Table Of Contents
Release Notes for Cisco Router and Security Device Manager Version 2.2
Supported Network Modules, WICs, Port Adapters, and Service Adapters
Web Browser Versions and Java Runtime Environment Versions
New Features Supported in SDM Version 2.2
Cisco 1700 Routers Running ITS/CCME and Cisco IOS Release 12.2(13)T
Downloading SDM from Cisco.com and Installing It on the Router
Upgrading to a New SDM Release
Restrictions for Cisco 7204VXR, 7206VXR, and 7301 Routers
SDM IPS User Guide Discontinued for SDM 2.2
SDM May Lose Connection to Network Access Device
SDM on PC May Not Launch under Windows XP with Service Pack 2
Popup Blockers Disable SDM Online Help
Routers Shipped with SDM Do Not Execute the Standard Cisco IOS Startup Sequence
Unable to Perform "squeeze flash:" Operation
Security Alert Dialog May Remain After SDM Launches
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Router and Security Device Manager Version 2.2
April 5, 2006
These release notes support Cisco Router and Security Device Manager version 2.2. They should be used with the documents listed in the "Related Documentation" section. These release notes are updated as needed.
Contents
This document contains the following sections:
• Cisco Product Security Overview
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
Introduction
Cisco Router and Security Device Manager (SDM) is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Admission Control (NAC), Network Address Translation (NAT), firewalls, Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and other features on the router. SDM version 2.1 and later can be installed on a PC, or in router flash, disk, or slot memory. Earlier versions of SDM cannot be installed on PCs, but can be installed in router flash, disk, or slot memory. If you have a router listed in the "Hardware Supported" section, SDM may be preinstalled in router memory, or may be shipped on a CD with the router.
System Requirements
This section contains SDM system requirements.
Memory Requirements
A minimum of 5.2 MB of free router memory is required to support Cisco SDM files. 2 MB of router memory is required to support Cisco SDM Express files. The Wireless Management application requires an additional 2 MB.
Cisco SDM installed on a PC requires 5.2 MB of memory.
Table 2 lists the files that are included with Cisco SDM, Cisco SDM Express, and the Wireless Management application.
Hardware Supported
This section lists the hardware that SDM supports.
Note
SDM does not support Telco/CO router models.
SDM is supported on the following Cisco SB100 series routers:
• Cisco SB101
• Cisco SB106
• Cisco SB107
SDM is supported on the following Cisco 800 series routers:
• Cisco 831
• Cisco 836
• Cisco 837
• Cisco 851
• Cisco 857
• Cisco 871
• Cisco 876
• Cisco 877
• Cisco 878
SDM is supported on the following Cisco 1700 series routers:
• Cisco 1701
• Cisco 1710
• Cisco 1711
• Cisco 1712
• Cisco 1721
• Cisco 1751
• Cisco 1751-v
• Cisco 1760
• Cisco 1760-v
SDM is supported on the following Cisco 1800 series routers:
• Cisco 1801
• Cisco 1802
• Cisco 1803
• Cisco 1811
• Cisco 1812
• Cisco 1841
SDM is supported on the following Cisco 2600 series routers:
• Cisco 2610XM
• Cisco 2611XM
• Cisco 2620XM
• Cisco 2621XM
• Cisco 2650XM
• Cisco 2651XM
• Cisco 2691
SDM is supported on the following Cisco 2800 series routers:
• Cisco 2801
• Cisco 2811
• Cisco 2821
• Cisco 2851
SDM is supported on the following Cisco 3600 series routers:
• Cisco 3620
• Cisco 3640
• Cisco 3640A
• Cisco 3661
• Cisco 3662
SDM is supported on the following Cisco 3700 series routers:
• Cisco 3725
• Cisco 3745
SDM is supported on the following Cisco 3800 series routers:
• Cisco 3825
• Cisco 3845
SDM is supported on the following Cisco 7000 series routers:
• Cisco 7204VXR
• Cisco 7206VXR
• Cisco 7301
Supported Network Modules, WICs, Port Adapters, and Service Adapters
SDM supports configuration on the following network modules:
• NM-1E
• NM-4E
• NM-4T
• NM-2W
• NM-1E2W
• NM-1FE2W
• NM-1FE2W-V2
• NM-1FE-FX-V2
• NM-2E2W
• NM-2FE2W
• NM-2FE2W-V2
• NM-1FE-FX
• NM-1FE-TX
• NM-4A/S (synchronous only)
• NM-8A/S (synchronous only)
• NM-CIDS-K9
• NM-16ESW
• NM-36ESW
SDM supports only Ethernet configuration on the following network modules:
• NM-1E1R2W
• NM-1FE1R2W
• NM-1FE1CE1U
• NM-1FE2CE1B
• NM-1FE1CE1B
• NM-1FE2CE1U
• NM-1FE1CT1
• NM-1FE2CT1
• NM-1FE1CT1-CSU
• NM-1FE2CT1-CSU
SDM supports the following EtherSwitch Service Modules:
• NME-16ES-1G-P
• NME-X-23ES-1G-P
• NME-XD-24ES-1S-P
• NME-XD-48ES-2S-P
SDM supports the following WAN interface cards:
• WIC-1T
• WIC-2T
• WIC-2A/S (Frame Relay, PPP, HDLC, no asynchronous)
• WIC-1DSU-T1
• WIC-1ADSL
• WIC-1ENET
• WIC-1SHDSL
• WIC-1DSU-T1-V2
• WIC-1B-S/T
• WIC-1B-S/T-V3
• WIC-1AM
• WIC-2AM
• WIC-4ESW
• WIC-1SHDSL-V2
SDM supports the following high-speed WAN interface cards (HWICs):
• HWIC-4T
• HWIC-4A/S
• HWIC-8A/S-232
• HWIC-4ESW
• HWICD-9ESW
• HWIC-AP-G-X
• HWIC-AP-AG-X
• HWIC-ADSL-B/ST
• HWIC-ADSLI-B/ST
• HWIC-1ADSL
• HWIC-1ADSLI
SDM supports the following advanced integration modules (AIMs):
• AIM-VPN/BP
• AIM-VPN/BP II
• AIM-VPN/BPII-PLUS
• AIM-VPN/HP
• AIM-VPN/HP II
• AIM-VPN/HPII-PLUS
• AIM-VPN/EP
• AIM-VPN/EP II
• AIM-VPN/EPII-PLUS
SDM supports the following port adapters on Cisco 7000 routers:
• PA-2FE-TX
• PA-2FE-FX
• PA-8E
• PA-4E
SDM supports the following service adapters on Cisco 7000 routers:
• SA-VAM
• SA-VAM2
• SA-VAM2+
SDM also supports the MOD-1700VPN.
PC System Requirements
SDM is designed to run on a personal computer that has a Pentium III or faster processor.
Software Supported
This section describes SDM software requirements.
Cisco IOS Images
SDM is compatible with the Cisco IOS images listed in Table 1.
Note
SDM supports the IOS Intrusion Prevention System (IPS). In order to be able to use SDM to configure IOS-IPS, the router must run an IOS image of Release 12.3(8)T4 or later.
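The version check in this note can be automated. The script below is an added example written for these release notes; it is not Cisco code and not part of SDM. It pulls the version string out of show version output (the command is described in the next section) and tests it against 12.3(8)T4. The ordering rule it applies across release trains is the example's own assumption: a higher major.minor number is accepted, and within the same major.minor the train letters must match, because maintenance numbers of different trains are not comparable. The embedded sample output is the 1700 line quoted in these notes plus one constructed line.

```python
import re
from typing import NamedTuple, Optional


class IosVersion(NamedTuple):
    """One Cisco IOS version, e.g. 12.3(8)T4 -> (12, 3, 8, "T", 4)."""
    major: int
    minor: int
    maintenance: int
    train: str      # release train letters ("T", "ZH", ...); "" for mainline
    rebuild: int    # trailing rebuild number; 0 when absent


# Matches "Version 12.2(13)ZH" or "Version 12.3(8)T4" inside show version output.
# Interim builds such as 12.3(10.2) deliberately do not match and yield None.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")


def parse_show_version(output: str) -> Optional[IosVersion]:
    """Return the IOS version found in show version output, or None."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train, int(rebuild or 0))


def parse_version_string(text: str) -> IosVersion:
    """Parse a bare version string such as "12.3(8)T4"."""
    v = parse_show_version("Version " + text)
    if v is None:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    return v


# Minimum image for configuring IOS IPS through SDM, from the note above.
IPS_MINIMUM = parse_version_string("12.3(8)T4")


def meets_minimum(running: IosVersion, minimum: IosVersion = IPS_MINIMUM) -> bool:
    """True if `running` is `minimum` or later.

    Assumption made by this example (not a Cisco rule): a higher major.minor
    is always accepted; within the same major.minor the train letters must
    match, since maintenance numbers of different trains are not comparable.
    """
    if (running.major, running.minor) != (minimum.major, minimum.minor):
        return (running.major, running.minor) > (minimum.major, minimum.minor)
    if running.train != minimum.train:
        return False
    return (running.maintenance, running.rebuild) >= (minimum.maintenance, minimum.rebuild)


# Sample output. The first is the 1700 line quoted in these release notes;
# the second is constructed for this example.
SAMPLE_1700 = """router> show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH, RELEASE SOFTWARE (fc1)
"""
SAMPLE_CONSTRUCTED = """Router> show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.3(11)T2, RELEASE SOFTWARE (fc1)
"""


def ips_supported(output: str) -> bool:
    """Does this show version output allow IOS IPS to be configured via SDM?"""
    v = parse_show_version(output)
    return v is not None and meets_minimum(v)


if __name__ == "__main__":
    for sample in (SAMPLE_1700, SAMPLE_CONSTRUCTED):
        print(parse_show_version(sample), "IPS via SDM:", ips_supported(sample))
```

Paste the full show version output into parse_show_version; only the Version token is read, so the rest of the banner does not matter. Interim images return None rather than a wrong answer, which is the safer failure for a gating check.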
Determining the Cisco IOS Software Version
To determine the release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command shows the version number on the second output line:
router> show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH
Web Browser Versions and Java Runtime Environment Versions
SDM can be used with the following browsers:
• Firefox version 1.0.6
• Internet Explorer version 5.5 and later
• Netscape version 7.1 and version 7.2
SDM requires Sun Java Runtime Environment (JRE). The following versions are supported:
• JRE 1.4.2_08
• JRE 1.5.0_04
Although the SDM application requires JRE to run, the Cisco SDM Express application included with SDM can run under the native Java Virtual Machine in the supported browsers, as well as with JRE.
PC Operating System Versions
SDM can be run on a PC running any of the following operating systems:
• Microsoft Windows XP Professional
• Microsoft Windows 2003 Server (Standard Edition)
• Microsoft Windows 2000 Professional with Service Pack 4
• Microsoft Windows ME
• Microsoft Windows NT 4.0 Workstation with Service Pack 4
Note
Windows 2000 Advanced Server is not supported.
SDM version 2.2 is available only in English. SDM version 2.1.2 is available in six additional languages: Japanese, Simplified Chinese, French, German, Spanish and Italian. SDM version 2.1.2 supports full SDM functionality released prior to SDM 2.2. New functionality introduced in SDM 2.2 is currently under development for these languages and will be available shortly. If you want to use SDM version 2.1.2 in one of these languages, your PC must run one of the following operating systems:
• Microsoft Windows XP Professional with Service Pack 2 or later
• Microsoft Windows 2000 Professional with Service Pack 4 or later
Refer to the Release Notes for Cisco Router and Security Device Manager Version 2.1.2 for more information. See Related Documentation to learn how to obtain these release notes.
New and Changed Information
This section contains information that is new or that has changed since the previous release.
New Features Supported in SDM Version 2.2
This release of SDM supports the following new features:
• Application Security—SDM allows you to inspect traffic by application, as well as by network protocol. You can specify what the router is to do when it encounters traffic from the applications that you identify. SDM also offers low, medium and high application security policies that you can apply to router interfaces when completing the basic and the advanced firewall wizards. The Application Security feature also offers Granular Protocol Inspection, also described in this list.
• Network Admission Control (NAC)—NAC enables the router to control the use of the local network by local hosts, based on their virus protection status. When given a NAC configuration, the router can use NAC policy servers to determine host status, and user-defined policies to determine what action to take, including directing hosts to virus remediation sites. You can configure exception lists to specify the hosts that are to be exempted from the NAC validation process, and you can list the hosts that do not have posture agent software installed.
• Granular Protocol Inspection (GPI)—GPI allows you to have the router inspect Cisco IOS-recognized TCP and UDP protocols. GPI works with Port-to-Application Mapping, also described in this feature list.
• Dynamic DNS—SDM supports client-mode DDNS, enabling the router to update a DNS server when a router interface IP address changes.
• NAT wizards—You can configure NAT rules using the basic or the advanced NAT wizard. After you configure a rule with the wizard, you can use the Edit screens to make additional changes to it.
• Port-to-Application Mapping (PAM)—Network applications typically accept traffic on registered, well-known port numbers, and the router uses those port numbers by default. For example, FTP typically uses port 21. When applications are configured to use nonstandard ports, the router must be given the mapping between the application and the port number that it uses. PAM enables you to create these mappings for the router. You can create mappings on a host or network basis, and if the application is configured to use a range of port numbers, you can create a mapping between the application and that port number range.
• Search function—You can now search for SDM features by entering the feature name on the toolbar and clicking Search.
• Switch Module support—SDM allows you to configure switchport VLANs and VLAN subinterfaces, and you can launch the eXpresso switch module management application from the SDM toolbar.
• Support for new High-speed WAN Interface Cards (HWICs)—The HWIC-ADSL-B/ST, HWIC-ADSLI-B/ST, HWIC-1ADSL, and HWIC-1ADSLI interface cards are supported.
• USB Flash and Token support—SDM can detect the presence of USB flash and USB token devices on the router, and can use configuration files and digital certificates stored on those types of devices.
• DHCP Enhancements—SDM allows you to bind a particular IP address from a DHCP pool to a host MAC address that you specify.
• Easy VPN Remote enhancements—SDM now supports web intercept, RSA signatures, dial backup, VLAN subinterfaces, multiple routed subnets, traffic-triggered tunnel activation, and mode-configured addresses for device access.
• Easy VPN Server enhancements—SDM now allows you to do the following: create a banner to display to Easy VPN Remote clients when they log on to the server; provide for automatic updates by specifying an IOS image location and revision level; ensure consistency in client configuration via a configuration push feature; provide browser proxy server information to clients. In this release, SDM also supports split DNS, which allows remote clients to use an internal DNS server to resolve hosts with specific domain names, Perfect Forward Secrecy (PFS) push to remote clients, netmask support, the restriction of Easy VPN connections to specific interfaces, the setting of an IP Security (IPsec) idle timer, and group policies using a single AAA server.
• Easy VPN Troubleshooting enhancements—This feature has been enhanced to support the new Easy VPN Remote and Easy VPN Server enhancements.
• Intrusion Prevention System (IPS) enhancements—IPS is integrated into the main SDM application, and includes an IPS rule wizard and a signature import wizard. IPS now also supports Trend Micro signature engines.
SDM Files
This section describes the files used in SDM version 2.2.
Table 2 describes the files that SDM and SDM applications use.
Installation Notes
This section contains important information regarding installation and upgrades to SDM.
Cisco 1700 Routers Running ITS/CCME and Cisco IOS Release 12.2(13)T
If you are installing SDM on a router that already has the Internet Telephony Service (ITS) or Cisco Call Manager Express (CCME) application installed in flash memory, you may exceed the number of files allowed in flash memory by installing SDM. Cisco 1700 routers using a Cisco IOS Release 12.2(13)T image cannot have more than 32 files in flash memory.
Before installing SDM, you must delete any unneeded files from flash memory. If no files can be deleted, do not install SDM on the router.
Downloading SDM from Cisco.com and Installing It on the Router
If SDM is not currently installed on the router, the document Downloading and Installing Cisco Router and Security Device Manager (SDM) explains how to download SDM from Cisco.com and install it on the router. To obtain this document, go to the following URL:
Upgrading to a New SDM Release
If a version of SDM later than version 1.0 is already installed on the router, you should use the SDM automatic update feature to install the latest files on the router. SDM automatically checks Cisco.com for more recent versions of SDM, downloads them to your PC, removes the old SDM files from memory, runs the squeeze flash: command if necessary, and copies the latest files to the router. The update feature is available from the Tools menu. Choose Tools > Update SDM > Update from CCO.
If you are currently using SDM version 1.0, you must download the file SDM-Vnn.zip at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
The document Downloading and Installing Cisco Router and Security Device Manager (SDM) explains how to install SDM and all related files on the router. This document is available at the following URL:
Click Install and Upgrade in the Technical Documentation and Tools box, and then click Install and Upgrade Guides.
Uninstalling SDM Files
If you want to remove SDM from flash memory or from a router disk file system, you can do so by logging onto the router and completing the following steps in EXEC mode:
Step 1
Change to the directory in which the SDM files are located.
If the router has a flash file system, use the following command:
router# cd flash:
If the router has a disk file system, use the following command:
router# cd diskN:
Replace N with the actual number of the disk. Use the slot keyword instead of the disk keyword if necessary.
Step 2
Use the delete command to remove the SDM files. The example below deletes the file sdm.tar:
router# delete sdm.tar
Delete filename [sdm.tar]?
Delete flash:sdm.tar? [confirm]
Press Return to confirm the deletion.
Step 3
Use the delete command to remove the remaining SDM files. The "SDM Files" section lists the files used by SDM.
Step 4
Reclaim memory space by using the squeeze flash: command:
router# squeeze flash:
It is not necessary to use the squeeze flash: command on DOS-based file systems.
SDM version 2.1 or later can be installed on your PC. To remove SDM from your PC, complete the following steps:
Step 1
Click Start > Programs > Cisco Systems > Cisco SDM > Uninstall to launch the Uninstall program.
Step 2
When the message "Do you want to remove the selected applications and all of its features?" appears, click Yes.
Step 3
When the Uninstallation Complete screen is displayed, click Finish.
Restrictions and Limitations
This section describes restrictions and limitations that may apply to SDM.
SDM Minimum Screen Resolution
SDM requires a screen resolution of at least 1024 x 768.
Restrictions for Cisco 7204VXR, 7206VXR, and 7301 Routers
The following restrictions apply to SDM running on Cisco 7204VXR, 7206VXR, and 7301 Routers:
• The SDM Express application is not supported.
• WAN configuration is not supported. SDM supports configuration of Ethernet and Fast Ethernet interfaces.
• The SDM Reset feature is not available.
• No SDM-default configuration file is supplied.
Important Notes
This section contains important information for SDM.
SDM IPS User Guide Discontinued for SDM 2.2
The SDM IPS application has been merged with SDM version 2.2. Instructions for using IPS are included in the Cisco Router and Security Device Manager Version 2.2 User's Guide. No SDM IPS User's Guide has been published for this release.
SDM May Lose Connection to Network Access Device
This note concerns the NAC feature.
If the PC used to invoke SDM returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between SDM and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke SDM from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
• Ensure that the PC that you use to invoke SDM attains a posture token which has an associated group policy on the ACS server that is not configured with a redirect URL.
• Alternatively, use SDM to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke SDM. Note that the exception list entry created for the PC should be associated to an exception policy which does not have a redirect URL configured in it.
For more information, refer to the links in the SDM NAC online help pages.
SDM on PC May Not Launch under Windows XP with Service Pack 2
When SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer may display HTML source code when you attempt to launch SDM. To fix this problem, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch SDM. Note that this setting relaxes the Local Machine zone lockdown that Service Pack 2 introduced for all local HTML files, not only for SDM, so consider clearing it again when you have finished using SDM.
Popup Blockers Disable SDM Online Help
If you have enabled popup blockers in the browser you use to run SDM, SDM online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run SDM. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.
Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.
If you have not installed a separate popup blocker and Internet Explorer itself is blocking popups, go to Tools > Internet Options > Privacy and uncheck the Block pop-ups checkbox.
Disable Proxy Settings
SDM will not start when run under Internet Explorer with proxy settings enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.
Routers Shipped with SDM Do Not Execute the Standard Cisco IOS Startup Sequence
Because a default configuration file is provided on a router shipped with SDM, the router will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.
To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using SDM. Please refer to the router quick start guide and to the SDM FAQ (available at http://www.cisco.com/go/sdm) for information about the minimum configuration required for using SDM.
Step 1
Connect the light blue console cable, included with the router, from the blue console port on the router to a serial port on your PC. See the router hardware installation guide for instructions.
Step 2
Connect the power supply to the router, plug the power supply into a power outlet, and turn on the router. See the router quick start guide for instructions.
Step 3
Use a terminal emulation program on your PC, with the terminal emulation settings 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to the router.
Step 4
At the prompt, enter the enable command, and enter the password cisco. This is the default password in the configuration supplied with SDM; change it before the router goes into service.
yourname> enable
Password: cisco
yourname#
Step 5
Enter the erase startup-config command.
yourname# erase startup-config
Step 6
Confirm the command by pressing Enter.
Step 7
Enter the reload command.
yourname# reload
Step 8
Confirm the command by pressing Enter.
After the router completes the reload operation, it enters into the standard Cisco IOS startup sequence. You can use the startup sequence to give the router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use SDM to change an existing configuration, refer to the instructions on starting SDM included in the quick start guide for the router.
Unable to Perform "squeeze flash:" Operation
If the router is using a Cisco IOS image earlier than release 12.3T, or release 12.2(13)ZH, it may be necessary to use the squeeze flash: command to reclaim flash memory after repeated use of SDM. If this becomes necessary, SDM will inform you that the squeeze flash: command must be used, and will execute the command upon your confirmation.
However, the squeeze flash: command will not work if an erase flash: command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash: command.
Executing the erase flash: command removes SDM and the Cisco IOS image from the router flash memory, and you will lose your connection to the router. Complete the following steps to save files in flash memory, execute erase flash:, and copy the files back so you can reconnect to SDM.
Step 1
Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in memory.
Step 2
Prepare a TFTP server to which you can save files and copy them over to the router. You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program.
Step 3
Open a Telnet session to the router so that you can use the CLI.
Step 4
Save the router's running configuration to the startup configuration by entering the command copy running-config startup-config.
Step 5
Use the copy command to copy the Cisco IOS image and the SDM files from flash memory to a TFTP server:
copy flash:filename tftp://tftp-server-address/filename
For example:
Router# copy flash:sdm.tar tftp://10.10.10.3/sdm.tar
Table 2 lists the files SDM uses.
Tip
If you prefer to download a Cisco IOS image, and the SDM-Vnn.zip file, follow these instructions to use an Internet connection to download an SDM-supported Cisco IOS image, and the SDM-Vnn.zip file.
a.
Click the following link to obtain a Cisco IOS image from the Cisco Software Center:
http://www.cisco.com/kobayashi/sw-center
b.
Obtain an image that supports the features you want, from Cisco IOS Release 12.2(11)T or later. Save the file to a TFTP server that is accessible from the router.
c.
Use the following link to obtain the latest SDM-Vnn.zip file.
http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
d.
Extract the SDM files from SDM-Vnn.zip.
e.
Click the setup.exe file to start the SDM installation wizard.
Step 6
From the PC, log in to the router using Telnet, and enter Enable mode.
Router> enable
Password:
Router#
Step 7
Enter the command erase flash:, and confirm. The router's IOS image, configuration file, and the SDM files are removed from flash memory.
Step 8
Use the copy tftp command to copy the IOS image and the SDM files from the TFTP server to the router:
copy tftp://tftp-server-address/filename flash:
Example:
Router# copy tftp://10.10.10.3/sdm.tar flash:
Note
Copy the Cisco IOS image first, followed by the SDM files.
Step 9
Start your web browser, and reconnect to SDM, using the same IP address you used when you started the SDM session.
Now that an erase flash: operation has been performed on the router, you will be able to execute the squeeze flash: command when necessary.
Security Alert Dialog May Remain After SDM Launches
When SDM is launched using HTTPS, a security alert dialog box that informs you of possible security problems and asks you if you want to proceed with program launch may appear. This can happen if the router does not have the following global configuration command in the running configuration:
ip http timeout-policy idle 600 life 86400 requests 10000
Caveats
Caveats describe unexpected behavior in SDM. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Open Caveats—Release 2.2
This section lists caveats that are open in release 2.2.
• CSCsd82357
When you upgrade from SDM version 2.2a to 2.2.1, SDM displays a warning popup that indicates that you are attempting to downgrade SDM to an earlier version. This message is seen when upgrading from SDM 2.2a to any language edition of SDM 2.2.1.
Workaround: Click Yes in the warning popup window to indicate that you want to proceed with the update.
• CSCei33081
When SDM is run on the PC, the Load File from PC function available from the File Management window may not work properly.
Workaround: With a TFTP server application on the PC, copy files to the router using the copy tftp flash command.
• CSCej01054
The SDM_HIGH security policy may not block Instant Messaging (IM) applications. The application security feature blocks IM applications using the server deny name command, so it can only block the IM servers it already names. When new IM servers become available, IM applications may connect to them.
Workaround: Complete the following steps:
a.
Turn on firewall logging for IM applications. The names of the servers that the IM applications connect to will be revealed in the log.
b.
Use the CLI to block the new servers. The following example uses the server newserver.yahoo.com:
router# config t
router(config)# appfw policy-name SDM_HIGH
router(cfg-appfw-policy)# application im yahoo
router(cfg-appfw-policy-ymsgr)# server deny name newserver.yahoo.com
router(cfg-appfw-policy-ymsgr)# exit
router(cfg-appfw-policy)# exit
• CSCei75188
Due to IOS caveat CSCei75121, extra spaces introduced into the running configuration output may prevent SDM from accurately reading the running configuration. This occurs when RSA key pairs are manually entered.
Workaround: Go to View > Running Config to display the running configuration.
•
CSCei84100
When the applications security policy blocks some Point-to-Point (P2P) applications, but permits others, blocked applications may be able to download files.
Workaround: Instead of permitting some P2P applications and blocking others, exclude the applications that you want to permit from the application security policy by unchecking the box next to the application name.
•
CSCej07924
Because of a problem with the Cisco IOS NBAR feature, some Point-to-Point applications are able to download files even when application security is configured to block them. When the Cisco IOS NBAR feature is used to block Point-to-Point applications, only those applications and protocols supported by the NBAR feature will be successfully blocked.
Workaround: None
•
CSCsb26386
Because of a problem with Cisco IOS (CSCin92327), a connection between an Easy VPN Remote client and an Easy VPN Server may timeout before the user has time to enter the credentials.
Workaround: None
•
CSCsb59200
Due to a JVM bug (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4110094) SDM IPS may crash when large Signature Definition Files (SDF) are imported. When SDM is used to import large SDFs such as virtualsensor.xml or IOS-S178.zip, SDM crashes when dismissing the Import Signature dialog. This problem does not always occur.
Workaround: Set the java heap size to -Xmx256m and try to import the file again. If you need to use SDM to perform a critical operation, complete that operation before reattempting to import the file.
•
CSCsb82161
The SDM IPS import dialog may not appear when you attempt to import a large SDF, such as virtualsensor.xml more than 5 times. A java out-of-memory error occurs and the Import Signature dialog does not appear.
Workaround: Set the java heap size to -Xmx256m , restart SDM, and try to import the file again.
•
CSCsb38890
When using SDM IPS, if you go to IPS Global Settings > Edit and change the size of the SDEE event store, and then refresh or reinvoke SDM IPS, SDM shows the default size of the SDEE event store (200) instead of the value that you configured.
Workaround: None
•
CSCsa40535
VPN status in the Monitor windows do not show IPSec security association (SA) parameters for DMVPN when CLI status commands report that the crypto tunnels are up and traffic is passing through. The DMVPN tunnel is shown as established in the IKE SA tab.
Workaround: Use the CLI to view DMVPN status.
•
CSCef50601
This problem is encountered on routers running Cisco IOS image c3825-advsecurityk9-mz.123-10.2. If an ATM interface is configured on routers running this image, WAN troubleshooting may display inconsistent results. PVC connections may be shown as UP when they are DOWN.
Workaround: None.
•
CSCef29588
When both SDM and IPS are open, an open dialog box requiring an OK or Cancel in one application will prevent the user from working in the other application.
Workaround: Complete the work in the dialog box and click OK, or click Cancel to close the dialog box before switching to the other application.
•
CSCef34056
If multiple instances of SDM are run under Netscape version 7.1 using the Java Virtual Machine (JVM) or the Java plug-in, and the user shuts down one instance of SDM, then all other open instances of SDM on that PC are shut down.
This problem occurs because Netscape version 7.1 uses only one instance of the JVM or the Java plug-in, even when multiple instances of Netscape are launched. As a result, when one instance of SDM is shut down, Netscape shuts down the JVM or the Java plug-in, and all other instances of SDM are also shut down.
Workaround: If SDM is run under Netscape version 7.1, open only one instance of SDM . Using Internet Explorer is advised when multiple instances of SDM must be opened, such as when the user must configure multiple routers at the same time.
•
CSCef43267
When the crypto identity ca command is used, the Loopback0 interface is shown as having no configured IP address in the Edit Interfaces and Connections window when an IP address has been configured.
Workaround: Disregard the IP address information in the Interfaces and Connections window. If you need to view the IP address, choose the interface and click the Edit button.
•
CSCef43429
This problem is caused by the Cisco IOS caveat CSCef46305. After an Easy VPN Remote connection has been brought up after a successful user authentication (Xauth), the remote peer may not be listed in the Easy VPN Remote Edit screen if SDM is refreshed or reinvoked. If this problem occurs, Easy VPN Remote troubleshooting might not behave as expected for this connection.
This problem will occur only when the Easy VPN server sends Xauth challenges to the Easy VPN remote at the same time that the Easy VPN remote is trying to establish a tunnel with the VPN server.
Workaround: None.
•
CSCef50389
When an Easy VPN Server is configured using Digital Certificates for authentication, and an Easy VPN Remote connection is configured on another router, the client statistics for the Easy VPN server are all shown as 0 in the VPN Status window.
Workaround: To view client statistics, choose Tools > Telnet. Log in to the router, and issue the show crypto session command.
•
CSCef57546
When adding a new signature to the ATOMIC.ICMP engine, you may see the error message "[Enum(xxx)-StorageKey-ATOMIC.ICMP] the value AaBb is not a valid value."
Workaround: In the Add Signature window, go to the parameter StorageKey, and click the green square to enable editing for this parameter. The green square icon will change to a red diamond icon. Choosing any value from the drop-down box will fix this problem.
•
CSCef63016
This problem is caused by the Cisco IOS caveat CSCef64124. When the user unchecks the Save Xauth username and password on the router check box in the Edit Easy VPN Remote dialog box and clicks OK, the command is delivered to the router, but SDM shows the check box as checked, and the corresponding command is still shown in the running configuration if SDM is refreshed.
This occurs when the user wants to remove the saved Xauth username and password in Easy VPN Remote.
•
CSCef63313
If an Easy VPN Remote configuration has connections to more than one Easy VPN server configured, VPN troubleshooting deactivating may report troubleshooting results for only one VPN server or give incorrect recommendations. This issue is seen only in some Cisco IOS images.
Workaround: None.
•
CSCef72022
Invoking SDM with a user associated with SDM_Monitor view adds a PKI trust point and an Easy VPN profile. This behavior does not affect the running configuration.
Workaround: Invoke SDM with a user associated with a different CLI view, or with a user of privilege level 15.
•
CSCef53222
SDM filenames are case sensitive. If the SDM files are copied from the PC hard disk to a flash card, File Explorer changes the names to uppercase. When this happens, SDM cannot be invoked from this flash card.
Workaround: Before removing the flash card from the PC, restore the filenames to lowercase.
•
CSCef77689
When the router is running a Cisco IOS image that does not support the show pppoe session command, WAN troubleshooting may not report any reasons for failure or recommended actions for PPPoE connections that are found to be down.
Workaround: None.
•
CSCin54600
If a firewall is configured for an interface which already has a Management Access policy associated with it, choosing Replace in the Merge/Replace dialog box might prevent access to certain networks.
This occurs because choosing Replace causes the policy access control entries (ACEs) to be disassociated from the interface but not from the vty or HTTP line.
Workaround: When running the Firewall wizard on an interface that has a Management Access policy configured, choose the Merge option instead of Replace and proceed.
•
CSCef73879
VPN troubleshooting may report a possible Maximum Transmission Unit (MTU) problem in the passthrough network when the tunnel is up. If the VPN interface is a dialer interface configured on an asynchronous interface, this problem may not always exist, and the displayed recommended action will have no effect.
Workaround: Ignore this message and the corresponding recommendation.
•
CSCef73395
Due to a problem with Cisco IOS, if a custom protocol is mapped to a port, the same custom protocol is specified for matching under a class map, and the mapping of the custom protocol is then deleted from the configuration, Cisco IOS does not warn the user that the match protocol custom-01 commands that make use of the custom protocol mapping should be deleted first.
Workaround: Do the following:
–
Configure the custom protocol again.
–
Remove all the match protocol statements that reference the custom protocol that you configured.
–
Remove the custom protocol from the configuration.
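The three workaround steps carried through on the router CLI, as an added example that is not part of these release notes. The port number 5000 and the class map name CM-CUSTOM are constructed, and the use of ip nbar port-map to create the custom-01 mapping is an assumption about how the mapping was originally configured.

```cisco
! Added example (not from the release notes): workaround order for CSCef73395.
! Assumes custom-01 was mapped with "ip nbar port-map" to constructed port 5000
! and is referenced by a constructed class map named CM-CUSTOM.
configure terminal
!
! Step 1: re-create the custom protocol mapping that was removed, so the
! dangling "match protocol custom-01" reference is valid again.
 ip nbar port-map custom-01 tcp 5000
!
! Step 2: remove every "match protocol" statement that references custom-01
! (repeat this block for each class map that uses it).
 class-map match-any CM-CUSTOM
  no match protocol custom-01
 exit
!
! Step 3: only now remove the custom protocol mapping itself.
 no ip nbar port-map custom-01 tcp 5000
end
!
! Check: no class map should still reference custom-01; this should print nothing.
show running-config | include match protocol custom-01
```

If the check still lists a class map, return to step 2 for that class map before removing the mapping again.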
•