{"uuid": "9efe843b-d436-4523-b2f0-a1a756d09a30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-4160", "type": "seen", "source": "https://gist.github.com/dantte-lp/cad234b97fb6a943106614b7dff85806", "content": "# Global Release Notes \u2014 Cisco Catalyst 8000V Edge Software (IOS-XE)\n\nConsolidated document covering all IOS-XE versions for C8000V.\nSource: official Cisco Release Notes (PDF \u2192 MD conversion).\n\n## Version summary table\n\n| Version | Type | RN date | New features | Resolved bugs | Open bugs |\n|--------|-----|---------|-----------|---------------|-----------|\n| 17.10 | Standard | \u2014 | 10 | 7 | 14 |\n| 17.11 | Standard | \u2014 | 12 | 58 | 12 |\n| 17.12 | Extended | \u2014 | 17 | 263 | 159 |\n| 17.13 | Standard | \u2014 | 19 | 7 | 26 |\n| 17.14 | Standard | \u2014 | 15 | 25 | 26 |\n| 17.15 | Extended | \u2014 | 23 | 183 | 67 |\n| 17.16 | Standard | \u2014 | 11 | 16 | 17 |\n| 17.18 | Extended | \u2014 | 33 | 41 | 0 |\n| 17.6 | Extended | \u2014 | 10 | 156 | 144 |\n| 17.7 | Standard | \u2014 | 17 | 39 | 19 |\n| 17.8 | Standard | \u2014 | 10 | 5 | 2 |\n| 17.9 | Extended | \u2014 | 15 | 290 | 173 |\n| 26.1 | Extended (new) | \u2014 | 12 | 12 | 0 |\n\n## IOS-XE 17.10\n\n### New 
features\n\n- **Support for ED25519 SSH Key in AWS and GCP Deployments**: Cisco Catalyst 8000V supports ED25519 SSH key type for authentication when you deploy an instance in Amazon Web Services (AWS) and Google Cloud Platform (GCP). Although SSH-RSA keys are\n- **Support for PCI Passthrough on NIC port with ixgbe Driver**: Cisco Catalyst 8000V now supports the ixgbe Network Interface (vNIC) card for deployments in ESXi, KVM, and NFVIS (CSP) environments. This driver enables the Peripheral Component Interconnect\n- **Packet Tracer with UDF Offset**: Using this feature you can configure to match the packets based on user defined field position and length. This can be used by an ACL to match packets that cannot be classified easily with th\n- **Support for Secure Real-time Transport Protocol (SRTP) Dual-Tone Multi-Frequency (DTMF) Interworking**: This feature provides support for Dual-Tone Multi-Frequency (DTMF) interworking between Cisco Unified Communications Manager (CUCM) and Secure Software MTP in pass-through mode. It is supp\n- **Layer 2 BGP VXLAN EVPN**: Border Gateway Protocol (BGP) Ethernet VPN (EVPN) Virtual Extensible LAN (VXLAN) is a campus and data center network solution for Cisco devices that run on Cisco IOS XE software. This feat\n- **Segment Routing Absolute One-Way Link Loss Measurement for GRE-IPSec Tunnel**: This feature provides a mechanism for link loss measurement for point-to-point GRE-IPSec tunnel and identifies paths that meet specified loss criteria.\n- **SHA2 support for SNMP v3 User Authentication**: This feature provides support for SHA-2 as an additional authentication protocol to create an SNMPv3 user and associate a security level to each user. 
The SHA-256, SHA-384, and SHA-512 are th\n- **Support for YANG Operational Model in the GETVPN architecture**: This feature enables the YANG operational model in the GETVPN architecture to support the crypto gdoi command which was previously enabled only for the CLI and SNMP models.\n- **YANG model enhancements for Unified SRST and CUBE**: Additional YANG configuration models are included in this release to enable Unified SRST secure calling, applications for CUBE, and additional codecs for voice class codec lists.\n- **Permanent License Reservation (PLR) in Smart Licensing Using Policy**: A PLR enables you to use an unlimited count of any license on the product instance. It is suited to a high-security deployment or entirely air-gapped networks where a product instance cannot\n\n### Resolved bugs (7)\n\n- CSCwc77981: C8000V crashed - track the FMAN-FP's memory leak caused by cond-debug\n- CSCwc70511: Router reloads unexpectedly during NHRP processing\n- CSCwb35303: X25 FRMR seen when switching from XOT to low speed serial\n- CSCwc29735: Improve debug for reload at crypto_dev_proxy_ipc_ipsec_sa_crt_hndlr when scale exceed limit\n- CSCwc06327: PFP policy in SRTE, RIB resolution in FC bring down ipsec tunnel interface- stuck at linestate down\n- CSCwc78021: Standby WLC crash @ fman_acl_remove_default_ace\n- CSCwd16664: GetVPN long SA - GM re-registration after encrypting 2^32-1 of packets in one IPSEC SA\n\n### Open bugs (14)\n\n- CSCwc77570: C8000V: IOS-XE Web UI Licensing Service Settings page doesn't load\n- CSCwd07580: C8000V QFP uCode crash due to MLX4 low level drivers\n- CSCwd25107: Interface Vlan1 placed in \"shutdown\" state when configured with IP address pool\n- CSCwd23810: IOS-XE: A high CPU utilization caused by NHRP\n- CSCwd45402: MSR Unicast-To-Multicast not working if DST and SRC are the same in Service 
Reflect configuration\n- CSCwd61255: Data Plane Crash on the device when making QoS configuration changes\n- CSCwc65697: Device crashes and restarts during call flow with the new image\n- CSCwd53205: IKEv2 The RRI routes intermittently disappear from a FlexVPN hub\n- CSCwc99823: FMAN crash seen in SGACL@ fman_sgacl_calloc\n- CSCwd59722: Unexpected reboot due to IOSXE-WATCHDOG: Process = Crypto IKMP\n- CSCwd12828: Segmentation fault crash in CCSIP_SPI_CONTROL process\n- CSCwd74089: CUBE call leak at FPI layer\n- CSCwc66646: Unexpected reload due to segmentation fault in the CCSIP_SPI_CONTROL process\n- CSCwc23645: When using SRTP with higher ciphers, CUBE is inserting distortion in voice\n\n## IOS-XE 17.11\n\n### New features\n\n- **Attaching Extended Color Communities to BGP VRF**: This feature introduces new methods of attaching extended color communities to a prefix. A color community is an indicator of the bandwidth or latency level of the traffic sent to the prefix.\n- **Bridge Domain VIF Support on Layer 2 EVPN**: This enhancement allows configuring a Layer 2 EVPN network to support a Bridge Domain Interface (BDI) to act as an interface to a routing domain. Also, you can attach one or more bridge domai\n- **Device Telemetry**: This functionality enables collection of anonymous usage telemetry data for Cisco products, which helps in continuous product improvements. From Cisco IOS XE 17.11.1a, this functionality is e\n- **Deprecation of Weak Ciphers**: The minimum Rivest, Shamir, and Adleman (RSA) key pair size must be 2048 bits. The compliance shield on the device must be disabled using the **crypto engine compliance shield disable** com\n- **MAC and IP Addressing Learning from a Static ARP Alias Entry**: This enhancement allows you to configure an EVPN VXLAN network to learn an EVPN MAC address and IP binding from a static Address Resolution Protocol (ARP) alias entry. 
After learning the MAC\n- **Quantum-Safe Encryption Using Post-Quantum Preshared Keys**: This feature implements RFC 8784 and Cisco Secure Key Integration Protocol (SKIP) for quantum-safe encryption of IKEv2 and IPsec packets using Post-quantum Preshared Key (PPK). The PPKsco\n- **Redirecting Deprecated LISP Commands to Revised Versions**: The feature includes a list of deprecated LISP commands which will automatically redirect the user to the updated command and associated output when executed. A banner will appear on the scre\n- **Replication of Broadcast, Unknown-unicast, and Multicast Traffic**: With this enhancement, the multi-destination Layer 2 broadcast, unknown-unicast, and multicast (BUM) traffic in an EVPN VXLAN network is replicated through a multicast group in the underlay n\n- **Support for RAR PPPoE IPv6 Multicast**: This feature provides support for IPv6 multicast in PPPoE-based Radio Aware Routing (RAR) networks.\n- **Support for 16 vCPU in KVM**: Cisco Catalyst 8000V now supports 16 vCPU instances in a KVM environment.\n- **Unified SRST: Concurrent use of Webex Calling Survivability Gateway and Unified SRST**: From Cisco IOS XE 17.11.1a, concurrent use of Cisco Webex Calling Survivability Gateway and Unified SRST is supported on the same router.\n- **Snapshots for Product Activation Key (PAK) licenses**: Starting with Cisco IOS XE Dublin 17.11.1a, the PAK-managing library is discontinued and the provision to take a snapshot is no longer available. Software images from Cisco IOS XE Dublin 17.1\n\n### Resolved bugs (58)\n\n- CSCwe19394: Device may boot up into prev_packages.conf due to power outage\n- CSCwc99038: C8000V stuck in Day-0 prompt with the customdata having invalid syntax\n- CSCwd62953: C8000V : error platform provided UDI list has invalid values: ; udi_sn is empty\n- CSCwe37002: C8000V does not accept two file formats during day 0 configuration in OpenStack\n- 
CSCwe09916: QoS shaping parameter range is shown in [8000-10000000000] (only up to 10G)\n- CSCwd47940: PMTU Discovery is not working after interface flap\n- CSCwd45402: MSR Unicast-To-Multicast does not work if DST and SRC are the same in the service reflect configuration\n- CSCwc79115: Device policy commit failure notification and alarm from vsmart\n- CSCwd16559: ISG FFR: ARP request to reroute nexthop IP is not triggered if ARP entry not in ARP table\n- CSCwe28204: Control connection over L3 Tloc extension failing as no NAT table entry created\n- CSCwe34808: FMAN FP leak due to the punt-policer command\n- CSCwe09805: OID for SNMP monitoring of DSP resources are not working as expected\n- CSCwd89012: Tested flap-based auto-suspension - minimum duration value - no results as expected\n- CSCwe29430: Critical process fpmd fault on rp_0_0 (rc=134)\n- CSCwd87195: NAT configuration with redundancy, mapping id and match-in-vrf options with no-alias support.\n- CSCwd81357: QoS Classification does not work for DSCP or ACL + MPLS EXP\n- CSCwc99823: Fman crash seen in SGACL@ fman_sgacl_calloc\n- CSCwd90168: Unexpected reload after running the **show voice dsp** command while an ISDN call disconnects\n- CSCwd44439: Device crashes at fman_sdwan_nh_indirect_delete_from_hash_table\n- CSCwd34941: NAT configuration with no-alias option is not preserved after reload\n- CSCwc72588: Router does not allow weak cryptographic algorithms to be configured for IPsec\n- CSCwd25107: Interface VLAN1 placed in \"shutdown\" state when configured with \"ip address pool\"\n- CSCwc68069: RTP packets are not forwarded when packet duplication is enabled. 
No issue without duplication feature\n- CSCwe00946: System crash after disabling endpoint-tracker on tunnel interfaces\n- CSCwe18058: Unexpected reload with IPS is configured\n- CSCwd61255: Data Plane Crash on the device when Making Per-Tunnel QoS configuration changes with scale\n- CSCwe01015: IKEv2/IPSec - phase 2 rekey fails when peer is behind NAT\n- CSCwd17272: UTD Packet drops due to fragmentation for ER-SPAN traffic\n- CSCwe27241: NBAR classification error with custom app-aware routing policy\n- CSCwc37465: Unable to push \"no-alias\" option on static NAT mapping from the management system\n- ... and 28 more\n\n### Open bugs (12)\n\n- CSCwe40024: 98% memory utilization for C8000V\n- CSCwd07580: Azure: C8000V QFP uCode crash due to MLX4 driver\n- CSCwd97676: VMware C8000V 'show interfaces' counters are incorrect and display extremely large values\n- CSCwd42523: Same label is assigned to different VRFs\n- CSCwd45508: Device does not form BFD across serial link during upgrade\n- CSCwe52971: Bfd tunnels via Starlink remain in down state\n- CSCwe54089: ZTP process does not work\n- CSCwe37123: Device uses excessive memory when configuring ACLs with large object groups\n- CSCwe19394: Device may boot up into prev_packages.conf due to power outage\n- CSCwe18276: Route-map not getting effect when its applied in OMP for BGP routes\n- CSCwd68111: Device object group called in ZBFW gives error after upgrade\n- CSCwe49684: BFD sessions keep flapping intermittently\n\n## IOS-XE 17.12\n\n### New features\n\n- **Support for RHEL 9.2**: From Cisco IOS XE 17.12.4a, you can deploy Cisco Catalyst 8000V on RedHat RHEL 9.2 operating system with KVM hypervisor.\n- **Support for VMware ESXi 8.0**: From Cisco IOS XE 17.12.4a, you can deploy Cisco Catalyst 8000V on VMware ESXi 8.0 Update 2 hypervisor operating system.\n- 
**Support for N2 instances for Google Cloud Platform deployments**: Cisco IOS XE 17.12.4a supports n2-standard-8, n2-standard-4 instance types for Cisco Catalyst 8000V deployments in Google Cloud Platform.\n- **Support for SUSE SLES15 SP5**: From Cisco IOS XE 17.12.2, you can deploy Cisco Catalyst 8000V on SUSE SLES 15 SP5 operating system with KVM hypervisor.\n- **Cisco Managed Cellular Activation (eSIM)**: The Managed Cellular Activation solution provides a programmable subscriber identity module (SIM), called an eSIM, a physical SIM card that you can configure with a cellular service plan of your\n- **Support for Intel Atom\u00ae C3000 Processor Series (Denverton)**: From Cisco IOS XE 17.12.1a onwards, Cisco Catalyst 8000V is supported on Intel Atom\u00ae C3000 processor (Denverton) CPU-based servers with Intel x550 NIC on the following hypervisors:\n- **Support for Intel i350 NICs**: Cisco Catalyst 8000V includes drivers to support SR-IOV connectivity to Intel i350 NICs on Intel Xeon CPU based x86 servers with SUSE SLES 15 SP3 KVM hypervisor. You can run Cisco Catalyst\n- **Support for D16_v5 instance in Microsoft Azure environment**: Cisco Catalyst 8000V supports the D16_v5 instance type with 8 NICs (maximum) in the Microsoft Azure Marketplace for increased throughput.\n- **Cisco Catalyst 8000V Performance Enhancements**: Cisco Catalyst 8000V supports improved, 16-core performance for on-prem deployments in the KVM and ESXi environments.\n- **IPv6 Unicast Support with DLEP**: The IPv6 Unicast Support feature introduces support for IPv6 dataplane to RAR Dynamic Link Exchange Protocol.\n- **Managing the SD-Routing Devices Using Cisco SD-WAN Manager**: This feature allows you to perform management operations for SD-Routing devices using Cisco Catalyst SD-WAN Manager. 
You can use a single network manage system (Cisco Catalyst SD-WAN Mana\n- **Segment Routing over IPv6 Dataplane**: Segment Routing (SR) can currently be applied on Multiprotocol Label Switching (MPLS) dataplane. From Cisco IOS XE 17.12.1a, SR is supported over the IPv6 dataplane for the following protocol\n- **Support for Automatic Log Deletion**: This feature allows you to delete the entries from the logging buffer. You can configure the local syslog retention period after which the entries are purged from the device automatically. To\n- **TrustSec and Software-Defined Access Scale Measurement**: With this feature, the scale numbers for TrustSec and Software-Defined Access (SDA) are measured for the following: \u2022 Security Group Tag (SGT) or Destination Group Tag (DGT) Policies \u2022 \n- **CUBE: GCM Ciphers for WebSocket-based Media Forking**: From Cisco IOS XE Dublin 17.12.1a onwards, GCM cipher negotiation supports secure connectivity of WebSocket server.\n- **CUBE: IPv6 Flows in High Availability**: From Cisco IOS XE Dublin 17.12.1a onwards, High Availability in CUBE supports IPv6 flows.\n- **CUBE/LGW: Cover Buffer Enhancements for VoIP Trace**: From Cisco IOS XE Dublin 17.12.1a onwards, VoIP Trace for SIP messages displays cause code in the cover buffer.\n\n### Resolved bugs (263)\n\n- CSCwr27127: Azure C8000V deployment fails with provisioning timed out error\n- CSCwr83968: Unexpected reload on device with Static NAT when polling NAT translation data\n- CSCwo57783: NHRP Encap Error for Purge Request populates on spoke despite correct routing at HUB\n- CSCwn85623: Missing Calling-Station-ID in radius messages\n- CSCwp96706: Memory leak in MallocLite and Crypto IKEv2\n- CSCwq22471: Device unexpectedly reboots when importing CA chains\n- CSCwq21566: HSL entries are missing when configuration is pushed via vManage\n- CSCwq51358: Device might experience high memory utilization and unexpected reloads 
during IKEv2 operations\n- CSCwn18874: DMVPN spoke crashed at Process = NHRP\n- CSCwo14975: Memory leak in DNS Proxy/SKA triggers unexpected reloads\n- CSCwj88080: IOS XE device continuously crashes after configuring UTD and reboots\n- CSCwp40010: RP crashes while debugging IKEv2\n- CSCwp38609: CTS trustpoint loop triggers PKI segfault\n- CSCwq49981: Call Failures due to FPI resource leaks\n- CSCwo60972: C8000V: Device shows high memory usage and cpp_ha_top_leve keeps increasing\n- CSCwp03641: Multiple inside local addresses are translated to the same inside global IP address and port\n- CSCwo91955: Endpoint tracker remains in the Up state when DNS is reachable from the other interface\n- CSCwn99822: Large number of BFD sessions stuck due to out of window drops reported with control connections NAT flaps\n- CSCwp28915: SNMP walk fails to consistently return tunnel names due to incomplete tunnel setup\n- CSCwo89784: Unexpected reload of standby occurs during PKI trustpoint removal\n- CSCwn99723: The **request platform software package expand** commands are deprecated for upgrades\n- CSCwp12923: IKEv2 fails to parse certain route-set prefix Cisco VSA attributes from the Radius server\n- CSCwo47118: Crash occurs when clearing L2TP tunnels with the clear VPDN tunnel L2TP command\n- CSCwb24403: BFD flap on public IP change on a private color TLOC\n- CSCwo66822: Router reboots due to ucode core dump\n- CSCwo90396: Serial interface configuration lost after reload\n- CSCwm33545: FlexVPN - IP address assigned to spoke changes to unassigned\n- CSCwo12453: The login block-for xx attempts xx within xx? does not function when you set?access-class xx in vrf Mgmt-vrf? on the line vty\n- CSCwn57838: Startup configuration is lost for NIM interfaces\n- CSCwo51627: Unexpected reload occurs due to Critical process linux_iosd_image fault\n- ... 
and 233 more\n\n### Open bugs (159)\n\n- CSCwr60310: SDWAN Template push or CLI config update fails due to the duplication of VTY or Async lines in the configuration\n- CSCwr00088: Add CLI to change per MPLS label CEF statistics query interval on FMAN FP\n- CSCwn29062: Device might see Cosmetic DATACORRUPTION logs during IPSec tunnel up/down events\n- CSCwk55051: polaris_vconfd_cfgpull_t logging denials observed during configuration push trigger\n- CSCwr31999: Using the Azure Portal GUI stop button initiates reload before forcefully shutting down in 10 minutes\n- CSCwm54978: polaris_iosd_t denials 2024-09-16 06:43:22 errors seen during system boot or **dir bootflash:** command\n- CSCwn85623: Missing Calling-Station-ID in radius messages\n- CSCwq22471: Device unexpectedly reloads after importing subca chain\n- CSCwq08151: Unexpected reload occurs while running a speed test from and leaves the page before it completes\n- CSCwo57783: A NHRP Encap Error for Purge Request error message populates on the spoke despite correct routing at HUB\n- CSCwm54978: The following alert is seen when you boot the device or when you run the **dir bootflash:** command `%SELINUX-1-VIOLATION: Chassis 1 R0/0: audispd: type=AVC msg=audit(1724681880.369:235): avc: denied { getattr } for pid=4585 comm=417578696C69617279205468726561 path=\"/bootflash/pd_info\" dev=\"sda1\" ino=1444321 scontext=system_u:system_r:polaris_iosd_t:s0 tcontext=system_u:object_r:polaris_pd_info_t:s0 tclass=dir permissive=0.`\n- CSCwp40010: RP crashes while debugging IKEv2\n- CSCwp38609: CTS trustpoint loop triggers PKI segfault\n- CSCwq49981: Call failures due to FPI resource leaks\n- CSCwn97600: BFD flapping is seen intermittently with PWK IPsec-rekey\n- CSCwe23188: Upgrade from vmanage declared successful even though device boots up with different version than requested\n- CSCwk87338: SNMPv3 user credentials to be stored as part of 
running-configuration with encryption.\n- CSCwj05500: Accelerated Networking stops working due to driver issue\n- CSCwj85529: C8000V license boot level configuration done through customdata is getting lost after reload\n- CSCwh91039: C8000V faces high system CPU load reported due to unsupported number of vCPUs allocated\n- ... and 139 more\n\n## IOS-XE 17.13\n\n### New features\n\n- **Support for Intel E810 NIC for**: Cisco Catal\n- **on-prem ESXi and KVM hosts**: optimizes h\n- **Support for c6in Instance types in AWS Deployments**: Cisco Catalyst 8000V now supports c6in instance types for AWS deploymenthird Generation Intel Xeon Scalable processors that provide greater network performance.\n- **Support for Mellanox CX-5 on Ubuntu 16.04 LTS**: Cisco Catalyst 8000V now supports Mellanox CX-5 on Ubuntu 16.04 LTS.\n- **Application Performance Monitor**: The Application Performance Monitor feature is a simplified framework that intent-based performance monitors. With this feature, you can view real-time performance filtered by client segments, n\n- **Cisco SD-Routing Cloud OnRamp for Multicloud**: Cisco SD-Routing Cloud OnRamp for Multicloud extends enterprise WAN to pusolution helps to integrate public cloud infrastructure into the Cisco Catalyst these capabilities, the devices can acce\n- **Enhancements to BGP Maximum Prefix**: \u2022 Discard Extra Prefixes: This enhancement introduces the **neighbor maxi** command to drop all excess prefixes received from the neighbor when tprefixes exceed the maximum limit.b - Logging enh\n- **Initiating GARP for NAT Mapping**: This feature introduces support for configuring retry time intervals for GARP interface. 
You can configure this feature using the **global ip arp nat-garp-ret** **static** commands.\n- **Schedule Software Upgrade on SD-Routing Devices**: With this feature, you can upgrade the software image on the supported Cisco an option to schedule the upgrade process at specified time. This allows you tto the software upgrade process.\n- **SD-Routing Configuration Group**: The Configuration Group feature provides a simple, reusable, and structured SD-Routing device using Cisco Catalyst SD-WAN Manager.\n- **Segment Routing over IPv6 Dataplane**: From Cisco IOS XE 17.13.1a, Segment Routing is supported over the IPv6 daProtocol (BGP) on L3VPN networks using On-Demand Next Hop (ODN).\n- **Speed Test for SD-Routing Devices**: Cisco SD-WAN Manager allows you to measure the network speed and availdevice and an iPerf3 server. The speed tests measure the upload speed from the or specified iperf3 server, and measure the \n- **Strength Enforcement for IKE Security Association (SA)**: This feature introduces an algorithm to ensure that the strength of the IKE (IKEvcipher is greater than or equal to the strength of its child IPsec SA encryption To enable this algorithm, use t\n- **Support for Flexible NetFlow Application Visibility on SD-Routing Devices**: The Flexible NetFlow (FNF) feature provides statistics on packets flowing thto identify the tunnel or service VPNs. 
Also, it provides visibility for all the trVPN0 on Cisco SD-Routing devices \n- **Support for Packet Capture for SD-Routing**: This feature allows you to capture the bidirectional IPv6 traffic data to troubleshSD-Routing devices.\n- **Support for Persistence of BGP Dynamic Neighbors**: From IOS XE 17.13.1a, the device maintains the neighbor information even after tTo configure this, use the **bgp listen persistent** command for all dynamic neighb **range peer-group persistent**\n- **Support for Security-Enhanced Linux**: SELinux (Security-Enhanced Linux) is a solution designed to incorporate a stronaccess control (MAC) architecture into Cisco IOS XE platforms. From Cisco IOS XE 17.13.1a, SELinux is enabled by d\n- **Support for Suite B ciphers with GETVPN**: This enhancement introduces support for Suite B ciphers with GET VPN on Cisc\n- **NAT Traversal using RTP Keepalive**: From Cisco IOS XE 17.13.1a onwards, using RTP keepalive packets, CUBE supports media transmission in the NAT environment.\n\n### Resolved bugs (7)\n\n- CSCwh10813: Add verbose log to indicate grant ra-auto un configures grant auto in PKI server\n- CSCwf25735: Device QoS more than four remark with set-cos not work\n- CSCwf44703: NAT64 prefix is not originated into OMP\n- CSCwf80400: IOS XE router may experience unexpected reset while executing the **show utd engine standard statistics** command\n- CSCwf14607: Crash observed when exporting PKCS12 to terminal via SSH CLI\n- CSCwf71116: Static route keeps advertising via OMP even though there is no route\n- CSCwf45486: OMP to BGP redistribution leads to incorrect AS_Path installation on the chosen Next-Hop\n\n### Open bugs (26)\n\n- CSCwh84068: C8000V crashes after changing NAT HSL configuration\n- CSCwi19182: C8000V throttles throughput to 20Mbps while it must be 250Mbps\n- CSCwh94906: WLC segmentation fault 
crashes with Network Mobility Services Protocol (nmsp)\n- CSCwh77221: SNMP unable to poll tunnel data after a minute\n- CSCwi06843: Endpoint tracker triggers a CPU hog\n- CSCwh76453: Tracker for TLOC extension is down even though TLOC is up and there is ICMP reachability\n- CSCwi14178: Failed to connect to device : x.x.x.x Port: 830 user : vmanage-admin error : Connection failed\n- CSCwi08171: Router crashes due to crypto IKMP process\n- CSCwh01678: Device FTM crashes with SIG enabled\n- CSCwi05395: SNMPbulkget cannot get loss, latency and jitter for ProbeClassTable & ClassIntervalTable OIDs\n- CSCwi23562: When RADIUS is down and there is an IKE-AUTH request received, the box stops replying to DPD packets\n- CSCwi11807: SNMPbulkget breaks the OID appRouteStatisticsTable after minute not returning the correct order\n- CSCwi00369: Device loses security parameter after upgrade\n- CSCwi06404: Device undergoes PKI related crash after failing a CRL fetch\n- CSCwi13563: IP SLA probe for endpoint tracker does not work once endpoint tracker is changed until reload\n- CSCwh65016: Device unexpectedly reboots due to QFP exception\n- CSCwi15688: Unexpected NAT translation occurs in a specific network\n- CSCwh91136: IOS XE:Traffic not encrypted and dropped over IPSEC SVTI tunnel\n- CSCwi16452: 20.13 SSE:401 Error thrown when switching from SSE to SIG\n- CSCwi16015: [SIT]: SSE tunnels don't come up with dialer interface relax check in IKE\n- ... and 6 more\n\n## IOS-XE 17.14\n\n### New features\n\n- **AWS Migration Tool**: From Cisco IOS XE 17.14.1a, an AWS migration tool is available as a CloudFormation template, to migrate your AWS instances from Cisco CSR1000V to Cisco Catalyst 8000V. 
This one-click solution\n- **Configuration Group Enhancements**: This release introduces support for the following in Cisco SD-WAN Manager: \u2022 Transport Profiles \u2022 Management Profile \u2022 Service Profile \u2022 CLI Profile \u2022 Policy Object Profile\n- **Configure Secure Service Edge**: Secure Service Edge is a cloud solution that provides seamless, transparent, and secure Direct Internet Access (DIA) to protect against internet-based threats. This solution can be configured\n- **Configure SSL/TLS Proxy for Decryption of TLS Traffic on SD-Routing Devices**: The SSL/TLS Proxy feature allows you to configure an autonomous device as a transparent SSL/TLS proxy. Such proxy devices can then decrypt incoming and outgoing TLS traffic to enable their in\n- **View Unmodelled Commands on SD-Routing Devices**: After an SD-Routing device is deployed, you can view the unmodelled commands on Cisco SD-WAN Manager. The list of unmodelled commands are regenerated if the device reboots\n- **YANG Configurational Model Support for SD-Routing Devices**: This release introduces support for the following YANG Configurational Models: \u2022 BGP \u2022 MPLS \u2022 RSVP \u2022 SNMP \u2022 AAA \u2022 QOS \u2022 ACL \u2022 DHCP\n- **Support to Configure VPN Solutions for SD-Routing devices**: This release introduces support for the following VPN solutions: \u2022 FlexVPN \u2022 GETVPN \u2022 DMVPN \u2022 L3VPN These VPN solutions can be configured by using **Configuration** > **Configuratio\n- **Enhanced IS-IS Fast Flooding**: The IS-IS Fast Flooding feature optimizes LSP transmission to accelerate network convergence by dynamically adjusting the LSP rate based on receiver capability. From Cisco IOS XE 17.14.1a, IS\n- **Enhancement to the show reload-history Command**: From Cisco IOS XE 17.14.1a, the **show reload-history** command is modified to **show reload history**. 
The output for the command is updated to include crash data, Cisco High Availabili\n- **IP Endpoint Delay Measurement and Liveness Monitoring**: This feature enables you to measure the end-to-end delay and monitor liveness towards either a specified IPv4 or IPv6 endpoint. From Cisco IOS XE 17.14.1a, you can configure this feature u\n- **gNMI: Stream Subscriptions with On-Change Mode**: gNMI telemetry supports on-change subscriptions on the same set of models as other telemetry protocols.\n- **gNMI - SubscribeResponse with sync_response**: The sync_response is a boolean field that is part of the SubscribeResponse response message. The sync_response message is sent after the first update message.\n- **CUBE: Secure SIP with TLS 1.3 support**: From Cisco IOS XE 17.14.1a onwards, security of the communication between the client and the server is enhanced with the support of Transport Layer Security (TLS) version 1.3 and associated c\n- **SRST: Secure SIP with TLS 1.3 support**: Starting from Cisco Unified SRST 14.4 release, the SRST security feature is enhanced to support TLS version 1.3 and associated ciphers.\n- **500 Mbps Aggregate for Tier 1 and 250 Mbps Throughput Configuration in Autonomous Mode**: Starting with this release, when you configure a throughput of 250 Mbps or T1, if an HSECK9 license is available on the device, then throughput is capped at 500 Mbps (transmitted or Tx data o\n\n### Resolved bugs (25)\n\n- CSCwi49846: FMTD crashes when SIG GRE tunnels configs are removed\n- CSCwi55725: SDR CLI config group issue\n- CSCwi61369: Device unexpectedly reloads due to SIGABRT\n- CSCwi35716: AAR backup preferred color is not working as expected\n- CSCwi53306: Unknown appID in ZBFW HSL log\n- CSCwf84567: Unexpected reload after re-connecting to vsmart\n- CSCwi14178: Failed to connect to device : x.x.x.x Port: 830 user : vmanage-admin error : Connection failed\n- CSCwj25493: Device crashes twice 
with _Critical process linux_iosd_image fault on rp_0_0_ error\n- CSCwi40603: Memory leak in the Crypto IKMP process\n- CSCwf08658: Devices will flap the BFD sessions if we are in a non equilibrium state and have symmetric NAT\n- CSCwi35177: Device crash caused by continuous interface flap; interface associated to many ipsec interfaces\n- CSCwi60266: Device with enterprise certificates not forming control connections with controllers after upgrade\n- CSCwi67983: Tracker state log is missing when DNS Query fails\n- CSCwi53951: Packets with Unicast MAC get dropped on a Port Channel L2 Sub-intf after a router reboot\n- CSCwb25507: Add vendor specific parameter for NBAR protocol pack version\n- CSCwi53549: Device crashes with reason _Critical process fman_fp_image fault on fp_0_0 (rc=134)_\n- CSCwi82548: Crash in IKEv2 Cluster Load Balancer\n- CSCwi51381: TrapOID of ciscoSdwanBfdStateChange is different from MIB file\n- CSCwi85293: IKEv2 IPv6 Cluster Load balance: Secondary in cluster unable to connect to cluster in case of FVRF\n- CSCwi86698: No error message is seen while using multicast address as system-IP in SD-routing device.\n- CSCwj06622: Segmentation fault and core files are seen on IOS-XE in controller-managed devices due to speedtest\n- CSCwi16111: IPv6 TCP adjust-mss does not work after delete and reconfigure\n- CSCwi62230: SIG tunnel: 'SIG STATE' is showing blank value\n- CSCwj27545: Device crashes due to FTMD\n- CSCwj70773: Unable to create a portchannel interface with maximum number limit\n\n### Open bugs (26)\n\n- CSCwj05500: Accelerated Networking stops working due to driver issue\n- CSCwh91039: High System CPU load reported due to unsupported number of vCPUs allocated\n- CSCwj48393: ISG: Service with no priority is not working as expected\n- CSCwj48421: After onboarding device on IOTOD, OD was not able to connect with the device\n- CSCwj09284: Unexpected reboot in WLC due to SSL\n- CSCwj40589: 
Endpoint tracker using DNS does not log the DOWN message when the DNS server reachability is lost\n- CSCwj26085: [SIT]: control connections in TLS with mode; vsmart & vmanage goes to 'trying' state with UTD\n- CSCwj29381: Service-policy will not be applied to a new Tunnel interface when sourced using sub-interface\n- CSCwj45177: A _dmidecode: command not found_ error is seen when executing the **show sdwan certificate validity** command\n- CSCwj34578: NAT46 translations are dropped when router is configured with NAT64 and as a Carrier Supporting Carrier CE\n- CSCwi91887: IPsec PWK SPI mismatch causes cEdge bfd tunnels to remain in down state\n- CSCwi81026: SDWAN BFD Sessions flapping during IPSec Rekey in scaled environment\n- CSCwi59854: The **show sdwan policy service-path** command gives inconsistent results when appname is specified\n- CSCwj02661: UTD signature update fails and device does not record the update\n- CSCwj43905: Unexpected reboot due to QFP-Ucode-Radium failure\n- CSCwj38804: ZBFW FQDN patterns missing from QFP pattern-list\n- CSCwj02628: Speed-test does not work for cEdge device\n- CSCwj30334: CVLA ucode crashes when attempting merge on used block\n- CSCwj49941: dns-snoop-agent has TCAM entry with all zeros for some regex patterns\n- CSCwi77159: Some of the objects of CISCO-SDWAN-APP-ROUTE-MIB are not implemented\n- ... 
and 6 more\n\n## IOS-XE 17.15\n\n### New features\n\n- **Support for Nutanix AHV Hypervisor**: Cisco IOS XE 17.15.5 supports the on-premises deployment of Cisco Catalyst 8000V virtual router on Nutanix AHV (Acropolis Hypervisor) bundled in Nutanix AOS version 7.3 (Acropolis Operatingcertified servers**: Cisco IOS XE 17.15.5 supports the deployment of Cisco Catalyst 8000V virtual router on Microsoft HyperV hypervisor in Microsoft HCI OS version 23H2 operating system software that runs on M\n- **Support for RHEL 9.6 hypervisor for KVM hosts**: Cisco IOS XE 17.15.5 supports the deployment of Cisco Catalyst 8000V on Red Hat RHEL 9.6 operating system with KVM hypervisor.\n- **Support for Nvidia Mellanox ConnectX-7 network interface cards**: Cisco IOS XE 17.15.5 supports SR-IOV connectivity for Nvidia Mellanox ConnectX-7 Network Interface Cards (NICs) that deliver higher throughput and performance for the supported hypervisors.\n- **Support for DSv5 instances for Microsoft Azure deployments**: Cisco IOS XE 17.15.3a supports DSv5 instances for Cisco Catalyst 8000V deployments in Microsoft Azure.\n- **Support for N2 instances for Google Cloud Platform deployments**: Cisco IOS XE 17.15.3a supports n2-standard-8, n2-standard-4 instance types for Cisco Catalyst 8000V deployments in Google Cloud Platform.\n- **Support for AWS Local Zones**: AWS Local Zones (LZs) enable you to deploy latency sensitive applications closer to end-users. Starting with Cisco IOS XE 17.15.1a, you can deploy Cisco Catalyst 8000V on c5d.2xlarge instance\n- **Support for Interface speed setting of 40000**: From Cisco IOS XE 17.15.1a, you can set an interface speed of up to 40000 in Cisco Catalyst 8000V. 
This enables some traffic profiles to see higher throughputs.\n- **Support for RHEL 9.2 hypervisor for KVM hosts**: From Cisco IOS XE 17.15.1a, you can deploy Cisco Catalyst 8000V on Red Hat RHEL 9.2 operating system with KVM hypervisor. Note that support for RHEL 7.x is deprecated from this release.\n- **Support for SUSE Linux\u00ae Enterprise Server 15 SP5**: From Cisco IOS XE 17.15.1a, you can deploy Cisco Catalyst 8000V on SUSE Linux\u00ae Enterprise Server 15 SP5 operating system with KVM hypervisor.\n- **Support for VMware ESXi 8.0**: From Cisco IOS XE 17.15.1a, you can deploy Cisco Catalyst 8000V on VMware ESXi 8.0 Update 2 hypervisor operating system. Note that ESXi hypervisor version 6.0 will no longer be supported f\n- **Absolute Path for HTTP or HTTPS File Transfer**: The File Transfer using HTTP or HTTPs feature allows you to copy files from a remote server to your local device, using the **copy** command. From Cisco IOS XE 17.15.1a, you must provide the ab\n- **Cisco Umbrella Scope Credentials**: From Cisco IOS XE 17.15.1a, this feature provides the ability to define and configure a new single Cisco Umbrella credential for both Umbrella SIG and Umbrella DNS.\n- **Configure DMVPN for SD-Routing Devices**: Cisco DMVPN (Dynamic Multipoint VPN) is a routing technique to build a VPN network with multiple sites without having to statically configure all devices. This technique uses tunnelling proto\n- **Configure Multiple WAN Interfaces on Cisco SD-Routing Devices Using a Custom VRF**: You can now create a custom VRF that hosts one or more WAN interfaces. You can extend this functionality to create multiple custom VRFs with each VRF hosting multiple WAN interfaces. 
TheseConfiguration Groups**: This release introduces support to configure site to cloud connectivity from an SD-Routing branch to Amazon Web Services using Configuration Groups. This is an enhancement over the existingSD-Routing Devices**: The Flow-level Flexible NetFlow (FNF) feature allows you to monitor the NetFlow traffic and view all the flow-level FNF data that is captured including application-level statistics.\n- **Enhanced NAT Management**: From Cisco IOS XE 17.15.1a, the Enhanced NAT Management feature enables network operators to safeguard system performance by limiting NAT translations based on CPU usage with the ip nattra\n- **Enhancements to Segment Routing over IPv6 Dataplane**: From Cisco IOS XE 17.15.1a, Segment Routing over IPv6 dataplane supports these functionalities: \u2022 IS-IS Microloop Avoidance \u2022 IS-IS Loop-Free Alternate Fast Reroute \u2022 IS-IS Topology-Independe\n- **Monitoring Software Defined (SD) - Routing Alarms**: From Cisco IOS XE 17.15.1a, network administrators can monitor SD-Routing device alarms on Cisco Catalyst SD-WAN Manager. This feature enables SD-Routing devices to record and store various a\n- **Network-Wide Path Insights on Software Defined (SD) - Routing Devices**: Network-Wide Path Insights (NWPI) is a tool that allows network administrators to monitor Cisco SD-Routing deployment, identify network and application issues, and optimize the network.\n- **SD-Routing License Management**: This release introduces license management support for SD-Routing devices. The supported licensing workflows include license assignment or configuration, license use, and license usage report\n- **Classic CLI**: This feature provides support for including Cisco IOS XE CLI configuration commands that do not have an associated yang model. 
When used with the current configuration group, Classic CLI prov\n\n### Resolved bugs (183)\n\n- CSCwr55240: C8000v experiences critical failure with OMPd process\n- CSCwr31999: Using Azure Portal GUI stop button initiates reload before forcefully shutting down in 10 minutes\n- CSCwp06956: NGFW Policy deployment fails due to long rule name\n- CSCwr03611: The LWM \"memory free low-watermark processor\" value is changing itself after upgrade\n- CSCwr83968: Device reloads unexpectedly with static NAT when polling NAT translation data\n- CSCwq79503: Device reloads unexpectedly during startup due to segmentation fault\n- CSCwr19450: EVPN type-2 locally originated route is not withdrawn even if there is no information about the MAC/IP in SISF/EVPN Manager/L2RIB.\n- CSCwr19564: After migration event and receiving the route via the EVPN Fabric, locally originated BGP route and L2RIB route stuck even if the SISF entry and EVPN Manager entry does not exist.\n- CSCwq29468: BGP routes are advertised with 0 in AS PATH attribute when replacing ASN\n- CSCwm85778: After VRRS flaps AAA overflows the packet buffers causing an Out of Memory crash\n- CSCwr51490: DMVPN hub routers experiences an unexpected reload after tunnel down in specific timing scenario\n- CSCws09528: Device experiences an issue where all line interfaces become blocked and unable to forward traffic\n- CSCwn18874: DMVPN spoke crashes at NHRP Process\n- CSCwp17828: uCode core is not getting generated when specific interrupt instructions are executed\n- CSCwo14975: Memory leak is seen in DNS Proxy; SKA triggers unexpected reloads\n- CSCwp67808: ZBFW invalid zone drops after upgrade\n- CSCwn85623: Missing Calling-Station-ID in radius messages\n- CSCws15533: IPv6 stale entries are not expiring\n- CSCwr05809: PKI: Discard CRL of greater than 5MB. 
Large CRL processing can take significant time causing CPUHOG and subsequent crash if it continues\n- CSCwq22471: Device unexpectedly reboots when importing CA chains\n- CSCwr10159: Even after the 5-minute \u2018block-for\u2019 timer expires, ACL remains active on the VTY lines, preventing SSH access\n- CSCwq26347: Device accepts under object-group service tcp port range where the end port is less than the starting port\n- CSCws30834: Device ignores the keepalive command under the SIG tunnel interface\n- CSCwq32935: After running the **show policy-map type inspect zone-pair sessions** command, memory increase for a couple of hours until it crashes\n- CSCwk55051: IR1101: polaris_vconfd_cfgpull_t denials observed during config push trigger\n- CSCwr02964: Initial Authc/Authz does not go to first TACACS server even when the server is alive\n- CSCwp06965: SNMPv3 user with encrypted password is not seen in **show run** command without re-configuring all SNMPv3 configurations\n- CSCwr69613: cpp_cp_svr crash if CEF OCE points to MPLS-SR-Tunnel interface\n- CSCwm01063: Device unexpectedly reload due to segmentation fault on IP SLA DynHostName process\n- CSCwr09289: Device crashes when collecting backtrace for callsite\n- ... 
and 153 more\n\n### Open bugs (67)\n\n- CSCws51814: Increased CPU utilization caused by BGP scanner process\n- CSCwo60972: Device shows high memory usage as `cpp_ha_top_leve` keeps increasing\n- CSCws75443: IPv6 neighbour table entries are not timing out causing High TCAM utilisation when no default timers are configured\n- CSCwr00088: Add CLI to change the per MPLS label CEF statistics query interval on FMAN FP\n- CSCws71815: Behaviour change for the **ip dhcp use class** command on device\n- CSCws35452: Device attempts DHCP relay instead of local assignment leading to clients losing connectivity\n- CSCwq08151: Device experiences unexpected reload due to DBGD process\n- CSCwo57783: A _NHRP Encap Error for Purge Request_ message populates on spoke despite correct routing at HUB\n- CSCwp28915: SNMP walk fails to consistently return tunnel names due to incomplete tunnel setup\n- CSCwh91039: C8000V: High system CPU load is reported due to unsupported number of vCPUs allocated\n- CSCwm71868: Stopping C8000V in Azure results in the device reloading and stopping after 10 minutes\n- CSCwo45527: C8000V: Hot add and delete do not work in AWS\n- CSCwn85623: Missing Calling-Station-ID in radius messages\n- CSCwn92976: PPP is not establishing when L2tp over ipsec\n- CSCwn60286: IOS-XE: Memory leak is observed in IPSEC/IKE session bringup with cert-based authentication\n- CSCwn44339: Router crashes due to failed DLC license conversion when contacting CSSM\n- CSCwo47118: Crash observed when clearing L2TP tunnels with the **clear vpdn tunnel l2tp &lt;ID&gt;** command\n- CSCwn48140: Failing to ping to service-side IPv4 interface from remote cEdge with IPv6 tunnel and LTE cellular\n- CSCwm33545: FlexVPN - IP address assigned to spoke changes to unassigned\n- CSCwj65057: BFD sessions stuck in down state due to SA_NOT_FOUND\n- ... 
and 47 more\n\n## IOS-XE 17.16\n\n### New features\n\n- **Configure Source Interface for High Speed Logging**: From Cisco IOS XE 17.16.1a, you can configure source interfaces for High-Speed Logging (HSL) and SysLog for security logging in Cisco SD-WAN Manager. You can also enable HSL for your firewall\n- **Disablement of Weak SSH Algorithms**: From Cisco IOS XE 17.16.1a, the ssh-rsa algorithm is disabled by default on port 22 to improve security.\n- **Enhanced Support for Binary Tracing**: From Cisco IOS XE 17.16.1a onwards, you can retrieve events sent to the IOS process in the binary trace using the **show logging process IOS module nhrp** command, without enabling DMVPN ev\n- **Enhancement to the show cellular 0/x/0 connection Command**: From Cisco IOS XE 17.16.1a, the output for the **show cellular 0/x/0 connection** command includes the following parameters: \u2022 Access Point Name (APN), and \u2022 Cellular Link Uptime\n- **Enhancements to Segment Routing over IPv6 Dataplane**: From Cisco IOS XE 17.16.1a, Segment Routing over IPv6 dataplane supports these functionalities: \u2022 eBGP Inter-AS \u2022 PCE-Delegated Path Computation \u2022 Enhancements to OAM Traffic Engineering\n- **Improved Workflow to Configure Branch Connect Solution**: This release introduces a simplified guided workflow to ease each step of configuring site to cloud connectivity.\n- **Monitoring Application Performance on SD-Routing Devices**: In Cisco IOS XE 17.16.1a, you can now monitor TCP and RTP traffic on DMVPN tunnels for IKEv2 traffic using Application Response Time (ART) monitor and Media monitor respectively. 
This functio\n- **Monitoring Crypto VPN Solutions on SD-Routing Devices**: If you have configured crypto VPN solutions such as DMVPN, FlexVPN or Layer 3 VPNs on SD-Routing devices, you can use Cisco Catalyst SD-WAN Manager to visualize the VPN solution deployed inSD-WAN Manager enables site-to-site speed tests to measure bandwidth between devices over DMVPN tunnels. These tests check upload speed from the\n- **Support for Enrollment over Secure Transport (EST)**: From Cisco IOS XE 17.16.1a onwards, you can use HTTP-based authentication for EST Client Support, using the **enrollment http username [http_username] password [http_password]** command\n- **UTD Container Management for SD-Routing Devices**: When Cisco IOS-XE autonomous devices transition to Cisco SD-Routing mode, the Unified Threat Defense (UTD) Container Migration feature ensures that existing container functionalities are pres\n\n### Resolved bugs (16)\n\n- CSCwn07540: C8000v crashed due to IOSXE_INFRA-2-FATAL_NO_PUNT_KEEPALIVE.\n- CSCwm56800: FIA trace packet decode displays incorrect value for fragmentation offset.\n- CSCwk78018: SD-ROUTING: Yang model does not handle properly default ikev2 authorisation policy.\n- CSCwm67178: Cannot configure MD5 for the hash under the ikev2 proposal when compliance shield is disabled.\n- CSCwk42493: Cellular interface in last-resort mode should be admin up, line protocol down.\n- CSCwk62954: Multiple \"match address local interface \" not pushed under crypto profile.\n- CSCwk79606: PKI trustpoint password command only allows encryption type 0 and 7 on all IOS XE platforms.\n- CSCwj33723: Config not synced between active and 3rd member of stack.\n- CSCwm48459: Software crash with critical process vip_confd_startup_sh fault on rp_0_0 (rc=6).\n- CSCwm50619: Data policy commit failure occurs when export-spread is enabled in Cflowd configuration.\n- CSCwn29062: Traceback log output with 
\"DATACORRUPTION\" error logs.\n- CSCwm62981: Device crashes with PKI \"revocation-check ocsp none\" enabled.\n- CSCwm70520: LNS tracebacks generation.\n- CSCwm74317: Syslog message '%CRYPTO_ENGINE-4-CSDL_COMPLIANCE_RSA_WEAK_KEYS: RSA keypair CISCO_IDEVID_CMCA_SUDI.\n- CSCwm54978: Selinux: Subject polaris_iosd_t denials 2024-09-16 06:43:22.\n- CSCwm77426: Unexpected reload in NHRP, cache freed prior to function call.\n\n### Open bugs (17)\n\n- CSCwn09185: Traffic loss observed on minimal values with time based policy-map.\n- CSCwn26353: BFD sessions via TLOC-Ext do not come up when IPv6 is dynamically changed.\n- CSCwn40906: Router crash observed when optimizing encrypted traffic with DRE.\n- CSCwm71639: cpp_cp_svr crash noticed when configured service-policy to a dialer interface.\n- CSCwm73195: C8000V 'show interfaces' counters are incorrect and unreasonably large.\n- CSCwn02485: Fragmented UDP SIP packets dropped on PE with IpFragErr on IP VFR and MPLS enabled tunnel interface.\n- CSCwn24226: GETVPN mismatch in GMs reported across COOP due to KEK sync issue between primary & secondary KSs.\n- CSCwn34457: Post power cycle, unable to login to router due to error authentication failed.\n- CSCwn19586: Certificate-based MACsec flapping when dot1x reauth timers are set and after reload.\n- CSCwk20995: PPPoE session with sub-interface getting stuck after reboot.\n- CSCwm87270: MKA session down with \"ICV Verification of a MKPDU failed for\" error on one of the interfaces.\n- CSCwn39447: Speed test might work abnormally after changing system-ip.\n- CSCwm43089: Low throughput with C8000v.\n- CSCwm71868: Stopping C8000v in Azure results in device reload, then stop after 10 minutes.\n- CSCwn35476: cflowd source interface for sub-interface does not get pushed.\n- CSCwm28388: Traceback seen - EVENTLIB-3-CPUHOG - fman_fp_image.\n- CSCwo39530: Applied changes in the filter of pcap fields are not reflecting after 
refreshing.\n\n## IOS-XE 17.18\n\n### New features\n\n- **Ease of set up**: Support for Microsoft Azure on MANA Enabled Hosts\n- **Ease of set up**: Support for Microsoft HyperV on Azure Local certified servers\n- **Ease of set up**: Support for Nutanix AHV Hypervisor\n- **Ease of use**: Support for RHEL 9.6 hypervisor for KVM hosts\n- **Ease of use**: Support for Nvidia Mellanox ConnectX-7 network interface cards\n- **Security**: Resilient Infrastructure\n- **Software Reliability**: High availability for DHCP servers\n- **Ease of Setup**: IPv6 Rule and Rule Set Support in Security Policies\n- **Upgrade**: IPv6 GRE-TP tunnel as protected link support for SRv6 TI-LFA with IS-IS\n- **Upgrade**: IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with OSPFv2\n- **Upgrade**: IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with IS-IS\n- **Upgrade**: Directional attribute compliance for SIPREC responses\n- **Security**: Security warnings for usage of legacy TLS and associated weaker ciphers \u2013 CUBE and SRST\n- **Ease of Use**: Support for deployment of Catalyst 8000V in Oracle Cloud Infrastructure\n- **Ease of Use**: Support for N4 and N2 compute instance families in Google Cloud Platform\n- **Ease of Use**: Support for D[s]_v5 compute instance family in Microsoft\n- **Software Reliability**: Support for Nvidia Mellanox ConnectX-6 network interface cards\n- **Ease of Use**: Support for Ubuntu 22.04 LTS\n- **Software Reliability**: Throughput performance optimizations\n- **Licensing Process**: Licensing compliance, reporting, and notification enhancements\n- **Ease of Use**: Hosted Edge Services for SD-Routing Devices\n- **Ease of use**: Managing NGFW Policies from Security Cloud Control\n- **Security**: Custom IPS signature sets\n- **Ease of Use**: Certificate Management on SD-Routing Devices\n- **Upgrade**: MVPN Ingress\n- **Replication (IR) over SRv6**: network. 
It simplifies multicast deployment by using the existing SRv6 unicast infrastructure as the underlay. With this feature, the ingress PE router receives multicast traffic and creates a s\n- **Upgrade**: SRv6 Path MTU Discovery\n- **Upgrade**: SRv6 Flex-Algo with TI-LFA and uLoop Avoidance\n- **Upgrade**: MVPN Ingress Replication (IR) over SRv6\n- **Licensing Process**: Product Analytics for routers\n- **Ease of Use**: Enhanced support for serviceability in SIP recording\n- **Upgrade**: Third-Party GUID capture for correlation between call transfers and SIP-based recording\n- **Upgrade**: IOS UC apps reports smart licensing flex subscription entitlement tag\n\n### Resolved bugs (41)\n\n- CSCwr42574: C8Kv MLX5 main interface ping fails if subinterfaces are configured\n- CSCws72902: C8200/C8300/C8500L: Overrun drops due to uneven GRE traffic distribution across data plane cores\n- CSCwr90843: SD-WAN Edge: Device may reload unexpectedly under heavy IPSec Traffic Load\n- CSCwr72709: Router crash in TDM-TDM call when debug voip fpi enabled\n- CSCws66278: Unable to install Cisco PKI controller certs on MT overlay\n- CSCws68039: C8200: Unable to configure HSRP Groups up to the maximum limit\n- CSCws28994: CPP crash while processing QoS rate profile\n- CSCwr95551: c8kv crashes when configuring SSL VPN with Policy-Based Routing (PBR) and NAT\n- CSCwr84985: dmiauthd process crashes, due to which the configuration does not sync between startup-config and the running-config.\n- CSCws32991: C1100TGX does not honor jumbo MTU on WAN ports after reboot\n- CSCws95993: Seeing T1 license in use even after configuring T2.\n- CSCws30718: Dataplane Crash Observed on CGN NAT Scale Router after \"clear ip nat translation *\"\n- CSCwt18839: Segmentation Fault in cpp_cp_svr while Printing FIA Trace Data\n- CSCws77372: Software crash with fman_fp core due to NAT-related show commands\n- CSCwr44547: SDWAN Manager: Reporting 
abnormal loss value for tunnel stats in the UI\n- CSCws80232: SD-WAN Edge: Zone-Based Firewall Not Programmed Correctly Resulting in Class-Default Match\n- CSCwt46335: MAP-E: stop sending IPv4 traffic during MAP rule refresh\n- CSCwq60752: Catalyst 8000 FP Crash After Clearing NAT Translations\n- CSCws58529: When the name server is specified using IPv6, half entries are created due to unintended NAT.\n- CSCws76668: Memory leak under \"fman_fp_image\" on CAT8500 routers when NAT is enabled.\n- CSCwt22873: High QFP Caused by \"all-host\" Limit in - Carrier Grade NAT mode\n- CSCwr42950: On-demand tunnels in SD-WAN do not expire when Universal Mobile Telecommunications System (UMTS) is enabled.\n- CSCwq51935: A NAT64 static entry is removed when a command to delete a non-existent entry is applied.\n- CSCwe19394: The device may boot up with the previous packages configuration file due to a power outage.\n- CSCwr77958: Network-Based Packet Inspection (NWPI) is not capturing self-generated syslog traffic.\n- CSCwj61730: The router may crash when Security Group Tag (SGT) caching is removed from an interface.\n- CSCwq77322: The router sends a 2-byte packet for the FLOW_SAMPLER_RANDOM_INTERVAL field instead of a 4-byte packet.\n- CSCwr24031: After an upgrade, the SD-WAN service tracker in a VRF instance may select the source IP address from the global routing table when Multiprotocol Label Switching (MPLS) Inter-AS Virtual Private Network (VPN) option B is configured.\n- CSCwr49794: Integrated Services Router (ISR) exporters with Encrypted Traffic Analytics (ETA) enabled generate invalid template data errors in Secure Network Analytics (SNA).\n- CSCwq98206: The Enhanced Policy-Based Routing (EPBR) set interface action is missing after a reboot.\n- ... 
and 11 more\n\n## IOS-XE 17.6\n\n### New features\n\n- **AWS Metadata Version 2**: Earlier, when you deployed Cisco Catalyst 8000V on Amazon Web Services, only version 1 or V1 was applicable for the **Metadata Accessible** field. Starting from Cisco IOS XE Release 17.6.1a, me\n- **Automatic Mapping of Cisco CSR 1000V or Cisco ISRv Licenses to DNA Tier Licenses**: The Cisco Smart Software Manager (CSSM) manages licenses of all the Cisco devices including Cisco CSR 1000V and Cisco ISRv, which have an end-of-life milestone of year 2022. To continue to ke\n- **Support for ESXi 7.0**: Cisco Catalyst 8000V supports ESXi 7.0 and 6.7 from Cisco IOS XE 17.6.1a. Note that support for ESXi 6.5 has been deprecated.\n- **Zone-Based Firewall Policy Reclassification**: The Zone-Based Firewall (ZBFW) Policy Reclassification feature is an enhancement to the Zone-Based Firewall feature. With this enhancement, any changes you make to the policy configuration on\n- **Asymmetric Lease for DHCPv6 Relay Prefix Delegation**: This feature allows you to manage or change the lease renewal. It provides options to force renewal of lease and also detects when the lease is nearing the expiry date.\n- **Upgrade to pyang version 2.x**: The updated pyang plugin version 2.x fixes existing issues such as XPATH validation and upstream pyang issues. Additionally, this version reports all errors in the YANG models to the users an\n- **WebSocket Based Forking for Cloud Speech Services in CUBE**: From Cisco IOS XE Bengaluru 17.6.1, CUBE can use WebSockets to handle media forking in a Cisco Unified Contact Center Enterprise (UCCE) solution deployment with Cloud Speech Services. WebSock\n- **Support for OPUS Codec Transcoding in CUBE**: From Cisco IOS XE 17.6.1 onwards, CUBE can transcode Opus encoded media streams. 
Because Opus codecs perform very well over the Internet, this feature is particularly beneficial when routing \n- **Class of Restriction YANG Configuration Model updates**: YANG models were developed for the following CLIs as part of the Class of Restriction configuration: \u2022 dial-peer voice  pots/voip corlist \u2022 dial-peer voice vad \u2022 dial-peer cor custom \n- **Snapshots for PAK Licenses**: The library that manages product activation key (PAK) licenses is being deprecated from the software image. To continue supporting and honouring any existing PAK licenses you may have, the sy\n\n### Resolved bugs (156)\n\n- CSCwh73350: Device keeps crashing when processing a firewall feature\n- CSCwh99399: FTMD crash observed in ENCS platform while running PWK suite\n- CSCvo01546: NHRP reply processing may dequeue an unrelated request\n- CSCwh49644: CSDL Compliance failure: Use of 3DES by IPSec is denied\n- CSCwi01046: PoE module does not provide enough power to bring the ports after an unexpected reload\n- CSCwh01425: ITU channel configuration does not work\n- CSCwh20577: Crashed by TRACK client thread at access; invalid memory location\n- CSCwh70449: PMTUD incorrectly converges without attempting to learn a higher MTU\n- CSCwf34171: The **configure replace** command fails due to the `license udi PID XXX SN:XXXX` line on IOS-XE devices\n- CSCwh36801: Crash in IP input process during tunnel encapsulation\n- CSCwh87343: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability.\n- CSCwf70596: Fix VLAN replay for SRIOV i40e interface after link flap\n- CSCwe09745: Memory leak in Pubd when continuously trying to connect to remote peer\n- CSCwd63063: Standby BGP session receives incorrect routes from Active\n- CSCwe19084: NAT: Traffic is not translated to the same global address though PAP is configured\n- CSCwd90168: Unexpected reload after running the **show voice dsp** command while an ISDN 
call disconnects\n- CSCwe60059: Crash when using dial-peer groups with STCAPP\n- CSCwe36122: ISIS crash when performing TI-LFA calculation\n- CSCwf59173: Segmentation fault at IPv6 BGP backup route notification\n- CSCwf00769: L2RIB thread crash after removing EVPN member from bridge domain\n- CSCwf83301: Device displays incorrect values for Call Quality statistics (RTT/MOS)\n- CSCwe72462: Username/Password under voice register pool gets deleted post CME reload\n- CSCwe25006: An unexpected removal of the underlay S,G entry resulting ~20s disruption in the multicast flow SDA\n- CSCwe21042: NBAR DP traceback - \"Failed to process non-graph batch message: wrong batch id\" is logged\n- CSCwf47796: NHRP cache entries flood matching a /32 default route\n- CSCwe32862: Router IOS-XE crashes while executing AES crypto functions\n- CSCwf09758: Watchdog crashes while importing a large CRL file into the device\n- CSCwf67564: Memory Leak at process SSS Manager\n- CSCvy87339: Telemetry subscription fails to connect to grpc receiver when multiple XPATH changes are made to it\n- CSCwe41946: DTMF is failing through IOS MTP during call on-hold\n- ... 
and 126 more\n\n### Open bugs (144)\n\n- CSCwe92277: Performance degradation on C8000V hosted in Azure cloud when the traffic flow is asymmetrical\n- CSCvz96485: Azure: C8000V NETVSC PMD DPDK Support\n- CSCwe37016: The output rate on the port channel does not match the total physical interface output rate\n- CSCwh14083: High CPU due to MPLS MIB poll\n- CSCwd16559: ARP request to reroute nexthop IP is not triggered if ARP entry not in ARP table\n- CSCwf99647: SRTP cipher failure for RTCP packets when AEAD_AES_256_GCM Cipher is used for call\n- CSCwh21376: Unable to disable the call-home feature on devices\n- CSCwe93070: Tracebacks seen when configuring VRF with 32 characters or more\n- CSCwf80400: IOS XE Router may experience unexpected reset while executing the **show utd engine standard statistics** command\n- CSCwd46688: Unable to apply the Service Policy on tunnel interfaces\n- CSCwf55243: Device is crashing while adding a trustpoint to the router\n- CSCwe29301: AOM objects (FMAN_OBJ_ACL_REF) might be missing intermittently after MMA flapping\n- CSCwe90119: Device-tracking database entry stuck on UNKNOWN state with temporal mac address.\n- CSCwh15021: QFP crash when configuring S2S VPN (IKEv2/IPSEC) with Azure vWAN/HUB\n- CSCwf55145: SFP transceiver DOM does not work after some time; however interface forwards the traffic as expected\n- CSCvu85539: Unable to delete wrong interface name in C8000V\n- CSCwd97212: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = IOSXE-RP Punt Service Process\n- CSCwe14885: VPN is established although the peer is using a revoked certificate for authentication\n- CSCwc67429: CTS PI changes for adding new binding source priority for LISP sourced local host bindings\n- CSCwh45169: Unexpected reboot while displaying information from a cleared SSS session\n- ... 
and 124 more\n\n## IOS-XE 17.7\n\n### New features\n\n- **Factory-installed Trust Code**: For new hardware and software orders, a trust code is now installed at the time of manufacturing. You cannot use a factory-installed trust code to communicate with CSSM. **Note**\n- **Installing Cisco Catalyst 8000V in an OpenStack Environment**: Starting with the Cisco IOS XE Release 17.7.1a, you can now install Cisco Catalyst 8000V on OpenStack software (Train release) which acts as a hypervisor manager. The OpenStack Train release \n- **Flexible NetFlow Support on BD-VIF**: This feature introduces Flexible NetFlow (FNF) support on Bridge Domain Virtual IP Interfaces (BD-VIF). Flexible Netflow provides improved optimization and performance, enhanced security, and\n- **Marking Packets Sent Via ATM Interface With COS(BITP) Value**: This feature introduces the \u2018set cos 3\u2019 command using which you can configure the router to mark the packets with a cos (bitp) value. The marked packets are indicators of priority for the use\n- **Multicast - mcast group calculation**: The **show ip multicast overlay-mapping** command displays an underlay group address from the overlay group address which is used to troubleshoot or configure the network. 
The output includes t\n- **Secure Web Socket-based Media Forking on Cisco 4431, 4451-X, and 4461 Integrated Services Routers**: From Cisco IOS XE Cupertino 17.7.1a, CUBE can use WebSockets to handle media forking with Cloud Speech Services on the Cisco 4431, 4451-X, and 4461 Integrated Services Routers platforms apart\n- **YANG Configuration Models for CUBE**: From Cisco IOS XE Cupertino 17.7.1a, YANG models are now available to configure and manage CUBE.\n- **Converting IOS Commands to XML**: This feature helps to automatically translate IOS commands into relevant NETCONF-XML or RESTCONF/JSON request messages.\n- **ZTP Configuration through YANG**: ZTP is enabled through YANG models when NETCONF is enabled.\n- **Ability to save authorization code request and return in a file and simpler upload in the CSSM Web UI**: If your product instance is in an air-gapped network, you can now save a SLAC request in a file on the product instance. The SLAC request file must be uploaded to the CSSM Web UI. You can the\n- **Account information included in the ACK and show command outputs**: A RUM acknowledgement (ACK) includes the Smart Account and Virtual Account that was reported to, in CSSM. You can then display account information using various **show** commands. The accountdesktop) running Linux. See: CSLU, Workflow for Topology: Connected to CSSM Through CSLU, Workflow for Topology: CSLU Disconnected from CSSM\n- **Factory-installed trust code**: For new hardware and software orders, a trust code is now installed at the time of manufacturing. You cannot use a factory-installed trust code to communicate with CSSM. **Note** See: Ov\n- **RUM Report optimization and availability of statistics**: RUM report generation and related processes have been optimized. 
This includes a reduction in the time it takes to process RUM reports, better memory and disk space utilization, and visibilit\n- **Support for trust code in additional topologies**: A trust code is automatically obtained in topologies where the product instance initiates the sending of data to Cisco Smart License Utility (CSLU) and in topologies where the product instanc\n- **Support to collect software version in a RUM report**: If version privacy is disabled (**no license smart privacy version global configuration**) command, the Cisco IOS-XE software version running on the product instance and the Smart Agent v\n- **Tier-Based Licenses**: You can now configure tier-based throughput values if the license PID is tier-based. For example, for PID DNA-C-T0-E-3Y, you can configure Tier 0 (T0) as the throughput value on the platform.\n\n### Resolved bugs (39)\n\n- CSCwa17720: Router rebooted due to watchdogs after issuing the show crypto mib ipsec command\n- CSCwa11150: E1 configurations (under Serial interface) lost after reload.\n- CSCwa76260: IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - DES, 3DES, DH1/2/5\n- CSCwa37006: VXE: IOSd watchdog crash while printing to syslogs to console\n- CSCwa15085: Router crash due to stuck thread with appnav-xe dual controller mode.\n- CSCvx28426: Router may crash due to Crypto IKMP process\n- CSCwa80474: IKEv2 Deprecated Ciphers denied by Crypto Engine CDSL - PSB Security Compliance - MD5, SHA1\n- CSCwa15132: DMVPN over DMVPN with IPSEC - return packets are dropped with BadIpChecksum\n- CSCwa01293: ZBFW: Optimized policy traffic failure due to OG edit error\n- CSCwa18177: Flapping bidirectional/unidirectional packet capture option with ipv4 filter for long time failed\n- CSCvy34805: Consecutive Multicast Crashes in device\n- CSCvy38743: CISCO-CLASS-BASED-QOS-MIB doesn't work with LTE Cellular interface on the router after 
reload\n- CSCvy92696: Cosmetic: `Logging host` configuration inconsistent between sdwan and IOS configuration\n- CSCvz30670: Qos issue on IPv6 Virtual access (tunnel ipsec) interface\n- CSCvz14745: Memory leak seen when using DNS with IP SLA\n- CSCvy27721: IOS-XE Router may experience unexpected reboot with X25 RBP\n- CSCvz98446: Device crashes when changing Debug Level\n- CSCvy45095: IPv6 ebgp multihop session remains in \"idle\" state after removal and recreation of the config\n- CSCvy72210: Cisco IOS XE crashes after executing 'show flowspec ipv4' command\n- CSCvy53885: ip pim rp-candidate command removed after reload when group list is configured\n- CSCvz21812: QoS policy update with \"random-detect dscp\" configuration get rejected on device side\n- CSCvy54964: Large tx/rx rate on Dialer interface in show interface output.\n- CSCvy23400: MC-LAG feature cannot preserve administratively shut down sub-interfaces\n- CSCvy08748: OSPF summary-address isn't generated though candidate exists\n- CSCvy99942: Netconf: Logging to syslog stops working in certain scenarios\n- CSCvy93946: Removal of SHA-1 HMAC Impacting ability to SSH\n- CSCvy83154: MAG is not detecting the path UP after several reboots\n- CSCvw16093: Secure key agent trace levels set to Noise by default\n- CSCvy29106: Device crashed on a Eigrp enabled device when Netconf get operation was used\n- CSCvw13682: L3 connected lite session not coming up, stuck in data-plane(qfp)\n- CSCvt66541: Crypto PKI-CRL-IO process crash when PKI trustpoint is being deleted\n- CSCvx62167: Route-map corruption when configured using Netconf with ncclient manager\n- ... 
and 9 more\n\n### Open bugs (19)\n\n- CSCvz65764: Peer MSS value showing incorrect\n- CSCwb25137: [XE NAT] Source address translation for multicast traffic fails with route-map\n- CSCwb78423: Excessive packet loss observed during DMVPN tunnel flapping\n- CSCwb66749: When configuration ip nat inside/outside on VASI interface, the ack/seq number is abnormal\n- CSCwb55683: Large number of IPSec tunnel flapping occurs when underlay is restored\n- CSCwb74821: Yang-management process confd is not running\n- CSCwa13553: C8000V QFP core due to NAT scaling issue\n- CSCwb11389: NAT translation stops suddenly; ip nat inside doesn't work\n- CSCwb51238: Router reloads two times unexpectedly with the netflow show command\n- CSCwb34625: Static ip from bootstrap config overwritten by dhcp on fresh install\n- CSCwb25913: After configuring match input-interface on class-map, router goes into a reboot loop\n- CSCwa08378: C8000V Day0 ZTP ignores crypto configuration before licensing\n- CSCvz89354: Router Running 17.x.x crashes due to CPUHOG when walking ciscoFlashMIB\n- CSCwb08186: E1 R2 - dnis-digits CLI not working\n- CSCvz91309: Crash due to IOSXE-WATCHDOG due to management port traffic storm\n- CSCwb39822: MLX5 Driver Error on a C8000V in Microsoft Azure causes excessive debug printing\n- CSCwb12647: Device crash for stuck threads in cpp on packet processing\n- CSCwa48512: CoR intercepted DNS reply packets dropped with drop code 52 (FirewallL4Insp) if UTD also enabled\n- CSCwb41907: CPP uCode crash due to ipc congestion from dp to cp\n- CSCvz99455: 36% Degradation seen with FNF on C8000V 1v CPU KVM\n- CSCwa67398: NAT translations do not work for FTP traffic in the device\n- CSCwb76509: Assert failure while showing FTM (Forwarding Traffic Manager) data in NH TYPE switch case\n- CSCwa84919: \"Revocation-check crl none\" does not failover to NONE DNAC-CA\n- CSCwb78173: CSDL failure: IPSec QM Use of DES by encrypt proc is denied\n- CSCwb46649: NAT translation don't show (or use) correct timeout value 
for an established TCP session\n- CSCwb68897: \"Total output drops\" counter in \"show interface\" on Port-channel doesn't work properly\n- CSCwb02142: Traceback: fman_fp_image core after clearing packet-trace conditions\n- CSCwb29362: Evaluation of IOS-XE for OpenSSL CVE-2022-0778 and CVE-2021-4160\n- CSCvz34668: Static mapping for the hub lost on one of the spokes\n- CSCwa74499: ZBFW sees the SIP ALG incorrectly, dropping traffic and resetting connection\n- CSCwb76866: CSDL failure: Use of MD5 by IPSEC key engine is denied\n- CSCwa68540: FTP data traffic is broken when UTD IPS enabled in both service VPN\n- CSCwb79138: Device drops GRE tunnel packets after the upgrade starts\n- CSCvz92954: C8000V UTD Container doesn't come up after a reboot\n- CSCwa07494: IPSec tunnel not passing traffic when IPSec tunnel is sourced from VASI interface\n- CSCwa46001: VRRP traffic sent while the device boots will congest the interface queue causing taildrops\n- CSCwa08378: C8000V Day0 ZTP ignores crypto configuration before licensing\n- CSCvz72871: Multicast traffic received over DMVPN tunnel are dropped on RP and not forwarded downstream.\n- CSCwa27659: virtual VRRP IP address unreachable from the BACKUP VRRP\n- CSCvz41067: IP Community-list config out of sync in sdwan and ios-xe\n- CSCwa22665: Memory leak in scaled EIGRP DMVPN implementation due to EIGRP: mgd_timer\n- CSCvz99455: 36% Degradation seen with FNF on C8000V 1v CPU KVM\n- CSCvz55553: BGP routes refreshing in the routing table after adding \"bgp advertise-best-external\"\n\n## IOS-XE 17.8\n\n### New features\n\n- **Support for Software Media Termination Point**: A Software Media Termination Point (SWMTP) is an essential component of large-scale deployments of Cisco Unified Communications Manager (CUCM). In these deployments, the SWMTP bridges the med\n- **Show Command to Debug Packet Drops**: The Show Drops command introduced in this 
release allows you to troubleshoot the root cause for packet drops and identify: \u2022 The reason for the packet drop. \u2022 The dropped interface with Rx\n- **Download AnyConnect Profiles with IPSec IKEv2 VPN**: This feature allows you to configure Internet Protocol Security (IPSec)-Internet Key Exchange (IKEv2) VPN to download AnyConnect profiles over SSL, for IOS-XE headends.\n- **Support for bidirectional debugging**: You can now enable bidirectional debugging of traffic using debug platform condition match command.\n- **mTLS Client CN-SAN Validation**: It is now possible to verify a client through the validation of the common name or subject alternate name fields in its certificate.\n- **Unified Secure SRST: SHA2-Cipher-only Mode**: To ensure that only the most robust cipher suites are used, Secure SRST (SCCP) may now be configured to only use TLS 1.2 Cipher Suites. Secure SIP SRST now supports the granular control of ci\n- **Unified Secure SRST: SIP oAuth Client Registration**: IP Phones, Jabber clients, and the Webex app may now failover and register to Secure SIP SRST using OAuth authentication.\n- **VRF-aware Listen Port per Tenant**: SIP trunks configured using the CUBE tenant feature may now be configured with a specific listen port, allowing more flexibility in routing inbound calls to the correct trunk. This feature ma\n- **IPSec YANG model**: This feature introduces a YANG model for the show platform hardware qfp active feature ipsec state command. 
This model displays the Cisco QuantumFlow Processor (QFP) IPsec state information\n- **YANG Model Version 1.1**: Cisco IOS XE Cupertino 17.8.1a uses the YANG version 1.0; however, you can download the YANG version 1.1 from GitHub at https://github.com/YangModels/yang/tree/master/vendor/cisco/xefolde\n\n### Resolved bugs (5)\n\n- CSCvz99455: 36% Degradation seen with FNF on C8000V 1v CPU KVM\n- CSCwa15132: DMVPN over DMVPN with IPSEC - return packets are dropped with BadIpChecksum\n- CSCwa07494: IPSec tunnel not passing traffic when IPSec tunnel is sourced from VASI interface\n- CSCwa08378: C8000V Day0 ZTP ignores crypto configuration before licensing\n- CSCwa13553: C8000V QFP core due to NAT scaling issue\n- CSCvz34380: Multiple Cisco Products Snort Modbus Denial of Service Vulnerability\n- CSCwa92411: Slowness issues caused by intermittent traffic drop on Cisco ISRv ingress from GRE tunnel\n- CSCwa47219: Crash on ipv4_nat_get_all_mapping_stats due to NULL pointer of mapping_hash_table\n- CSCwb11389: NAT translation stops suddenly (ip nat inside doesn't work)\n- CSCvz98373: ZBFW: FirewallPolicy drops seen with RTSP traffic in steady state\n- CSCwa26412: ZBFW: OG lookups are missing from device for optimized policy\n- CSCwa36699: Prefetch CRL Download Fails\n- CSCvz74773: Discrepancies in CLI and GUI interface details (Truncating interface numbers)\n- CSCvt15177: Certificate Signing Request made by IOS-XE never show the Subject Alternate Name\n- CSCwa67398: NAT translations do not work for FTP traffic in the device\n- CSCvy78501: AAR not working properly as configured SLA classes are not shown under app-route stats\n- CSCwa51443: Incorrect check of the TCP sequence number causing return ICMP error packets to drop (ThousandEyes)\n- CSCwa93930: \"alarms alarm bfd-state-change syslog\" command is getting rejected while reconfiguring the device. 
\n- CSCvz80101: Policy XML pruning without ConfD dependency\n- CSCvz34668: Static mapping for the hub lost on one of the spokes\n- CSCwa15085: Router Crash due to Stuck Thread with appnav-xe dual controller mode.\n\n### Open bugs (2)\n\n- CSCwb13850: License boot level not detected with Day0 after C8000V boots on the latest polaris image\n- CSCwb34625: C8000V auto mode: static IP from bootstrap config overwritten by dhcp on fresh install\n- CSCwb13820: C8000V crashes at high scale with IPSEC and heavy features configured\n- CSCvz28950: DMVPN phase 2 connectivity issue between two spokes\n- CSCvz65764: Peer MSS value shows incorrect\n- CSCwb11389: NAT translation stops suddenly (IP nat inside doesn't work)\n- CSCwa84919: \"Revocation-check crl none\" does not failover\n- CSCwb42807: After Enforce Software Version (ZTP) completes successfully, it automatically rolls back\n- CSCwb04815: NHRP process takes more CPU with IP nhrp redirect configured\n- CSCwa72273: ZBFW drops return packets post device upgrade\n- CSCwb25137: [XE NAT] Source address translation for multicast traffic fails with route-map\n- CSCwb18223: SNMP v2 community name encryption problem\n- CSCwb55683: Large number of IPSec tunnel flapping occurs when underlay is restored\n- CSCwb12647: Device crashes for stuck threads in cpp on packet processing\n- CSCwb24123: Registration of spoke fails with dissimilar capabilities\n- CSCwb21645: NAT traffic gets dropped when default route changes from OMP to NAT DIA route\n- CSCwa08847: ZBFW policy stops working after modifying the zone pair\n- CSCwb45422: Crash due to IPv4 reassembly\n- CSCvw50622: Nhrp network resolution not working with link-local ipv6 address. 
\n- CSCwb29362: Evaluation of IOS-XE for OpenSSL CVE-2022-0778 and CVE-2021-4160\n- CSCwa74499: ZBFW seeing the SIP ALG incorrectly dropping traffic and resetting connection\n- CSCwa68540: FTP data traffic broken when UTD IPS enabled in both service VPN\n- CSCwb27900: WebSocket forking connection failed for Voice VRF scenario\n- CSCwa48122: SIP OAuth http request to fetch keys from CUCM fails after bootup as interface is down\n\n## IOS-XE 17.9\n\n### New features\n\n- **Support for ConnectX-5VF vNIC**: Cisco Catalyst 8000V now supports the ConnectX-5VF Virtual Network Interface (vNIC) card for deployments in ESXi, KVM, and NFVIS (CSP) environments. This enhancement provides multiple bene\n- **Support for c5n.18xlarge instance type**: Cisco Catalyst 8000V running on Amazon Web Services (AWS) now supports the c5n.18xlarge instance type for deployment. This instance type supports Elastic Fibre Adapter (EFA) that enhances\n- **AWS Enhancements**: Cisco Catalyst 8000V running on AWS supports performance enhancements with higher number of queues, thereby increasing the packet processing rate.\n- **Support for Unicast-to-Multicast Destination Reflection**: This feature introduces support for configuration of unicast-to-multicast destination reflection to facilitate unicast-to-multicast destination translation and unicast-to-multicast destinatio\n- **Support for BGP additional paths with label-unicast unique mode**: This enhancement introduces support for configuring BGP additional paths when label-unicast unique mode is configured.\n- **ACE Scale Limit Per OGACL**: This feature provides the capabilities to increase the Common Adaptive Classification Engine (CACE) scale limit per ACL and object group (OG) ACL. Currently, the CACE supports only 64K ACEs p\n- **CUBE: End-to-end Secure Calling for Courtesy CallBack and Unified Contact Center Survivability**: With the Cisco Voice Portal (CVP) application, a caller may request an 
automated callback, rather than wait in a queue for an extended period. When an agent becomes available, CVP sends a requ\n- **CUBE: Load Balancing for DNS SRV Host**: This enhancement to the DNS session target feature, provides effective call distribution and load balancing of calls based on the preference, priority and availability of hosts provided in DN\n- **CUBE: Options Ping for DNS SRV Hosts**: Previously, CUBE (Local Gateway) had to be configured with separate dial-peers to monitor the availability of individual proxies used in services such as Webex Calling. To simplify this confi\n- **Transfer of Call Detail Records Using SFTP**: Cisco IOS gateways can use FTP and now SFTP servers to transfer call accounting files.\n- **Managed Service License Agreement (MSLA) Support with Smart Licensing Using Policy.**: For Cisco Catalyst 8000V running in the autonomous mode, you can now implement a post-paid model for licenses, where you pay for the actual usage of a license instead of pre-paying for the li\n- **New mechanism to send data privacy related information**: A new mechanism to send data privacy related information was introduced. This information is no longer included in a RUM report. If data privacy is disabled (**no license smart privacy***\n- **Hostname support**: Support for sending hostname information was introduced. If you configure a hostname on the product instance and disable the corresponding privacy setting (**no license smart privacy h\n- **RUM Report Throttling**: For all topologies where the product instance initiates communication, the minimum reporting frequency is throttled to one day. 
This means the product instance does not send more than one RUM\n- **Virtual Routing and Forwarding (VRF) Support**: On a product instance where VRF is supported, you can configure the **license smart vrf** _vrf_string_ command and use a VRF to send licensing data to CSSM, or CSLU, or SSM On-Prem. **Note**\n\n### Resolved bugs (290)\n\n- CSCwq31287: Cisco IOS and IOS XE software SNMP denial of service and remote code execution vulnerability.\n- CSCwk69597: C8000V running config write memory did not persist after reload\n- CSCwn07540: C8000V crashes due to IOSXE_INFRA-2-FATAL_NO_PUNT_KEEPALIVE\n- CSCwm72099: Cisco DPDK: ICE PF driver reports MDD with DPDK v21.11 and higher versions\n- CSCwk31560: NAT command is not readable after reload\n- CSCwm78086: BFD session is down after change tloc preference with pairwise-keying enabled\n- CSCwk65071: Unexpected reboot occurs due to IOSXE-WATCHDOG DBAL EVENTS after cellular interface flap\n- CSCwm07651: An IOS XE router running as a cEdge may experience an unexpected reset due to dbgd process\n- CSCwn56474: In a pairwise-keying setup, every single BFD session up/down trigger tunnel delete and create events\n- CSCwm05395: Add event cause in IPsec vesen log\n- CSCwf77488: IOSd crash after device boot up and online\n- CSCwn07671: Tracker group with IP and DNS name tracker elements goes down when DNS query is failing\n- CSCwj92560: STCAPP command is removed from device after reload\n- CSCwm81900: CPP crashes during UTD security policy config on device\n- CSCwk03686: Crash occurs due to a segmentation fault from a negative value\n- CSCwd01261: MACsec with Non XPN cipher suite can't rekey as expected when PN reaches 75%\n- CSCwn20614: After you change integrity-type twice, all BFD sessions are down\n- CSCwh45169: Unexpected reboot occurs while displaying information from cleared SSS sessions\n- CSCwk97930: Crash occurs when IPv6 packets with link-local source 
are forwarded to SDWAN tunnels\n- CSCwk45165: fman_fp memory leak is seen on the device\n- CSCwk37351: Unexpected reboot occurs during PVDM OIR\n- CSCwi87546: Firewall releases its session lock twice resulting in a system crash. CPP unexpectedly reboots due to QFP CPP stuck at waiting\n- CSCwn31739: Device crashes when EPC is configured on 100Gb link\n- CSCwn24226: GETVPN mismatch is seen in GMs reported across COOP due to KEK sync issue between prim & Sec KSs\n- CSCwk95044: Packet drops are observed with packet duplication enabled when the primary TLOC is shut\n- CSCwk75459: MGCP GW fails to respond with 250 OK when there's a delay from dataplane in gathering stats\n- CSCwm48755: XE NAT: Static IP NAT outside entry translates traffic only in one direction with MPLS VPN\n- CSCwm79570: Cisco IOS and IOS XE SNMP Denial of Service Vulnerabilities\n- CSCwm89600: Cisco IOS, IOS XE, and IOS XR SNMP Denial of Service Vulnerabilities\n- CSCwn19888: Cisco IOS-XE device may experience a \"qfp-ucode\" crash due to stuck thread condition\n- ... 
and 260 more\n\n### Open bugs (173)\n\n- CSCwh12416: C8000V is not loading the config from vManage generated config-group based bootstrap\n- CSCwm33545: FlexVPN - IP address assigned to spoke changes to unassigned\n- CSCwh18120: IKEv2 - diagnose feature is taking up 11% CPU when a session is coming up\n- CSCwn51758: Incoming packets are dropped with bad checksum when l2tp through IPsec encrypts tunnel\n- CSCwj79987: Device does not establish BFD sessions after upgrade\n- CSCwk89256: Speed mismatch in IOS-XE configuration after device template push\n- CSCwk31560: NAT command is not readable after reload\n- CSCwj44868: GETVPN COOP KS | Wrong Severity for Rekey acknowledgement configuration mismatch log message\n- CSCwm07651: Device crashes due to DBGD debug process\n- CSCwh74249: IPv6 PMTUD packet is fragmented at 1494 bytes\n- CSCwi34858: NETVSC VLAN sub interfaces do not pass traffic after upgrade\n- CSCwk49806: Device reboots unexpectedly due to process NHRP crash\n- CSCwi31110: Traceback seen @_nhrp_cache_delete due to negative global cache count\n- CSCwb55514: Unexpected reboot of the ESP seen after enabling **platform qos port-channel-aggregate**\n- CSCwk63722: Startup configuration fails after PKI server enablement\n- CSCwj77594: IOS XE Controller Mode - WAN IP is allowed to be configured as SYSTEM IP\n- CSCwh44418: ARP incomplete in VRF Mgmt-intf - G0/0/0 - Switch -G0\n- CSCwk75459: MGCP GW fails to respond with 250 OK when there's a delay from dataplane in gathering stats\n- CSCwf73123: BFD timers reverts to default value after negotiating correctly\n- CSCwk61133: Process IOMd memory leak due to POE TDL message\n- ... 
and 153 more\n\n## IOS-XE 26.1\n\n### New features\n\n- **Ease of set up**: Support for Microsoft HyperV on Azure Local certified servers\n- **Ease of set up**: Support for Nutanix AHV Hypervisor\n- **Ease of use**: Support for Interface speed setting of 100Gbps\n- **Upgrade**: Support for SLES 15 SP7\n- **Ease of use**: Support for Nvidia Mellanox ConnectX-7 network interface cards\n- **Software reliability**: DNS Security and increase the support for Local domain bypass scale to 256\n- **Software reliability**: Enhancements for NGFW in Policy Groups\n- **Ease of use**: One minute granularity interface statistics using Cisco Catalyst SD-WAN Manager\n- **Ease of use**: BGP Advertisement Startup Delay\n- **Software reliability**: Resilient Infrastructure\n- **Upgrade**: Advanced TLS security compliance and control\n- **Upgrade**: Dual certificate support for SIP trunk client and server functionality\n\n### Resolved bugs (12)\n\n- CSCws40263: uCode crash occurs due to Stuck Thread during NAT session DB walk\n- CSCwr30573: TLOC extension unable to program due to module boot up timing\n- CSCws89172: When start NWPI trace on multi-VRFs and send traffic, the device crashes\n- CSCwr11064: Speed test session Timeout is not clear enough to get details\n- CSCwq77458: FMAN crash is seen after FNF configuration changes\n- CSCwr00088: Add CLI to change per MPLS label CEF statistics query interval on FMAN FP\n- CSCwr06399: Certificate verify fails and ID cert not installed after reload of device, of certs with EC Key 521\n- CSCwr08462: NAT router does not respond to ARP requests\n- CSCws62501: IOSd crash seen when \"match authen-status unauthenticated\" is configured\n- CSCwr44921: Device may reload unexpectedly with reload reason: CPU Usage due to Memory Pressure exceeds threshold\n- CSCwq98154: Multicast traffic 
not forwarded over P2P DMVPN phase 1 tunnel\n- CSCwq43883: Converting L2 routed port channel to L3 is broken\n\n## Recommended upgrade path\n\nCisco recommends upgrading through Extended Releases:\n\n```\n17.6.x \u2192 17.9.x \u2192 17.12.x \u2192 17.15.x \u2192 17.18.x \u2192 26.1.x\n```\n\n### Critical changes when upgrading\n\n- **26.1.1**: Resilient Infrastructure: all insecure CLI commands are blocked by default\n  (Telnet, HTTP, FTP/TFTP, SNMPv1/v2, SSHv1, TLS 1.0/1.1, Type 0/5/7 passwords).\n  If insecure commands are present, `system mode insecure` is added automatically.\n- **17.16.1a**: ssh-rsa is disabled by default on port 22\n- **17.13.1a**: SELinux is enabled by default in Enforcing mode\n- **17.15.1a**: An absolute path is required for the `copy` command\n", "creation_timestamp": "2026-06-30T20:00:53.678823Z"}