BugZero | Cisco BugID CSCwa17933 - legacy VRF configuration referenced in AAA configu...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCwa17933 - legacy VRF configuration referenced in AAA configu...

ODD
Cisco
CSCwa17933

Cisco - Defect ID: CSCwa17933

legacy VRF configuration referenced in AAA configuration removed after upgrade to 17.05.01 or later

ODD
Cisco
CSCwa17933

Cisco - Defect ID: CSCwa17933

legacy VRF configuration referenced in AAA configuration removed after upgrade to 17.05.01 or later

Last updated on October 30th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Views: 94

Description

Symptom

When a device [switch/router/...] is running IOS-XE release 17.04.01 or earlier and has aaa server group configuration block referencing VRF to provide connectivity to TACACS+ or RADIUS server outside of the global routing table, and this VRF is configured using the ip vrf syntax, such configuration will be rejected upon upgrade to 17.05.01 or later release. This will result in the loss of connectivity to the affected TACACS+ or RADIUS server unless it is also reachable within the global routing table. The following messages will be seen on the console upon bootup [depending on whether IPv4 or IPv6 connectivity towards TACACS+ or RADIUS server is used] IPv4 Table-id not existing for tacacs sg VRF, config may fail IPv6 table-id not existing for tacacs sg VRF, config may fail IPv4 Tableid not existing for radius sg VRF, config may fail IPv6 Tableid not existing for radius sg VRF config may fail

Conditions

- device is running IOS-XE release 17.04.01 or earlier - aaa server group configured for RADIUS or TACACS+ servers is using VRF to provide connectivity to the server(s) - VRF is configured using the ip vrf syntax If these conditions are met, and the device is upgraded to 17.05.01 or later release, the VRF configuration under the aaa group server configuration block will be rejected. This will result in the loss of connectivity to the affected TACACS+ or RADIUS server unless it is also reachable within the global routing table.

Workaround

Convert the VRF configuration from the ip vrf syntax to the vrf definition syntax vrf upgrade-cli multi-af-mode non-common-policies vrf or vrf upgrade-cli multi-af-mode common-policies vrf

Further Problem Description

A sample of the problematic configuration could look like this: ! aaa new-model aaa group server radius server-private key ip vrf forwarding aaa group server tacacs+ server-private key ip vrf forwarding ! ip vrf VRF_NAME ! This configuration has been accepted and works fine in IOS-XE releases up to 17.04.01. Starting from the 17.05.01 release, additional validation of the supplied VRF is performed in AAA code, and if the VRF referenced within the aaa group server configuration block does not exist, the line is rejected. The reason for this rejection upon bootup is that VRF is configured using the ip vrf syntax is located below the aaa group server configuration block, and thus, at the time when AAA code is validating the supplied VRF, such VRF has not been created yet.

Relevant Products

Click on a version to see all relevant bugs

Affected versions:Bengaluru-17.5.1, Bengaluru-17.6.1

Fixed versions: 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.1y, 17.12.1z, 17.12.1z1, 17.12.1z2, 17.12.1z3, 17.12.1z4, 17.12.2, 17.12.2a, 17.12.3, 17.12.3a, 17.12.4, 17.12.4a, 17.12.4b, 17.12.5, 17.12.5a, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.1b, 17.15.1w, 17.15.1x, 17.15.1y, 17.15.2, 17.15.2a, 17.15.2b, 17.15.2c, 17.15.3, 17.16.1, 17.16.1a, 17.17.1, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.6.7, 17.6.8, 17.6.8a, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, 17.9.5c, 17.9.5d, 17.9.5e, 17.9.5f, 17.9.6, 17.9.6a, 17.9.6b, 17.9.7, 17.9.7a, Cupertino-17.8.1

Relevant Products

Click on a version to see all relevant bugs

Affected versions:Bengaluru-17.5.1, Bengaluru-17.6.1

Fixed versions: 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.1y, 17.12.1z, 17.12.1z1, 17.12.1z2, 17.12.1z3, 17.12.1z4, 17.12.2, 17.12.2a, 17.12.3, 17.12.3a, 17.12.4, 17.12.4a, 17.12.4b, 17.12.5, 17.12.5a, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.1b, 17.15.1w, 17.15.1x, 17.15.1y, 17.15.2, 17.15.2a, 17.15.2b, 17.15.2c, 17.15.3, 17.16.1, 17.16.1a, 17.17.1, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.6.7, 17.6.8, 17.6.8a, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, 17.9.5c, 17.9.5d, 17.9.5e, 17.9.5f, 17.9.6, 17.9.6a, 17.9.6b, 17.9.7, 17.9.7a, Cupertino-17.8.1

Top Cisco Defects

9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions
9.7Defect ID: CSCwf80292
ISE cannot retrieve a peer certificate during EAP-TLS authentication
9.7Defect ID: CSCvd48893
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Ready to prevent the next vendor outage?

Change history

2025-07-08 Added: Bengaluru-17.5.1, Bengaluru-17.6.1

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise