Release Notes for Cisco 4000 Series ISRs, Cisco IOS XE Gibraltar 16.12.x

Cisco 4000 Series Integrated Services Routers Overview

The Cisco 4000 Series ISRs are modular routers with LAN and WAN connections that can be configured by means of interface modules, including Cisco Enhanced Service Modules (SM-Xs), and Network Interface Modules (NIMs).

The following table lists the router models that belong to the Cisco 4000 Series ISRs:

System Requirements

The following are the minimum system requirements:

Note: There is no change in the system requirements from the earlier releases.

• Memory: 4GB DDR3 up to 16GB
• Hard Drive: 200GB or higher (Optional). (The hard drive is only required for running services such as Cisco ISR-WAAS.)
• Flash Storage: 4GB to 32GB

Note: There is no change in the flash storage size from the earlier releases. The flash storage size must be equal to the system memory size.

• NIMs and SM-Xs: Modules (Optional)
• NIM SSD (Optional)

Determining the Software Version

For more information, see the Cisco 4000 Series ISRs Data Sheet.

Note: For more information on the Cisco WAAS IOS-XE interoperability, refer to the WAAS release notes: https://www.cisco.com/c/en/us/support/routers/wide-area-application-services-waas-software/products-release-notes-list.html.

You can use the following commands to verify your software version:

• For a consolidated package, use the show version command
• For individual sub-packages, use the show version installed command

Upgrading to a New Software Release

To install or upgrade, obtain a Cisco IOS XE Gibraltar 16.12.1a consolidated package (image) from Cisco.com. You can find software images at http://software.cisco.com/download/navigator.html. To run the router using individual sub-packages, you also must first download the consolidated package and extract the individual sub-packages from a consolidated package.

Note: When you upgrade from one Cisco IOS XE release to another, you may see %Invalid IPV6 address error in the console log file. To rectify this error, enter global configuration mode, and re-enter the missing IPv6 alias commands and save the configuration. The commands will be persistent on subsequent reloads.

For more information on upgrading the software, see the How to Install and Upgrade the Software section of the Software Configuration Guide for the Cisco 4000 Series ISRs.

Recommended Firmware Versions

Table 1: Recommended Firmware Versions, on page 2 provides information about the recommended Rommon and CPLD versions for releases prior to Cisco IOS XE Everest 16.4.1.

Upgrading the ROMMON Version on the Cisco 4000 Series ISR

For information about ROMMON compatability matrix, and ROMMON upgrading procedure, see the ROMMON Compatability Matrix and "ROMMON Overview and Basic Procedures” sections in the Upgrading Field-Programmable Hardware Devices for Cisco 4000 Series ISRs.

Upgrading Field-Programmable Hardware Devices

The hardware-programmable firmware is upgraded when Cisco 4000 Series ISR contains an incompatible version of the hardware-programmable firmware. To do this upgrade, a hardware-programmable firmware package is released to customers.

Generally, an upgrade is necessary only when a system message indicates one of the field-programmable devices on the Cisco 4000 Series ISR needs an upgrade, or a Cisco technical support representative suggests an upgrade.

From Cisco IOS XE Release 3.10S onwards, you must upgrade the CPLD firmware to support the incompatible versions of the firmware on the Cisco 4000 Series ISR. For upgrade procedures, see the Upgrading Field-Programmable Hardware Devices for Cisco 4000 Series ISRs.

Feature Navigator

You can use Cisco Feature Navigator to find information about feature, platform, and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on cisco.com is not required.

Limitations and Restrictions

The following limitations and restrictions apply to all releases:

• Cisco Unified Threat Defense, on page 3
• Cisco ISR-WAAS and AppNav-XE Service, on page 3
• USB Etoken, on page 4

Cisco Unified Threat Defense

The Cisco Unified Threat Defense (UTD) service requires a minimum of 1 to 4 GB of DRAM.

Cisco ISR-WAAS and AppNav-XE Service

The Cisco ISR-WAAS/AppNav service requires a system to be configured with a minimum of 8GB of DRAM and 16GB flash storage. For large service profiles, 16GB of DRAM and 32GB flash storage is required. Also, Cisco ISR-WAAS requires a minimum of 200GB SSD.

IPsec Traffic

IPsec traffic is restricted on the Cisco 4000 Series ISR. The router has the same IPsec functionality as a Cisco ISR G2. The default behavior of the router will be as follows (unless an HSECK9 license is installed):

• If the limit of 1000 concurrent IPsec tunnels is exceeded, no more tunnels are allowed and the following error message appears:

%CERM-4-TUNNEL LIMIT: Maximum tunnel limit of 1000 reached for Crypto functionality with securityk9 technology package license.

• The throughput encrypted traffic supports 250 Mbps.
• The Cisco 4000 Series ISR does not currently support nested SA transformation such as:

crypto ipsec transform-set transform-1 ah-sha-hmac esp-3des esp-md5-hmac

crypto ipsec transform-set transform-1 ah-md5-hmac esp-3des esp-md5-hmac

• The Cisco 4000 Series ISR does not currently support COMP-LZS configuration.

USB Etoken

USB Etoken is not supported on Cisco IOS XE Denali 16.2.1.

Yang Data Models

Effective with Cisco IOS XE Everest 16.5.1b, the Cisco IOS XE YANG models are available in the form of individual feature modules with new module names, namespaces and prefixes. Revision statements embedded in the YANG files indicate if there has been a model revision.

Navigate to https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1651, to see the new, main cisco-IOS-XE-native module and individual feature modules attached to this node.

There are also XPATH changes for the access-list in the Cisco-IOS-XE-acl.yang schema.

The README.md file in the above Github location highlights these and other changes with examples.

CTI Configuration

CME does not support CTI configurations on Cisco 4000 Series ISRs.

TACACS Legacy Command

Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.

New and Changed Information

New Software Features in Cisco 4000 Series ISRs Release Cisco IOS XE Gibraltar 16.12.2

The following features are supported by the Cisco 4000 Series Integrated Services Routers for Cisco IOS XE Gibraltar 16.12.2:

New Hardware Features in Cisco IOS XE Gibraltar 16.12.1a

• Support for Media Flow-around using Multi-VRF: Multi-VRF is added following call flows in standalone and high availability scenarios:
• Basic Audio Call
• Call Hold and Resume
• Re-INVITE based Call Transfer
• 302 based Call Forward
• Fax Pass Through Calls
• T.38 Fax Calls

New Hardware Features in Cisco IOS XE Gibraltar 16.12.1a

The following features are supported by the Cisco 4000 Series Integrated Services Routers for Cisco IOS XE Gibraltar 16.12.1a:

• Installing the Cisco SM-X-16G4M2X EtherSwitch Service Module-Cisco SM-X-16G4M2X is a layer-2 switch module that bring high-density Small Form-Factor Pluggable (SFP) /Small Form-Factor Pluggable Plus (SFP+), 1 Gigabit, 2.5 mGiG, and 10G connectivity to the Cisco 4000 Series Integrated Services Routers (ISRs).

New Software Features in Cisco 4000 Series ISRs Release Cisco IOS XE Gibraltar 16.12.1a

The following features are supported by the Cisco 4000 Series Integrated Services Routers for Cisco IOS XE Gibraltar 16.12.1a:

• BGP Support for TCP-AOO—On a secure control plane, BGP uses Message Digest 5 (MD5) algorithm as the authentication mechanism. It uses the TCP API to configure the keychain on a TCP connection. When authentication is enabled, any Transmission Control Protocol (TCP) segments belonging to BGP are exchanged between peers, verified and then accepted only if authentication is successful.
• Configuring the SM-X-16G4M2X EtherSwitch Service Module-Cisco SM-X-16G4M2X service module provides a variety of 1 Gigabit, 2.5 mGiG, and 10G SFP/SFP+ ethernet connectivities. Also, provides 10G-capable internal uplink to central forwarding data plane on modular Cisco 4000 Series ISRs.
• Configuring FXS Ports for Supplementary Services—To handle supplementary services for FXS ports, FXS ports event handler handles the hookflash or onhook events.
• Support for DHCP on DMVPN Tunnels-In a Dynamic Multipoint VPN (DMVPN) network, each spoke has a unique IP address belonging to the same IP subnet. On a large DMVPN network, it is difficult to manually configure the spoke addresses. With this feature, you can dynamically configure the spoke addresses of the Generic Routing Encapsulation (GRE) tunnel interfaces using DHCP.
• IPv6 Support for Encrypted Traffic Analytics (ET-Analytics)—This feature extends support for ET-Analytics to IPv6 addresses. ET-Analytics is used to identify malware communications in encrypted traffic. ET-Analytics uses passive monitoring, extraction of relevant data elements, and supervised machine learning with cloud-based global visibility.
• Multi-SA Support for SVTI-You can define and associate an Access Control List (ACL) with an SVTI to select traffic between specific source and destination proxies. By associating the ACL, you are modifying the default configuration that uses a single any-any traffic selector and for every non-any-any traffic selector, IPSec SAs are created.
• PFS for GETVPN—If a Group Member (GM) is compromised, an attacker may access saved long-term keys and messages. Use Perfect Forward Secrecy (PFS) for GETVPN so that the attacker cannot use the keys and messages to obtain the keys of past or future sessions to decrypt recorded or future communication.
• Support for Federal Information Processing Standards (FIPS)—FIPS are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. In FIPS mode, the device tries to prevent the use of non-FIPS compatible algorithms, but you must ensure that you configure the device to use only FIPS approved algorithms. Some functionality may silently fail in FIPS mode if it attempts to use non-FIPS compliant algorithms.
• Support for IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling—IEEE 802.1Q Tunneling is designed for service providers to carry traffic of multiple customers across their networks while maintaining the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers. Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling.
• Show Command for IP Route Sum VRG All-Address and IA_PD (Identity Association-Prefix Delegation) components of the packet, and extracts each IPv6 address contained in the packet.
• Secure Control Plane: Infra Crypto Module Integration-The key chain related commands are updated.
• Show Commands Updates for SRTP Rollover Counter (ROC)—The output of the following commands is enhanced to display SRTP ROC information:: show voip fpi calls, show voip fpi stats, and show voip rtp connections.
• Online Diagnostics-Online diagnostics are used to check different hardware components, interfaces, and verify the status of software processes.
• Show Tech OSPF-You can specify a vrf-instance with the show tech-support ospf command so that the following commands are executed for the specified VRF: show ip route summar and show ip route ospf.
• TCP-AO Support for SXP—CTS SXP peers exchange IP-SGT bindings over a TCP connection. TCP Authentication Option (TCP-AO) guards against spoofed TCP segments in CTS SXP sessions between a set of peers.
• Web User Interface-Supports an embedded GUI-based device-management tool that provides the ability to provision the router, simplifies device deployment and manageability, and enhances user experience. The following features are supported on Web User Interface from Cisco IOS XE Gibraltar 16.12.1a:
• Configuring Cisco Unified Communications Manager Express
• Configuring Trustsec
• Viewing File Manager
• Monitoring Trustsec Statistics

Configure the Cellular Back-off Operation

For information on how to access the Web User Interface, see Configure the Router for Web User Interface section.

YANG Data Models-For the list of Cisco IOS XE YANG models available with this release, navigate to https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/16121/BIC. Revision statements embedded in the YANG files indicate if there has been a model revision. The README.md file in the same GitHub location highlights changes that have been made in the release.

Note: In Cisco IOS XE Release 16.12.3, the semantic version number for the YANG models is not updated and is therefore not accurate. However, this limitation does not impact the functionality of the YANG models.

For a router with 3G/4G interface, sometimes service provider network might be busy, congested, in maintenance or in fault state. In such circumstances, service provider network rejects session activation request from the router by returning reject cause code 33 as a response of the activation request. After the router receives the reject cause, the router uses the back-off operation with the pre-defined timer value which could be carrier-specific. While back-off operation is in progress, no new session activation request is sent out from the router. After the back-off period is up, new session activation request is sent out from the router.

Note: There is no command to disable the cellular back-off feature on the router.

The following example shows how to configure the cellular back-off feature to stop continuous session activation requests back to the router:

Router#show cell 0/2/0 all
Profile 1, Packet Session Status = INACTIVE
Profile 2, Packet Session Status = INACTIVE
Profile 3, Packet Session Status = INACTIVE
Success rate is 0 percent (0/5)
Router#show cell 0/2/0 c
Profile 1, Packet Session Status = INACTIVE
Profile 2, Packet Session Status = INACTIVE
Profile 3, Packet Session Status = INACTIVE
RouterCall end mode = 3GPP
RouterSession disconnect reason type = 3GPP specification defined(6)
RouterSession disconnect reason = Option unsubscribed (33)
RouterEnforcing cellular interface back-off
Period of back-off = 1 minute(s)
Profile 4, Packet Session Status = INACTIVE
Profile 16, Packet Session Status = INACTIVE
Profile 16, Packet Session Status = INACTIVE

Configure the Router for Web User Interface

This section explains how to configure the router to access Web User Interface. Web User Interface requires the following basic configuration to connect to the router and manage it:

• An HTTP or HTTPS server must be enabled with local authentication.
• A local user account with privilege level 15 and accompanying password must be configured.
• Vty line with protocol ssh/telnet must be enabled with local authentication. This is needed for interactive commands.
• For more information on how to configure the router for Web User Interface, see Cisco 4000 Series ISRS Software Configuration Guide, Cisco IOS XE 17.

Entering the Configuration Commands Manually

To enter the Cisco IOS commands manually, complete the following steps:

Before you begin

If you do not want to use the factory default configuration because the router already has a configuration, or for any other reason, you can use the procedure in this section to add each required command to the configuration.

Procedure

1. Log on to the router through the Console port or through an Ethernet port.
2. If you use the Console port, and no running configuration is present in the router, the Setup command Facility starts automatically, and displays the following text:

   System Configuration Dialog
   Continue with configuration dialog? [yes/no]:

   Enter no so that you can enter Cisco IOS CLI commands directly. If the Setup Command Facility does not start automatically, a running configuration is present, and you should go to the next step.
3. When the router displays the user EXEC mode prompt, enter the enable command, and the enable password, if one is configured, as shown in the following example:

   Router> enable
   password password

4. Enter config mode by entering the configure terminal command, as shown in the following example.

   Router> config terminal
   Router (config)#

5. Using the command syntax shown, create a user account with privilege level 15.
6. If no router interface is configured with an IP address, configure one so that you can access the router over the network. The following example shows the interface GigabitEthernet 0/0/0 configured.

   Router (config)# interface gigabitethernet 0/0/0
   Router (config-if)# ip address 10.10.10.1 255.255.255.248

7. Configure the router as an http server for nonsecure communication, or as an https server for secure communication. To configure the router as an http server, enter the ip http server command shown in the example:

   Router (config)# ip http secure-server

8. Configure the router for local authentication, by entering the ip http authentication local command, as shown in the example:

   Router (config)# ip http authentication local

9. Configure the vty lines for privilege level 15. For nonsecure access, enter the transport input telnet command. For secure access, enter the transport input telnet ssh command. An example of these commands follows:

   Router(config) 3% line vty 0 4
   Router(config-line)# privilege level 15
   Router(config-line)#23 login local
   Router(config-line)#23 transport input telnet
   Router (config-line)#2 transport output telnet
   Router(config-line)#2 transport input telnet ssh
   Router (config-line)# transport output telnet ssh
   Router(config-line)# exit
   Router(config)#2 line vty 5 15
   Router(config-line)# privilege level 15
   Router (config-line)#2 login local
   Router(config-line)# transport input telnet
   Router(config-line)#2 transport output telnet
   Router(config-line)#2 transport input telnet ssh
   Router (config-line)# transport output telnet ssh
   Router(config-line)# end

Resolved and Open Bugs

This section provides information about the bugs in Cisco 4000 Series Integrated Services Routers and describe unexpected behavior. Severity 1 bugs are the most serious bugs. Severity 2 bugs are less serious. Severity 3 bugs are moderate bugs. This section includes severity 1, severity 2, and selected severity 3 bugs.

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products. Within the Cisco Bug Search Tool, each bug is given a unique identifier (ID) with a pattern of CSCxxNNNNN, where x is any letter (a-z) and N is any number (0-9). The bug IDs are frequently referenced in Cisco documentation, such as Security Advisories, Field Notices and other Cisco support documents. Technical Assistance Center (TAC) engineers or other Cisco staff can also provide you with the ID for a specific bug. The Cisco Bug Search Tool enables you to filter the bugs so that you only see those in which you are interested.

In addition to being able to search for a specific bug ID, or for all bugs in a product and release, you can filter the open and/or resolved bugs by one or more of the following criteria:

• Status, such as fixed (resolved) or open
• Severity
• Rating
• Support Cases

Resolved and Open Bugs in Cisco 4000 Series Integrated Services Routers

Resolved Caveats - Cisco IOS XE Gibraltar 16.12.8

All resolved caveats for this release are available in the Cisco Bug Search Tool.

Resolved Caveats - Cisco IOS XE Gibraltar 16.12.7

All resolved caveats for this release are available in the Cisco Bug Search Tool.

Using the Cisco Bug Search Tool

You can save searches that you perform frequently. You can also bookmark the URL for a search and email the URL for those search results.

Note: If the bug that you have requested cannot be displayed, this may be due to one or more of the following reasons: the bug ID does not exist, the bug does not have a customer-visible description yet, or the bug has been marked Cisco Confidential.

We recommend that you view the field notices for the current release to determine whether your software or hardware platforms are affected. You can access the field notices from the following location: http://www.cisco.com/en/US/support/tsd_products_field_notice_summary.html

Using the Cisco Bug Search Tool

For more information about how to use the Cisco Bug Search Tool, including how to set email alerts for bugs and to save bugs and searches, see Bug Search Tool Help & FAQ.

Before You Begin

Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

Procedure

1. In your browser, navigate to the Cisco Bug Search Tool.
2. If you are redirected to a Log In page, enter your registered Cisco.com username and password and then, click Log In.
3. To search for a specific bug, enter the bug ID in the Search For field and press Enter.
4. To search for bugs related to a specific software release, do the following:
   1. In the Product field, choose Series/Model from the drop-down list and then enter the product name in the text field. If you begin to type the product name, the Cisco Bug Search Tool provides you with a drop-down list of the top ten matches. If you do not see this product listed, continue typing to narrow the search results.
   2. In the Releases field, enter the release for which you want to see bugs.
5. The Cisco Bug Search Tool displays a preview of the results of your search below your search criteria.
6. To see more content about a specific bug, you can do the following:
   • Mouse over a bug in the preview to display a pop-up with more information about that bug.
   • Click on the hyperlinked bug headline to open a page with the detailed bug information.
7. To restrict the results of a search, choose from one or more of the following filters:

Resolved and Open Bugs in Cisco 4000 Series Integrated Services Routers

Resolved Caveats - Cisco IOS XE Gibraltar 16.12.8

All resolved caveats for this release are available in the Cisco Bug Search Tool.

Open Caveats - Cisco IOS XE Gibraltar 16.12.6

All open caveats for this release are available in the Cisco Bug Search Tool.

Resolved Caveats - Cisco IOS XE Gibraltar 16.12.6

All resolved caveats for this release are available in the Cisco Bug Search Tool.

Resolved and Open Bugs in Cisco 4000 Series Integrated Services Routers

Open Bugs-Cisco IOS XE Gibraltar 16.12.5

All open bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.5

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs-Cisco IOS XE Gibraltar 16.12.4

All open bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs-Cisco IOS XE Gibraltar 16.12.4

All open bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.4

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs-Cisco IOS XE Gibraltar 16.12.3

All open bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs-Cisco IOS XE Gibraltar 16.12.3

All open bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.3

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.3

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.2S

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs-Cisco IOS XE Gibraltar 16.12.2

All open bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.2

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs-Cisco IOS XE Gibraltar 16.12.2

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Open Bugs - Cisco IOS XE Gibraltar 16.12.1a

All open bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs - Cisco IOS XE Gibraltar 16.12.1a

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Resolved Bugs - Cisco IOS XE Gibraltar 16.12.1a

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Related Documentation

Platform-Specific Documentation

For information about the Cisco 4000 Series ISRs and associated services and modules, see: Documentation Roadmap for the Cisco 4000 Series ISRs,Cisco IOS XE 16.x.

Cisco IOS Software Documentation

The Cisco IOS XE Fuji 16.x software documentation set consists of Cisco IOS XE Fuji 16.x configuration guides and Cisco IOS command references. The configuration guides are consolidated platform-independent configuration guides organized and presented by technology. There is one set of configuration guides and command references for the Cisco IOS XE Fuji 16.x release train. These Cisco IOS command references support all Cisco platforms that are running any Cisco IOS XE Fuji 16.x software image.

See http://www.cisco.com/en/US/products/ps11174/tsd_products_support_series_home.html

Information in the configuration guides often includes related content that is shared across software releases and platforms.

Additionally, you can use Cisco Feature Navigator to find information about feature, platform, and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on cisco.com is not required.

Communications, Services, and Additional Information

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you're looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.