Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco Router and Security Device Manager

Release Notes for Cisco Router and Security Device Manager 2.4

Downloads

Table Of Contents

Release Notes for Cisco Router and Security Device Manager 2.4

Contents

Introduction

System Requirements

Memory Requirements

Hardware Supported

Supported Adapters, Cards and Network Modules

PC System Requirements

Software Supported

Cisco IOS Releases

Web Browser Versions and Java Runtime Environment Versions

PC Operating System Versions

New and Changed Information

New Features Supported in Cisco SDM 2.4

Cisco SDM Files

Installation Notes

Cisco 1700 Routers Running Cisco ITS/Cisco CallManager Express and Cisco IOS Release 12.2(13)T

Downloading Cisco SDM from Cisco.com and Installing It on the Router

Upgrading to a New Cisco SDM Version

Uninstalling Cisco SDM Files

Limitations and Restrictions

Cisco SDM Minimum Screen Resolution

Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers

Important Notes

Cisco SDM May Not Operate with Custom Configuration File

Cisco SDM Merge and Replace Configuration Functions Fail Under Some Conditions

Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation

Cisco SDM May not Launch Using IP Address of SSL VPN Gateway

Cisco SDM IPS User Guide Discontinued for Cisco SDM 2.2

Cisco SDM May Lose Connection to Network Access Device

Cisco SDM on PC May Not Launch under Windows XP with Service Pack 2

Popup Blockers Disable Cisco SDM Online Help

Disable Proxy Settings

Routers Shipped with Cisco SDM Do Not Execute the Standard Cisco IOS Startup Sequence

Unable to Perform "squeeze flash:" Operation

Security Alert Dialog May Remain After Cisco SDM Launches

Caveats

Open Caveats—Cisco SDM 2.4

Related Documentation

Platform-Specific Documents

Software Documents


Release Notes for Cisco Router and Security Device Manager 2.4

July 23, 2007

These release notes support Cisco Router and Security Device Manager (Cisco SDM) version 2.4. They should be used with the documents listed in the "Related Documentation" section. These release notes are updated as needed.

Contents

This document contains the following sections:

Introduction

System Requirements

New and Changed Information

Limitations and Restrictions

Important Notes

Caveats

Related Documentation

Introduction

Cisco SDM is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Admission Control (NAC), Network Address Translation (NAT), firewalls, Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and other features on the router. Cisco SDM 2.1 and later versions can be installed on a PC, or in router flash, disk, or slot memory. Earlier versions of Cisco SDM cannot be installed on PCs, and can be installed in router flash, disk, or slot memory. If you have a router listed in the Hardware Supported section, Cisco SDM is either preinstalled in router memory, or is shipped on a CD with the router.

Cisco SDM Express allows you to give a router a basic LAN, WAN, firewall and NAT configuration. It is installed in router memory.

System Requirements

This section contains Cisco SDM system requirements.

Memory Requirements

Table 1 shows how much memory is required to support Cisco SDM and related applications.

Table 1 Cisco SDM Memory Requirements

Application
Minimum Memory Required

Cisco SDM

6.97 MB (7,314,958 bytes)

Cisco SDM Express

2.04 MB (2,140,174 bytes)

Cisco SDM installed on a PC

7.5 MB (7,865,653 bytes)

Wireless Management application

2 MB, in addition to Cisco SDM memory requirements.


Table 4 lists the files that are included with Cisco SDM, Cisco SDM Express, and the Wireless Management application.

Hardware Supported

This section lists the routers that Cisco SDM supports, by series.

Note Cisco SDM does not support Telco/CO router models.

Cisco SB100 series:

Cisco SB101

Cisco SB106

Cisco SB107

Cisco 800 series:

Cisco 831

Cisco 836

Cisco 837

Cisco 851

Cisco 857

Cisco 871

Cisco 876

Cisco 877

Cisco 878

Cisco SDM is supported on the following Cisco 1700 series:

Cisco 1701

Cisco 1710

Cisco 1711

Cisco 1712

Cisco 1721

Cisco 1751

Cisco 1751-v

Cisco 1760

Cisco 1760-v

Cisco 1800 series:

Cisco 1801

Cisco 1802

Cisco 1803

Cisco 1811

Cisco 1812

Cisco 1841

Cisco 2600 series:

Cisco 2610XM

Cisco 2611XM

Cisco 2620XM

Cisco 2621XM

Cisco 2650XM

Cisco 2651XM

Cisco 2691

2800 series:

Cisco 2801

Cisco 2811

Cisco 2821

Cisco 2851

Cisco 3600 series:

Cisco 3620

Cisco 3640

Cisco 3640A

Cisco 3661

Cisco 3662

Cisco SDM is supported on the following Cisco 3700 series:

Cisco 3725

Cisco 3745

Cisco SDM is supported on the following Cisco 3800 series:

Cisco 3825

Cisco 3845

Cisco SDM is supported on the following Cisco 7000 series:

Cisco 7204VXR

Cisco 7206VXR

Cisco 7301

Supported Adapters, Cards and Network Modules

Network modules:

NM-1E

NM-4E

NM-4T

NM-2W

NM-1E2W

NM-1FE2W

NM-1FE2W-V2

NM-1FE-FX-V2

NM-2E2W

NM-2FE2W

NM-2FE2W-V2

NM-1FE-FX

NM-1FE-TX

NM-4A/S (synchronous only)

NM-8A/S (synchronous only)

NM-CIDS-K9

NM-16ESW

NM-16ESW-1GIG

NM-16ESW-PWR

NM-16ESW-PWR-1GIG

NM-36ESW

NMD-36ESW-2GIG

NMD-36ESW-PWR

NMD-36ESW-PWR-2GIG

Cisco SDM supports only Ethernet configuration on the following network modules:

NM-1E1R2W

NM-1FE1R2W

NM-1FE1CE1U

NM-1FE2CE1B

NM-1FE1CE1B

NM-1FE2CE1U

NM-1FE1CT1

NM-1FE2CT1

NM-1FE1CT1-CSU

NM-1FE2CT1-CSU

EtherSwitch Service Network Modules:

NME-16ES-1G-P

NME-X-23ES-1G-P

NME-XD-24ES-1S-P

NME-XD-48ES-2S-P

WAN interface cards:

WIC-1T

WIC-2T

WIC-2A/S (Frame Relay, PPP, HDLC, no asynchronous)

WIC-1DSU-T1

WIC-1ADSL

WIC-1ENET

WIC-1SHDSL

WIC-1DSU-T1-V2

WIC-1B-S/T

WIC-1B-S/T-V3

WIC-1AM

WIC-2AM

WIC-4ESW

WIC-1SHDSL-V2

WIC-1SHDSL-V3

WIC 1ADSL-DG

WIC 1ADSL-I-DG

High-speed WAN interface cards (HWICs):

HWIC-4T

HWIC-4A/S

HWIC-8A/S-232

HWIC-4ESW

HWICD-9ESW

HWIC-AP-G-X

HWIC-AP-AG-X

HWIC-ADSL-B/ST

HWIC-ADSLI-B/ST

HWIC-1ADSL

HWIC-1ADSLI

Advanced integration modules (AIMs):

AIM-VPN/BP

AIM-VPN/BP II

AIM-VPN/BPII-PLUS

AIM-VPN/HP

AIM-VPN/HP II

AIM-VPN/HPII-PLUS

AIM-VPN/EP

AIM-VPN/EP II

AIM-VPN/EPII-PLUS

AIM-VPN/SSL-1

AIM-VPN/SSL-2

AIM-VPN/SSL-3

Port adapters on Cisco 7000 family routers:

PA-2FE-TX

PA-2FE-FX

PA-8E

PA-4E

Network Processing Engines and Network Service Engines on Cisco 7000 family routers.

NPE-225

NPE-400

NPE-G1

NPE-G2

NSE-1

Service adapters on Cisco 7000 family routers:

SA-VAM

SA-VAM2

SA-VAM2+

C7200-VSA

Cisco SDM also supports the MOD-1700VPN.

PC System Requirements

Cisco SDM is designed to run on a personal computer that has a Pentium III or faster processor.

Software Supported

This section describes Cisco SDM software requirements.

Cisco IOS Releases

Cisco SDM is compatible with the Cisco IOS releases listed in Table 2.

Note Cisco SDM supports the Cisco IOS Intrusion Prevention System (Cisco IOS IPS). In order to be able to use Cisco SDM to configure the Cisco IOS IPS software, the router must run Release 12.3(8)T4 or a later release. Later Cisco IOS releases support additional Cisco IOS IPS functionality. Table 3 lists the Cisco IOS IPS feature history by Cisco IOS release.

Table 2 Cisco SDM-Supported Routers and Cisco IOS Releases 

Cisco SDM-Supported Routers
Cisco SDM-Supported Cisco IOS Releases

Cisco SB101
Cisco SB106
Cisco SB107

12.3(8)YG

12.4(2)T or later releases

Cisco 831
Cisco 837

12.2(13)ZH or later releases

12.3(2)XA or later releases

12.3(2)T or later releases

12.4(2)T or later releases

Cisco 836

12.2(13)ZH or later releases

12.3(2)XA or later releases

12.3(4)T or later releases

12.4(2)T or later releases

Cisco 851
Cisco 857

12.3(8)YI

12.4(2)T or later releases

Cisco 871
Cisco 876
Cisco 877
Cisco 878

12.3(8)YI

12.4(2)T or later releases

Cisco 1701

12.2(13)ZH or later releases

12.3(2)XA or later releases (Cisco SDM does not support Cisco IOS release 12.3(2)XF.)

12.3(4)T or later releases

12.4(2)T or later releases

Cisco 1711
Cisco 1712

12.2(15)ZL or later releases

12.3(2)XA or later releases (Cisco SDM does not support Cisco IOS release 12.3(2)XF.)

12.4(2)T or later releases

Cisco 1710
Cisco 1721
Cisco 1751
Cisco 1751-v
Cisco 1760
Cisco 1760-v

12.2(13)ZH or later releases

12.3(2)XA or later releases (Cisco SDM does not support Cisco IOS release 12.3(2)XF.)

12.2(13)T3 or later releases

12.3(2)T or later releases

12.3(1)M or later releases

12.2(15)ZJ3 (not available for the Cisco 1710 or Cisco 1721)

12.4(2)T or later releases

Cisco 1801
Cisco 1802
Cisco 1803
Cisco 1811

12.3(8)YI

12.4(2)T or later releases

Cisco 1812

12.3(8)YH or later releases

12.4(2)T or later releases

Cisco 1841

12.3(8)T4 or later releases

12.4(2)T or later releases

Cisco 2610XM
Cisco 2611XM
Cisco 2620XM
Cisco 2621XM
Cisco 2650XM
Cisco 2651XM
Cisco 2691

12.2(11)T6 or later releases

12.3(2)T or later releases

12.3(1)M or later releases

12.3(4)XD

12.2(15)ZJ3

12.4(2)T or later releases

Cisco 2801
Cisco 2811
Cisco 2821
Cisco 2851

12.3(8)T4 or later releases

12.4(2)T or later releases

Cisco 3640
Cisco 3661
Cisco 3662

12.2(11)T6 or later releases

12.3(2)T or later releases

12.3(1)M or later releases

12.3(4)XD

12.2(15)ZJ3

12.4(2)T or later releases

Cisco 3620

12.2(11)T6 or later releases

12.3(1)M or later releases

Cisco 3640A

12.2(13)T3 or later releases

12.3(2)T or later releases

12.3(1)M or later releases

12.3(4)XD

12.2(15)ZJ3

12.4(2)T or later releases

Cisco 3725
Cisco 3745

12.2(11)T6 or later releases

12.3(2)T or later releases

12.3(1)M or later releases

12.3(4)XD

12.2(15)ZJ3

12.4(2)T or later releases

Cisco 3825
Cisco 3845

12.3(11)T or later releases

12.4(2)T or later releases

Cisco 7204VXR
Cisco 7206VXR

12.3(2)T or later releases

12.3(1)M or later releases

12.4(2)T or later releases

Cisco SDM does not support B, E, or S train releases on the Cisco 7000 routers.

Cisco 7301

12.3(2)T or later releases

12.3(3)M or later releases

12.4(2)T or later releases

Cisco SDM does not support B, E, or S train releases on the Cisco 7000 routers.


Table 3 shows the Cisco IOS IPS feature history, and lists the Cisco IOS releases that offered each set of features, beginning with the latest release. This information is available in the Cisco IOS IPS Deployment Guide available at the following link.

http://www.cisco.com/en/US/products/ps6634/prod_white_papers_list.html

Table 3 Feature History of Cisco IOS IPS

Cisco IOS Release
Cisco IOS IPS Features or Improvements

12.4(11)T2

Support for a versioned-based signature definition format used by Cisco appliance-based IPS products, and the predefined Basic and Advanced signature categories.

12.4(6)T

Session setup rate performance improvements

12.4(3a)/12.4(4)T

String engine memory optimization

12.4(4)T

MULTI-STRING engine support for Trend Labs and Cisco Incident Control System

Performance improvements

Distributed Threat Mitigation (DTM) support

12.4(2)T

Layer 2 transparent intrusion prevention system (IPS) support

12.3(14)T

Support for three string engines (STRING.TCP, STRING.UDP, and STRING.ICMP)

Support for two new local shunning event actions: denyAttackerInline and denyFlowInline

12.3(8)T

Support for Security Device Event Exchange (SDEE) protocol

Support for ATOMIC.IP, ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.UDP, ATOMIC.TCP, SERVICE.DNS, SERVICE.RPC, SERVICE.SMTP, SERVICE.HTTP, SERVICE.FTP, and OTHER engines


Determining the Cisco IOS Release

To determine the release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the Cisco IOS release on the second output line: 

Router> show version 

Cisco Internetwork Operating System Software 

IOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH

Web Browser Versions and Java Runtime Environment Versions

Cisco SDM can be used with the following browsers:

Firefox 1.0.6 and later versions

Internet Explorer 5.5 and later versions

Netscape 7.1 and 7.2

Cisco SDM requires Sun Java Runtime Environment (JRE). The following versions are supported:

JRE 1.5_09

JRE1.4.2_08

JRE 1.5.0_06

JRE 1.5.0_07

Although the Cisco SDM application requires JRE to run, the Cisco SDM Express application included with Cisco SDM can run under the native Java Virtual Machine in the supported browsers, and also JRE.

PC Operating System Versions

Cisco SDM can be run on a PC running any of the following operating systems:

Microsoft Windows XP Professional

Microsoft Windows 2003 Server (Standard Edition)

Microsoft Windows 2000 Professional with Service Pack 4

Note Windows 2000 Advanced Server is not supported.

Cisco SDM 2.4 is available only in English. Cisco SDM 2.3.4 is available in six additional languages: French, German, Italian, Japanese, Simplified Chinese, and Spanish. Cisco SDM 2.3.4 supports full Cisco SDM functionality released prior to Cisco SDM 2.4. If you want to use Cisco SDM 2.3.4 in one of these languages, your PC must run one of the following operating systems:

Microsoft Windows XP Professional with Service Pack 2 or later

Microsoft Windows 2000 Professional with Service Pack 4 or later

See the Release Notes for Cisco Router and Security Device Manager Version 2.3.4 for more information.

New and Changed Information

This section contains information that is new or changed since the previous version.

New Features Supported in Cisco SDM 2.4

Cisco SDM 2.4 supports the following new features:

Certificate Authority Server—You can configure the router as a Certificate Authority (CA) server, and have it grant certificates to hosts on your network. Using a CA server in your own network eases the deployment of VPN technology by enabling local hosts to enroll for certificates from the CA server you configure, and not from a public CA server.

802.1x Authentication—The router can be configured to perform IEEE 802.1x authentication, enabling a client to authenticate using machine identity rather than the IP address.

Dynamic Virtual Tunnel Interfaces (DVTI)—DVTI enables you to configure an Easy VPN connection using a virtual interface. The dynamic virtual tunnels provide an on-demand separate virtual access interface for each Easy VPN connection. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPSec configuration and any Cisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or access control lists (ACLs).

Zone-Based Policy Firewall—Zone-based policy firewalls use a zone-based configuration model that is more flexible than interfaced-based firewalls. Interfaces are assigned to zones, and zones are placed in zone pairs to define traffic source and destination interfaces. Inspection polices can be applied to zone pairs to govern the traffic that flows from the source interfaces to the destination interfaces in a zone pair.

Cisco Common-Classification Policy Language (C3PL)—C3PL allows you to create class-based policies. Classes identify traffic types, such as peer-to-peer (P2P) and Instant Messaging (IM) traffic. Policies associate traffic classes and actions. They specify the action that the router is to take on the traffic in a particular class, such as inspecting it, allowing it to pass, or dropping it. These policies can be applied to zone pairs.

Intrusion Prevention System (IPS) Enhancements—Cisco IOS IPS enhancements available with Cisco IOS release 12.4(11)T2 are supported. A new format of signature definition file (SDF) is supported, as well as other features such as the Signature Event Action Processor (SEAP). The SEAP allows greater control over filteringby allowing you to create Signature Event Action filters (SEAF), and assigning Signature Event Action Overrides (SEAO). A migration wizard is provided that allows you to migrate Cisco IOS IPS configurations created prior to Cisco IOS release 12.4(11)T2. The information on parameter severity, action, and whether the signature is enabled or disabled on the router is migrated to the new configuration.

Note If the router is running Cisco IOS release 12.4(11)T2 but has a Cisco IOS IPS configuration created prior to Cisco IOS release 12.4(11)T2, it must be migrated if Cisco IOS IPS to function.

Quality of Service (QoS) Enhancements—QoS has been enhanced to allow you to specify either Differentiated Services Code Point (DSCP) or Network-Based Application Recognition (NBAR) markings to traffic, and to create QoS polices using C3PL.

Cisco SDM Files

This section describes the files used in Cisco SDM 2.4. Table 4 lists the name, size, and description of each file.

Table 4 Cisco SDM File List 

Filename
Size
Description

common.tar

1.11 MB

Cisco SDM and Cisco SDM Express support file

es.tar

841 KB

Cisco SDM Express application file

home.shtml

1.01 KB

Cisco SDM and Cisco SDM Express support file

home.tar

110 KB

Cisco SDM and Cisco SDM Express support file

sdmconfig-modelnum.cfg

For example:

sdmconfig-180x.cfg

2.0 KB

Default configuration file

sdm.tar

5.75 MB

Cisco SDM application file

sdmips.sdf

Variable

File created when Cisco SDM is used to modify Cisco IOS IPS signatures.

securedesktop-ios-3.1.1.45-k9.pkg

1.61 MB

Cisco Secure Desktop client software for SSL VPN clients.

sslclient-win-1.1.3.173.pkg

406 KB

Full tunnel client software for SSL VPN clients

wlanui.tar

1.86 MB

Wireless Application

128MB.sdf

515 KB

Signature Definition File (SDF) used by Cisco IOS IPS

256MB.sdf

775 KB

Signature Definition File (SDF) used by Cisco IOS IPS


Installation Notes

This section contains important information regarding installation and upgrades to Cisco SDM 2.4.

Cisco 1700 Routers Running Cisco ITS/Cisco CallManager Express and Cisco IOS Release 12.2(13)T

If you are installing Cisco SDM 2.4 on a router that already has the Internet Telephony Service (ITS) or Cisco CallManager Express application installed in flash memory, you may exceed the number of files allowed in flash memory by installing Cisco SDM 2.4. Cisco 1700 routers using Cisco IOS Release 12.2(13)T cannot have more than 32 files in flash memory.

Before installing Cisco SDM 2.4, you must delete any unneeded files from flash memory. If no files can be deleted, do not install it on the router.

Downloading Cisco SDM from Cisco.com and Installing It on the Router

If Cisco SDM 2.4 is not currently installed on the router, see Downloading and Installing Cisco Router and Security Device Manager to learn how to download Cisco SDM from Cisco.com and install it on the router. To obtain this document, go to the following URL:

http://www.cisco.com/go/sdm

In the Support box, click Install and Upgrade. Then click Install and Upgrade Guides > Downloading and Installing Cisco Router and Security Device Manager.

Upgrading to a New Cisco SDM Version

If a version of Cisco SDM later than version 1.0 is already installed on the router, use the Cisco SDM automatic update feature to install the latest files on the router. Cisco SDM automatically checks Cisco.com for more recent versions of Cisco SDM, downloads them to your PC, removes the old Cisco SDM files from memory, runs the squeeze flash: command if necessary, and copies the latest files to the router. The update feature is available from the Tools menu. Choose Tools > Update SDM > From Cisco.com.

If you are currently using Cisco SDM 1.0, you must download the file SDM-Vnn.zip at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/sdm

See Downloading and Installing Cisco Router and Security Device Manager (SDM) to learn how to install SDM and all related files on the router at the following URL:

http://www.cisco.com/go/sdm

In the Support box, click Install and Upgrade. Then click Install and Upgrade Guides > Downloading and Installing Cisco Router and Security Device Manager.

Uninstalling Cisco SDM Files

If you want to remove Cisco SDM from flash memory or from a router disk file system, you can do so by logging onto the router and completing the following steps in EXEC mode:

Step 1 Change to the directory in which the Cisco SDM files are located.

If the router has a flash file system, use the following command: 

router# cd flash:

If the router has a disk file system, use the following command: 

router# cd diskN

Replace N with the actual number of the disk. Use the slot keyword instead of the disk keyword if necessary.

Step 2 Use the delete command to remove the Cisco SDM files. The example below deletes the file sdm.tar: 

router# delete sdm.tar

Delete filename [sdm.tar]?

Delete flash:sdm.tar? [confirm]

Press Return to confirm the deletion.

Step 3 Use the delete command to remove the remaining Cisco SDM files. The "Cisco SDM Files" section lists the files used.

Step 4 Reclaim memory space by using the squeeze flash: command: 

router# squeeze flash:

It is not necessary to use the squeeze flash: command on DOS-based file systems.

Cisco SDM version 2.1 or later can be installed on your PC. To remove Cisco SDM from your PC, complete the following steps:

Step 1 Click Start > Program> Cisco Systems > Cisco SDM > Uninstall to launch the Uninstall program.

Step 2 When the message "Do you want to remove the selected applications and all of its features?" appears, click Yes.

Step 3 When the Uninstallation Complete screen is displayed, click Finish.

Limitations and Restrictions

This section describes restrictions and limitations that may apply to Cisco SDM.

Cisco SDM Minimum Screen Resolution

Cisco SDM requires a screen resolution of at least 1024 x 768.

Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers

The following restrictions apply to Cisco SDM running on Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers:

The Cisco SDM Express application is not supported. You must use the Cisco IOS CLI to give the router an initial configuration that will enable you to connect to the router using a browser.

WAN configuration is not supported. Cisco SDM supports configuration of Ethernet and Fast Ethernet interfaces.

The Cisco SDM Reset feature is not available.

No SDM-default configuration file is supplied. To run Cisco SDM, you must provide a configuration that includes the commands necessary to support operation of Cisco SDM.

The document Cisco Router and Security Device Manager (SDM) User Guide for the Cisco 7200 VXR and Cisco 7301 Routers describes how to give the router a configuration that supports Cisco SDM and how to start Cisco SDM on Cisco 7000 Family routers.

Important Notes

This section contains important information for Cisco SDM. It contains the following sections:

Cisco SDM May Not Operate with Custom Configuration File

Cisco SDM Merge and Replace Configuration Functions Fail Under Some Conditions

Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation

Cisco SDM May not Launch Using IP Address of SSL VPN Gateway

Cisco SDM IPS User Guide Discontinued for Cisco SDM 2.2

Cisco SDM May Lose Connection to Network Access Device

Cisco SDM on PC May Not Launch under Windows XP with Service Pack 2

Popup Blockers Disable Cisco SDM Online Help

Disable Proxy Settings

Routers Shipped with Cisco SDM Do Not Execute the Standard Cisco IOS Startup Sequence

Unable to Perform "squeeze flash:" Operation

Security Alert Dialog May Remain After Cisco SDM Launches

Cisco SDM May Not Operate with Custom Configuration File

If you load a custom configuration file on the router using Cisco Configuration Express or any other process, you may remove Command Line Interface (CLI) commands that Cisco SDM operation requires amd prevent it from operating. Cisco SDM requires the following basic configuration in order to connect to the router and manage it.

An http or https server must be enabled with local authentication.

A local user account with privilege level 15 and accompanying password must be configured.

Vty line with protocol ssh/telnet must be enabled with local authentication. This is needed for interactive commands.

An http timeout policy must be configured with the parameters shown in the following example to avoid a known launch issue with SDM.

The PC on which SDM is to run and the interface through which SDM will be launched must be configured with IP addresses from the same subnet.

The following example shows a configuration that contains the CLI commands Cisco SDM requires in order to operate. 

hostname yourname

!

logging buffered 51200 warnings

!

username cisco privilege 15 secret 0 cisco

!

ip domain-name yourdomain.com

!

interface FastEthernet0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$

ip address 10.10.10.1 255.255.255.248

description PC must be on the same subnet as this interface

no shutdown

!

ip http server

ip http secure-server

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

!

line vty 0 4

privilege level 15

login local

transport input telnet

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet

transport input telnet ssh

Cisco SDM Merge and Replace Configuration Functions Fail Under Some Conditions

The problem described here is caveat CSCsj21989. If you attempt to merge configuration changes made using the Cisco SDM Config Editor feature, or replace the running configuration with a configuration from the Config Editor, the router configuration will not be changed if there is a network device with a Network Address Translation (NAT) IP address, or a cache engine in the connection between the PC and the router. If you need to make changes to the router configuration that you would normally make using the Cisco SDM Config Editor, use the Cisco IOS CLI instead.

Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation

Some (or all) of the top threats you obtain using the Cisco SDM Security Dashboard may not pertain to your Cisco IOS IPS installation. After you deploy the signatures applicable to the top threats displayed by the Cisco SDM Security Dashboard, the dashboard may still display some (or all) top threats with a red icon because applicable signatures could not be found. Those remaining top threats are unrelated to your Cisco IOS IPS installation and not a danger to your router running Cisco IOS software.

Cisco SDM May not Launch Using IP Address of SSL VPN Gateway

This information provides more information about the caveat CSCek33306. When Cisco SDM attempts to connect to a router with a SSL VPN gateway configured using the Cisco IOS CLI, it might not launch from the IP address used by that gateway if the CLI statements necessary for Cisco SDM access are not included.

For example, if you have configured a SSL VPN connection on the interface Fe 0/0 with the gateway IP address 10.10.10.1, and the gateway name MySSLVPN, you may not be able to launch Cisco SDM using that IP address.

To be able to launch Cisco SDM using that IP address, add the following Cisco IOS CLI commands: 

Router# config t 

Router(config)# interface loopback next-available-loopback-number

Router(config-if)# description Do not delete - SDM SSLVPN generated interface

Router(config-if)# ip address 192.168.1.1 255.255.255.252

Router(config-if)# no shutdown

Router(config-if)# ip nat inside 

Router(config-if)# exit 

Router(config)# ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443

Router(config)# router(config)# webvpn gateway MySSLVPN

Router(config-webvpn-gateway)# http-redirect port 80 

Router(config) # interface FastEthernet 0/0 

Router(config-if)# ip nat outside

Router(config-if)# exit

After adding these commands, you can launch Cisco SDM by entering the following IP address and port in the browser: 

https://10.10.10.1:4443

If you remove the SSL VPN gateway that was modified for Cisco SDM access, you must remove the loopback interface and NAT rule that you created to allow access in the first place. Enter the commands shown in the description of caveat CSCek38259.

Cisco SDM IPS User Guide Discontinued for Cisco SDM 2.2

The Cisco SDM IPS application has been merged with Cisco SDM 2.2. Instructions for using IPS are included in the Cisco Router and Security Device Manager Version 2.2 User's Guide and later versions of the user's guide. No Cisco SDM IPS User's Guide has been published for this release.

Cisco SDM May Lose Connection to Network Access Device

This note concerns the NAC feature.

If the PC used to invoke Cisco SDM returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between Cisco SDM and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.

If you try to reinvoke Cisco SDM from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.

There are two workarounds for this problem:

Ensure that the PC that you use to invoke Cisco SDM attains a posture token which has an associated group policy on the ACS server that is not configured with a redirect URL.

Alternatively, use Cisco SDM to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke Cisco SDM. Note that the exception list entry created for the PC should be associated to an exception policy which does not have a redirect URL configured in it.

For more information, see the links in the Cisco SDM NAC online help pages.

Cisco SDM on PC May Not Launch under Windows XP with Service Pack 2

When Cisco SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer may display HTML source code when you attempt to launch Cisco SDM. To fix this problem, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch Cisco SDM.

Popup Blockers Disable Cisco SDM Online Help

If you have enabled popup blockers in the browser you use to run Cisco SDM, online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run Cisco SDM. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.

Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.

If you have not installed and enabled third-party pop up blockers, go to Tools >Internet Options > Privacy, and uncheck the Block popups checkbox.

In Firefox 1.5 and later versions, click Tools > Options > Content. Uncheck Block pop-up windows.

Disable Proxy Settings

Cisco SDM will not start when run under Internet Explorer with proxy settings enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.

Routers Shipped with Cisco SDM Do Not Execute the Standard Cisco IOS Startup Sequence

Because a default configuration file is provided on a router shipped with Cisco SDM, the router will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.

To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave Cisco SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using Cisco SDM. Please see the router quick start guide and to the SDM FAQ for information about the minimum configuration required for using Cisco SDM. This document is available at:

http://www.cisco.com/go/sdm

Step 1 Connect the light blue console cable, included with the router, from the blue console port on the router to a serial port on your PC. See the router hardware installation guide for instructions.

Step 2 Connect the power supply to the router, plug the power supply into a power outlet, and turn on the router. See the router quick start guide for instructions.

Step 3 Use a terminal emulation program on your PC, with the terminal emulation settings 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to the router.

Step 4 At the prompt, enter the enable command, and enter the password cisco. 

yourname> enable


Password: cisco

yourname#

Step 5 Enter the erase startup-config command. 

yourname# erase startup-config

Step 6 Confirm the command by pressing Enter.

Step 7 Enter the reload command. 

yourname# reload

Step 8 Confirm the command by pressing Enter.

After the router completes the reload operation, it enters into the standard Cisco IOS startup sequence. You can use the startup sequence to give the router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use Cisco SDM to change an existing configuration, see the instructions on starting Cisco SDM included in the quick start guide for the router.

Unable to Perform "squeeze flash:" Operation

If the router is using a Cisco IOS image earlier than release 12.3T, or release 12.2(13)ZH, it may be necessary to use the squeeze flash: command to reclaim flash memory after repeated use of Cisco SDM. If this becomes necessary, Cisco SDM informs you that the squeeze flash: command must be used, and will execute the command upon your confirmation.

However, the squeeze flash: command will not work if an erase flash: command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash: command.

Executing the erase flash: command removes Cisco SDM and the Cisco IOS image from the router flash memory, and you will lose your connection to the router. Complete the following steps to save files in flash memory, execute erase flash:, and copy the files back so you can reconnect to Cisco SDM.

Step 1 Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in memory.

Step 2 Prepare a TFTP server to which you can save files and copy them over to the router. You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program.

Step 3 Open up a Telnet session on the router so that you can use the CLI.

Step 4 Save the router's running configuration to the startup configuration by entering the command copy running-config startup-config.

Step 5 Use the copy tftp command to copy the Cisco IOS image, and the Cisco SDM files from flash memory to a TFTP server:

copy flash: filename tftp://tftp-server-address/filename

For example: 

Router# copy flash: sdm.tar tftp://10.10.10.3/sdm.tar

Table 4 lists the files Cisco SDM uses.

Tip If you prefer to download a Cisco IOS image, and the SDM-Vnn.zip file, follow these instructions to use an Internet connection to download an SDM-supported Cisco IOS image, and the SDM-Vnn.zip file.

a. Click the following link to obtain a Cisco IOS image from the Cisco Software Center:

http://www.cisco.com/kobayashi/sw-center

b. Obtain an image that supports the features you want on the Cisco 12.2(11)T release or later. Save the file to the TFTP server that is accessible from the router.

c. Use the following link to obtain the latest SDM-Vnn.zip file.

http://www.cisco.com/cgi-bin/tablebuild.pl/sdm

d. Extract the Cisco SDM files from SDM-Vnn.zip.

e. Click the setup.exe file to start the SDM installation wizard.

Step 6 From the PC, log in to the router using Telnet, and enter Enable mode. 

Router> enable

Password: 

Router#

Step 7 Enter the command erase flash:, and confirm. The router's IOS image, configuration file, and the Cisco SDM files are removed from flash memory.

Step 8 Use the copy tftp command to copy the IOS image and the Cisco SDM files from the TFTP server to the router:

copy tftp://tftp-server-address/filename flash:

Example: 

Router# copy tftp://10.10.10.3/SDM.tar flash:

Note Copy the Cisco IOS image first, followed by the Cisco SDM files.

Step 9 Start your web browser, and reconnect to Cisco SDM, using the same IP address you used when you started the session.

Now that an erase flash: operation has been performed on the router, you will be able to execute the squeeze flash: command when necessary.

Security Alert Dialog May Remain After Cisco SDM Launches

When Cisco SDM is launched using HTTPS, a security alert dialog box that informs you of possible sec