Cisco ASR903 – BiDi Optical Transceivers

Posted February 20, 2018
in Technical Questions
Edgeoptic Team

Problem

When you install a BiDi (BX-U / BX-D) or other third-party SFP transceiver in a Cisco ASR903, the router may log the following warning:

GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port 8

This syslog message means the ASR903’s GBIC security subsystem could not cryptographically verify the transceiver as a genuine Cisco-certified module. Third-party and BiDi SFP modules trigger this because they do not carry Cisco’s authentication credentials in their EEPROM. The affected port may be placed into errdisable state, taking the link down.

Prerequisites

IOS-XE 3.x or later on the ASR903 (verify with show version). Availability of the service unsupported-transceiver command depends on your IOS-XE release; confirm with service unsupported-transceiver ? in config mode.

Privilege level 15 (enable mode) access to the router.

If using BiDi SFPs: confirm you have matched pairs — BX-U on one end and BX-D on the other. Installing the same variant on both ends of a link will result in no connectivity even after applying the fix below.

Solution

Enter global configuration mode and apply the following commands:

enable
configure terminal

Step 1 — Allow third-party transceivers:

service unsupported-transceiver

This tells IOS-XE to accept transceivers that fail Cisco’s cryptographic authentication check.

Step 2 — Prevent ports from entering errdisable:

no errdisable detect cause gbic-invalid

This stops the router from shutting down ports when it detects a non-authenticated GBIC/SFP module.

Step 3 — Enable error recovery as a fallback:

errdisable recovery cause gbic-invalid
errdisable recovery interval 300

If a port was already in errdisable state before Step 2, this enables automatic recovery every 300 seconds (the default interval). Using cause gbic-invalid instead of cause all limits the scope to GBIC-related events only.

Step 4 — Save the configuration:

end
copy running-config startup-config

Without this step, all changes will be lost on the next router reload.

Step 5 — Verify the fix:

show interfaces transceiver
show log | include GBIC

Confirm the transceiver is enumerated and no new GBIC_SECURITY_CRYPT warnings appear. For BiDi links, also verify the link is up with show interfaces [interface-id] status.
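
Because Steps 1 to 3 change router-wide settings, it helps to record which of them are active and which ports have reported unauthenticated modules. The following Python check is an added example, not part of the original article or any Cisco tooling: it reads saved text from show running-config and show log | include GBIC. The function names, sample hostname, interface, timestamps and the leading % on the log lines are constructed assumptions.

```python
import re

# Constructed sample input (not captured from a real router).
SAMPLE_CONFIG = """\
hostname asr903-lab
service unsupported-transceiver
no errdisable detect cause gbic-invalid
errdisable recovery cause gbic-invalid
interface GigabitEthernet0/0/8
 description BiDi uplink
"""

SAMPLE_LOG = """\
Feb 20 10:01:12: %GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port 8
Feb 20 10:01:15: %GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port 8
Feb 20 10:07:40: %GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port 11
"""

MISMATCH_RE = re.compile(
    r"GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port (\S+)")

def audit_config(config_text):
    """Report which of the article's global settings are present."""
    # Global commands start in column 0; indented lines belong to sub-modes.
    lines = {l.strip() for l in config_text.splitlines() if l and not l[0].isspace()}
    interval = 300  # the article's stated default when no interval line is shown
    for l in lines:
        m = re.fullmatch(r"errdisable recovery interval (\d+)", l)
        if m:
            interval = int(m.group(1))
    return {
        "auth_check_bypassed": "service unsupported-transceiver" in lines,
        "errdisable_detect_off": "no errdisable detect cause gbic-invalid" in lines,
        "recovery_gbic": "errdisable recovery cause gbic-invalid" in lines,
        "recovery_all": "errdisable recovery cause all" in lines,  # broader than Step 3
        "recovery_interval_s": interval,
    }

def mismatch_ports(log_text):
    """Count ID_MISMATCH warnings per port from 'show log | include GBIC' text."""
    counts = {}
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(mismatch_ports(SAMPLE_LOG))
```

Ports listed by mismatch_ports that you did not populate with third-party optics yourself are worth a physical check, since the router no longer rejects them.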

Important Notes

BiDi wavelength pairing: BX-U transmits at 1310 nm and receives at 1490 nm. BX-D is the reverse. Always install complementary pairs on opposite ends of the fiber. Two BX-U or two BX-D modules on the same link will not establish a connection.

Scope of the fix: The service unsupported-transceiver command and no errdisable detect cause gbic-invalid apply to all ports on the router, not just BiDi ports. Any third-party transceiver in any slot will be accepted after this change.

Platform applicability: While this article targets the ASR903, the same commands and behavior apply to other Cisco IOS-XE platforms including the ASR920, NCS520, and Catalyst 9000 series.

FAQ:

Does service unsupported-transceiver affect all ports on the Cisco ASR903?

Yes. The command is applied globally in IOS-XE configuration mode and affects every SFP/GBIC port on the router. Any third-party or non-Cisco-authenticated transceiver will be accepted after this change, not just BiDi modules.

Will I lose my configuration after a reload?

Yes, if you do not save. After applying the commands, run "copy running-config startup-config" or "write memory" to persist the changes. Without this step, the router reverts to its previous configuration on the next reload and the GBIC_SECURITY_CRYPT-4-ID_MISMATCH warnings will return.

Can I use the same BiDi SFP type on both ends of the link?

No. BiDi SFPs must be installed as matched pairs: BX-U (transmits 1310 nm, receives 1490 nm) on one end and BX-D (transmits 1490 nm, receives 1310 nm) on the other. Installing two BX-U or two BX-D modules will result in no link, even after applying the unsupported transceiver fix.

Does this fix work on other Cisco IOS-XE platforms besides the ASR903?

Yes. The same commands apply to other IOS-XE platforms including the ASR920, NCS520, ME3400 series, and Catalyst 9000 series. The GBIC security behavior and the service unsupported-transceiver command are consistent across IOS-XE.
