
Release Notes for the Cisco Mobile Wireless Home Agent Feature in Cisco IOS Release 12.4(22)YD1
Published: August 14, 2009
Revised: December 02, 2009, OL-21444-01
Cisco IOS Release 12.4(22)YD1 is a special release that is based on Cisco IOS Release 12.4, with the addition of enhancements to the Cisco Mobile Wireless Home Agent (HA) feature. Cisco IOS Release 12.4(22)YD1 is optimized for the Cisco Mobile Wireless Home Agent feature on the Cisco Service Application Module for IP (SAMI) for the Cisco 7600 Series. The physical interfaces supported on the Cisco 7600 Series platforms are mainly Fast Ethernet and Gigabit Ethernet, FlexWAN (ATM, Frame Relay), and the new line of Shared Port Adaptor (SPA) and SPA Interface Processor (SIP) line cards, and are independent of physical media.
These release notes include important information and caveats for the Cisco Home Agent software feature provided in Cisco IOS 12.4(22)YD1 for the SAMI card on the Cisco 7600 Internet Router platform.
Caveats for Cisco IOS Release 12.4 can be found
/en/US/products/sw/iosswrel/ps5187/tsd_products_support_series_home.html
Release notes for the Cisco 7600 Router can be found
This release note includes the following topics:
The Cisco Mobile Wireless Home Agent serves as an anchor point for subscribers, providing easy, secure roaming with quality of service (QoS) capabilities to optimize the mobile user experience. The Cisco Mobile Wireless Home Agent (HA) works in conjunction with a Foreign Agent (FA) and mobile node to provide an efficient Mobile IP solution.
This section describes the system requirements for Cisco IOS Release 12.4(22)YD1:
Table 1 shows the memory requirements for the Home Agent Software Feature Set that supports the SAMI blade on the Cisco 7600 Internet router platform.
Table 1 Memory Requirements for the SAMI on the Cisco 7600 Router Platform
HA Software Feature Set
SUP32, SUP720 and RSP720
HA Image 12.4(22)YD1
For platform details and the complete list of interfaces supported on the 7600 series router, please refer to the following URL:
The supported configuration for the HA based on the 7600 Series switch is dependent on the desired capacity, interface type to be deployed and whether IPSec support is required.
Before you install the Cisco HA, keep the following considerations in mind:
The SAMI requires either a Supervisor Engine 32, or a Supervisor Engine-720 (WS-SUP720-3BXL), with MSFC-3 (WS-SUP720)/PFC-3 (WS-F6K-PFC3BXL). For details, see the "Upgrading to a New Software Release" section in the Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers. SRB1 or higher is required for Sup32 and Sup720, and SRC is required for RSP720.
A Cisco SAMI module is required to run HA functionality. Each SAMI module supports 1 HA logical instance running on 6 processors.
For IPSec support, an IPSec VPN accelerator for the Catalyst platform (VPNSPA) is required per 7600 chassis.
Cisco MW HA Release 12.4(22)YD1 is supported on the following platforms:
• Cisco 7600 Internet Router platform—Please refer to the following URL for installation and configuration information:
Cisco IOS Release 12.4(22)YD1 is a special release that is developed on Cisco IOS Release 12.4.
Cisco IOS Release 12.4(22)YD1 supports the same features that are in Cisco IOS Release 12.4, with the addition of the Cisco Mobile Wireless HA feature.
To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:
Router#show version
Cisco IOS Software, SAMI Software (SAMI-H2IK9S-M), Version 12.4(22)YD, RELEASE SOFTWARE
Technical Support: /techsupport
Copyright (c)
by Cisco Systems, Inc.
Compiled Mon 02-Feb-09 17:45 by prod_rel_team
ROM: System Bootstrap, Version 12.4(712) [plin2-sami-bouncer 104], DEVELOPMENT
Router uptime is 18 hours, 34 minutes
System returned to ROM by reload at 19:04:03 UTC Tue Feb 10 2009
System restarted at 19:08:46 UTC Tue Feb 10 2009
System image file is "c7svcsami-h2ik9s-mz.124-22.YD.fc3"
Last reload reason: Reload command by admin
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco Systems SAMI (MPC8500) processor (revision 1.1) with 536K bytes of memory.
Processor board ID SAD
FS8548H CPU at 1250MHz, Rev 2.0, 512KB L2 Cache
1 Gigabit Ethernet interface
65536K bytes of processor board system flash (AMD S29GL256N)
Configuration register is 0x2102
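The following added example (not part of the Cisco release notes) parses `show version` output like the sample above and reports whether the device already runs the release in which this page lists its security caveats as resolved, 12.4(22)YD1. The function names are illustrative, and the comparison assumes that releases on the same train are ordered by maintenance number and then rebuild number.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample: banner and image lines taken from the show version output above.
SAMPLE_SHOW_VERSION = '''\
Cisco IOS Software, SAMI Software (SAMI-H2IK9S-M), Version 12.4(22)YD, RELEASE SOFTWARE
Compiled Mon 02-Feb-09 17:45 by prod_rel_team
System image file is "c7svcsami-h2ik9s-mz.124-22.YD.fc3"
'''

# Release in which this page lists the security caveats as resolved.
FIXED_RELEASE = "12.4(22)YD1"


class IosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str    # release train letters, e.g. "YD"; "" for mainline
    rebuild: int  # rebuild number after the train; 0 when absent


BANNER_RE = re.compile(
    r"Cisco IOS Software, .*?\((?P<image>[^)]+)\), Version (?P<version>[^,\s]+)"
)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")


def parse_version(text: str) -> Optional[IosVersion]:
    """Parse strings such as 12.4(22)YD1; return None for shapes not handled here."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train, int(rebuild or 0))


def parse_show_version(output: str) -> Tuple[Optional[str], Optional[IosVersion]]:
    """Return (image name, version) from the banner line, or (None, None)."""
    m = BANNER_RE.search(output)
    if m is None:
        return None, None
    return m.group("image"), parse_version(m.group("version"))


def has_fix(running: Optional[IosVersion],
            fixed: Optional[IosVersion]) -> Optional[bool]:
    """True or False when both versions are on the same train; None otherwise."""
    if running is None or fixed is None:
        return None
    same_train = (running.major, running.minor, running.train) == (
        fixed.major, fixed.minor, fixed.train)
    if not same_train:
        return None  # different trains cannot be ordered by this simple rule
    # Assumption: within one train, order by maintenance number, then rebuild.
    return (running.maintenance, running.rebuild) >= (fixed.maintenance, fixed.rebuild)


def audit(output: str, fixed_release: str = FIXED_RELEASE) -> str:
    """Classify a device as FIXED, UPGRADE or UNKNOWN from its show version text."""
    _image, running = parse_show_version(output)
    verdict = has_fix(running, parse_version(fixed_release))
    if verdict is None:
        return "UNKNOWN"
    return "FIXED" if verdict else "UPGRADE"


if __name__ == "__main__":
    print(parse_show_version(SAMPLE_SHOW_VERSION), audit(SAMPLE_SHOW_VERSION))
```

An UNKNOWN result means the banner was missing or the device is on another train, and needs a manual check against the caveat list.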
The SAMI comes preloaded with the operating system software. However, to take advantage of new features and bug fixes, you can upgrade your SAMI with a new version of the software when it becomes available.
The SAMI software (image name c7svcsamifeature-mz) is a bundle of images, comprising images for the base card and daughter card components.
Each image in the bundle has its own version and release numbers. When an upgrade is initiated using the upgrade hw-module privileged EXEC command, the version and release numbers in the bundle are compared to the versions currently running. If the versions are different, that image is automatically upgraded.
Note The show module command displays the software version of the LCP image, not the version of the full SAMI bundle.
To upgrade the SAMI image, perform the following tasks:
Step 1 Sup> enable
Enters privileged EXEC mode.
Step 2 Sup# upgrade hw-module slot slot_num software file url/file-name
Copies the bundled image from the specified URL to the compact flash.
Step 3 Sup# hw-module module slot_num reset
Resets the module by turning the power off and then on. SAMI resets using the new images.
Step 4 Sup# show upgrade software progress
Displays status of the upgrades that are occurring.
Step 5 Sup# show module
Ensures that the SAMI card comes up properly after the reset. The status of the SAMI should be "OK".
Here is an example of the show module command:
sup#show module 2
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 1 SAMI Module (h2ik9s) WS-SVC-SAMI-BB-K9 SAD121202UK
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------------- ------------ ------------ -------
2 001f.6c89.0dca to 001f.6c89.0dd1 2.2 8.7(0.22)FW1 12.4(2009020 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
2 SAMI Daughterboard 1 SAMI-DC-BB SAD121204DZ 1.1 Ok
2 SAMI Daughterboard 2 SAMI-DC-BB SAD121204CL 1.1 Ok
Mod Online Diag Status
---- -------------------
For example, to perform an image upgrade on a SAMI in slot 2 of the Cisco 7600 chassis, enter the following commands:
Sup> enable
Sup# upgrade hw-module slot 2 software file tftp://10.1.1.1/c7svcsami-h2ik9s
Loading c7svcsami-h2ik9s from <TFTP SERVER IPADDRESS> (via Vlan10):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Sup# hw-module module 2 reset
Proceed with reload of module?[confirm]
% reset issued for module 2
Apr 18 17:53:16.149 EDT: SP: The PC in slot 2 is shutting down. Please wait ...
Apr 18 17:53:33.713 EDT: SP: PC shutdown completed for module 2
000151: Apr 18 17:53:33.713 EDT: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off
000152: Apr 18 17:57:52.033 EDT: %MLS_RATE-4-DISABLING: The Layer2 Rate Limiters have been
000153: Apr 18 17:57:51.513 EDT: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal
Diagnostics...
000154: Apr 18 17:57:51.537 EDT: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics
000155: Apr 18 17:57:52.073 EDT: %OIR-SP-6-INSCARD: SAMI inserted in slot 2, interfaces
are now online
000156: Apr 18 17:57:59.589 EDT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
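The following added example (not part of the Cisco release notes) checks supervisor log lines like those above for the three stages of a module reset, power off, diagnostics passed and card back online, for one slot, and reports how long the module was out of service. The function name and the choice of these three messages as stage markers are assumptions made for illustration.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed sample: the supervisor log lines from the upgrade example above,
# with wrapped lines joined. The %MLS_RATE line is truncated on the page.
SAMPLE_LOG = """\
Apr 18 17:53:16.149 EDT: SP: The PC in slot 2 is shutting down. Please wait ...
Apr 18 17:53:33.713 EDT: SP: PC shutdown completed for module 2
000151: Apr 18 17:53:33.713 EDT: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off
000152: Apr 18 17:57:52.033 EDT: %MLS_RATE-4-DISABLING: The Layer2 Rate Limiters have been
000153: Apr 18 17:57:51.513 EDT: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal Diagnostics...
000154: Apr 18 17:57:51.537 EDT: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics
000155: Apr 18 17:57:52.073 EDT: %OIR-SP-6-INSCARD: SAMI inserted in slot 2, interfaces are now online
000156: Apr 18 17:57:59.589 EDT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
"""

EVENT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) [A-Z]+: "
    r"%(?P<tag>[A-Z0-9_-]+): (?P<text>.*)"
)
SLOT_RE = re.compile(r"(?:slot|[Mm]odule) (\d+)")

# Messages used here as markers for the three stages of a module reset.
STAGES = {
    "C6KPWR-SP-4-DISABLED": "powered_off",
    "DIAG-SP-6-DIAG_OK": "diag_ok",
    "OIR-SP-6-INSCARD": "online",
}


def _timestamp(ts: str) -> datetime:
    # The log carries no year; a fixed placeholder year gives strptime a full date.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def check_module_reset(log_text: str, slot: int) -> Dict[str, object]:
    """Report whether the given slot powered off, passed diagnostics and came online."""
    seen: Dict[str, Optional[datetime]] = dict.fromkeys(STAGES.values())
    # Lines are processed in file order: the sample shows timestamps that are
    # slightly out of order between adjacent messages, so order is not re-sorted.
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        if event is None:
            continue
        stage = STAGES.get(event.group("tag"))
        where = SLOT_RE.search(event.group("text"))
        if stage is None or where is None or int(where.group(1)) != slot:
            continue
        when = _timestamp(event.group("ts"))
        if stage == "powered_off":
            # A new power-off restarts the sequence; earlier results no longer count.
            seen = dict.fromkeys(STAGES.values())
            seen[stage] = when
        elif seen["powered_off"] is not None:
            seen[stage] = when
    complete = all(seen.values())
    outage = None
    if complete:
        outage = (seen["online"] - seen["powered_off"]).total_seconds()
    return {
        "slot": slot,
        "complete": complete,
        "outage_seconds": outage,
        "missing": [name for name, when in seen.items() if when is None],
    }


if __name__ == "__main__":
    print(check_module_reset(SAMPLE_LOG, 2))
```

A result with a non-empty "missing" list after a reset is the case to follow up with show module, as the last step of the procedure describes.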
The following instructions outline the steps needed to install a new SAMI and configure it so that an application image is booting on the PPCs. These instructions assume that this is a brand new SAMI, not a board being transferred from another chassis.
You might need a new SUP image in order to recognize the SAMI. The SAMI requires either a Supervisor Engine 32, or a Supervisor Engine-720 (WS-SUP720-3BXL), with MSFC-3 (WS-SUP720)/PFC-3 (WS-F6K-PFC3BXL). For details, see the "Upgrading to a New Software Release" section in the Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers. SRB1 or higher is required for Sup32 and Sup720, and SRC is required for RSP720.
After reloading the SUP, insert the SAMI into the chassis. Make sure to select a slot that has an empty slot above it so the cables can be easily connected.
Set up and connect a console port for the Itasca/LCP console. Also, set up and connect console ports to the PPC1 console. Even if only one will be used initially, there is a front panel port for each daughter card that will be enabled shortly. It will allow multiplexed access to all 3 processors.
Perform the following tasks to boot the SAMI card from the SUP:
Step 1 Copy the latest LCP image to your TFTP server.
Step 2 Copy the image to the SUP.
Step 3 Add the following to the SUP configuration:
boot device module {slot} disk0:sb-csg2-image.bin
Step 4 Boot the board (LCP Console):
boot eobc:
Step 5 After the SAMI card boots, log in using "admin" as both the username and password.
The following steps illustrate how to upgrade the LCP ROMMON:
Step 1 Copy the latest stable LCP ROMMON image.
Step 2 Copy the latest LCP ROMMON image to the Itasca compact flash.
Step 3 Upgrade the ROMMON:
reprogram bootflash fur-image image:rommon-image
Step 4 Reload the blade (LCP Console):
boot eobc: (from the rommon prompt)
The following steps illustrate how to boot the SAMI from the Itasca compact flash:
Step 1 Copy the latest LCP image to the Itasca compact flash. Example (from LCP console).
Step 2 Add the boot command to the Itasca configuration:
boot system image:sb-csg2-mzg.bin
Note Remove any existing boot system commands first.
Step 3 Change the config register to auto boot the Itasca.
config-register 1
Step 4 Reload the board.
To reprogram the ROMMON on the PPCs, perform the following tasks:
Step 1 Copy the latest LCP ROMMON image.
Step 2 Copy the image to the Itasca.
Step 3 Restart a PPC. Example (from LCP console):
testdc upgrade-rommon BOUNCER_RM.bin
Step 4 Set the ppc rommon to autoboot. Example (from the PPC console):
confreg 0x2102
Perform the following tasks to load and run the PPC image:
Step 1 Copy the latest stable ppc application image.
Step 2 Copy the image to the Itasca. Example:
copy tftp://64.102.16.25/{username}/svcsami-h2ik9s.sami image:svcsami-h2ik9s.sami_060626
Step 3 Restart a PPC. Example (from LCP console):
testdc restart svcsami-h2ik9s.sami_060626 proc 1
A typical HA configuration requires that you define interfaces in three directions: PDSN/FA, home network, and AAA server. If HA redundancy is required, then you must configure another interface for HSRP binding updates between HAs. If you are running the HA on the SAMI, the HA has access to one GE port, which connects to the Catalyst 7600 backplane. That port can be configured as a trunk port, with a subinterface provided for each necessary network access.
VLANs can be defined corresponding to each interface: PDSN/FA, home network, AAA. In the case of multiple HA instances in the same 7600 chassis, the same VLAN can be used for all of them.
The section
illustrates the required base configuration for the Cisco Mobile Wireless Home Agent.
To configure the Supervisor engine to recognize the SAMI modules, and to establish physical connections to the backplane, use the following commands:
sup-7602(config)#vlan 3
Add an Ethernet VLAN. Enters vlan configuration submode.
sup-7602(config-vlan)#exit
Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
sup-7602(config)#interface vlan 3
sup-7602(config-if)# ip address 3.3.3.25 255.255.255.0
sup-7602(config)#vlan 30
sup-7602(config-vlan)#exit
sup-7602(config)#interface vlan 30
sup-7602(config-if)# ip address 30.0.0.25 255.0.0.0
sup-7602#svclc vlan-group 1 3
sup-7602#svclc vlan-group 2 30
sup-7602#svclc module 8 vlan-group 1,2
For information on SAMI configuration details, please go to the following URL:
Note SAMI modules synchronize their timing functions from the Supervisor engine's clock timers. Do not configure the timers on each individual SAMI.
Home Agent Release 5.0 introduces two new MIBs:
• CISCO-SLB-DFP-MIB
• CISCO-RADIUS-MIB
And the following MIBs are updated:
• CISCO-MOBILE-IP-MIB
• RADIUS-CLIENT-AUTHENTICATION-MIB
Old Cisco Management Information Bases (MIBs) will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs—without affecting existing Cisco IOS products or NMS applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 2.
Table 2 Deprecated and Replacement MIBs
Deprecated MIB             Replacement
-------------------------  --------------------------------
OLD-CISCO-APPLETALK-MIB    RFC1243-MIB
OLD-CISCO-CHASSIS-MIB      ENTITY-MIB
OLD-CISCO-CPUK-MIB         To be decided
OLD-CISCO-DECNET-MIB       To be decided
OLD-CISCO-ENV-MIB          CISCO-ENVMON-MIB
OLD-CISCO-FLASH-MIB        CISCO-FLASH-MIB
OLD-CISCO-INTERFACES-MIB   IF-MIB CISCO-QUEUE-MIB
OLD-CISCO-IP-MIB           To be decided
OLD-CISCO-MEMORY-MIB       CISCO-MEMORY-POOL-MIB
OLD-CISCO-NOVELL-MIB       NOVELL-IPX-MIB
OLD-CISCO-SYS-MIB          (Compilation of other OLD* MIBs)
OLD-CISCO-SYSTEM-MIB       CISCO-CONFIG-COPY-MIB
OLD-CISCO-TCP-MIB          CISCO-TCP-MIB
OLD-CISCO-TS-MIB           To be decided
OLD-CISCO-VINES-MIB        CISCO-VINES-MIB
OLD-CISCO-XNS-MIB          To be decided
The Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.
Cisco IOS Release 12.4(22)YD1 supports the same feature sets as Cisco Release 12.4, with the exception that Cisco Release 12.4(22)YD1 includes the Cisco Mobile Wireless Home Agent feature. The HA 5.0 feature set is optimized for the Cisco SAMI blade on the 7600 Internet router.
Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to .
The Cisco IOS Release 12.4(22)YD1 supports the same feature sets as Cisco Release 12.4, with the exception that Cisco Release 12.4(22)YD1 includes the HA feature. The Cisco HA feature is optimized for the Cisco SAMI blade on the 7600 Internet router, and includes the following features:
This section lists features that were introduced or modified in Home Agent Release 5.1 for Cisco IOS Release 12.4(22)YD1:
• Conserve Unique IP ID for FA-HA IP-in-IP Tunnel
• Setting Fragmentation Size of First Packet With Offset=0
• CoA for WiMAX Hotlining
• DNS Redirection with Monitoring
• NAI Authentication with Local MN-HA SPI and Key
• IP Redirect for Non-Hotlined Users
• In/Out Access List Per NAI/Realm
• HA - Realm Case-Insensitive Option
• FA-HA Auth Extension Mandatory
• Absolute Timeout Per NAI
• AAA Attributes for "ip mobile host/realm"
• VSE Support for China Telecom Attributes
• OM Metrics for 3GPP2 / WiMAX Bindings
• Single IDB for MIP/UDP Tunnels
• Redundancy Support for Hotlining
• No Authorization for Re-Reg / De-Reg
• Tunnel Stats via SNMP
• 3GPP2 RRQ Without MHAE
The following features were introduced prior to Cisco IOS Release 12.4(22)YD1:
• Single IP Infrastructure
• Home Agent Session Redundancy Infrastructure
• Automatic Intra-Chassis Configuration Synchronisation
• Bounded Limit For Maximum Bindings
• Congestion Control Feature
• Foreign Agent Classification
• MAC Address as Show/Clear Binding Key
• Data Path Idle Timer
• Support for RFC 4917
• Address Assignment Feature
• Accounting Interim Sync
• RADIUS Accounting Support in Single IP Home Agent infrastructure
• Global Per Domain Accounting
• Support for Acct-Terminate-Cause
• Authentication Configuration Extension
• Support for Service and Application Module for IP (SAMI)—Up to 9 SAMI cards can be supported in a single Cisco 7600 Series Router chassis.
• Enhancements to Hot-lining
• Enhancements to Home Agent Quality of Service
• Framed-Pool Standard
• WiMAX AAA Attributes
• MS Traffic Redirection in Upstream Path
• Per Foreign-Agent Access-Type Support
• Priority-Metric for Local Pool
• Mobile IPv4 Host Configuration Extensions RFC4332
• Support for Mobile Equipment Identifier (MEID)
• Home Agent Accounting Enhancements
• Home Agent Accounting in a Redundant Setup
• Packet count and Byte count in Accounting Records
• Additional Attributes in the Accounting Records
• Additional Accounting Methods—Interim Accounting is Supported.
• VRF Mapping on the RADIUS Server
• Conditional Debugging Enhancement
• Home Agent Redundancy Enhancements
• Redundancy with Radius Downloaded Pool Names
• CLI for IP-LOCAL-POOL-MIB
• Mobile-User ACLs in Packet Filtering
• IP Reachability
• DNS Server Address Assignment
• Mobile IP MIB Enhancements in Network Management, MIBs, and SNMP on the Home Agent
• Mobile IPv4 Registration Revocation
• HA Server Load Balancing
• Home Agent Accounting
• Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
• VRF Support on HA
• Radius Disconnect
• Conditional Debugging
• Home Address Assignment
• Home Agent Redundancy
• Virtual Networks
• Mobile IP IPSec
• Support for ACLs on Tunnel Interface
• Support for AAA Attributes MN-HA-SPI and MN-HA SHARED KEY
• 3 DES Encryption
• User Profiles
• Mobility Binding Association
• User Authentication and Authorization
• HA Binding Update
• Per User Packet Filtering
In addition to supporting Cisco IOS networking features, a Cisco 7600 series router configured as a Home Agent supports the following Home Agent-specific features:
• Support for both intra-chassis and inter-chassis HA redundancy
• Support for static IP addresses assignment
  – Public IP addresses
  – Private IP addresses
• Support for dynamic IP addresses assignment
  – Public IP addresses
  – Private IP addresses
• Multiple flows for different Network Access Identifiers (NAIs) using static or dynamic addresses
• Multiple flows for the same NAI using different static addresses
• Foreign Agent Challenge extensions in RFC 3012 - bis 03
  – Mobile IP Agent Advertisement Challenge Extension
  – MN-FA Challenge Extension
  – Generalized Mobile IP Authentication Extension, which specifies the format for the MN-AAA Authentication Extension
• Mobile IP Extensions specified in RFC 2002
  – MN-HA Authentication Extension
  – FA-HA Authentication Extension
• Reverse Tunneling, RFC 2344
• Mobile NAI Extension, RFC 2794
• Multiple tunneling modes between FA and HA
  – IP-in-IP Encapsulation, RFC 2003
  – Generic Route Encapsulation, RFC 2784
  – MIP-UDP tunneling
• Binding Update message for managing stale bindings
• Home Agent redundancy support
• Mobile IP Extensions specified in RFC 3220
  – Authentication requiring the use of SPI, section 3.2
• Support for Packet Filtering
  – Input access lists
  – Output access lists
• Support for proxy and gratuitous ARP
• Mobile IP registration replay protection using time stamps. Nonce-based replay protection is not supported.
All other software features in Cisco IOS Release 12.4 are described in the documentation for Cisco IOS Release 12.4, which can be found at:
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the
severity 2 caveats are less serious.
Caveats for Cisco IOS Releases 12.4 can be found on CCO at
section lists open caveats that apply to the current release and might also apply to previous releases.
section lists caveats resolved in a particular release, which may have been open in previous releases.
Note If you have an account with CCO, you can use the Bug Toolkit to find caveats of any severity for any release. You can reach the Bug Toolkit at
The following caveats are unresolved in Cisco IOS Release 12.4(22)YD1:
• CSCtb25158—[Host-Config]: Bulk Sync Not Happening for All DHCP Returned Attributes
a. Configure DHCP pool with DNS Server Address, Default-Gateway etc., options.
b. Send Host-Config request from FASIM.
c. Check in the debugs that all DHCP returned attributes are not syncing to standby card (DNS Server Address, Default-Gateway)
Because of this, after the switchover the new active card is sending Default-Gateway incorrectly on re-registration.
A few attributes are not synching to standby card.
Workaround: none.
• CSCtb39102—Session Not Synced to Standby When MTU Size is 1600
The session does not get synced to the standby unit from the active unit if the MTU is configured as 1600 bytes on the Gigabit0/0 interface of the SAMI. The router could possibly undergo an RF-induced self-reload.
This problem could happen on a redundant system with MTU size configured as 1600 bytes.
Workaround: configure the default MTU size of 1500 bytes.
• CSCtb41029—HomeAgent: DHCP Redundancy Issues in HA5.0/HA5.1
Improper behavior of DHCP redundancy contexts between the active and standby HA, with or without switchover, is observed when the HomeAgent is acting as a DHCP Proxy Client. The issue is seen on HA5.0 and HA5.1.
This condition occurs when the HomeAgent is acting as DHCP Proxy Client to lease the IP addresses from the DHCP Server for MIP sessions by configuring ip mobile host nai word address pool dhcp-proxy-client dhcp-server dhcp-server-ip interface Loopback60 aaa.
Workaround: none.
• CSCtb46311—Conditional Debugging For Radius Debugs Not Working
RADIUS logs are not displayed.
This condition occurs when RADIUS debugs are enabled along with conditional debugging.
Workaround: none.
The following caveats are resolved in Cisco IOS Release 12.4(22)YD1:
• CSCsw47076
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at .
• CSCsv48603
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at .
• CSCsx07114
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at .
• CSCsx25880
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at .
• CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
• CSCsy26261—Key Value Displayed Wrongly in Standby HA
– Configure load-sa for a realm.
– Use hmac-md5 algorithm with ascii key value for MN-HA authentication.
– Use AAA to send MN-HA authenticator.
– Display the cached spi/key value in standby.
– It will show the ascii value in hex.
This is just a display problem and does not affect functionality.
Workaround: none.
• CSCsy54122
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at .
• CSCsz38104
The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at .
• CSCsz91894—Session Timeout Should Be Able to Display More Than 2^32 Value
Currently there is no direct API to display such a large value [136 years] for the timers that get started based on the AAA downloaded session timeout.
To reproduce this condition, configure "session timeout" or "attribute 27 numeric".
Any timer started for this value is not able to display it.
Workaround: none.
• CSCta00770—Previous DNS Servers Info Persists in Bindings for Full NAI
Mobile IP bindings incorrectly retain the previously configured DNS value.
This is seen only for a full NAI Mobile Node user.
Workaround: none.
• CSCta00810—After Local SA Removed for Full-NAI, localsa For Realm Not Being Used
The locally configured MN-HA security association (SA) is not used in some scenarios.
The following conditions exist:
– Configure MN-HA security association (SA) for both full NAI and the corresponding realm.
– Now, unconfigure SA for full-NAI.
– When the same full-NAI user tries registering, the local SA configured for the corresponding realm is not used. Because of this the authentication may fail.
Workaround: If a separate SA for full-NAI is not needed, do not configure. Configure SA for realm only.
• CSCta41989—clear ip mob sec empty load is Causing Tracebacks
Spurious memory access tracebacks are seen in Home Agent.
This is seen while issuing the clear ip mob sec empty load command.
Workaround: none.
• CSCta55764—IPC Config Synch Error
The following error appears on the HomeAgent when ip mobile home-agent data-path-idle 2 is configured.
Error Message   %IPC-4-CFG_SYNC_ERROR: Configuration Sync error: IPC Communication failure in sending cmd to TP
This condition occurs when a large number of Mobile IP sessions are active (500k) and all of these sessions get updated with the data path idle time.
Workaround: configure ip mobile home-agent data-path-idle when there are no active sessions or only a few sessions.
• CSCta58990—HA Reloads When Secure Host is Configured With Full NAI for Overlapp IP VRF
The HA reloads when the same overlapping IP address is used across two bindings under two different VRFs.
The following conditions exist:
a. ip mobile secure host has to be configured for full nai MN.
b. Static HoA assignment (RRQ HoA is non-zero).
c. Open/Close and Open should happen.
Workaround: none.
• CSCta62685—VRF is Not Applied For MN When Configured Before VRF Configuration
The VRF is not applied for the MN when configured before the VRF configuration.
The following conditions exist:
– Configure ip mobile host CLI for domain
– Configure ip mobile secure host nai for full NAI MN.
– Configure VRF for the domain
Workaround: after configuring VRF, unconfigure secure host and configure again.
• CSCta65964—Dynamic User Not Cleared in show ip mobile host Output
SA and Dynamic users details of the opened binding are still present even though the binding is cleared.
This condition occurs when you enable the revocation and clear the binding on the HA using the clear ip mobile binding all command.
Workaround: Delete the new recovery compared mn node after deleted registration revocation entry ASK for MN.
• CSCta74909—HA Crashed While Displaying lot of Bindings
The HA crashed while displaying a lot of bindings.
The condition occurs when a binding gets deleted while executing show ip mobile binding.
While displaying binding information, if the MN structure gets freed due to deletion of the binding, it results in a crash.
Workaround: terminal length should not be set to 1 or 0.
• CSCta75127—Memory Leak Found on TPs After Sending For Long Times With Acls
When packets from downstream are dropped by a per user/realm ACL, a memory leak of 180K (for 2.2Gbps for 2 hours) is observed.
This condition occurs when you configure a per user/realm ACL which denies the packet in the downstream and send downstream packets.
Workaround: none.
• CSCta98702—"attribute 44 include-in-access-req" Configured But Not Going in Access-Req
The Accounting Session-ID is not included in Access-Request.
This issue occurs under the following conditions:
– "radius-server attribute 44 include-in-access-req" is configured on the HA.
– Accounting is enabled on the HA.
Workaround: none.
• CSCsy60479—Configuration Sync Error for Tunnel Template
A configuration sync error was observed during MIP session creation or deletion using the Tunnel Template feature.
This condition occurs when a Tunnel Template is applied to an HA IP address.
Workaround: none.
• CSCsy78653—Unable to Configure ip mob sec host After Modifying Named ACLs
This problem occurs when an operator configures, modifies or updates a named extended ACL, and then tries to configure a security association for MN-HA authentication for a realm/NAI.
In this scenario, local configuration of the security association is not possible due to a bug in the ACL component (refer to CSCsy69542)
This DDTS fixes the problem in the IP-mobile component, and acts as a temporary solution until the actual problem is fixed by the ACL team.
Workaround: Modify or update the local security association for MN-HA authentication before modifying a named extended ACL.
• CSCsy89105—When ACL Denys a Packet From the MN, Packet Counter Decrements in Some Cases
A data packet from the MN is received by the HA through IP/IP, GRE/IP or MIP/UDP binding. If the ACL is configured for this particular user, and the packet gets denied, the ACL counters get incremented twice.
This happens only when the packet gets denied with ACLs.
Workaround: none
• CSCsy98146—Traceback Seen on HA During Bulk Synch
A traceback appears on the standby HA during bulk sync of Mobile IP sessions.
This condition occurs in a redundancy setup with the HA 5.0 release. When the standby comes up and a bulk sync occurs, a traceback appears on the router console.
Workaround: none.
• CSCsz23375—Bindings Not Getting Synced to Standby With NAI Configured for DHCP
Binding does not sync from the active device to the standby device.
This condition occurs only when the NAI is configured with the DHCP proxy option; the binding brought up with that NAI does not sync from the active to the standby.
Workaround: none.
• CSCsz30815—Tracebacks in HA with High HA-RK Lifetime
Tracebacks are observed on the HA while starting the HA-RK lifetime timer.
This condition occurs when you download an HA-RK lifetime value greater than 2147483 seconds.
Workaround: Use an HA-RK lifetime value of less than 2147483 seconds.
The following caveats are resolved in Cisco Home Agent Release 12.4(22)YD:
• CSCsu11522
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.
This advisory is posted at the following link:
• CSCsv38166
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
Except for feature modules, documentation is available as printed manuals or electronic documents. Feature modules are available online on CCO and the Documentation CD-ROM.
Use these release notes with these documents:
The following documents are specific to Cisco IOS Release 12.4T:
• Cisco Mobile Wireless Home Agent Feature for Cisco IOS Release 12.4(22)YD1 at the following URL:
Documentation specific to the Cisco 7600 Router is located at the following location:
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: