New and Enhanced Software Features for Cisco IOS XE Gibraltar 16.11.x
New and Enhanced Features for Cisco IOS XE Gibraltar 16.11.1a
-
Cisco Unified Border Element Smart Licensing—Cisco Unified Border Element Smart Licensing—Cisco Smart Software Licensing provides a simple cloud-based solution for managing and tracking the use of your licenses and entitlements across your business. License requirements for the use of CUBE trunk sessions are reported to Cisco Smart Licensing.
For a more detailed overview on Cisco Licensing, go to https://cisco.com/go/licensingguide.
-
Channel-Based Metrics Measurement—Configures the performance monitors used by PfRv3 to employ a data collection method combining metadata and traffic sampling to provide traffic metrics.
-
Consent Token for Shell Access—Consent Token is a time-bound multi-factor authentication mechanism for secure access to Cisco devices. When you try to access the Secure Shell on a Consent-Token-enabled device, the device generates an authentication challenge. You must obtain the response to this challenge from a Cisco Authorized personnel through an out-of-band mechanism such as email or phone call, and enter the response on the device to gain access to the Secure Shell. Secure Shell access is revoked after the time interval you specified while requesting access.
-
Dynamic Application Policy Routing—Dynamic Application Policy Routing (DAPR) dynamically steers overlay and underlay egress application traffic flows between multihomed sites connected over RAR links (virtual-access interfaces). This feature extends the existing path management solution of PfRv2 to virtual access interfaces. DAPR routes your traffic based on policy criteria such as link preference and load balancing to meet performance requirements such as delay and jitter.
-
Enhanced Policy Based Routing and Site Manager—The Enhanced Policy-based Routing (ePBR) routing enables application-based routing. Application-based routing provides a flexible, device-agnostic policy routing solution, while also ensuring application performance.
-
FlexVPN IKEv2 Dynamic Route Tagging—The IKEv2 Dynamic Route Tagging feature enables a tag value for automatically-learned (connected) routes. It also helps to apply this tag value on hub site during installation.
-
FlexVPN Event Trace—Displays event trace messages for FlexVPN.
-
IPFIX support for ETA—IP Flow Information Export (IPFIX) protocol is another way for transmitting traffic flow information over the network. Support for ipfix keyword in flow destinations was added.
-
IPv6 Object Group ACL—This feature extends object group-based policy application to IPv6 ACLs. The Object group for access control list (ACL) allows you to classify users, devices, or applications into groups and apply those groups to ACLs to create access control policies for those groups. Object group-based ACL approach reduces configuration size, makes ACLs easily readable and easier to manage, thus minimizing complex and larger ACL configurations.
-
MACsec exception reports for invalid keys and replay attacks—You can use the show mka policy command to verify the XPN configuration. If you do not want to include icv-indicator in MKPDUs, use the no include-icv-indicator command in the MKA policy.
-
MACsec varialble length CKN and optional support for ICV—Use the platform macsec logging replay protection command in global configuration mode to configure the packet count global configuration mode to configure the packet count.
-
PfRv3 Intelligent Load Balance—The PfRv3 Intelligent Load Balance feature detects the remote bandwidth overrun at the earliest possible. It helps to reduce the packet drop caused by per tunnel QoS and increases the bandwidth utilization.
-
PKI - EST CA Certs on Reykey—This feature enables client devices to obtain CA certificate automatically as part of rekey. The CA certificate certifies a new public key for a device.
-
Programmability—The following programmability features are introduced in this release:
-
Kill Telemetry Subscription—he ability to delete a dynamic model driven telemetry dynamic subscription using either:
-
The clear telemetry ietf subscription Cisco IOS command, or
-
The <kill-subscription> RPC
-
-
NETCONF and RESTCONF Service Level Access Control Lists: Enable you to configure an IPv4 or IPv6 access control list (ACL) for NETCONF and RESTCONF sessions.
Clients that do not conform to the configured ACL are not allowed to access the NETCONF or RESTCONF subsystems. When service-level ACLs are configured, NETCONF and RESTCONF connection requests are filtered based on the source IP address.
-
YANG Data Models: For the list of Cisco IOS XE YANG models available with this release, navigate tohttps://github.com/YangModels/yang/tree/master/vendor/cisco/xe/16111.
Revision statements embedded in the YANG files indicate if there has been a model revision. The README.md file in the same GitHub location highlights changes that have been made in the release.
-
-
Removal of Weak Encryption Types 0, 5, and 7 in AAA—Support has been added for auto-conversion of weak password types 0 and 7 to encrypted password type 6. Configure AES password encryption feature and primary encryption key to auto-convert password types 0 and 7 to password type 6.
-
Security Readiness Criteria (SRC) Closure—Refer to the following documents for information about this feature: Security Readiness Criteria (SRC) closure for Cisco Unified Border Element—SRC is a program to meet a set of security criteria before releasing the product offering to the customers. SRC helps to prioritize security requirements that are necessary to reduce the associated risk.
-
Show commands for ETA—Simplified show commands to display ETA configurations, flow statistics, and export statistics for quick troubleshooting.
-
show interface gigabitethernet accounting—The show command output was modified to display the number of packets of each protocol type that have been sent through all configured interfaces.
-
show platform resources - Display bootflash and harddisk Details for RP modules—With this feature, you can use the show platform resources command to view utilization of boot flash and hard disk of a Route Processor.
-
Source interface support for ETA Netflow records—Support for source-interface interface-name for ETA Netflow records was added.
-
Specific License Reservation—With Specific License Reservation, you can deploy a Smart License on a device without directly connecting it to the Cisco Cloud.
For a more detailed overview on Cisco Licensing, go to https://cisco.com/go/licensingguide.
-
Support certificate CN/SAN validation—Server Identity Validation on Cisco Unified Border Element—Cisco Unified Border Element supports server identity validation through Common Name (CN) and Subject Alternate Name (SAN) fields in the server certificate during client-side SIP/TLS connections. Validation of CN and SAN fields of the server certificate ensures that the server-side domain is a valid entity.
-
VxLAN Static Routing—Provides a method for connecting multiple servers in a data center to an enterprise edge router, using one-to-many static routes and point-to-multipoint (P2MP) VxLAN tunnels.
-
Web User Interface—Supports an embedded GUI-based device-management tool that provides the ability to provision the router, simplifies device deployment and manageability, and enhances user experience. The following features are supported on Web User Interface from Cisco IOS XE Gibraltar 16.11.1:
-
Nat Statistics
-
IPv6 Support for AAA
For information on how to access the Web User Interface, see Configure the Router for Web User Interface section.
-
-
ZBFW HSL using Source Interface Capability—Zone-based Firewall supports export of logged data record to an external collector using NetFlow Version 9, where the collector parses and interprets the data record based on the template. Zone-based firewall uses the High Speed Logging (HSL) capability to generate NetFlow data through the log flow-export v9 udp destination command under the parameter-map type inspect-global configuration.
Resolved and Open Bugs for Cisco IOS XE Gibraltar 16.11.x
About the Cisco Bug Search Tool
Use the Cisco Bug Search Tool to access open and resolved bugs for a release.
The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.
You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.
Resolved Bugs for Cisco IOS XE Gibraltar 16.11.1a
All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved Bug Search.
|
Caveat ID Number |
Description |
|---|---|
|
SNMP with Extended ACL |
|
|
Watchdog crash after "% AAA/AUTHEN/CONT: Bad state in aaa_cont_login()." |
|
|
NAT MIB not populated when using traditional NAT |
|
|
Byte counters for physical interface and subinterface don't match |
|
|
Router shows "Flash disk quota exceeded" during the reload, but it still has 60% of free memory left |
|
|
Router crashes when DMVPN tunnel moves accoss ports |
|
|
qWLC-Sanity: interface down due to %EZMAN_RM-3-SERDES_AUTOTUNE_FAIL-R0/0: Failed on lane 54 |
|
|
Several OID from CISCO-CLASS-BASED-QOS-MIB stop working when performing upgrade to Denali-16.3.x |
|
|
CPP 0 failure Stuck Thread resulting in Unexpected Reboot |
|
|
EEM: event mat mac-address not triggered on router with NIM-ES2-8-P |
|
|
ASR1001 has crashed with cgm_avlmgr_find_node |
|
|
When configured vlan unlimited with port-channel subinterface, statistics does not increment |
|
|
CPP crash on L2TP router |
|
|
H225 gatekeeper request dropping under "ALG PARSER" with ZBF |
|
|
NAT ALG ASR1K does not translate call id 0 of PPTP client correctlly. |
|
|
ASR1001-X: interface LED remains amber after shut/no shut on the interface |
|
|
Packet throughput drops down when enable tunnel visibility with single tcp flow(>1MPPS) |
|
|
Provide Passthrough Reason in IOS-XE for AppNav |
|
|
ASR1002-X router crashed in cpp_qm_event_collapse_hl_node |
|
|
IOS-XE FIPS mode is enabled by default in QFP even if it is not enabled in CLI |
|
|
ASR1k with stateful nat conf, mapping ID got locked after vrf delete |
|
|
MAC filtering incorrectly set on builtin ports of ISR4300 |
|
|
debug platform condition start causes keepalive failures with Vasi interface |
|
|
ASR1k unexpected crash when appNav holds a stale pointer. |
|
|
EPA-1X100GE/CPAK-100G-SR4 stays in a down/down state after a reset. |
|
|
Packet trace does not work with re-injected UTD packets |
|
|
Crash after service-policy APPNAV change on WAAS instance |
|
|
The OID - adslAtucCurrOutputPwr returns incorrect output. |
|
|
CDP over EVC is not working |
|
|
LAN Switches does not learn the right ED upon OTV failover |
|
|
DNS ALG will not work when trying to match specific destination hosts |
|
|
"sdavc_ppdk.pack force" command not accepted during boot up |
|
|
GetVPN TBAR failure does not generate syslogs |
|
|
Path of Last Resort Sending Probes in Standby State |
|
|
ASR1001X @incorrect traffic statistics reported of port-channel sub interface using SNMP. |
|
|
ASR1001-X: Investigate "license request failed , err=0x22" seen at Manufacturing test |
|
|
PLR channel is not muted for some time |
|
|
VASI NAT: FTP ALG translation is sometimes failed |
|
|
ASR1K - No kernel/coredump generated with watchdog reload event |
|
|
AVC license should be activated only in case of smart licensing model |
|
|
Dash i2c Kernel message outputted during boot up |
|
|
Crash due to Memory corruption in ISR4k |
|
|
ASR1001-X : netconf interface goes into oper down state afer reboot tests |
|
|
Channel with wrong label may be created on hub border |
|
|
ASR 1009/1013 (ESP200) will drop traffic when setting police rate over 67.104gbps |
|
|
standby router shows warning message as image is missing when image in present in active and standby |
|
|
cBR-8 crash after issuing show platform hardware qfp active infrastructure bqs |
|
|
double exception in ipv4_nat_icmp_lookup_embedded |
|
|
Hoot-n-holler multicast traffic marked with DSCP 0 |
|
|
ASR1K not reachable by Unicast on Port-Channel Sub interfaces when EVC + Sub-interface is configured |
|
|
Unable to remove command 'ip nat inside destination' |
|
|
ESP crash due to fatal error |
|
|
Modification to ZBFW access-lists do not reflect in TCAM |
|
|
ASR1001X - when using VRF NAT port used for ftp data is not freed |
|
|
Ingress ping crash on asr1001x when packet size > 9K |
|
|
Traffic fails after changing Copper SFP to Fiber SFP on 1GE built-in interface. |
|
|
Invalid throughput level in the "show version" output |
|
|
IOS XE 16.08.01 - monitor capture missing packets (TCP ACKed unseen sgmts) |
|
|
Fixed ISR: Increase Maximum Configurable VLAN# and STP# from 32 to 63 |
|
|
IOS-XE : IPv6 ACL for Tunnel QoS not matched |
|
|
WAAS Policy Configuration push may caused AppNav Class-maps programming issue in TCAM |
|
|
ASR1000-6TGE / ASR1000-2T+20X1GE in status Unknown after Active RP3 OIR |
|
|
Quick RP3 recovery after the Punt Path XAUI link goes down |
|
|
Crash due ZBF + NAT |
|
|
Crash observed on ASR1002-X @ fnf_age_recalculate_record_len with AVC performance monitor config |
|
|
"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED:fman_fp_image:xxx" appears when configured "ip port-map" on ISR44xx. |
|
|
ICMP unrechables are not sent to the client on C1117 platform |
|
|
IPSEC in DOWN-NEGOTIATING on HSRP Standby router with local-address config |
|
|
CPP-mcplo-ucode crash while encrypting SIP packets with ALG NAT for SIP |
|
|
Polaris Router - CPUHog - SNMP ENGINE crashed with Watchdog timeout |
|
|
Signaling interface inactive on "show snmp mib ifmib ifindex de" on IOS 16.6.3 |
|
|
Traceback seen when attempting to recover sw port from bpduguard err-disable state |
|
|
Router crash when clearing ip nat translations |
|
|
ASR1001-HX 10GE SFP+ ports may operate as 1000Mbps |
|
|
lacp max-bundle rejected with Aggregate PortChannel subinterface QoS |
|
|
%Error formatting harddisk: (I/O error) - 0913 Polaris dev image |
|
|
ACL dropping packets after updating it - %CPPEXMEM-3-NOMEM |
|
|
Small clock changes or time drifts can cause GETVPN TBAR drops (Crypto-DP) |
|
|
ASR1002-X crash due to ccp_cp_svr going into lockdown state. |
|
|
Host crashes the DSP if ipv6 commands are configured under Service-Engine [Purge ipv6 config option] |
|
|
Active RP crash at __be_datagram_done |
|
|
Crash due to communication failure - IPC (Inter-Procedure Call) messages between DSP and RP. |
|
|
ASR1k crash due to QoS in case of 4k subscribers per subinterface |
|
|
Traceroute not working when sourced from NAT Inside interface |
|
|
An IOS-XE router crashes after umbrella is configured. |
|
|
Router crash occurs while running Dell software update |
|
|
Ethernet FRR switchover takes more than 200ms on EPA10 and EPA100 if remote Rx fiber is pulled |
|
|
Out of Band DTMF Events Not Passing to CUCM via SCCP When Using IOS MTP |
|
|
Unable to reconfigure VTY lines on ISR4221 once deleted |
|
|
show facility-alarm status doesn't reflect actual port state of cellular interface |
|
|
show interface output reports incorrect bandwidth |
|
|
Removal of loopback interface causes router to crash and erases the conf register settings |
|
|
IOS-XE ISAKMP deletes new SPI if rx new SPI packet before installation is done |
|
|
Lowering the severity of Harddisk Missing Alarm from Major to Info |
|
|
Crash in cpp_bqs_rm_yoda_proc_pend_fc_cb |
|
|
FMANFP-6-IPACCESSLOGP message have IP address byte reversed |
|
|
QFP crashes with a HW interrupt |
|
|
Crashed while checking condition debug |
|
|
RP3 Punt Interface May Drop Traffic Due to VLAN Filter Hardware |
|
|
EIGRP session is not coming up if the dynamic PBR is applied on interface |
|
|
Int index is 0 for the Cellular inteface in the exported flow |
|
|
SUP Crash after running the command " show plat hard qfp act infr bqs debug qmrt_dump " |
|
|
Correction to Quick RP3 recovery after the Punt Path XAUI link goes down |
|
|
%QFPOOR-4-TOP_EXMEM_USER reports negative memory allocation |
|
|
Call is not getting connected in Forking Re-INVITE scenario |
|
|
Show call media forking match failed |
|
| DataPlane crash observed in MMOH call flow |
Open Bugs for Cisco IOS XE Gibraltar 16.11
All open bugs for this release are available in the Cisco Bug Search Tool through the Open Bug Search.
|
Caveat ID Number |
Description |
|---|---|
|
router crashed while running system test script during configuring Tunnel interface |
|
|
BFD flaps everytime with dynamic tunnel creation in DMVPN |
|
|
ASR1006X linecard down after Active RP3 OIR |
|
|
DMVPN Phase 2 shortcut triggered from a spoke behind PAT may end up in stuck DNX state |
|
|
SNG_AO unavailable alarms are not clearing after removing the monitor-load feature under policy |
|
|
PKI "revocation check crl none" does not fallback if CRL not reachable |
|
|
Stuck CPP Thread while processing H323 packet |
|
|
IOSXE - firewall corrupts half open list |
|
|
FXS - no busy tone is generated on remote-onhook condition with call pickup scenario |
|
|
IPSec-Session count in "show crypto eli" reaches max causing VPN failure |
|
|
Router configured with ZBFW reloads with a last reload reason of LocalSoft |
|
|
Streaming CRCs seen with GLC-GE-100FX VID: V02 on ISR4k |
Related Documentation
-
Release Notes for Previous Versions of ASR 1000 Series Aggregation Services Routers
-
Hardware Guides for Cisco ASR 1000 Series Aggregation Services Routers
-
Configuration Guides for ASR 1000 Series Aggregation Services Routers
-
Command Reference Guides for ASR 1000 Series Aggregation Services Routers
-
Product Landing Page for ASR 1000 Series Aggregation Services Routers
-
Upgrading Field Programmable Hardware Devices for Cisco ASR 1000 Series Routers
-
Cisco ASR 1000 Series Aggregation Services Routers ROMmon Upgrade Guide
Feedback