Cisco Bug: CSCun71928 - NP lockup causes ASR9000 Ethernet Line Card restart

Last Modified

Jul 21, 2020

Products (8)

  • Cisco ASR 9000 Series Aggregation Services Routers
  • Cisco IOS XR Software
  • Cisco ASR 9922 Router
  • Cisco ASR 9010 Router
  • Cisco ASR 9904 Router
  • Cisco ASR 9006 Router
  • Cisco ASR 9001 Router
  • Cisco ASR 9912 Router

Known Affected Releases

4.1.1.LC 4.3.1.LC 4.3.4.LC

Description (partial)

Summary
A vulnerability in the parsing of malformed Internet Protocol version 6 (IPv6) packets in Cisco IOS XR Software for ASR 9000 Series Aggregation 
Services Routers could allow an unauthenticated, remote attacker to cause a lockup and eventual reload of a Network Processor (NP) chip and a line 
card processing traffic. Only Trident-based line cards on Cisco ASR 9000 Series Aggregation Services Routers are affected by this vulnerability.

The vulnerability is due to insufficient logic in parsing malformed IPv6 packets. An attacker could exploit this vulnerability by sending a stream of 
malformed IPv6 packets to the affected device. An exploit could allow the attacker to cause a lockup and eventual reload of a NP chip and a line card, 
leading to a denial of service (DoS) condition.


Cisco has released free software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 
7.1/5.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-2176 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html



When the box experiences an NP lockup, it can sometimes be recovered by an NP fast reset, but sometimes the system may have to reload the line card to recover. The system can perform this reload automatically.

The following logs may be present:

P/0/RSP0/CPU0:Feb 28 19:50:56.808 : ncd[308]: %OS-NCD-3-PAK_CSUM_ERR : Checksum failed on received packet; Pak:0xddc6f4f8 Length:1480 Offset:44 Computed Checksum:10782
RP/0/RSP1/CPU0:Feb 28 19:50:56.808 : ncd[308]: %OS-NCD-3-PAK_CSUM_ERR : Checksum failed on received packet; Pak:0xddc5a15c Length:1480 Offset:44 Computed Checksum:40801
RP/0/RSP1/CPU0:Feb 28 19:50:56.860 : netio[310]: %OS-LPTS-3-ERR_BAD_LISTENER_TAG : bad listner tag detected on the packet, dropping packet
LC/0/0/CPU0:Feb 28 19:50:59.661 : pfm_node_lc[267]: %PLATFORM-NP-0-TOP_INACTIVITY_WATCHDOG : Set|prm_server[159819]|Network Processor Unit(0x1007004)| NP4 has locked up. This is a fatal error, the only way to recover is to reboot the linecard.

Symptom:
Line card crash due to NP lockup.


Conditions:
Found in normal use.
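
One way to watch for the log sequence quoted in the description, as an added example (not Cisco's code): it parses IOS XR syslog lines, flags each TOP_INACTIVITY_WATCHDOG lockup message, and counts the checksum and listener-tag errors logged shortly before it on any node. The 10-second correlation window, the placeholder year and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<node>[\w/]+):(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) : "
    r"\w+\[\d+\]: %(?P<msg_id>[A-Z0-9_-]+) : (?P<text>.*)$")
WATCHDOG = "PLATFORM-NP-0-TOP_INACTIVITY_WATCHDOG"
PRECURSORS = {"OS-NCD-3-PAK_CSUM_ERR", "OS-LPTS-3-ERR_BAD_LISTENER_TAG"}
WINDOW = timedelta(seconds=10)  # assumption: tune to your own logs

# The four log lines quoted in the bug description, one message per line.
SAMPLE = """\
P/0/RSP0/CPU0:Feb 28 19:50:56.808 : ncd[308]: %OS-NCD-3-PAK_CSUM_ERR : Checksum failed on received packet; Pak:0xddc6f4f8 Length:1480 Offset:44 Computed Checksum:10782
RP/0/RSP1/CPU0:Feb 28 19:50:56.808 : ncd[308]: %OS-NCD-3-PAK_CSUM_ERR : Checksum failed on received packet; Pak:0xddc5a15c Length:1480 Offset:44 Computed Checksum:40801
RP/0/RSP1/CPU0:Feb 28 19:50:56.860 : netio[310]: %OS-LPTS-3-ERR_BAD_LISTENER_TAG : bad listner tag detected on the packet, dropping packet
LC/0/0/CPU0:Feb 28 19:50:59.661 : pfm_node_lc[267]: %PLATFORM-NP-0-TOP_INACTIVITY_WATCHDOG : Set|prm_server[159819]|Network Processor Unit(0x1007004)| NP4 has locked up. This is a fatal error, the only way to recover is to reboot the linecard.
"""

def parse(line):
    """Split one syslog line into node, timestamp, message ID and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # These timestamps carry no year; 2000 is a placeholder (leap) year.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
    return {"node": m["node"], "ts": ts, "msg_id": m["msg_id"], "text": m["text"]}

def find_np_lockups(log_text, window=WINDOW):
    """Return one finding per NP watchdog message, with preceding errors."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    for ev in events:
        if ev["msg_id"] != WATCHDOG:
            continue
        unit = re.search(r"\bNP(\d+) has locked up", ev["text"])
        # Precursors are logged on the RSPs, the lockup on the line card,
        # so correlate across nodes by time only.
        before = [p for p in events if p["msg_id"] in PRECURSORS
                  and timedelta(0) <= ev["ts"] - p["ts"] <= window]
        findings.append({
            "node": ev["node"], "time": ev["ts"].strftime("%b %d %H:%M:%S"),
            "np": int(unit.group(1)) if unit else None,
            "precursors": sorted({p["msg_id"] for p in before}),
            "precursor_count": len(before)})
    return findings

if __name__ == "__main__":
    for finding in find_np_lockups(SAMPLE):
        print(finding)
```

A watchdog finding with a non-zero precursor count matches the pattern in this bug's logs; a watchdog finding with none still indicates an NP lockup but may have a different cause.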