
Software Version A5(2.0) Open Caveats

In document ACE module (Page 66-73)

The following open caveats apply to software version A5(2.0):

CSCsq65274—When you configure the HTTP header insert feature on the ACE, the configured HTTP header insert and the escape character are not translated properly. Workaround: None.

CSCti28299—When an rserver reaches the MAXCONN state, ACE generates the SNMP trap cesRealServerStateUpRev1 instead of the cesRealServerStateChangeRev1 trap. Workaround: None.

CSCtt23176—You are using an ICMP probe attached to a transparent server farm, and the probe stops sending an ICMP echo request after about 12 hours of continuous operation. Workaround: Use a UDP or TCP probe.

CSCtx12159—The ACE becomes unresponsive and reboots, with the last reboot reason of “CP kernel crash.” Workaround: None.

CSCtx27765—During the normal booting process, the ACE intermittently fails to reload due to NAT initialization. Workaround: None. ACE reboots and resumes the next reload.

CSCtx53917—The ACE A235 module fails to reboot if it is run with 20 contexts and has traffic on all contexts. Workaround: None.

CSCtx57994—After performing a software upgrade or while using software version A4(2.2), the ACE rebroadcasts a non-IP logical-link control (llc) broadcast packet generated by an IBM server.

As a result, this action causes the ACE to believe that the IBM server now resides off the ACE switchport. When this behavior occurs, you will see the following message:

%MAC_MOVE-SP-4-NOTIF: Host <IBM-SERVER-MAC> in vlan XX is flapping between port <ACE-PORT> and port <SERVER-PORT>

Workaround: If necessary, downgrade to an earlier version of ACE software.

CSCtx64126—The ACE contains static ARP entries even though no static ARPs have recently been configured. This issue may be related to static ARPs configured in the past and then removed. In this case, the ACE failed to remove the entries. Workaround: Re-add the static ARP entry, and then remove it. This action will remove the static ARP from the ACE.

CSCty08887—The ACE resets a connection if the HTTP header is approximately 14K in length while the VIP configuration does not require HTTP parsing. Workaround: Create an HTTP parameter map that includes the set header-maxparse-length command followed by a proper value.

CSCty09558—When you configure multiple probes on the ACE and make the probes fail using iptables, the ha_mgr process in the ACE goes into an unresponsive state after the switchover is checked. Workaround: None.

CSCty18004—The HTTP probe fails if the data has the control character (NULL) "\0". This issue is not seen in a normal UNIX server from which the file is fetched but is seen only with IXIA because it can manipulate the data. Workaround: The data/header portion of the reply should not have a NULL character.

CSCty24258—Under normal operating conditions, the ACE module reboots during the Load Balancing process. Workaround: None.

CSCty37843—When you enter the show service-policy detail or show service-policy url-summary commands, the show service-policy command becomes unresponsive on ACE20 and only a part of the output is shown on the console. Workaround: Break the command by pressing <ctrl-C>.

CSCty43331—Under a normal server load-balancing operation when you add or modify a virtual IP (VIP) address, you may find that the VIP addresses do not appear in the show cfgmgr internal table icmp-vip output. Workaround: Reload the ACE.

CSCty58098—When the ACE is configured with a class map that contains wildcards within the regex match string, the matching criteria may be applied inconsistently. Workaround: None.

CSCty58343—In an FT setup, when you do a checkpoint rollback to a blank config in an Active ACE, the standby ACE reboots with the cfgmgr.

Workaround: Shut down or disable the FT interface and do a checkpoint rollback to an empty config in an active ACE module.

CSCty61047—When you configure DHCPv6 relay on an interface and use wide-dhcp IPv6 DHCP server as the DHCP server, the DHCP relay fails to function properly. Workaround: None.

CSCty70458—When you apply the configuration for front-end SSL, remove and then add an rserver under the server farm, and press Ctrl+C, the ACE crashes with the last reboot reason ME Dumper Process Crashed. Workaround: None.

CSCty96856—Under normal operating conditions, ACE reboots with the reason "ha_mgr".

Workaround: None.

CSCtz17453—The syslogd process running on the ACE reboots when the Control Plane (CP) is under a stress test with multiple ssh/telnet/probe/xml/snmp scripts. Workaround: None.

CSCtz20802—When you configure a certificate or a key name using special characters during a backup process and use the show restore errors command, the restore process fails with the following message:

Component:Cert/Key" & "Error, decipher failed for keys

Workaround: Do not use special characters when you configure certificates and key names.

CSCtz27907—The HTTP probe fails if the data has the control character (NULL) "\0" as a part of the data. This issue is not seen in a normal UNIX server from which the file is fetched but is seen only with IXIA because it can manipulate the data. Workaround: The data/header portion of the reply should not have a NULL character.

CSCtz28887—When you use/configure “Admin” as a part of the name for a load balancing context, the FT synchronization fails, and goes into the FSM_FT_STATE_STANDBY_CONFIG state for a long time before moving to the FSM_FT_STATE_STANDBY_COLD state. Workaround: Do not include “Admin” in the name of a load balancing context.

CSCtz30476—When you configure a non-matching regex in an HTTP probe, the probe passes and fails intermittently. The probe fails because the binary data response does not have the same regex configured. Workaround: None.

CSCtz30478—When you configure a non-matching regex in an HTTP probe, the probe passes and fails intermittently. The probe fails because the binary data response does not have the same regex configured. Workaround: None.

CSCtz30667—When you configure an HTTP probe with an expected regex and send the response from the server with “Len:” instead of “Content-Length:”, the HTTP probe skips. Workaround: None.

CSCtz41341—During normal operation, the ACE reboots when generating the syslogd core file.

Workaround: None. The ACE reboots and automatically corrects itself.

CSCtz42584—During normal operation, the ACE reboots when generating the syslogd core file.

Workaround: None.

CSCtz42618—When real servers are down and you try to telnet to the VIP IP, a connection is established in the ACE because the ICM (Ingress Connection Manager) is not checking the VIP status. If you send another request, the connection is dropped with a L7 rejection.

Workaround: None.

CSCtz45804—When the ACE is running in bridged mode, the FT goes into the down state because the multicast packets cause a loop with the real time streaming protocol (RSTP).

Workaround: None.

CSCtz47000—On the ACE, when you enable the normalization feature on one interface and disable this feature on another interface, the user traffic is initiated from the former interface. Two IP addresses share a single mac address. ACE selects the encap id of a previously added IP address server which has no static arp entry. This results in ACE clearing/dropping the existing connection when the arp time is reached. Workaround: Disable normalization on both interfaces.

CSCtz47012—When the ACE is running in bridged mode, the FT goes into the down state because the multicast packets cause a loop with the real time streaming protocol (RSTP).

Workaround: None.

CSCtz47825—Under normal operating conditions, the ACE module with the HTTP probes configured reboots when allocating memory or parsing an HTTP probe response. Workaround: Change the HTTP probes to TCP probes, and reset the ACE.

CSCtz92969—When you configure “vlan internal allocation policy descending” on the supervisor engine, the "interface vlan 4094" appears in the admin context even though the vlan number 2094 is neither configured nor assigned to the ACE.

Workaround: Do not configure “vlan internal allocation policy descending” on the supervisor engine.

CSCtz96319—The ACE reboots when you do a checkpoint rollback on a config which has user “Admin” in a non-default domain. Workaround: None.

CSCua07021—Under normal operating conditions, the ACE module reboots with the last boot reason Service: TACACS Daemon and generates a tacacsd core file. Workaround: None.

CSCua13827—Continuous and excessive traffic to the CP affects the performance of the CP, thereby causing functions, like probes, to fail. Workaround: None.

CSCua16421—The client does not receive large replies, approximately 1500 bytes, from VIP and PMTUD does not work. This is seen when:

Virtual IP is configured with a specific port

IPv6 is configured on the client side

IPv4 is configured on the rserver side

MTU on the path from ACE to client is lower than the MTU on the path from ACE to rserver.

Workaround: Perform either of the following:

Configure MTU on the path from ACE to rserver to be lower than the MTU on the path from ACE to client.

Limit maximum MSS for connections to rservers on ACE with the connection parameter map:

parameter-map type connection NAME

  set tcp mss min 0 max <Maximum MSS on IPv6 side>

CSCua18092—The ACE does not do the mapping between ICMPv6 and ICMPv4 packets.

Therefore, the ACE does not send ICMPv4 packets because the mapping of ICMPv6 to ICMPv4 is not done for this VIP by a device. This is seen in the following cases:

The VIP is a class-map that is configured with the protocol/port "any"

IPv6 is configured on the client side and IPv4 is configured on the rserver side

The MTU on the path from the ACE to the client is lower than the MTU on the path from the ACE to the rserver

Client requests result in a large reply size that is greater than the MTU of the ACE to the client path

Workaround: Configure VIP with a specific port.

CSCua18882—When IPv6 ssl termination is configured to load balance an IPv6 web server, the ACE IPv6 ssl termination VIP does not load a web page. The TCP MSS between the client and ACE is 1220. The packets are dropped when the packet size exceeds the MSS as follows:

ACE/Context# sh np 1 me-stats "-stcp" | i MSS

Drops due to packet size exceed MSS: 21 0

Workaround: Configure the following exceed-mss allow in a connection parameter-map for VIP.

parameter-map type connection TCP-Options

  exceed-mss allow

policy-map multi-match VIPS

  class IPv6-SSL-Term-Vip

    connection advanced-options TCP-Options

CSCua18919—When the backtrace decode points to a specific fastpath crash due to a corrupt buffer chain for transition, the ACE reboots with the last boot reason: NP Failed:NP ME Hung.

Workaround: None.

CSCua19020—If you configure an ACE with two VIP having the same address but on separate ports, and when you remove one of the VIP (with the other VIP operational), and later reconfigure it, the reconfigured VIP remains inactive for a long time.

Workaround: For the VIP addresses that are inactive, remove the configuration in the multi-match policy and reapply them.

CSCua22740—After you configure a NTP server in ACE and later remove it from the configuration, the NTP server still remains active (even after it is removed from the configuration).

Workaround: None.

CSCua25656—When you configure ACE with high syslogging, the ACE CLI becomes unresponsive when you enter commands such as show running, show logging, write mem, and so on. Workaround: Reduce syslogging.

CSCua30450—The ACE unexpectedly reboots. If you specify the show version command, the ACE reloads with the last boot reason: Service cfgmgr. Workaround: None.

CSCua34721—When you enable the TCP timestamp on an ACE, the ACE uses the incorrect timestamp when it acknowledges a packet from the backend server. Though the ACE acknowledges the latest packet, it uses the timestamp of a previous packet.

Workaround: Perform one of the following:

Add “set tcp wan-optimization rtt 0” to the connection parameter-map

Remove “tcp-options timestamp allow” from TCP connection parameter-map.

CSCua35646—When an ACE is running the software version A5(1.2), the ACE becomes unresponsive with the incorrect title “HANG DETECTED on core 15”. The title “Program terminated with signal 11” should be displayed.

Workaround: None.

CSCua37075—The ACE 30 module reloads with the last boot reason: CP Kernal Crash, and generates the “crashinfo” file. Workaround: None.

CSCua66222—The ACE reloads with the last reboot reason: “NP 1 Failed : NP ME Hung”. This occurs in one of the following conditions:

The “doAddition” function fails and fills the freelist up to 100%

100% ME utilization in the core file

Workaround: None.

CSCua69350—A POST request received from the client matches the class-default instead of matching the class-map. This occurs when ACE is configured in one of the following ways:

The ACE uses a L7 VIP with multiple class-maps including class-default.

The HTTP transaction is a POST with HTTP header "Content-Type: application/x-www-form-urlencoded"

The POST content length is greater than TCP buffer share but less than the content-maxparse-length

Workaround: Perform one of the following:

Set “content-maxparse-length” to “1”

Create a connection parameter map with a tcp buffer share of 65535

CSCua71445—The client request decryption stalls for five seconds. This occurs if the client request contains "Content-Type: application/x-www-form-urlencoded" and hits a policy map which contains at least one class that matches the secondary cookies.

Workaround: Configure HTTP on the front end.

CSCua78518—The ACE console displays the following error message when the no probe command is entered.

Error: Cannot delete probe associated with tracking.

This occurs in one of the following conditions:

When the ft track host is configured and is associated with the probe

If the 'no track-host [ip address]' and 'no peer track-host [ip address]' commands are entered before the ft track is removed

Workaround: Remove the ft track host commands 'no track-host [ip address]' and 'no peer track-host [ip address]'.

CSCua81138—The ACE stops inserting the SSL session ID header when the cached session reaches 1,00,000 sessions (approximately). Workaround: Remove the session cache timeout.

CSCua92808—When you use the percent sign in the <number> value in the limit-resource all minimum <number> command, the ACE translates the <number> incorrectly and divides the numerical value by 100.

For example, execute the command in the following configuration,

ACE/Admin(config)# resource-class RC1

ACE/Admin(config-resource)# limit-resource all minimum 20% maximum equal-to-min

The following output of the above command appears in the configuration:

resource-class RC1

limit-resource all minimum 0.20 maximum equal-to-min

The output of show resource-usage confirms that the ACE assigns only 0.2% (instead of 20%) of resources to all contexts that are members of this class.

Workaround: Remove the percent sign ('%') from the “limit-resource” command. The ACE accepts any non-numerical characters (even multiple of these characters) in the <number> field without any error.
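An offline audit for this caveat, as an added example (not Cisco code): it scans a saved running-config for limit-resource minimums below 1 percent, the signature left by a translated percent sign, and lists the contexts that are members of the affected class. The sample configuration is constructed, and the 1 percent threshold is an assumption; a value under it may also be intentional.

```python
import re

CLASS_RE = re.compile(r"^resource-class\s+(\S+)")
CONTEXT_RE = re.compile(r"^context\s+(\S+)")
MEMBER_RE = re.compile(r"^\s+member\s+(\S+)")
LIMIT_RE = re.compile(
    r"^\s*limit-resource\s+(.+?)\s+minimum\s+(\d+(?:\.\d+)?)\s+maximum\s+\S+")

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
resource-class RC1
  limit-resource all minimum 0.20 maximum equal-to-min
resource-class RC2
  limit-resource all minimum 20.00 maximum equal-to-min
  limit-resource sticky minimum 0.50 maximum unlimited
context C1
  allocate-interface vlan 100
  member RC1
context C2
  member RC2
"""

def audit_limit_resource(running_config, threshold=1.0):
    """Flag minimums below `threshold` percent and list member contexts."""
    suspects = []   # (class, resource, configured %, configured value x 100)
    members = {}    # resource-class name -> [context names]
    res_class = context = None
    for line in running_config.splitlines():
        if m := CLASS_RE.match(line):
            res_class, context = m.group(1), None
        elif m := CONTEXT_RE.match(line):
            res_class, context = None, m.group(1)
        elif (m := LIMIT_RE.match(line)) and res_class:
            minimum = float(m.group(2))
            if 0 < minimum < threshold:   # assumed threshold, see lead-in
                suspects.append((res_class, m.group(1), minimum,
                                 round(minimum * 100, 2)))
        elif (m := MEMBER_RE.match(line)) and context:
            members.setdefault(m.group(1), []).append(context)
        elif line.strip() and not line[0].isspace():
            res_class = context = None    # some other top-level command
    return [s + (members.get(s[0], []),) for s in suspects]

if __name__ == "__main__":
    for cls, res, got, likely, ctxs in audit_limit_resource(SAMPLE_CONFIG):
        print(f"{cls}: limit-resource {res} minimum {got}% "
              f"(percent sign would have meant {likely}%); contexts: {ctxs}")
```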

CSCua99477—When SSL termination is configured on an ACE and the client connects with an expired certificate, the configured action-list adds incorrect values in the HTTP header. The HTTP verify-result header on the server shows the status as “OK” even though the certificate is expired.

This occurs only when the CRL check is configured on the ACE.

Workaround: Remove the CRL check from the configuration.

CSCub05455—The ACE reloads with following last boot reason: AAA Daemon and generates core files. Workaround: None.

CSCub07887—In an ACE, when you modify one of the class-maps in a management policy, a part of the management traffic towards the ACE drops. Workaround: Reapply the management service-policy to the interface.

CSCub12816—When there are multiple contents with the same VIP address, protocol, and port in a configuration, only one policy-map is created. If the contents have different match statements, multiple class-maps are created. However, the L7 match statement and action is missing from the L7 policy-map.

Workaround: Create a single content with all the match statements in it.
