release notes for the cisco session border controller on ... · release notes for the cisco session...

Release Notes for the Cisco Session Border Controller on the Cisco 7600 Router

March 18, 2010

Note The most current Cisco documentation for released products is available on Cisco.com.

ContentsThis release note applies to the following software versions for the Cisco Session Border Controller (SBC) on the Cisco 7600 router:

• ACE-SBC-SW3000-K9—ACE Session Border Controller Release 3.1.3 (DC OS SW)








Both software versions run on Cisco 7600 Series ACE 20 HW for the Session Border Controller (ACE20-SBC-K9).

The ACE20-SBC-K9 requires Cisco IOS Release 12.2(33)SRB1 or later for the following models of Supervisor 720 engines: WS-SUP720, WS-SUP720-3B, and WS-SUP720-3BXL.

The ACE20-SBC-K9 requires Cisco IOS Release 12.2(33)SRC or later for the Route Switching Processor 720-1GE.

For information on the Application Control Engine (ACE) module features and configuration details, see the ACE module documentation located at:

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

This release note contains the following sections:

Americas Headquarters:

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

New Features in ACE Session Border Controller Release 3.1.3

• New Features in ACE Session Border Controller Release 3.1.3







• Available SBC Licenses

• Software Version Maintenance Release 3.0.2 Caveats

• Software Version Maintenance Release 3.0.1 Caveats

• Software Version ACE Session Border Controller Release 3.0.00 Caveats

• Related Documentation

• Documentation Feedback

• Cisco Product Security Overview

• Product Alerts and Field Notices

• Obtaining Technical Assistance

• Obtaining Additional Publications and Information

New Features in ACE Session Border Controller Release 3.1.3The ACE Session Border Controller Release 3.1.3 provides no new features.



New Features in ACE Session Border Controller Release 3.1.00The ACE Session Border Controller Release 3.1.00 provides the following new features:

• Additional changes to SBC billing

• CAC rate limiting

• DBE signaling pinhole

• Debug usability enhancements

• H.323 performance improvement

2Release Notes for the Cisco Session Border Controller on the Cisco 7600 Router

OL-16727-03


• Improved fast register

• Interchassis redundancy

• Late-to-Early media internetworking

• Parameter profiles

• P-KT-UE-IP feature

• Provisional response filtering

• Response code mapping

• Routing features including:

– Routing by category

– Source number manipulation

– Least-cost routing

– Weighted routing

– Time-based routing

– Regular expression routing

• SDP attribute passthrough

• SDP call hold interworking

• Secure media passthrough

• SIP header manipulation

• SIP PING message support

• SIP statistics setting

• Subscriber policy

• Support for media information

• VRF-Aware DNS query


New Features in ACE Session Border Controller Release 3.0.1The ACE Session Border Controller Release 3.0.1 provides the following feature:

• Cisco 7600/ACE SBC MIB Implementation

New Features in ACE Session Border Controller Release 3.0.00 The ACE Session Border Controller Release 3.0.00 software release provides the following features:

• SBC Adjacencies

• SBC Billing


OL-16727-03


• SBC Policies

• SBC Transcoding

• SBC Firewall Traversal and Network Address Translator

• Session Initiation Protocol (SIP) Method Profiles

• Header Profiles

• Restricting Codecs

• SIP Telephone (TEL) Uniform Resource Identifier (URI) Support

• SIP Timer

• ITU-T H.323 Support

• ITU-T H.323-SIP Interworking

• Tracking Policy Failure Statistics

• SIP 3xx Redirect Responses

• SIP Call Hold

• SIP Call Transfer

• SIP Outbound Authentication

• SIP Inbound Authentication

• SIP-Interworking (I) Transparency and Profile Support

• SIP Configuration Flexibility

• Implementing SBC Quality of Service (QoS) (Marking)

• Denial of Service (DoS) Prevention and Dynamic Blacklisting

• Early Media

• Proxy-Call Session Control Function (P-CSCF) Support

• Integration of Resource Management and SIP

• Interconnection

• Border Control Function (IBCF) Processing Support

For additional information on these features, see the Cisco 7600 Series Routers Session Border Controller Configuration Guide.

New Features in ACE Session Border Controller Release 2.0.00 The ACE Session Border Controller Release 2.0.00 software release provides the following features:

• Network Address Translator (NAT)

• SBC QoS—Marking

• DoS Prevention

• SBC Interworking Dual Tone Multifrequency

• Unexpected Source Address Alerting

• SBC Redundancy (High Availability)

• Data Border Element (DBE) Overload Reporting


OL-16727-03

http://www.cisco.com/en/US/docs/routers/7600/install_config/sbc_config_guide_2/sbc-7600-config-guide.html

Available SBC Licenses

• Media Address Pools

• FAX Support

• SBC Multi-VPN Routing and Forwarding (VRF)

For additional information on these features, see the Cisco 7600 Series Routers Session Border Controller Configuration Guide.

Available SBC LicensesFor ACE-SBC-SW3000-K9:

• ACE-SBC-SIP

• ACE-SBC-H323

For ACE-SBC-SW2000-K9:

• ACE-SBC-RTU 7600 Session Border Control Application RTU

• ACE-SBC-H248 7600 Session Border Control H.248 License

• ACE-SBC-SIP 7600 Session Border Control SIP License

Note You can access the license and show license commands only in the Admin context. You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license.

Software Version Maintenance Release 3.1.3 CaveatsThe following sections contain the resolved and open caveats in software version ACE Session Border Control Release 3.1.2:

• Software Version ACE Session Border Controller Release 3.1.3 Resolved Caveats

• Software Version ACE Session Border Controller Release 3.1.3 Open Caveats

Software Version ACE Session Border Controller Release 3.1.3 Resolved Caveats

The following resolved caveats apply to the software version ACE Session Border Control Release 3.1.3:

• CSCtd58668

When an entity is blacklisted, currently the IP address and VRF information are logged for the event. The IP address and VRF information are insufficient for identifying specific messages or calls that resulted in entity blacklisting.

Blacklisting may be caused due to multiple reasons; spam is the main reason. During the SPAM, out of dialog messages are received by SBC resulting in entity blacklisting.

Workaround: There is no known work around.

• CSCtd31434


OL-16727-03



Software Version Maintenance Release 3.1.3 Caveats

When SBC receives an out of dialog Session Initiation Protocol (SIP) INFO message, it sends a SIP 604 response code to the sender instead of a 481 response code. After sending multiple 604 response codes within the blacklisting window, SBC blacklists the sender with routing failure error message.

This condition is observed when SBC receives an out of dialog SIP INFO message.


• CSCtd58652

SBC application leaks memory and is not able to process the calls.

This condition is observed when a re-INVITE method exits with a BYE message. The SBC fails to clear the buffers associated with the re-INVITE method, and associated response code (100) and reason phrase (Trying).


• CSCtc95127

SBC crashes while processing Dual Tone Multi-Frequency (DTMF) packets in Real-Time Protocol (RTP).

This condition is observed when SBC processes DTMF packets in RTP and converts them into the SIP signaling message. SBC crashes while closing the call.


• CSCtd61348

SBC crashes while sending a large (exceeding 1300 bytes) SIP ACK message.

This condition is observed when SBC sends a very large SIP ACK message (larger than Maximum Transmission Unit [MTU] size) over TCP. Subsequent attempts to send the message over User Datagram Protocol (UDP) result in failure because, by then, the call state is already cleared.


• CSCtf10844

SBC crashes while copying a new cac-policy-set configuration to a cac-policy-set.

This condition is observed while modifying a cac-policy-set that is being used by active calls, observed in C7906, software version 3.0(1) AS31(1).

Workaround: There is no known workaround.

• CSCte91666

SBC crashes on an assert with the assert message.

This condition is observed when a BYE message is received by SBC on a call currently processing a previous re-INVITE or UPDATE message that renegotiated the media.


Software Version ACE Session Border Controller Release 3.1.3 Open CaveatsThe following resolved caveats apply to the software version ACE Session Border Control Release 3.1.3:

• CSCsz14483

The Cseq parameter in the second INVITE message uses the same Cseq as the first INVITE to terminate side for transcoding.

This condition is observed when the value of CSeq is not incremented by 1 for a new request, which is a function of the transcoding feature.


OL-16727-03


Workaround: Use codec filtering on SBC to enforce transcoding. The SBC allows you to restrict codecs that a particular call, caller, and callee are allowed to use, by whitelisting the codecs. Initially all recognized codecs are on the whitelist. If a codec, which is absent from the call, caller, or callee codec whitelist is requested, the call proceeds after removing the unavailable codecs from the offer and media gate configuration.

• CSCsx97013

SBC console or terminal hangs on running a command and the control is not returned back to the console or terminal.

This condition is observed when there is:

– High load due to memory congestion. The console or terminal hangs when you run no activate sbe and activate sbe commands immediately, one after the other.

– Cue to continual reload of standby while active sbc is on high load with memory congestion

Workaround: Follow these instructions:

– Wait for more than five seconds between no activate sbe and activate sbe commands as the sbc needs to release the current calls.

– Do not continually reload the standby card when active sbc is on high load due to memory congestion.





The following resolved caveats apply to software version ACE Session Border Control Release 3.1.2:

• CSCta00117

SBC cannot increase bandwidth on the SDP answer.

This condition is observed when the SDP answer has lower ptime than the SDP offer

Workaround: Increase the ptime in the SDP offer to a value greater than in the SDP answer.

• CSCta23634

PCT_SCK 46 needs to be rate-limited and improved. The following message is printed repeatedly:

%ACE-2-900014: SBC/SOCKET: **** UNEXPECTED 0x0303 - 46 (0000) **** 00000000000000000000000000000001SBC/SOCKET: (sckrecv2.c 1289) at 17:24:28, 17 June 2009 (180013 ms)SBC/SOCKET: Socket write error: Network is unreachableSBC/SOCKET: (Debugging info: error code = 128SBC/SOCKET: socket ID = 49)

The reason for this condition not known.

Workaround: Disable logging using the no logging enable command.


OL-16727-03


• CSCta20031

Command execution error when standby SBC is reloaded. The following error is displayed:

switch/Admin# Internal CLI error: No such file or directory`ssh key rsa 1024 force`*** Context 0: cmd exec error ***

This condition is observed when the active SBC is configured with ssh key rsa 1024 force command.

Workaround: Remove the ssh key related CLIs from the active SBC configuration.

• CSCta36111

Default method-profile cannot be changed. Updating the default profile results in a configuration error.

This condition is observed after an initial switchover.

Workaround: Create a new method-profile with a name other than "default".

• CSCta79672

No snmp adj trap is sent when ping message is lost.

This condition is observed when sip Adj is configured with ping-enable command.

Workaround: Check the syslog/console log to get peer lost information.

• CSCsz00331

The SBC crashes when configuring an adjacency through Cisco Element Management System (EMS).

This condition is observed while configuring an adjacency through EMS, which causes SBC coredump.


• CSCta00098

RTP packet mismatch.

When SBC get INVITE with offer G711 stream without ptime attribute, it forwards it to peer after setting ptime=10, which causes RTP packet mismatch since the destination processor has different ptime expectation.


• CSCta77573

SBC fails to pass through UPDATE 200 RSP.

This condition is observed when the time header is configured to require state.

Workaround: Disable session timer in EP point or add the following configuration:

sip option-profile opt1blacklistadjacency sip sip-proxyoption-profile ua inbound opt1option-profile ua outbound opt1adjacency sip sip-usersoption-profile ua inbound opt1option-profile ua outbound opt1

• CSCtb64929

SBC crashes.

This condition is observed while processing duplicate SDP.


OL-16727-03



• CSCta75746

SBC crashes.

This condition is observed when a CANCEL is received for an INVITE dialog while an UPDATE transaction is in progress.


• CSCta30427

Standby SBC crashes on first sip call with cic after promotion to active.

This condition is observed when a routing policy entry includes the edit-src command.

Workaround: Remove the edit-src command from the configuration, using the no edit-src command.

• CSCtc47070

nbb_assert in sipt_prk_ua_fsm.

This condition is observed when SBC process a PRACK request immediately after processing a 486 final INVITE response and 183 reliable response.


• CSCtc49534

Memory utilization increases as SBC fails to clear up UPDATE transaction state.

This condition is oberved when a call was cancelled while an UPDATE renegotiation was in progress.


• CSCtc48324

SBC retransmits the INVITE after 20 seconds even though it has received a 180 ringing reply from the PGW.

This condition is observed due to problem with NAT function.


• CSCtc18639

The standby SBC crashed while upgrading from 3.1.1 to a special image with the b-line fix.

This condition is observed while upgrading from image version 3.1.1 to special image upgrade


Software Version ACE Session Border Controller Release 3.1.2 Open CaveatsThe following resolved caveats apply to software version ACE Session Border Control Release 3.1.2:

• CSCsz14483

The Cseq in the Second INVITE uses the same Cseq as the first INVITE to terminate side for transcoding.

This condition is observed when the value of CSeq is not getting incremented by one for the new request, which is a function of transcoding feature.


OL-16727-03


Workaround: Use codec filtering on SBC to enforce transcoding. The SBC allows you to restrict the codecs that a particular call, caller and callee are allowed to use by whitelisting the codecs. Initially all recognized codecs are on the whitelist. If a codec is requested which is absent from the call, caller, or callee codec whitelist, the call proceeds after removing the forbidden codecs from the offer and media gate configuration.

• CSCsx97013

SBC console or terminal hangs on running a command and the control is not returned back to the console or terminal.

This condition is observed:

– Due to high load with memory congestion. The console or terminal hangs when you run no activate sbe and activate sbe commands immediately one after the other.

– Due to continual reload of standby while active sbc is on high load with memory congestion

Workaround: Follow the instructions below:

– Wait for more than five seconds between no activate sbe and activate sbe commands as th e sbc needs to release many current calls on it.

– Do not continually reload the standby card when active sbc is on high load with memory congestion.





There are no resolved caveats for software version ACE Session Border Control Release 3.1.1.

Software Version ACE Session Border Controller Release 3.1.1 Open CaveatsThe following resolved caveats apply to software version ACE Session Border Control Release 3.11:

• CSCsz37049—Several TCP ports are opened on the SBC which leads to a security issue. These ports are 27000, 6464, and 32778.

– Workaround: For port 6464, this issue is resolved by binding port 6464 to the local host.

For ports 27000 and 32778, configure the ACL on the supervisor as follows:

sbc-dev03(config)# access-list 101 deny tcp any host 10.140.80.20 range 27000 27009sbc-dev03(config)# access-list 101 deny tcp any host 10.140.80.20 eq 32778sbc-dev03(config)# access-list 101 permit ip any any

Apply this ACL to the VLAN interface for SBC:


OL-16727-03


sbc-dev03(config)# interface vlan 93sbc-dev03(config-if)# ip access-group 101 out

• CSCsz82020—The show services output of the Match Prefix Length in cac table is incorrect.

– Workaround: None.

• CSCsj78705—The show services sbc dbe controller command shows incorrect counter values.


• CSCsz36539—Inbound local authentication fails under interop due to lack of Authorization information being included in ACK message.


• CSCsz00331—The SBC crashes when configuring an adjacency through Cisco Element Management System (EMS).


• CSCsx97013—The SBC console or freezes on any command entry. The command does not return control to the console or terminal.

– Workaround: Use the no activate sbe command and then wait five seconds and do the activate sbe command (to allow the SBC to release current calls). Also, do not continually reload the standby card.

• CSCsz14483—The Cseq in the second INVITE uses the same Cseq as the first INVITE to terminate the side for transcoding.

– Workaround: Use codec filtering on the SBC to enforce transcoding.






• CSCsh42395—After adding VDBE local controller parameters, the configured values are not applied or displayed with the show run command.

• CSCsh61600—The CLI backend blocks deleting media-addresses when DBE is activated, but it allows media-address port ranges to be deleted. This can result in media-addresses without port ranges.

• CSCsk77454—The authentication once timeout is not shown under the adjacency after it is configured as 0.

• CSCso08776—When making a SIP call, the SBC fails to act on an invite containing four videos when the invite is returned from a SIP Proxy.


OL-16727-03


• CSCso59933—Differentiated Services Code Point (DSCP) signaling QoS profiles value are shown when profiles are not set.

• CSCso82801—It is possible to delete an adjacency without a prompt when it is attached or passing traffic.

• CSCsq77128—During a switchover, adjacencies will move from the detached state to the going up state.

• CSCsr09141—Entering the no reason routing-failure command when there is a blacklist address-default containing multiple reasons (including the reason routing-failure) causes the blacklist configuration to disappear.

• CSCsr09181—For the show services sbc sbe call-stats command, the number of successful call attempts appears unrealistic.

• CSCsr31814—The CANCEL and the 487 (the response to the INVITE) sent to the callee by the SBC to the INVITE do not contain the Reason header, while the same messages received by the SBC do contain the Reason header.

• CSCsr42637—The show sbe dbe h248-profile command may show garbage values if the SBE is configured.

• CSCsr65684—The TFTP application is enabled in the default setting.

• CSCsr66234—When running traffic and performing multiple switchovers on the SBC, only one of the ACE modules recovered and the SBC signaling border element (SBE) configuration did not activate. As a result, all adjancencies became detached and no traffic passed.

• CSCsr78503—The show services sbc sbe sip timers command tcp-connect-timeout defaults to 0 ms (instead of 30000 ms).

• CSCsr81465—The SIP timer udp-response-linger-period cannot be modidifed.

• CSCsr93741—Setting the default value of the sbc sbe radius authentication retry-limit command yields 3 instead of the proper default value of 5.

• CSCsu04433—After using the no control address aaa command, the RADIUS authentication server is not reconfigurable.

• CSCsu12327—An H.323 to H.323 call with H.245-tunnel disable causes the SBC to core dump.

• CSCsu22440—The SBC cannot create an SBE after a DBE.

• CSCsu49054—The SBC starts to drop calls when CPU usage is approximately 60 percent.

• CSCsu49062—The ips and pd log is lost when the SBC core dumps.

• CSCsu64585—The show services sbc sbe adjacency command shows the description for the H.323 adjacency instead of the SIP adjacency.

• CSCsu64749—The SBC loses the IP connection with the supervisor card during and after a malform IPv4 attack.

• CSCsu64793—The show services sbc sbe adjacencies detail command shows incorrect parameters.

• CSCsu65827—There are issues with the call admission control scope. When creating the second CAC policy set, the new policy, by default, inherits the first policy's scope parameters. The no form of the first-cac-scope command fails. In some cases, multiple scopes are allowed, whereas in other cases, only one is allowed.

• CSCsu69653—The show services sbc sbe adjacencies command cannot display an adjacency name longer than twelve characters.

• CSCsu70031—The show run and show services commands do not show the configured blacklist.


OL-16727-03


• CSCsu72051—After setting marking on both caller and callee, marking is only be applied after a specific point in a call.

• CSCsu72287—The SBC resets when the callee-hold-setting command is configured under the CAC policy.

• CSCsu73534—The delivery of an H.245 address is not configurable on an H.323 adjacency.

• CSCsu74051—The Media Packet Forwarder (MPF) latches the SIP QoS signal DSCP values when it should change dynamically.

• CSCsu76464—The SBC allows configuration of a non-existing adjacency in a call-policy-set.

• CSCsu77498—The SBC does not accept the RADIUS accounting server name.

• CSCsu77538—The control address and RADIUS account do not show after being successfully added.

• CSCsu94190—After executing the no sbc SigPinhole command, executing the no inservice and inservice ft group 1 commands causes the SBC to crash.

• CSCsu99195—The media-address pool configuration does not accept overlapping media-address pool addresses in a different VRF.

• CSCsv01593—On the ACE module with the clock timezone CST command, there is confusion about what CST means (China Standard Time or Central Standard Time).

• CSCsv09954—The no form of the match-value command fails. Also, in some cases, multiple match-values are allowed where as in other cases, only one is allowed.

• CSCsv09960—You can configure multiple hunting-trigger values without exiting the "adj h323" and "h323" submodes. However, after exiting and reentering the submodes, the previously configured values are lost and must be reconfigured.

• CSCsv24377—When conducting a Nessus scan against the SBC, several alerts were identified.

• CSCsv29115—With the SBC acting as DBE and the PGW acting as SBE, making a H.323(DBE) to H.323(DBE) fax call causes the SBC IXP to hang and the ACE module cannot be pinged.

• CSCsv42258—When the SBC rejects a CAC policy, the CAC policy still appears when the show services sbc sbe cac-policy-set tables command is issued.

• CSCsv57320—The services sbc sbc dbe controllers command shows odd Estab time.

• CSCsv72134-There is an mxfshow core dump when setting the xscale debug trace flag.

• CSCsv75156—When a VRF peer initiates a TCP connection to send a SIP request to the SBC, the SBC is unable to use the connection and instead tries to respond using port 5060 as local port; however, port 5060 is in use, so this causes an error.

• CSCsv85696—The SBC rejects the option profile with multiple tags when it is whitelisted.

• CSCsv97028—When the calling phone is Linksys ATA SPA2102 type and the called phone is Scientific Atlanta cable modem phone EPC2203, and both try to register under proxy through SBC, then the basic SIP call fails.

• CSCsv99743—In an adjacency configuration, the signaling-address and signaling-peer are not reconfigurable without first removing the adjacency and then adding it again.

• CSCsw14703—An incorrect pdlog format in the mpfstub causes a crash without any traceback.

• CSCsw20968—H.323 tunneling is wrongly set to TRUE.

• CSCsw21093—The ldr-check command minute option shows the range as 0-60 instead of 0-59.

• CSCsw26751—The services sbc test sbe radius accounting command that is used to reactivate a failed RADIUS server is not working.


OL-16727-03


• CSCsw39487—The billing configuration can be activated without RADIUS transport.

• CSCsw44558—Reconfiguring the FT interface VLAN on the ACE module causes the SBC to core dump.

• CSCsw46714—The SBC does not attempt to reconnect with a failed RADIUS server unless the services sbc sbe radius accounting command is used.

• CSCsw49552—If a blacklist configuration is entered for a certain VPN on the SBC, then the SBC duplicates the blacklist configuration for the VPN.

• CSCsw79248—The SBC core dumps when receiving an INVITE with Tel URI.

• CSCsw80381—The debug services sbc off command does not clear the IPS trace.

• CSCsw81646—The help text for the adjacency H323 command ras rrq ttl values shows 2 instead of 60.

• CSCsw83770—The SBC fails to parse an H.323 facility message in a fax call.

• CSCsx03014—The SBC sends a 200 OK message for SUBSCRIBE without an Expires header.

• CSCsx16238—With proxy authorization turned on, the SBC incorrectly sends a 481 for Subscribe request (with the authorization header).

• CSCsx31669—The show services sbc sbe blacklist configured-limits command does not display the address-default blacklist.

• CSCsx32740—When there are more than 1000 subscribers on the SBC, issuing the show services sbc sbe sip subscribers command causes CPU congestion.

• CSCsx51983—The SBC crashes at nbb_assert.

• CSCsx61267—Upon receiving an INVITE containing an SDP with crypto RTP (SRTP), the SBC rejects it with 415 Unsupported Media Type.

• CSCsx63200—Billing does not attempt to restart a failed transport.

• CSCsx64959—When an adjacency is configured with a nondefault method (or header) profile, upon reload adjacencies fail to get configured or attached due to an "invalid header|method profile."

• CSCsx75119—When using Admin Context with FT group not equal to 1, the SBC does not come to STANDBY_HOT status.

• CSCsy05516—Configuring the CAC policy limit before configuring the match value causes the active SBC to crash.

• CSCsy08288—The SBC responds to BYE messages during the switchover by sending a '481 - Call/Transaction Doesn't Exit' message.

• CSCsy16877—If you attempt to configure the local-id argument to be longer than 24 characters, it is truncated to 24.

• CSCsy22000—An SIP-H323 call fails to establish when PRACK is enabled.

• CSCsy22291—On an active ACE module, configuring both the domain server and switchover causes to the ACE module to continuously reload.

• CSCsy33681—The show services sbc sbe billing instance command does not display batch time with units.

• CSCsy34131—The show services sbc sbe call-policy-set command shows an incorrect error message.

• CSCsy39285—The standby SBC resets after a reload with a large blacklist.

• CSCsy55216—On switchover from active to standby, the configuration on the newly promoted active may be corrupted.


OL-16727-03


• CSCsy68968—When the SBC receives the incoming SIP message method, it incorrectly adds the contact header in the outgoing SIP message method.

• CSCsy72316—The SBC fails to send an ACK signal to a 486 request, causing the endpoint to resend several times.

• CSCsy89034—During a call transfer, the SBC sends a response 486 upon receiving a REFER.

• CSCsy97997—Configuring the FT group and then quickly activating the SBE causes both the active and standby ACE module to become active.

• CSCsy99403—The show mib command does not display the contents of SIP_TM_STAT_TABLE.

• CSCsz07178—The SBC does not respond to ACK messages when the traffic rate is higher than five calls per second (CPS).

• CSCsz11484—SBC IXP hangs when handling transcoding calls.

• CSCsz15006—Online Insertion and Removal (OIR) of hot standby SBC causes new call freeze and blacklisting.

• CSCsz20010—The show services sbc mysbc sbe sip subscribers command shows spurious AOR prefix output.

• CSCsz21557—After using the no activate command and activate command with fast registration, the adjacency remains in the unattached state, unable to attach.

• CSCsz39784—During a switchover when active calls are switched to standby, the media starts flowing through an incorrect context or the media stops flowing in one, or both directions. This occurs when the configured adjacency names have different lengths.

• CSCsz39971—Residual media after switchover may cause incorrect MAC address entries.

Software Version ACE Session Border Controller Release 3.1.00 Open CaveatsThe following open caveats apply to software version ACE Session Border Control Release 3.1.00:

• CSCsj78705—The show services sbc dbe controller command shows incorrect counter values.


• CSCsz36539—Inbound local authentication fails under interop due to lack of Authorization information being included in ACK message.


• CSCsz00331—The SBC crashes when configuring an adjacency through Cisco Element Management System (EMS).


• CSCsz14483—The Cseq in the second INVITE uses the same Cseq as the first INVITE to terminate the side for transcoding.

– Workaround: Use codec filtering on the SBC to enforce transcoding.

• CSCsx97013—The SBC console or freezes on any command entry. The command does not return control to the console or terminal.

– Workaround: Use the no activate sbe command and then wait five seconds and do the activate sbe command (to allow the SBC to release current calls). Also, do not continually reload the standby card.


OL-16727-03







• CSCsv91288—SBC crashes while making SIP to H.323 call.

• CSCsv83092—The ACE module reloads when a mix of SIP and H.323 calls are placed.

• CSCsv75153—When the SBC forwards the Require:100rel header upstream, the header changes to Require:100REL.

• CSCsv97028—When the calling phone is Linksys ATA SPA2102 type and the called phone is Scientific Atlanta cable modem phone EPC2203, and both try to register under proxy through SBC, then the basic SIP call fails.

• CSCsw34404—The SBC core dumps upon receiving a cancel message against the specified endpoint.

• CSCsv85696—The SBC rejects the option profile with multiple tags when it is whitelisted.

• CSCsw36090—A blacklist is triggered without any evident reason and the peer is blacklisted for 138 hours.

• CSCsw33351—When a global blacklist is configured for endpoint-registration and there is no trigger-period configured, the SBC crashes when the number of subscribers exceeds 5000.

• CSCsw73105—The backup ACE module sometimes becomes stuck in the STANDBY COLD state.

• CSCsv29115—With the SBC acting as DBE and the PGW acting as SBE, making a H.323(DBE) to H.323(DBE) fax call causes the SBC IXP to hang and the ACE module cannot be pinged.

• CSCsu64749—The SBC loses the IP connection with the supervisor card during and after a malform IPv4 attack.

• CSCsu62102—When testing a SIP to SIP call using UDP, if the message size is larger than 1500 bytes, the SBC cannot receive the SIP message.

• CSCsr70002—When the PGW (acting as an SBE) sends out a bulk audit request message, checking the Cisco 7600 DBE reply against this audit request message shows a 7600 fragmented UDP message checksum error in the SBC application.

• CSCsr80463—After called party side hold, calling side can not hear on hold music. After called party side resumes, there is no voice path.

• CSCsw67373—The show version command truncated the source workspace path such that the complete path was not available.

• CSCsx43973—When there is a SIP call with a DNS query, the SBC uses up all the file descriptors on the system.


OL-16727-03



• CSCsu80002—The default DBE location-id for the SBE configuration does not match the the default DBE location-id for the DBE configuration. This causes a "503 Service Unavilable" message when attempting a call.

– Workaround: Set DBE location-id=0 and SBE location-id=0.

• CSCsr66234—When running traffic and performing multiple switchovers on the SBC, only one of the ACE modules recovered and the SBC signaling border element (SBE), configuration did not activate. As a result, all adjancencies became detached and no traffic passed.

– Workaround: Disable one ACE module. Reload the other ACE module and when it becomes active, reload the other ACE module.





• CSCsr85533—In the address-default submode of the blacklist command, entering the no reason authentication-failure command, the no reason bad-address command, the no reason corrupt-message command, the no reason endpoint-registration command, the no reason policy-rejection command or the no reason routing-failure command will set triggersize to 0, trigger-period to 0, and timeout to 0. The default value should be triggersize is 4, trigger-period is 100ms, timeout is 600s.


• CSCso61641—The SBC does not release the H.248 socket even after multiple SBC creations and deletions.


• CSCsj78705—The show services sbc test dbe controllers command shows incorrect counter values.


• CSCsu92793—Console shows call failure; console also shows output of the Problem Determination (PD) log indicating a resource shortage even though there are no resource shortages.

– Workaround: The SBC encountered a syntax error while parsing the Request Uniform Resource Identifier (URI). Check the syntax of the Request URI.

• CSCsu12327—An H.323 to H.323 call with H.245-tunnel disable causes the SBC to core dump.


• CSCsx16238—With proxy authorization turned on, the SBC incorrectly sends a 481 for Subscribe request (with the authorization header).


• CSCsw44558—Reconfiguring the ft interface VLAN on the ACE module causes the SBC to core dump.


OL-16727-03


– Workaround: Before modifying the fault torrent interface VLAN IP address setting, first issue the no ft group command to remove the fault torrent group, then issue the no ft peer command to remove the fault torrent peer on the Cisco 7600 SBC. After completing the fault torrent interface VLAN IP address modification, add back the fault torrent peer and fault torrent group.

• CSCsx50255—When two H.323 adjacencies are configured in UNI (remote-address 0.0.0.0) and NNI mode (remote-address=20.20.20.20) with the same signaling-address and signaling-port, then the configuration fails.

– Workaround: Change the signaling-port for one of the adjacencies to non-default.

• CSCsr31814—The CANCEL and the 487 (the response to the INVITE) sent to the callee by the SBC to the INVITE do not contain the Reason header, while the same messages received by the SBC do contain the Reason header.







• CSCsq92036—The ACE module reloads with a call from a delayed offer device when codec restriction list is applied.

• CSCsr67524—A crash is seen on the ACE module when configuring a RADIUS server with debugs enabled.

• CSCsq74827—With High Availability (HA) and RADIUS billing is configured with 20 cps of SIP UDP calls, both ACE modules reload.

• CSCso88697—The SBC crashes after a DBE no activate and re-activate while there is a dangling call.

• CSCsq32222—The ACE module reloads while bringing up of the pair of ACE modules at the same time.

• CSCsq22492—H.323 fast start calls fail if ITU-T H.245 tunneling is disabled on the SBC.

• CSCsr67892—SBC memory congestion and leaking occurs with SIP User Datagram Protocol (UDP) to SIP (UDP) traffic with 200 seconds call hold time and 38 cps.

• CSCso81839—After running 8K transmission control protocol (TCP) calls at 25 cps for an extended period of time with a complex configuration, the ACE module hangs.

• CSCsq07528—The active ACE module hangs under a heavy H.323 call load and the standby module takes over.

• CSCsq65238—When the ping-fail-count is configured with the value 4294967294 (maximum value) the show services sbc test sbe mib vpssadjtable command displays a negative value.


OL-16727-03


• CSCsq73655—Configuration of DVI4, EVRCO, and MP2S codecs causes an N-base error.

• CSCsr57919—A supported header is incorrectly stripped from the 200 REGISTER response even when option whitelisting is set to pass everything.

• CSCsr57276—The SBC tears down the call when the SBC receives a modified Session Description Protocol (SDP) in the 200 OK SIP message.

• CSCsr48072—After the SBC has received and forwarded the connect message, the SBC releases the call because of the "h.225 establishment timeout."

• CSCsr80463—During the established call session, the SBC does not learn the changed Real-Time Protocol (RTP) remote port.

• CSCsr61902—A record query fails because the signaling peer is cofigured for a domain name server (DNS) name that has more than 24 characters.

• CSCsu06779—The SBC crashes with the debug services sbc information command enabled.

• CSCsr09181—For the show services sbc sbe call-stats command, the number of successful call attempts appears unrealistic.

• CSCsr09141—Entering the no reason routing-failure command when there is a blacklist address-default containing multiple reasons (including the reason routing-failure) causes the blacklist configuration to disappear.

• CSCsr09098—For the blacklist dump, the timing format is inconsistant.

• CSCsl58752—After FT (Fault Tolerance) is configured on a new standby ACE module, the active ACE module sends all the non-SBC configuration information to the standby ACE module but does not send the SBC configuration. If the user switches over to the standby ACE module, the SBC configuration will be lost.

• CSCsr93741—Setting the default value of the sbc sbe radius authentication retry-limit command yields 3 instead of the proper default value of 5.

• CSCsr91326—After switchover, Simple Network Management Protocol (SNMP) Traps do not display csbSBCServiceName with the SBC name on the active ACE module.

• CSCsr09127—When running a sequence of attacks, the show services sbc test sbe blacklist configured-limits command shows blacklisted IP addresses in an endless loop. This does not affect functionality.

• CSCsr06813—N-base error occurs when executing the no form of the adjacency h323 signaling address, adjacency h323 remote address, adjacency h323 signaling peer, adjacency sip signaling address, adjacency sip remote address, adjacency sip signaling peer, and adjacency sip reg-min-expiry commands.

• CSCsr00947—Cannot configure more than the specified buffer size for the sbc sbc-name sbe cac-policy-set cac-policy-num table table-name entry entry_id command.

• CSCsr21178—When log level and debugs are on, and there are no other calls, the SBC hangs or reloads if a hairpin call is made at very high log level (level 5).

• CSCsq86751—With call admission control policy failure where bandwidth limits are involved, after call admission control policy is pegged (specifically based on codec whitelisting in this particular scenario), the policy failure statistics show bandwidth limits counter pegged two times for a single failure.

• CSCso07369—With some unused adjacencies in detached state (for example, when no IP addresses are configured), there is a 503 error when setting up calls between two attached adjacencies.


OL-16727-03


• CSCsq85566—Setting the media-timeout value to 0 results in inconsistent call handling behavior (to include calls terminating early from the SBC and some no-media calls completing while others are prevented).

• CSCsq36265—A large trigger period configured for blacklist does not display correctly with show services CLI.

• CSCsq24086—The maximum outbound-flood-rate and ping-fail-count in adjacency data display incorrectly as -1 if the configured value is 4294967295.

• CSCsm22787—The number of H.323 media-update failures is not reflected accurately in policy-failure statistics.

• CSCso38593—Cannot edit or remove media gateway configuration when configuring the media gateway address followed by the exit command.

• CSCsr48686—N-base error while deleting the first-cac-table.

• CSCsk76641—Just before the blacklist timeout expiry, the show services sbc sbe blacklist current-blacklisting command shows the time remaining as 49 days instead of 1 or 2 seconds.

• CSCso89807—When the SBC receives a 18x message with the 'requires: 100rel' header:param it includes a second duplicate header in the outgoing 18x, which is combined into a 'Required: 100rel, 100rel' header later in the call flow.

• CSCso13743—After configuring hunting triggers in SIP adjacencies, the show services sbc j sbe sip hunting-trigger command does not show hunting triggers.

• CSCsu12327—Starting an H.323-H.323 call with an H.245 tunnel disabled causes an SBC core dump.

• CSCsr99758—The SBC core dumps while running the Codenomicon H.248 test suite.

• CSCsr99489—In an SBC redundant deployment, the standby ACE module may reload after a write memory command is issued on the active ACE module.

• CSCsr21042—The SBC reloads after FT switchover, which is expected, then reloads three more times, which is not expected.

• CSCsr43832—If the answer received by SBC has changed payload types for a codec, that codec is forwarded by SBC in the ongoing answer. If the answer is left with no valid media codecs, the signaling goes through. However, there may be media issues because of incompatible media-types.

• CSCsu26306—When configuring congestion on the DBE, the ACE module crashes. This occurs when configuring sbc test, rsrc-mon, and cpu congestion-threshold 1 clear-threshold 2 freq 1000 congestion-probe-period 200 normal-proble-period 200.

• CSCsr65536—SBC may crash when using the show logging internal facility command.

• CSCsr24168—When running the PROTOS test suite, certain test cases cause an SBC core dump.

• CSCsr65640—The SBC does not show active blacklist defaults even when blacklist is not configured.

• CSCsw28053—For certain calls rejected by CAC policy, the SIP 503 response is sent when it should be 486.



OL-16727-03


• CSCsu80002—The default DBE location-id for the SBE configuration does not match the the default DBE location-id for the DBE configuration. This causes a "503 Service Unavilable" message when attempting a call.

– Workaround: Set DBE location-id=0 and SBE location-id=0.

• CSCsr66234—When running traffic and performing multiple switchovers on the SBC, only one of the ACE modules recovered and the SBC signaling border element (SBE), configuration did not activate. As a result, all adjancencies became detached and no traffic passed.

– Workaround: Disable one ACE module. Reload the other ACE module and when it becomes active, reload the other ACE module.





• CSCsr85533—In the address-default submode of the blacklist command, entering the no reason authentication-failure command, the no reason bad-address command, the no reason corrupt-message command, the no reason endpoint-registration command, the no reason policy-rejection command or the no reason routing-failure command will set triggersize to 0, trigger-period to 0, and timeout to 0. The default value should be triggersize is 4, trigger-period is 100ms, timeout is 600s.


• CSCsr70002—With a PGW acting as a signaling border element (SBE) and a Cisco 7600 DBE, the PGW sends out a bulk audit request message. The Cisco 7600 DBE should send out a fragmented UDP message without a UDP checksum error, however, when checking the DBE reply against this audit request message, there is a Cisco 7600 fragmented UDP message checksum error.


• CSCso61641—The SBC does not release the H.248 socket even after multiple SBC creations and deletions.


• CSCsj78705—The show services sbc test dbe controllers command shows incorrect counter values.


• CSCsu82541—If the show running-config command for a release 3.0.1 image shows h248-profile gatecontrol, the downgrade procedures from Release 3.0.1 to Release 3.0.0 do not work.

– Workaround: SBC Release 3.0.0 only supports H.248-profile-version 3 for the gatecontrol profile (the default settings).

• CSCsu87098—When upgading from SBC Release 3.0.0 to 3.0.1, a concurent-requests XXX *** cmd parse error *** appears where XXX is a value other than 250 (the default).

– Workaround: Two workarounds are available. For the first workaround, temporarily deactivate and remove the radius accounting client name command configuration during the downgrade procedure. For the second workaround, temporarily set concurrent-requests parameter to its default value (250) for the SBC Release 3.0.1 configuration.

• CSCsu92793—Console shows call failure; console also shows output of the Problem Determination (PD) log indicating a resource shortage even though there are no resource shortages.


OL-16727-03

Software Version ACE Session Border Controller Release 3.0.00 Caveats

– Workaround: The SBC encountered a syntax error while parsing the Request Uniform Resource Identifier (URI). Check the syntax of the Request URI.

Software Version ACE Session Border Controller Release 3.0.00 Caveats

The following sections contain the resolved and open caveats in software version ACE Session Border Control Release 3.0.00:





• CSCsq22492—H.323 fast start calls fail if H.245-tunnel is disabled on SBC. In case of transcoding, the H.323 calls need to be slow started as that is a SBC limitation. If the originator is capable of generating a fast start call, SBC is supposed to force it to slow start , this is achieved by configuring on the adjacency "h245tunnel-disable." This was tested with Cisco's IOS callgen.

• CSCso88697—SBC crash with SBC DBE no activate and re-activate. This is a negative scenario and is not recommended in a live enviroment.

• CSCsq32222—When the pair of HA modules came up, one module reloaded while both ACE modules were coming up at the same time.


• OPENCSCsq23314—After executing multiple switchovers with 8K SIP TCP calls at a high call rate with a limited size media-address pool, there are call failures and no CLI response.


• CSCsq07699—The intermittent call forwarding failures if you start with a configuration that points the call routing into the wrong adjacency or when there is a change to the call routing configuration to point to the correct adjacency.

– Workaround: Reset any of the active or standby ACE modules.

• CSCsk99196—CLI for clearing blacklisting does not work. After the clear services sbc uut105-1 sbe blacklist ipv4 command is executed, the blacklisted endpoint is not cleared from the list and continues to be blacklisted.


• CSCso81445—The ACE module coredumps with switchover 10K reg and 5K calls on a node running the SBC application. This issue is seen intermittently after at least 3 to 4 switchovers.



OL-16727-03

Related Documentation

• CSCso72393—After a switchover both ACE modules become active. This condition is seen on a node running the SBC application. After switchover, the heartbeats are not exchanged between the ACE module and standby ACE module and after the standby comes up, it becomes active. Reset the standby module to clear the condition.


• CSCso67902—After configuring SBC and immediately executing a write memory command, the active ACE FT status went to active and the standby ACE FT status went to unknown.

– Workaround: Use the copy running-config startup-config command instead of the write memory command.

• CSCso67839—With fully qualified domain names (FQDNs) requiring DNS resolution with SBC running as P-CSCF in IMS setup, there are aborting call error messages with 6k calls at 10cps plus 10K reg.


• CSCso03125—On a node running the SBC application, the SBC configuration is lost after switchover.


• CSCsq37874—The SBC is not blacklisting the bad address port responsible for a DOS attack.


• CSCsq37007—While running the SBC application under a heavy load for an extended period of time, the ACE module hangs. Heavy load consisted of 6k to 8k SIP calls at a rate of 20 cps (on average) with features that include DTMF interworking, transcoding, call forwarding, and registrations.

– Workaround: Reduce the CPS and avoid congestion.

Related DocumentationThe following publications are available for the Cisco 7600 series routers:

• Cisco 7600 Series Router Installation Guide

• Cisco 7600 Series Router Module Installation Guide

• Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide

• Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide

• Cisco 7600 Series Router Cisco IOS Command Reference

• Cisco 7600 Series Internet Router System Message Guide

• Release Notes for Cisco IOS Release 12.2SRA on the Cisco 7600 Series Routers

• Cisco IOS Configuration Guides and Command References—Use these publications to help you configure Cisco IOS software features not described in the Cisco 7600 series router publications:

– Configuration Fundamentals Configuration Guide

– Configuration Fundamentals Command Reference

– Bridging and IBM Networking Configuration Guide

– Bridging and IBM Networking Command Reference

– Interface Configuration Guide


OL-16727-03

Obtaining Documentation, Obtaining Support, and Security Guidelines

– Interface Command Reference

– Network Protocols Configuration Guide, Parts 1, 2, and 3

– Network Protocols Command Reference, Parts 1, 2, and 3

– Security Configuration Guide

– Security Command Reference

– Switching Services Configuration Guide

– Switching Services Command Reference

– Voice, Video, and Home Applications Configuration Guide

– Voice, Video, and Home Applications Command Reference

– Software Command Summary

– Software System Error Messages

– Debug Command Reference

– Internetwork Design Guide

– Internetwork Troubleshooting Guide

– Configuration Builder Getting Started Guide

• For information about MIBs, go to this URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html


OL-16727-03

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

release notes for the cisco session border controller on ... · release notes for the cisco session...

Documents