. Tested 107K Authenticated Sessions + 223K Walkby Sessions with no issues.
CSCum96156
Symptom: IOS will fail to match the certificate map intermittently.
Conditions: IOS PKI using certificate maps, to authorize the Peer certificates or override CDP. In this case:
- if a certificate map is written on a PC, with upper case letters in it. Ex:
crypto pki certificate map HR-Users 10
 subject-name co ou = HR-Users
- and this is a part of the configuration that is merged with the running config through the IOS file-system [directly from flash or FTP/TFTP/HTTP etc], IOS retains the upper case letters [contrary to certificate maps written through the CLI, which always converts everything to lower case letters].
Workaround:
A)
- copy the certificate maps [that have upper case letters in them] to a notepad
- remove the certificate maps [that have upper case letters in them]
- paste the certificate maps, through IOS CLI
- wherever these cert maps were being called, they will stay intact, and this change will take effect immediately
or
B)
- The certificate map needs to enter IOS in the manner that IOS would insert it if you were to enter it in the CLI, i.e. make sure the external config generators generate the certificate map in such a way that everything is in lower case, and it has white spaces between DN OID, '=' and the value.
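A pre-merge check for workaround B, as an added example that is not part of the Cisco release notes: it scans a generated configuration for certificate map criteria that are not in the lower-case, space-around-'=' form the caveat describes, and rewrites them. The function names and the sample configuration are constructed for illustration, and leaving the map name itself untouched is an assumption made so that existing references to the map stay valid.

```python
import re
from typing import List, NamedTuple

# Block header as it appears in a saved config, e.g.
# "crypto pki certificate map HR-Users 10"
MAP_HEADER = re.compile(r"^crypto pki certificate map (\S+) (\d+)\s*$")

# Constructed sample of an externally generated config (not from the page).
SAMPLE_CONFIG = """\
crypto pki certificate map HR-Users 10
 subject-name co ou = HR-Users
!
crypto pki certificate map vpn-peers 20
 issuer-name co cn=lab-ca
 subject-name co ou = branch
!
crypto pki trustpoint TP-Lab
 match certificate HR-Users
"""


class Finding(NamedTuple):
    lineno: int      # 1-based line number in the config text
    map_name: str    # certificate map the criterion belongs to
    found: str       # criterion as written by the generator
    expected: str    # criterion in the form the caveat asks for


def cli_form(criterion: str) -> str:
    """Lower-case a match criterion and put single spaces around each '='."""
    text = criterion.strip().lower()
    text = re.sub(r"\s*=\s*", " = ", text)
    return re.sub(r"\s+", " ", text).strip()


def _criteria(config: str):
    """Yield (lineno, map_name, raw_line) for lines inside certificate map blocks."""
    map_name = None
    for lineno, line in enumerate(config.splitlines(), start=1):
        header = MAP_HEADER.match(line)
        if header:
            map_name = header.group(1)
        elif map_name and line[:1].isspace() and line.strip():
            yield lineno, map_name, line
        else:
            map_name = None  # any unindented or blank line closes the block


def lint_certificate_maps(config: str) -> List[Finding]:
    """Report criteria that differ from the lower-case, spaced form."""
    findings = []
    for lineno, map_name, line in _criteria(config):
        found, expected = line.strip(), cli_form(line)
        if found != expected:
            findings.append(Finding(lineno, map_name, found, expected))
    return findings


def normalize_certificate_maps(config: str) -> str:
    """Return the config with flagged criteria rewritten; other lines are kept."""
    fixes = {f.lineno: f.expected for f in lint_certificate_maps(config)}
    out = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        if lineno in fixes:
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + fixes[lineno]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_certificate_maps(SAMPLE_CONFIG):
        print(f"line {f.lineno} [{f.map_name}]: {f.found!r} -> {f.expected!r}")
```

Running the check before the file is copied to the device catches the mismatch at generation time, instead of as an intermittent certificate map match failure after the merge.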
CSCun04952
Symptom: Traffic that needs to be sent between appnav-controllers is lost. Received inter-appnav-controller packets are assigned to the shutdown tunnel interface. As a result, no flows are synchronized between this appnav-controller and the other appnav-controllers in the same appnav-controller-group. Asymmetrically routed packets also fail because the flow is missing and cannot be queried from the other appnav-controller.
Conditions: A shutdown tunnel interface is configured with its tunnel source equal to the local appnav-controller IP and its tunnel destination equal to the IP of another appnav-controller in the appnav-controller-group (i.e. another ASR router). To detect this problem, check the following counter, which goes up for every dropped packet:
show platform hardware qfp active statistics drop | i Disabled
Alternatively, you can use the packet-trace feature on 3.10.2 and above to check for the dropped reply being sent to the shutdown tunnel interface.
Workaround: Remove the shutdown tunnel from configuration or un-shutdown it.
Further Problem Description: The received packet shares the same source and destination IP of an existing GRE tunnel before matching AppNav tunnel. And since the tunnel interface is disabled, the packet is dropped before reaching AppNav's handler.
CSCun09973
Symptom: A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card.
The vulnerability occurs during the processing of a malformed L2TP packet. An attacker could exploit this vulnerability by sending malformed L2TP packets over an established L2TP session. An exploit could allow the attacker to cause a reload of the affected ESP card.
Conditions: Device configured with "no vpdn ip udp ignore checksum".
Workaround: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.3/5.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE- has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
Additional information on Cisco's security vulnerability policy can be found at the following URL:
CSCun09753
Symptom: Ping failed with input errors when HDLC interface MTU set/removed.
Conditions: 1. set MTU (more than 2950) on HDLC interface, then remove MTU; 2. ping failed to peer HDLC interface.
Workaround: N/A
CSCun17558
Symptom: COS markings not seen proper on the dot1q interface.
Conditions: The issue is seen if all of the following conditions are met: 1. MPLS packets are fragmented in the data plane on the dot1q interface.
Workaround: No Workaround.
CSCun20274
Symptom: Standby RP source is not participating in clocking selection.
Conditions: The specific netclk configuration below must be present on the ASR1k, and an RP switchover must be performed:
"network-clock select 1 BITS R0 <T1/E1> <Framing>"
"network-clock select 2 BITS R1 <T1/E1> <Framing>"
Workaround: Remove and re-apply the stby-network-clk Source with different framing.
Further Problem Description: This bug is specific to the combination below:
1. You must configure NETCLK config on ASR RP-bits [Active and Standby RP bits].
2. The router must be capable of hardware redundancy.
If the customer is not using the Netclk feature, you can ignore this ddts.
CSCun23109
Symptom: Error message is seen in log: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:005 TS: %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 12, src_addr 192.1.2.0, dest_addr 192.1.1.0, SPI 0x250cc2eb
Conditions: Traffic with over subscription shows the TBAR drops. Eventually all the traffic dropped.
Workaround: Increase Anti-replay window size to 20sec.
CSCun26706
Symptom: The onep_dpss_l2_raw_inject API returns ONEP_OK, although it is not supported on the IOS-XE platform.
Conditions: Only when an application invokes onep_dpss_l2_raw_inject to inject an L2 packet.
Workaround: n/a
CSCun26943
Symptom: In an INTRA-box redundancy configuration, the STANDBY FP and ACTIVE FP may not be syncing dplane HA records robustly. The easiest way for the customer to recognize if this *might* be happening is by examining the output of the show platform hardware qfp active system intra and the show platform hardware qfp standby system intra CLIs. If the output shows the counters "rx dropped" and/or "retx" continuously incrementing, then this problem may have been encountered.
Conditions: DUAL FP systems with stateful HA features such as NAT configured.
Workaround: None.
CSCun31021
Symptom: A vulnerability in IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA). The vulnerability is due to a wrong handling of r
