Cisco Bug: CSCte93229 - ESP crash with VFR enabled

Last Modified

Aug 06, 2018

Products (2)

  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco ASR 1013 Router

Known Affected Releases

15.0(1)S

Description (partial)

Symptom: Crash of the ASR1K ESP.
Conditions: Affects versions 2.x.x.

First complete fix in 3.1.2S-15.0(1)S2.  (Related bugs: CSCtf87624, CSCte93229, CSCtd19103 and CSCti63623)

The device is vulnerable if it is running an affected version of Cisco
IOS XE Software, is configured with either Cisco IOS Firewall or NAT
for IP Address Conservation, and has Virtual Fragment Reassembly (VFR)
enabled. Both of these features automatically enable VFR.

Cisco IOS Firewall in Cisco IOS XE Software release 2.4 - 12.2(33)XND
and earlier did not automatically enable VFR.

To determine whether the Cisco IOS Firewall feature is configured, log
into the device and issue the "show zone security" CLI command. If
the output lists at least one interface under a "Member Interfaces"
section, the device is configured with the Cisco IOS Firewall feature
and has a zone member active on an interface. The following example
shows a device configured with the Cisco IOS Firewall feature:

    ASR1KRouter#show zone security
    zone self
      Description: System defined zone
    
    
    zone inside
      Description: ** Inside Network **
      Member Interfaces:
        FastEthernet1/0/0
    
    
    zone outside
      Description: ** Outside Network **
      Member Interfaces:
        FastEthernet1/0/1
    
    ASR1KRouter#

To determine whether the NAT for IP Address Conservation feature is
configured, log into the device and issue the "show running-config |
include ip nat inside|ip nat outside" CLI command. If the output
contains one or more "ip nat" configuration lines, the device is
configured with the NAT for IP Address Conservation feature. The
following example shows a device configured with NAT for IP Address
Conservation:

    ASR1KRouter#sh run | include ip nat inside|ip nat outside
     ip nat inside
     ip nat outside
    ASR1KRouter#

To determine whether the Cisco IOS XE Software device is configured with
the VFR feature, log into the device and issue the "show ip
virtual-reassembly" CLI command. If the output contains "Virtual
Fragment Reassembly (VFR) is ENABLED" and the device is configured
for either the Cisco IOS Firewall feature or the NAT for IP Address
Conservation feature, the device is vulnerable.

The following example shows a device configured with VFR:

    ASR1KRouter#show ip virtual-reassembly
    GigabitEthernet0/2:
       Virtual Fragment Reassembly (VFR) is ENABLED...
       Concurrent reassemblies (max-reassemblies): 16
       Fragments per reassembly (max-fragments): 32
       Reassembly timeout (timeout): 3 seconds
       Drop fragments: OFF
    
       Current reassembly count:0
       Current fragment count:0
       Total reassembly count:0
       Total reassembly timeout count:0
    
    
    ASR1KRouter#
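The three checks above are easy to automate when the command outputs have been collected from many routers. The script below is an added example, not part of the Cisco bug record: it parses saved copies of the three command outputs (constructed here from the examples above) and applies the bug's exposure rule, "(Cisco IOS Firewall zone members or ip nat lines) and VFR ENABLED on at least one interface". The software-version check is assumed to be done separately against the affected-release list, since the bug text gives no "show version" output to parse.

```python
import re

# Constructed sample outputs, modelled on the three CLI examples in the bug text.
SHOW_ZONE_SECURITY = """\
zone self
  Description: System defined zone


zone inside
  Description: ** Inside Network **
  Member Interfaces:
    FastEthernet1/0/0


zone outside
  Description: ** Outside Network **
  Member Interfaces:
    FastEthernet1/0/1
"""

SHOW_RUN_NAT = """\
 ip nat inside
 ip nat outside
"""

SHOW_VFR = """\
GigabitEthernet0/2:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF

   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:0
   Total reassembly timeout count:0
"""

NAT_LINE = re.compile(r"^\s*ip nat (inside|outside)\b")
VFR_IFACE_HEADER = re.compile(r"^(\S+):\s*$")
VFR_ENABLED_TEXT = "Virtual Fragment Reassembly (VFR) is ENABLED"


def zone_member_interfaces(output):
    """Return every interface listed under a 'Member Interfaces:' line in 'show zone security'.

    Members are indented deeper than the header; a blank line or a less-indented
    line (the next 'zone' block) ends the member list.
    """
    members = []
    header_indent = None
    for line in output.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "Member Interfaces:":
            header_indent = indent
            continue
        if header_indent is not None and stripped and indent > header_indent:
            members.append(stripped)
        else:
            header_indent = None
    return members


def nat_configured(output):
    """True if the filtered running-config contains any 'ip nat inside/outside' line."""
    return any(NAT_LINE.match(line) for line in output.splitlines())


def vfr_enabled_interfaces(output):
    """Return the interfaces whose 'show ip virtual-reassembly' block reports VFR ENABLED."""
    enabled = []
    current = None
    for line in output.splitlines():
        header = VFR_IFACE_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if current and VFR_ENABLED_TEXT in line:
            enabled.append(current)
    return enabled


def assess(zone_out, nat_out, vfr_out):
    """Apply the bug's exposure rule to one device's three command outputs."""
    firewall = bool(zone_member_interfaces(zone_out))
    nat = nat_configured(nat_out)
    vfr = vfr_enabled_interfaces(vfr_out)
    return {
        "firewall_zone_members": firewall,
        "nat_configured": nat,
        "vfr_interfaces": vfr,
        # Exposed only when a VFR-enabling feature is present AND VFR is actually on.
        "exposed": (firewall or nat) and bool(vfr),
    }


if __name__ == "__main__":
    for key, value in assess(SHOW_ZONE_SECURITY, SHOW_RUN_NAT, SHOW_VFR).items():
        print(f"{key}: {value}")
```

Feed the script the raw text captured from each router (for example, from a configuration-management export) rather than typing the commands interactively; the parsers key on the exact strings the bug text tells you to look for, so a device with VFR reported as anything other than ENABLED, or with zones that have no member interfaces, is correctly reported as not exposed by this rule.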

For more information on the VFR feature, consult the Security
Configuration Guide: Securing the Data Plane, Cisco IOS XE Release 3S
- Virtual Fragmentation Reassembly document at the following
location:
http://www.cisco.com/en/US/docs/ios/ios_xe/sec_data_plane/configuration/guide/sec_virt_frag_reassm_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1054311