Table Of Contents
Release Notes for Cisco Router and Security Device Manager 2.3.1
Supported Adapters, Cards and Network Modules
Web Browser Versions and Java Runtime Environment Versions
New Features Supported in SDM 2.3.1
Cisco 1700 Routers Running Cisco ITS/Cisco CallManager Express and Cisco IOS Release 12.2(13)T
Downloading SDM from Cisco.com and Installing It on the Router
Upgrading to a New SDM Version
Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers
Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation
SDM May not Launch Using IP Address of WebVPN Gateway
SDM IPS User Guide Discontinued for SDM 2.2
SDM May Lose Connection to Network Access Device
SDM on PC May Not Launch under Windows XP with Service Pack 2
Popup Blockers Disable SDM Online Help
Routers Shipped with SDM Do Not Execute the Standard Cisco IOS Startup Sequence
Unable to Perform "squeeze flash:" Operation
Security Alert Dialog May Remain After SDM Launches
Release Notes for Cisco Router and Security Device Manager 2.3.1
April 25, 2006
These release notes support Cisco Router and Security Device Manager version 2.3.1. They should be used with the documents listed in the "Related Documentation" section. These release notes are updated as needed.
Contents
This document contains the following sections:
Introduction
Cisco Router and Security Device Manager (Cisco SDM, and hereinafter called SDM) is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Admission Control (NAC), Network Address Translation (NAT), firewalls, Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and other features on the router. SDM 2.1 and later versions can be installed on a PC, or on the router. Earlier versions of SDM cannot be installed on PCs, and can be installed on the router. If you have a router listed in the "Hardware Supported" section, SDM is either preinstalled in router memory, or is shipped on a CD with the router.
Cisco SDM Express allows you to give a router a basic LAN, WAN, firewall and NAT configuration. It is installed in router memory.
System Requirements
This section contains SDM system requirements.
Memory Requirements
Table 1 shows how much memory is required to support Cisco SDM files. Your router may be equipped with Flash, disk, or slot memory. Although these requirements are stated in terms of Flash memory, they also apply to supported routers that use disk or slot memory.
Note
•
•
•
Table 2 lists the files that are included with Cisco SDM, Cisco SDM Express, and the Wireless Management application.
Hardware Supported
This section lists the routers that SDM supports, by series.
Note
Cisco SB100 series:
•
•
•
Cisco 800 series:
•
•
•
•
•
•
•
•
•
SDM is supported on the following Cisco 1700 series:
•
•
•
•
•
•
•
•
•
Cisco 1800 series:
•
•
•
•
•
•
Cisco 2600 series:
•
•
•
•
•
•
•
Cisco 2800 series:
•
•
•
•
Cisco 3600 series:
•
•
•
•
•
Cisco 3700 series:
•
•
Cisco 3800 series:
•
•
Cisco 7000 series:
•
•
•
Supported Adapters, Cards and Network Modules
Network modules:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
SDM supports only Ethernet configuration on the following network modules:
•
•
•
•
•
•
•
•
•
•
EtherSwitch Service Network Modules:
•
•
•
•
WAN interface cards:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
High-speed WAN interface cards (HWICs):
•
•
•
•
•
•
•
•
•
•
•
Advanced Integration Modules (AIMs):
•
•
•
•
•
•
•
•
•
Cisco 7000 series router port adapters:
•
•
•
•
Cisco 7000 series router VPN Accelerator Modules:
•
•
•
Cisco 7000 series router Network Processing Engines
•
SDM also supports the MOD-1700VPN.
PC System Requirements
SDM is designed to run on a personal computer that has a Pentium III or faster processor.
Software Supported
This section describes SDM software requirements.
Cisco IOS Releases
SDM is compatible with the Cisco IOS releases listed in Table 2.
Note
Table 3 shows the Cisco IOS IPS feature history, and lists the Cisco IOS releases that offered each set of features, beginning with the latest release. This information is available in the Cisco IOS IPS Deployment Guide available at the following link.
http://www.cisco.com/en/US/products/ps6634/prod_white_papers_list.html
Determining the Cisco IOS Release
To determine the release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the Cisco IOS release on the second output line:
Router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZHWeb Browser Versions and Java Runtime Environment Versions
SDM can be used with the following browsers:
•
•
•
SDM requires Sun Java Runtime Environment (JRE). The following versions are supported:
•
•
Although the SDM application requires JRE to run, the Cisco SDM Express application included with SDM can run under the native Java Virtual Machine in the supported browsers, and also JRE.
PC Operating System Versions
SDM can be run on a PC running any of the following operating systems:
•
•
•
•
•
Note
SDM 2.3.1 is available only in English. SDM 2.2.1 is available in six additional languages: French, German, Italian, Japanese, Simplified Chinese, and Spanish and. SDM 2.2.1 supports full SDM functionality released prior to SDM 2.3.1. If you want to use SDM 2.2.1 in one of these languages, your PC must run one of the following operating systems:
•
•
See the Release Notes for Cisco Router and Security Device Manager Version 2.2.1 for more information.
New and Changed Information
This section contains information that is new or changed since the previous version.
New Features Supported in SDM 2.3.1
SDM 2.3.1 supports the following new features:
•
•
•
•
•
•
•
–
–
–
–
–
–
•
–
–
–
–
–
–
–
•
–
–
•
–
–
SDM Files
This section describes the files used in SDM version 2.3.1.
Table 4 describes the files that SDM and SDM applications use.
Installation Notes
This section contains important information regarding installation and upgrades to SDM.
Cisco 1700 Routers Running Cisco ITS/Cisco CallManager Express and Cisco IOS Release 12.2(13)T
If you are installing SDM on a router that already has the Internet Telephony Service (ITS) or Cisco CallManager Express application installed in flash memory, you may exceed the number of files allowed in flash memory by installing SDM. Cisco 1700 routers using Cisco IOS Release 12.2(13)T cannot have more than 32 files in flash memory.
Before installing SDM, you must delete any unneeded files from flash memory. If no files can be deleted, do not install SDM on the router.
Downloading SDM from Cisco.com and Installing It on the Router
If SDM is not currently installed on the router, see Downloading and Installing Cisco Router and Security Device Manager (SDM) to learn how to download SDM from Cisco.com and install it on the router. To obtain this document, go to the following URL:
Upgrading to a New SDM Version
If a version of SDM later than version 1.0 is already installed on the router, use the SDM automatic update feature to install the latest files on the router. SDM automatically checks Cisco.com for more recent versions of SDM, downloads them to your PC, removes the old SDM files from memory, runs the squeeze flash: command if necessary, and copies the latest files to the router. The update feature is available from the Tools menu. Choose Tools > Update SDM > From Cisco.com.
If you are currently using SDM 1.0, you must download the file SDM-Vnn.zip at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
See Downloading and Installing Cisco Router and Security Device Manager (SDM) to learn how to install SDM and all related files on the router at the following URL:
Click Install and Upgrade in the Technical Documentation and Tools box, and then click Install and Upgrade Guides.
Uninstalling SDM Files
If you want to remove SDM from flash memory or from a router disk file system, you can do so by logging onto the router and completing the following steps in EXEC mode:
Step 1
If the router has a flash file system, use the following command:
router# cd flash:If the router has a disk file system, use the following command:
router# cd diskNReplace N with the actual number of the disk. Use the slot keyword instead of the disk keyword if necessary.
Step 2
router# delete sdm.tarDelete filename [sdm.tar]?Delete flash:sdm.tar? [confirm]Press Return to confirm the deletion.
Step 3
Step 4
router# squeeze flash:It is not necessary to use the squeeze flash: command on DOS-based file systems.
SDM version 2.1 or later can be installed on your PC. To remove SDM from your PC, complete the following steps:
Step 1
Step 2
Step 3
Limitations and Restrictions
This section describes restrictions and limitations that may apply to SDM.
SDM Minimum Screen Resolution
SDM requires a screen resolution of at least 1024 x 768.
Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers
The following restrictions apply to SDM running on Cisco 7204VXR, Cisco 7206VXR, andCisco 7301 Routers:
•
•
•
•
Important Notes
This section contains important information for SDM. It contains the following sections:
•
•
•
•
•
•
•
•
•
Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation
Some (or all) of the top threats you obtain using the Cisco SDM Security Dashboard may not pertain to your Cisco IOS IPS installation. After you deploy the signatures applicable to the top threats displayed by the Cisco SDM Security Dashboard, the Cisco SDM Security Dashboard may still display some (or all) top threats with a red icon because applicable signatures could not be found. Those remaining top threats are unrelated to your Cisco IOS IPS installation and not a danger to your router running Cisco IOS software.
SDM May not Launch Using IP Address of WebVPN Gateway
This information provides more information about the caveat CSCek33306. When SDM attempts to connect to a router with a WebVPN gateway configured using the Cisco IOS CLI, it might not launch from the IP address used by that gateway if the CLI statements necessary for SDM access are not included.
For example, if you have configured a WebVPN connection on the interface Fe 0/0 with the gateway IP address 10.10.10.1, and thegateway name MyWebVPN, you may not be able to launch SDM using that IP address.
To be able to launch SDM using that IP address, add the following Cisco IOS CLI commands:
Router#config tRouter(config)# interface loopback next-available-loopback-numberRouter(config-if)# description Do not delete - SDM WebVPN generated interfaceRouter(config-if)# ip address 192.168.1.1 255.255.255.252Router(config-if)# no shutdownRouter(config-if)# ip nat insideRouter(config-if)# exitRouter(config)# ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443Router(config)# router(config)# webvpn gateway MyWebVPNRouter(config-webvpn-gateway)# http-redirect port 80Router(config) # interface FastEthernet 0/0Router(config-if)# ip nat outsideRouter(config-if)# exitAfter adding these commands, you can launch SDM by entering the following IP address and port in the browser:
https://10.10.10.1:4443If you remove the WebVPN gateway that was modified for SDM access, you must remove the loopback interface and NAT rule that you created to allow access in the first place. Enter the commands shown in the description of caveat CSCek38259.
SDM IPS User Guide Discontinued for SDM 2.2
The SDM IPS application has been merged with SDM version 2.2. Instructions for using IPS are included in the Cisco Router and Security Device Manager Version 2.2 User's Guide. No SDM IPS User's Guide has been published for this release.
SDM May Lose Connection to Network Access Device
This note concerns the NAC feature.
If the PC used to invoke SDM returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between SDM and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke SDM from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
•
•
For more information, see the links in the SDM NAC online help pages.
SDM on PC May Not Launch under Windows XP with Service Pack 2
When SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer may display HTML source code when you attempt to launch SDM. To fix this problem, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch SDM.
Popup Blockers Disable SDM Online Help
If you have enabled popup blockers in the browser you use to run SDM, SDM online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run SDM. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.
Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.
If you have not installed and enabled pop up blockers, go to Tools >Internet Options > Privacy, and uncheck the Block popups checkbox.
Disable Proxy Settings
SDM will not start when run under Internet Explorer with proxy settings enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.
Routers Shipped with SDM Do Not Execute the Standard Cisco IOS Startup Sequence
Because a default configuration file is provided on a router shipped with SDM, the router will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.
To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using SDM. Please see the router quick start guide and to the SDM FAQ (available at http://www.cisco.com/go/sdm) for information about the minimum configuration required for using SDM.
Step 1
Step 2
Step 3
Step 4
yourname> enablePassword: ciscoyourname#Step 5
yourname# erase startup-configStep 6
Step 7
yourname# reloadStep 8
After the router completes the reload operation, it enters into the standard Cisco IOS startup sequence. You can use the startup sequence to give the router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use SDM to change an existing configuration, see the instructions on starting SDM included in the quick start guide for the router.
Unable to Perform "squeeze flash:" Operation
If the router is using a Cisco IOS image earlier than release 12.3T, or release 12.2(13)ZH, it may be necessary to use the squeeze flash: command to reclaim flash memory after repeated use of SDM. If this becomes necessary, SDM will inform you that the squeeze flash: command must be used, and will execute the command upon your confirmation.
However, the squeeze flash: command will not work if an erase flash: command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash: command.
Executing the erase flash: command removes SDM and the Cisco IOS image from the router flash memory, and you will lose your connection to the router. Complete the following steps to save files in flash memory, execute erase flash:, and copy the files back so you can reconnect to SDM.
Step 1
Step 2
Step 3
Step 4
Step 5
copy flash: filename tftp://tftp-server-address/filename
For example:
Router# copy flash: sdm.tar tftp://10.10.10.3/sdm.tarTable 4 lists the files SDM uses.
Tip
a.
http://www.cisco.com/kobayashi/sw-center
b.
c.
http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
d.
e.
Step 6
Router> enablePassword:Router#Step 7
Step 8
copy tftp://tftp-server-address/filename flash:
Example:
Router# copy tftp://10.10.10.3/SDM.tar flash:
Note
Step 9
Now that an erase flash: operation has been performed on the router, you will be able to execute the squeeze flash: command when necessary.
Security Alert Dialog May Remain After SDM Launches
When SDM is launched using HTTPS, a security alert dialog box that informs you of possible security problems and asks you if you want to proceed with program launch may appear. This can happen if the router does not have the following global configuration command in the running configuration:
ip http timeout-policy idle 600 life 86400 requests 10000Caveats
Caveats describe unexpected behavior in SDM. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Open Caveats—Release 2.3.1
This section lists caveats that are open in release 2.3.1.
•
If the router is configured to allow SDM access through a WebVPN gateway that listens on the standard port 443, and that gateway is modified to listen on another custom port, the commands that were added for SDM access are not automatically removed, and must be removed using the Cisco IOS CLI. The WebVPN gateway may have been configured using the SDM WebVPN wizard, or it may have been configured manually and then modified to allow SDM access by adding the commands described in SDM May not Launch Using IP Address of WebVPN Gateway.
Workaround:
To safely edit the the WebVPN gateway to listen to a port other than 443, do the following:
a.
b.
c.
d.
e.
SDM can now be invoked using the standard HTTPS port 443.
If you prefer to use the Cisco IOS CLI, enter the following commands to remove the loopback interface and NAT rule that were added to allow SDM access. In these steps, Loopback 0 with an IP address of 192.168.1.1, and FastEthernet 0/0 with an IP address of 10.20.30.40 are used as examples.
Router# config tRouter(config)# no interface Loopback0Router(config)# interface FastEthernet0/0Router(config-if)# no ip nat outsideRouter(config-if)# exitRouter(config)# no ip nat inside source static tcp 192.168.1.1 443 10.20.30.40 4443Router(config)# exit
Note
•
Due to a Cisco IOS problem, no more than 5 actions can be assigned to a signature. This problem has no workaround.
•
When you import signatures from a large Signature Definition File (SDF) more than 4 or 5 times during the same session, SDM may close. This problem has not been observed consistently. This problem has no workaround.
•
SDM may not launch from an interface with a CLI-configured WebVPN if the CLI commands necessary for SDM access have not been added. This includes WebVPNs configured with the command webvpn enable WebVPNname IP-address SSLVPN.
For more information about this caveat, see the "SDM May not Launch Using IP Address of WebVPN Gateway" section.
•
SDM Express browser windows do not close if the Secure Device Provisioning application is launched from SDM Express. If you choose Secure Device Provision in the SDM Express Router Provisioning screen, the SDP application is launched after you complete the SDM Express wizard and deliver the commands to the router. After the commands are delivered, SDM Express closes, but the two browser windows associated with SDM Express do not close automatically. This behavior has been observed in all browsers.
Workaround:
Close these windows manually. However, note that closing these windows manually also closes the SDP application. Therefore, do not close these windows until you have completed configuring the router using the SDP application.
•
If you edit the IPS rule for incoming traffic or outgoing traffic or edit both rules on the interface that SDM is using to communicate with the router, the no form of the existing rule is delivered first. For all other interfaces the no form of the rule is delivered last.
Guest
