This document discusses several bugs found in various networking devices and products. For each bug, it provides details about the issue and asks how test cases could be designed to catch the bug, why it was not caught internally, and what test strategies could cover it. It aims to analyze customer-found bugs to improve testing methods.
Why we didn't catch that
1. Catch Me If You Can
Customer Found Bug Analysis
Liang Gao
2.
3. Analyzing Customer-Found Bugs is Good
• Why we didn’t find it through our internal testing
• What test case can be designed to catch that
• What kind of test strategy can cover that
• How can we make sure we can catch this kind of bug from now on
4. Bug
• Title: When an IPv6 packet whose version field is 0 is sent to a certain firewall while snoop is turned on on the firewall, the firewall reboots.
• How would you design a test case?
• Why was it not caught internally?
• What kind of test strategy can cover this?
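One way to turn this report into a repeatable negative test, as an added example that is not part of the original slides: a header check that runs before any decode or snoop code, plus a sweep over every value of the version field. The function names are hypothetical, the checker stands in for the firewall's own decode path, and the baseline header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40

enum pkt_verdict { PKT_OK, PKT_TOO_SHORT, PKT_BAD_VERSION, PKT_BAD_LENGTH };

/* Validate the fixed IPv6 header before any decode or snoop/trace code
 * dereferences it. Jumbograms (payload length 0 plus option) are not handled. */
enum pkt_verdict ipv6_check(const uint8_t *p, size_t len)
{
    if (len < IPV6_HDR_LEN)
        return PKT_TOO_SHORT;
    if ((p[0] >> 4) != 6)                 /* version is the top 4 bits of byte 0 */
        return PKT_BAD_VERSION;
    size_t payload = ((size_t)p[4] << 8) | p[5];
    if (payload > len - IPV6_HDR_LEN)     /* claimed payload exceeds the buffer */
        return PKT_BAD_LENGTH;
    return PKT_OK;
}

/* Constructed baseline: 2001:db8::1 -> 2001:db8::2, no payload, hop limit 64. */
void make_baseline(uint8_t h[IPV6_HDR_LEN])
{
    memset(h, 0, IPV6_HDR_LEN);
    h[0] = 0x60;                          /* version 6 */
    h[6] = 59;                            /* next header: No Next Header */
    h[7] = 64;
    h[8] = 0x20; h[9] = 0x01; h[10] = 0x0d; h[11] = 0xb8; h[23] = 1;
    h[24] = 0x20; h[25] = 0x01; h[26] = 0x0d; h[27] = 0xb8; h[39] = 2;
}

/* Negative test: sweep all 16 values of the version nibble and return a bitmask
 * of the values the checker accepted. Only bit 6 may be set. */
unsigned sweep_version_field(void)
{
    uint8_t h[IPV6_HDR_LEN];
    unsigned accepted = 0;
    for (unsigned v = 0; v < 16; v++) {
        make_baseline(h);
        h[0] = (uint8_t)((v << 4) | (h[0] & 0x0f));
        if (ipv6_check(h, sizeof h) == PKT_OK)
            accepted |= 1u << v;
    }
    return accepted;
}

int main(void)
{
    uint8_t h[IPV6_HDR_LEN];
    make_baseline(h);
    h[0] &= 0x0f;                         /* the reported case: version = 0 */
    printf("version 0 verdict: %d\n", ipv6_check(h, sizeof h));
    printf("accepted versions mask: 0x%04x\n", sweep_version_field());
    return 0;
}
```

The same sweep should be repeated with each optional code path (snoop, debug, logging) switched on, since the reported reboot only appeared with snoop enabled.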
5. Bug
• Processing large fragmented IPv6 ICMP packets: the result on the firewall is "failed".
• How would you design a test case?
• Why was it not caught internally?
• What kind of test strategy can cover this?
6. Bug
• A certain network security proxy product: a web server that already sits behind a proxy cannot be accessed.
• How would you design a test case?
• Why was it not caught internally?
• What kind of test strategy can cover this?
(Diagram labels: Content secure gateway, Proxy, Web Server)
7. Bug
• After configuring 65535 RPs and the IP addresses of 1785 VLANs, issuing wr hangs the device; after a power cycle, it still cannot boot after waiting 10 minutes.
• How would you design a test case?
• Why was it not caught internally?
• What kind of test strategy can cover this?
8. Bug
• When a BGP peer group is used, a connection is still established even when the neighbor's actual AS differs from the configured AS.
9. Bugs
• A Cisco Secure Access Control Server (ACS) that is
configured to use Extensible Authentication Protocol-
Transport Layer Security (EAP-TLS) to authenticate
users to the network will allow access to any user
that uses a cryptographically correct certificate which
can be expired, or come from an untrusted
Certificate Authority (CA) and still be
cryptographically correct.
• CSCse58195. The WLC contains a bug when
processing WLAN ACLs that causes the WLAN ACL
configuration to be saved with an invalid checksum.
When the configuration is subsequently reloaded at
boot time, the checksum fails and the WLAN ACLs are
not installed.
10. Bugs
• CSCdv24925 It is possible to read stored
configuration file from the Storage Router
without any authorization.
• CSCdu45417 It is possible to halt the Storage
Router by sending a fragmented packet over
the Gigabit interface.
• CSCdv24925 An unauthorized person may
read the configuration of the Storage Router.
That may lead to unauthorized access of a
storage space.
11. Bugs
• Versions of the Cisco ACE 4710 Application
Control Engine appliance prior to software
version A1(8a) use default administrator, web
management, and device management account
credentials. The appliance and module do not
prompt users to modify system account
passwords during the initial configuration
process.
• Crafted SSH Packet Vulnerability
• Crafted SNMPv2c Packet Vulnerability
13. Boundary Testing Bugs
• 214-748-3647: the most popular phone number in the US, and the largest 32-bit signed number
• Cause: the phone number was stored in a signed 32-bit integer and the code did not check for buffer overflow
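The boundary case on this slide, as an added example that is not part of the original slides: a store routine that forces a phone number into a signed 32-bit field next to a checked variant, with a boundary test around 2147483647. The function names are hypothetical, the silent clamping behaviour is an assumption about how the field was filled, and the sample numbers are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Keep only the digits of a formatted number ("214-748-3647" -> "2147483647"). */
static size_t digits_only(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in != '\0' && n + 1 < cap; in++)
        if (isdigit((unsigned char)*in))
            out[n++] = *in;
    out[n] = '\0';
    return n;
}

/* Assumed buggy pattern: the value is forced into a signed 32-bit field and
 * anything too large is silently clamped to INT32_MAX. */
int32_t store_phone_clamped(const char *phone)
{
    char d[32];
    digits_only(phone, d, sizeof d);
    long long v = strtoll(d, NULL, 10);
    return v > INT32_MAX ? INT32_MAX : (int32_t)v;
}

/* Checked variant: 0 on success, -1 when the number is not 10 digits or does
 * not fit the 32-bit field, so the caller must reject or widen the column. */
int store_phone_checked(const char *phone, int32_t *out)
{
    char d[32];
    if (digits_only(phone, d, sizeof d) != 10)
        return -1;
    errno = 0;
    long long v = strtoll(d, NULL, 10);
    if (errno != 0 || v > INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* Boundary test: how many constructed sample numbers collapse to INT32_MAX? */
int count_collapsed(const char *const *phones, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (store_phone_clamped(phones[i]) == INT32_MAX)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample input: below, at, just above and far above the limit. */
    const char *const samples[] = { "212-555-0100", "214-748-3646",
        "214-748-3647", "214-748-3648", "415-555-0100", "907-555-0100" };
    int32_t v;
    printf("collapsed to 214-748-3647: %d of 6\n", count_collapsed(samples, 6));
    printf("checked(214-748-3648) = %d\n", store_phone_checked("214-748-3648", &v));
    return 0;
}
```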
15. Bugs
• WLC ARP Storm
• A vulnerable WLC may mishandle unicast
ARP requests from a wireless client leading
to an ARP storm. In order for the
vulnerability to be exposed, two WLCs
attached to the same set of Layer-2 VLANs
must each have a context for the wireless
client. This can occur after a Layer-3 (cross-
subnet) roam or when guest WLAN (auto-
anchor) is in use.
16. Bugs
• In a topology that uses VLAN interfaces for
intermediate router connections, PIM
register and PIM register stop messages
might loop between the intermediate
routers until the TTL count expires.
(CSCea51320)
• Hardware failures on the WS-X6548-RJ-45
module are not detected. (CSCea17192)
• A reload might occur if you configure an IP
address that is a duplicate of an IP address
17. Bugs
• With PIM dense mode configured, multicast
traffic might get dropped when all routers
have the multicast group in a pruned state
even though interested receivers are
present. (CSCea26993)
• An interface that is defined in an Enhanced
Interior Gateway Routing Protocol (EIGRP)
network statement may fail to come up in
the EIGRP topology table. This symptom is
observed after a system reload. The
occurrence of the symptom depends on the
18. Bugs
• UP and DOWN status messages may be
displayed on the console. This symptom is
observed when a leased-line configuration is
in the UP state, but the peer is not
responding. This symptom occurs because
PPP calls the interface reset vector regularly
if the peer is not responding to the PPP
attempts to communicate. This problem is
resolved in Release 12.1(19)E. (CSCdx55880)
• A redundant supervisor engine might not
reload if you enter the reload command on
the redundant supervisor engine's console or
19. Bugs
• MPLS does not work if you configure
fall-back bridging on the MPLS subinterface. This
problem is resolved in Release 12.1(19)E.
(CSCdz75507)
• Cisco routers and switches running Cisco IOS
software and configured to process Internet
Protocol version 4 (IPv4) packets are
vulnerable to a Denial of Service (DoS)
attack. A rare sequence of crafted IPv4
packets sent directly to the device may cause
the input interface to stop processing traffic
once the input queue is full. No
20. Bugs
• When an OSPF topology change occurs, an
MPLS provider edge (PE) router might not
forward IP-to-Tag traffic to some IP
destinations when it has equal cost load-
sharing paths to the IP destinations. This
problem is resolved in Release 12.1(20)E.
(CSCeb52169)
• An E3 link to an OC-12 channelized OSM
might not come up. This problem is resolved
in Release 12.1(20)E. (CSCec39689)
21. Bugs
• If you delete and recreate Frame Relay
subinterfaces in random order on OSM POS
interfaces, some traffic might be sent to the
wrong subinterface. This problem is resolved
in Release 12.1(20)E2. (CSCec67501)
• An OC-12 POS OSM might reset as a result of
memory corruption. This problem is resolved
in Release 12.1(20)E2. (CSCec59550)
• A Catalyst 6509 switch with a Supervisor
Engine 1 and an MSFC2 repeatedly reboots
22. Bugs
• After a few weeks of normal operation, an interface on a PA-MC-8E1
port adapter begins flapping and finally pauses with the output queue
stuck as follows:
• You can attach a service policy that contains invalid configuration to an
interface. If you apply a Frame Relay map-class with both input policing
and output queuing to a DLCI twice, the FlexWAN module might reload.
This problem is resolved in Release 12.1(20)E. (CSCin52060)
• Ignore messages from a 1-port multichannel STM-1 port adapter
(PA-MC-STM-1) that reports a large number of degraded minutes on an E1
controller. For example, after 15 minutes of operation since startup,
35,000,000 degraded minutes might be reported and these values
might increase every second. Code violations might also be reported.
This problem is resolved in Release 12.1(20)E. (CSCec08973)
23. Bugs
• Illegal memory accesses when a dGRE test is configured on HSSI Frame
Relay encapsulation for a FlexWAN module might cause a reload. This
problem is resolved in Release 12.1(20)E2. (CSCin29514)
• An administratively shut-down subinterface that is configured for
Frame-Relay encapsulation might forward packets. This problem is
resolved in Release 12.1(20)E3. (CSCed78803)
• With a high traffic load, PA-A3-OC3, PA-A3-T3, and PA-A3-E3 port
adapters might display an increasing "rx_no_buffer" counter in the
output of the show controllers atm privileged EXEC command and
some PVCs configured on the PA-A3 port adapter might stop receiving
traffic. This problem is resolved in Release 12.1(20)E3. (CSCin49458)
24. Bugs
• With a large number of static multicast entries configured
(approximately 8,000), some entries might not propagate to DFCs. This
problem is resolved in Release 12.1(20)E. (CSCec50577)
• With EoMPLS configured, a reload might occur if you configure a
different access VLAN on the CE-facing port. This problem is resolved in
Release 12.1(20)E. (CSCec23787)
• With QoS and Cisco IOS server load balancing (Cisco IOS SLB) configured
on a Supervisor Engine 1, a VACL configured to filter multicast traffic on
one VLAN might incorrectly be applied to multicast traffic on other
VLANs. This problem is resolved in Release 12.1(20)E. (CSCeb69582)
25. Bugs
• On WS-X6548-GE-TX and WS-X6548V-GE-TX
modules, CEF-switched Ethernet egress
packets that are less than 64-bytes long are
not padded correctly. This problem is
resolved in Release 12.1(20)E. (CSCeb47640)
• With EoMPLS configured, a reload might
occur if you configure a different access
VLAN on the CE-facing port. This problem is
resolved in Release 12.1(20)E. (CSCec23787)
• The running configuration does not show
changes in the network time protocol (NTP)
password. This problem is resolved in
26. Bugs
• When there is insufficient memory, crash information is not generated
after a Supervisor Engine reload. This problem is resolved in
Release 12.1(20)E. (CSCeb51785)
• When you enter the show policy-map interface [interface] command
on a system with a Supervisor Engine 2 and MSFC2, a system reload
may occur. This problem is resolved in Release 12.1(20)E. (CSCeb49634)
• Occasionally a bus error and reload might occur if an MPLS packet
triggers the sending of an Internet Control Message Protocol (ICMP)
packet. This problem is resolved in Release 12.1(20)E. (CSCeb27452)
27. Bugs
• An OSPF designated router does not generate a network link-state
advertisement (LSA) for a broadcast network when another interface on
the designated router has an administratively shut down interface with
a duplicate address configured with the OSPF passive-interface
command. This problem is resolved in Release 12.1(20)E. (CSCea35186)
• With Internet Group Management Protocol (IGMP) and IP Protocol
Independent Multicast (PIM) enabled, continual tracebacks might occur
when you perform an online insertion and removal (OIR) of a module.
This problem is resolved in Release 12.1(20)E. (CSCec13278)
• A reload might occur if you delete a VPN routing and forwarding (VRF)
instance while the show ip vrf vrf_name EXEC command executes. This
problem is resolved in Release 12.1(20)E. (CSCea83675)
28. Bugs
• When more than 12 VLOUs are used in a
policy attached to an interface, the entries
are expanded. If the expanded entries are for
a non-deny ACE, the entries are not
accurate. The resulting ACEs for the policy
are also inaccurate. This problem is resolved
in Release 12.1(20)E2. (CSCed47753)
• The ip pim register source command is not
supported in Release 12.1E. This problem is
resolved in Release 12.1(20)E2.
(CSCec70483)
• When fragmenting MPLS traffic, a reload
29. Bugs
• An IGMP packet flood might cause a reload.
This problem is resolved in
Release 12.1(20)E2. (CSCec39132)
• The ip pim register source command is not
supported in Release 12.1E. This problem is
resolved in Release 12.1(20)E2.
(CSCec70483)
• When fragmenting MPLS traffic, a reload
might occur after display of a "SYS-2-GETBUF"
message. This problem is resolved
30. Bugs
• With both static and dynamic Port Address Translation (PAT) configured
and if the ip nat pool inside_pool_name command has been entered for
only one IP address, the IP addresses that are used for overloading
might be used as one-to-one translations. This problem is resolved in
Release 12.1(20)E3. (CSCdx19396)
• Following a reload with a large number of active interfaces, an Open
Shortest Path First (OSPF) interface might be in the down state while
the port and the line protocol might be in the up state, which causes
missing OSPF neighbor adjacencies on the OSPF interface that is in the
down state. This problem is resolved in Release 12.1(20)E3.
(CSCeb04048)
• A reload might occur if you establish an SSHv2 session immediately after
the "Press RETURN to get started!" message appears on the console.
This problem is resolved in Release 12.1(20)E3. (CSCin48676)
31. Bugs
• OSPF area border routers (ABRs) might
continue to generate summary link-state
advertisements (LSAs) for obsolete
nonbackbone intra-area routes. This problem
is resolved in Release 12.1(20)E6.
(CSCee36622)
• If you add VLANs 1002-1005 to the allowed
VLAN list for an SSL module, the SSL module
might have a connectivity problem. This
problem is resolved in Release 12.1(22)E.
(CSCec60933)
32. Bugs
• With ISIS routing configured, an E3 or T3 port adapter might have its
neighbors flap after a reload. This problem is resolved in
Release 12.1(22)E. (CSCeb01905)
• TCP FIN and RST packets might be dropped, which causes a 3 to 4
second delay in retrieving web content, if a hardware-switched TCP
connection carrying more than 1,000 packets per second is load
balanced through IOS Firewall Load Balancing or Cisco IOS server load
balancing. This problem is resolved in Release 12.1(22)E. (CSCed38956)
• A reload because of memory corruption might occur when an IP
Security (IPsec) generic routing encapsulation (GRE) tunnel carries
multicast traffic. This problem is resolved in Release 12.1(22)E.
(CSCec06341)
33. Bugs
• HSRP packets are sent with the IP TTL field set to 2 instead of 1. This
does not affect HSRP operation because HSRP packets are sent to a
Layer 2 multicast address. This problem is resolved in Release 12.1(22)E.
(CSCuk31498)
• A reload might occur if you enter the interface
loopback interface_number interface configuration command and the
value of the interface_number argument is a 9-digit number that starts
with 10. This problem is resolved in Release 12.1(22)E. (CSCec03907)
• With high traffic levels and when the reverse forwarding path (RPF)
towards the rendezvous point and the multicast source are different,
partially hardware-switched multicast flows might not be forwarded
correctly. This problem is resolved in Release 12.1(22)E. (CSCec80654)
34. Bugs
• In IP packets with the IP options field
populated, the IP type-of-service (ToS) byte
might be truncated to a 3-bit long field. This
problem deletes 3 bits of the 6-bit DSCP
value and causes incorrect QoS operation.
This problem is resolved in
Release 12.1(22)E4. (CSCed93264)
• Multicast 127-byte UDP packets that egress
from OSM-2OC12-POS interfaces have
invalid checksums. This problem is resolved
in Release 12.1(23)E. (CSCec72798)
• The SNMP slbStickyObjectTableEntry MIB
35. Bugs
• A reload might occur if you do the following on a FlexWAN module interface:
– Attach an egress queueing policy
– Attach an ingress policy that uses the same policy-map class
– Remove the ingress policy
– Update a queueing feature in the egress policy
• A response time reporter (RTR) probe does not report input or output packets
for serial interfaces of PA-MC-8T1, PA-MC-8E1, and PA-MC-8TE1+ port adapters.
This problem is resolved in Release 12.1(23)E. (CSCee82681)
• When a Multicast Source Discovery Protocol (MSDP)-enabled rendezvous point
(RP) for a multicast group fails and an incoming (*,G) join message is received,
the RP does not build an (S,G) state from its Source-Active (SA) cache when it
should do so. Depending on the topology and if a Shortest Path Tree (SPT)
threshold is configured as infinite, this situation might result in a multicast
forwarding interruption of up to 2 minutes. This problem is resolved in
Release 12.1(23)E. (CSCee89438)
36. Bugs
• If there are more than 50 files on the flash
card, access from CiscoView Device Manager
(CVDM) might cause a reload. This problem
is resolved in Release 12.1(23)E.
(CSCef07965)
• If you change the STP root bridge, a Layer 2
loop might exist very briefly. This problem is
resolved in Release 12.1(23)E. (CSCed85411)
• Following switchover to a redundant
supervisor engine, any EtherChannels on the
newly active supervisor engine are not active
and the newly redundant supervisor engine
37. Bugs
• High traffic flow rates (for example, 60
percent or more of capacity) through a
PA-A3 ATM port adapter might cause a reload.
This problem is resolved in
Release 12.1(26)E. (CSCdy46272)
• A reload might occur if you apply egress
WAN QoS features to an ingress WAN
interface. This problem is resolved in
Release 12.1(23)E. (CSCin77116)
• When the number of routing table entries
exceeds the capacity of the hardware-
forwarding information base (FIB), the
38. Bugs
• If you enable PIM on a VLAN interface and configure a bridge group on
the VLAN interface, and then remove the PIM configuration from the
VLAN interface, EIGRP neighborships are lost. This problem is resolved
in Release 12.1(26)E. (CSCed12722)
• When an OSPF neighbor on a local IP segment has multiple interfaces
on that IP segment, OSPF installs only a single next-hop entry to routes
reachable through the OSPF neighbor, instead of multiple next-hop
entries, as required by RFC 2328. This problem is resolved in
Release 12.1(26)E. (CSCee21928)
• Policing might not be accurate for packets smaller than 82 bytes. This
problem is resolved in Release 12.1(26)E. (CSCee78451)
39. Bugs
• When you configure a static PIM rendezvous point (RP) IP address with
an ACL that specifies the groups for the RP, and there is also another RP
IP address configured without an ACL, you cannot remove the first RP IP
address from the configuration. This problem is resolved in
Release 12.1(26)E. (CSCee93574)
• When the BGP table is full on an MPLS backbone router, routing
updates or configuring additional routes might cause a reload. This
problem is resolved in Release 12.1(26)E. (CSCef49199)
• After a switchover to a redundant supervisor engine, aggregate policers
might not be applied to the interfaces where they are configured. This
problem is resolved in Release 12.1(26)E. (CSCin83227)
40. Bugs
• When an EXEC session is at the "More" prompt, the session fails to time
out. This problem is resolved in Release 12.1(26)E. (CSCef35192)
• If you are using the Open Shortest Path First (OSPF) protocol and the
Catalyst 6500 series switch or the Cisco 7600 series router is an Area
Border Router (ABR) attached to one or more not-so-stubby areas
(NSSAs), the configuration of "summary-address 0.0.0.0 0.0.0.0" can
result in the ABR default summary Link State Advertisement (LSA) being
repeatedly flushed and reoriginated in each attached NSSA. This
problem is resolved in Release 12.1(26)E2. (CSCdx83438)
• If an intermittent multicast source is inactive for 3.5 minutes, (S,G)
entries in the MSDP cache might become inconsistent with a neighbor's
cache which can cause multicast packet loss. This problem is resolved in
Release 12.1(26)E4. (CSCsb23433)
41. Bugs
• An autonomous system boundary router (ASBR) that is running Open
Shortest Path First (OSPF) and is configured with the area area_id nssa
default-information-originate command might continue to advertise a
default route in a not-so-stubby area (NSSA) even after the default
Border Gateway Protocol (BGP) route has been withdrawn and removed
from the routing table. This problem is resolved in Release 12.1(26)E5.
(CSCsc03828)
• Static routes that are redistributed into BGP display an incorrect next
hop address. This situation might cause a routing loop. This problem is
resolved in Release 12.1(26)E7. (CSCeg41727)
• A very slow memory leak might occur in the medium buffers. This
problem occurs on a system configured with a distributed EtherChannel
(DEC). When this problem occurs, MALLOCFAIL messages are displayed
in the switch processor log. This problem is resolved in
Release 12.1(26)E8. (CSCsf31542)
42. Bugs
• With a tunnel configured to use an ATM interface, one end of the tunnel
cannot ping the other end until you bring either end of the tunnel
interface down and up. This problem is resolved in Release 12.1(26)E8.
(CSCse40423)
• Port 2 or port 4 on a WS-X6816-GBIC switching module might go up and
down when port 1 is enabled, not connected, and set to autonegotiate.
This problem occurs if a 1000BASE-T GBIC was ever inserted since the
last time the module was reloaded. This problem is resolved in
Release 12.1(26)E8. (CSCse12195)
• A Multilink PPP (MLP) link does not forward traffic when MLP is
configured on an interface of a FlexWAN port adapter, or an Enhanced
FlexWAN PA. This problem is resolved in Release 12.1(27b)E.
(CSCeb07656)
43. Bugs
• A reload occurs when you delete a policy
map that was attached in both the in and out
direction. This problem is resolved in
Release 12.1(27b)E. (CSCsb29774)
• For multicast flows, the PFC does not provide
Layer 3 switching on output interfaces with
MTU sizes smaller than the flow's input
interface MTU size.
• When a redundant supervisor engine is in
standby mode, the Ethernet ports on the
44. Bugs
• You cannot configure the MTU size on VLAN
interfaces. For Supervisor Engine 2, this
problem is resolved in Release 12.1(8a)E. For
Supervisor Engine 1, this problem is resolved
in Release 12.1(7)E. (CSCdr62024)
• For multicast flows, the PFC does not provide
Layer 3 switching on output interfaces with
MTU sizes smaller than the flow's input
interface MTU size.
• When a redundant supervisor engine is in