Table Of Contents
Release Notes For Security Device Manager Version 1.1
Supported Network Modules, WICs, Port Adapters and Service Adapters
Web Browser Versions and Java Runtime Environment Versions
Cisco 1700 Routers Running ITS/CCME and Cisco IOS Version 12.2(13)T
Downloading SDM From Cisco.com and Installing It On Your Router
Upgrading to a New SDM Release
New Features Supported in SDM Release 1.1
SDM 1.1a Supports WIC-1SHDSL-V2 on 1700 routers
Default Configuration File Changes
Popup Blockers Disable SDM Online Help
Configuring Your Router as an AAA Client
Configure the Local Router as an AAA Client
Routers Shipped with SDM Do Not Execute the Standard IOS Startup Sequence
Unable to perform `squeeze flash'
Restrictions for SDM Running on Cisco 7204VXR, 7206VXR, and 7301 Routers
Resolved Caveats - Release 1.1
Cisco Security Device Manager (SDM) Quick Start Guide: Disable Proxy Settings
SDM Default Configuration File
SDM Is Not Supported on SOHO 91, SOHO 96, and SOHO 97 Routers.
Modifying the Default Configuration File in Cisco 3620 and 3640 Routers
Obtaining Technical Assistance
Release Notes For Security Device Manager Version 1.1
3/25/04
These release notes support Security Device Manager 1.1. They should be used with the documents listed in the related documentation section. These release notes are updated as needed.
Contents
This document contains the following sections:
•
Obtaining Technical Assistance
Introduction
Security Device Manager (SDM) is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Address Translation (NAT), firewalls, Virtual Private Networks (VPNs), and other features on your router. SDM is installed in router Flash memory, and is run in a Web browser installed on a PC. SDM may be pre installed on the routers listed in the "Hardware Supported" section.
System Requirements
This section contains SDM system requirements.
Memory Requirements
SDM requires 3.3 MB of free Flash memory space on supported routers.
Hardware Supported
This section lists the hardware that SDM supports.
Cisco Routers
SDM is supported on the following Cisco 800 series routers:
•
•
•
SDM is supported on the following Cisco 1700 series routers:
•
•
•
•
•
•
•
•
•
SDM is supported on the following Cisco 2600 series routers:
•
•
•
•
•
•
•
SDM is supported on the following Cisco 3600 series routers:
•
•
•
•
•
SDM is supported on the following Cisco 3700 series routers:
•
•
SDM is supported on the following Cisco 7000 series routers:
•
•
•
Supported Network Modules, WICs, Port Adapters and Service Adapters
SDM supports configuration on following Network Modules.
•
•
•
•
•
•
•
•
•
•
•
•
•
SDM supports only Ethernet configuration on following network modules.
•
•
•
•
•
•
•
•
•
•
SDM supports the following WAN interface cards:
•
•
•
•
•
•
•
•
•
•
•
•
•
SDM supports the following Port Adapters on Cisco 7000 routers.
•
•
•
•
SDM supports the following Service Adapters on Cisco 7000 routers.
•
•
PC System Requirements
SDM is designed to run on a personal computer that has a Pentium III processor.
Software Supported
This section describes SDM software requirements.
Cisco IOS Images
SDM is compatible with the Cisco IOS images listed in Table 1.
Determining the Cisco IOS Software Version
To determine the version of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number on the second output line:
router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZHWeb Browser Versions and Java Runtime Environment Versions
SDM can be used with the following browsers:
•
•
SDM is compatible with SUN Java Runtime Environment (JRE) versions 1.4.1 or later. If the JRE is not installed on your PC, SDM functions fully using the Java Virtual Machine (JVM) in your browser.
PC Operating System Versions
SDM can be run on a PC running any of the following operating systems:
•
•
•
•
•
Installation Notes
This section contains important information regarding installation and upgrades to SDM.
Cisco 1700 Routers Running ITS/CCME and Cisco IOS Version 12.2(13)T
If you are installing SDM on a router that already has the Internet Telephony Service (ITS) or Cisco Call Manager Express (CCME) application installed in Flash, you may exceed the number of files allowed in Flash memory by installing SDM.Cisco 1700 routers using a Cisco IOS version 12.2(13)T image cannot have more than 32 files in Flash memory.
Before installing SDM, you must delete any unneeded files from Flash memory. If no files can be deleted, do not install SDM on the router.
Downloading SDM From Cisco.com and Installing It On Your Router
The document Downloading and Installing Cisco Security Device Manager (SDM) explains how to download SDM from Cisco.com and install it on your router. To obtain this document, visit the following URL.
Upgrading to a New SDM Release
If SDM is already installed on a router, and you are upgrading to a newer SDM release, you must also upgrade the configuration file for the router in order for new SDM software to function properly. The latest SDM configuration files are contained in the SDM .zip file, available from Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
The document Downloading and Installing Cisco Security Device Manager (SDM) Version 1.0 explains how to obtain the SDM zip file and how to install SDM and all related files on your router. This document is available at the following URL:
Uninstalling SDM Files
If you want to remove SDM from Flash memory or from a router disk file system, you can do so by logging onto your router and completing the following steps in EXEC mode:
Step 1
router#delete sdm.tarDelete filename [sdm.tar]?Delete flash:sdm.tar? [confirm]Step 2
Step 3
router#squeeze flash:It is not necessary to use the squeeze flash: command on DOS-based file systems.
New and Changed Information
This section contains information that is new or that has changed since the previous release.
New Features Supported in SDM Release 1.1
SDM version 1.1 supports the following new features:
•
•
•
•
•
•
•
•
•
•
•
SDM 1.1a Supports WIC-1SHDSL-V2 on 1700 routers
SDM version 1.1a supports the WIC-1SHDSL-V2 WAN interface card on supported Cisco 1700 routers running Cisco IOS version 12.3(4)XG or later.
Important Notes
This section contains important information for this release.
Default Configuration File Changes
The SDM default configuration file has changed with this release. The changes are as follows:
•
•
•
•
•
Popup Blockers Disable SDM Online Help
If you have enabled popup blockers in the browser you use to run SDM, SDM online help will not display when you click the help button. To allow SDM online help to be displayed, you must disable the popup blocker when you run SDM. Popup blockers may be enabled in search engine toolbars, or may be stand-alone applications integrated with the web browser.
Configuring Your Router as an AAA Client
This section explains how you can configure your router as an Authentication, Authorization, and Accounting (AAA) client in a way that will enable the AAA server to authenticate users logging on to SDM.
Configure the AAA Server
Configure the AAA server by performing the following tasks:
Step 1
Step 2
Step 3
a.
b.
c.
d.
e.
Configure the local router as an AAA client by completing the steps in the next section.
Configure the Local Router as an AAA Client
Open a Telnet or console session to the router you want to be the AAA client, and complete the following steps to configure your router and then log on to SDM.
Step 1
Step 2
username lab privilege 15 password 7 121504151E0A0EStep 3
aaa new-modelaaa authentication login default group tacacs+ localaaa authentication ppp default group tacacs+ localaaa authorization exec default group tacacs+ localaaa authorization network default group tacacs+ local!tacacs-server host 10.1.1.1tacacs-server directed-requesttacacs-server key sdm!ip http authentication aaa!Step 4
Step 5
http://router IP-addressReplace router IP-address with the IP address of the router interface the PC is connected to.
Step 6
Step 7
All users accessing SDM on this router will be authenticated by the AAA server.
Routers Shipped with SDM Do Not Execute the Standard IOS Startup Sequence
Because a default configuration file is provided on a router shipped with SDM, it will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.
To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using SDM. Please refer to your router's Quick Start Guide and to the SDM FAQ (available at http://www.cisco.com/go/sdm) for information about the minimum configuration required for using SDM.
Step 1
Step 2
Step 3
Step 4
yourname> enablePassword: ciscoyourname#Step 5
yourname# erase startup-configStep 6
Step 7
yourname# reloadStep 8
After the router completes the reload operation, it enters into the standard IOS startup sequence. You can use the startup sequence to give your router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use SDM to change an existing configuration, refer to the instructions on starting SDM included in the Quick Start Guide for your router.
Unable to perform `squeeze flash'
If your router is using a Cisco IOS image with a version earlier than 12.3 in the T release, or 12.2(13)ZH, it may be necessary to use the squeeze flash command to reclaim Flash memory after repeated use of SDM. If this becomes necessary, SDM will inform you that the squeeze flash command must be used, and will execute the command upon your confirmation.
However, the squeeze flash command will not work if an erase flash command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash command.
Executing the erase flash: command will remove SDM and the Cisco IOS image from the router's Flash memory, and you will lose your connection to the router. Complete the following steps to save files in Flash, execute erase flash:, and copy the files back so you can reconnect to SDM.
Step 1
Step 2
Step 3
Step 4
Step 5
copy flash: filename tftp://tftp-server-address/filename
Example:
copy flash: sdm.tar tftp://10.10.10.3/SDM.tar
Note
a.
http://www.cisco.com/kobayashi/sw-center/
b.
c.
Step 6
Step 7
Step 8
copy tftp://tftp-server-address/filename flash:
Example:
copy tftp://10.10.10.3/SDM.tar flash:
Note
Step 9
Now that an erase flash: has been performed on the router, you will be able to execute the squeeze flash command when necessary.
Restrictions and Limitations
This section describes restrictions and limitations that may apply to SDM.
Restrictions for SDM Running on Cisco 7204VXR, 7206VXR, and 7301 Routers
The following restrictions apply to SDM running on Cisco 7204VXR, 7206VXR, and 7301 Routers:
•
•
•
•
Caveats
Caveats describe unexpected behavior in SDM. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Open Caveats - Release 1.1
This section lists caveats that are open in release 1.1.
•
If a firewall is configured for an interface which already has a Management Access policy associated with it, selecting Replace in the Merge/Replace dialog might prevent access to certain networks.
This occurs because selecting "Replace" causes the policy access control entries (ACEs) to be disassociated from the interface but not from the vty or http line.
Workaround:
On running Firewall wizard in an interface configured with Management Access policy select Merge option instead of Replace and proceed.
•
If SDM is launched in Netscape, using the Secure Shell (SSH) protocol, an SDM wizard launched for the first time will not deliver the configuration to the router when you click Finish. This problem occurs on PCs with processors slower than Pentium III processors, or on PCs with low memory.
Workaround:
While in SDM, select Advanced Mode and click Deliver. The configuration generated in Wizard mode will be delivered to the router. Once this configuration has been delivered to the router using the Deliver button, the LAN, WAN, Firewall, and other wizards will deliver the configuration when you click Finish.
Alternatively, you can close SDM, and relaunch it using Internet Explorer 5.5 or later. If you want to use Netscape, invoke SDM using the Telnet protocol. Do this by starting SDM as usual, and clicking Cancel in the Enter SSH Credentials window. SDM will display another username and password dialog. Enter the username and password in that window and click OK.
•
If the Intrusion Detection Device Manager (IDM) is launched using SDM set to automatic discovery of IP address, IP address discovery may fail. This is a rare problem that occurs when the SSH protocol is used to launch SDM in Netscape 4.79.
Workaround:
Close SDM. Clear the browser cache and try to relaunch the IDM after a short time. You can also try using Internet Explorer 5.5 or later to launch SDM.
•
When updating SDM, if any of the uploaded SDM files shows a size of zero bytes when show flash is invoked, no operations such as copy or delete can be performed on flash. This problem rarely occurs.
Workaround:
Restart the router to be able to perform operations on flash. If files of zero bytes are shown in a show flash display, restart the router before starting SDM.
•
In routers running a Cisco IOS image of version 12.2(11)T6, SDM treats PPPoE connections that do not contain the vpdn-enable, vpdn-group, request-dialin, and protocol pppoe commands as read only. The Edit button is not enabled in the Interfaces and Connections window, and the connection is treated as "Other" in the WAN window.
If SDM is subsequently used to configure another PPPoE connection on the router, those commands are added, and the original PPPoE connections are made complete. However SDM will not show these original connections as editable.
Workaround
Select Refresh from the View menu to make SDM display these PPPoE connections as editable.
•
Port Address Translation (PAT) rules configured with no access list using the CLI are not removed when using SDM to delete WAN connections the rules are associated with.
Workaround
Remove the PAT rules using the CLI.
•
When performing Security Audit from a PC with more than one Network Interface Card (NIC) which is in one of the directly connected Inside Interface networks (as chosen by the user), "Access class not set on VTY lines" security problem as reported cannot be fixed.
•
Router does not reload with default configuration when user executes Reset To Factory Defaults in SDM.
If router is running a Cisco IOS image of version 12.2(11)T6, and the last 4 bits of the config-register value are set to 0, for example 0x2100 or 0x1100, the router does not reload when the user performs a Reset To Factory Defaults. SDM indicates that it has sent a reload command to router and shuts down, and the default configuration is copied to the startup-config, but the reload command has not executed, and the router is still using the running configuration that was present before the Reset operation.
Workaround
Use the CLI config-register command to ensure that the last 4 bits of the config register are not set to 0 (zero).
•
SDM may require up to 10 seconds to launch when being run using Internet Explorer version 6.0 with service pack 1 and JRE version 1.4.1_01 to configure a new serial WAN connection in Wizard mode.
Workaround
Upgrade the Java Plug-in to the latest version available from the Sun website at the following URL:http://java.sun.com/.
Alternatively, disable the Java plug-in. In Internet Explorer, click Tools, select Internet Options, click Advanced, and uncheck the Use Java 2 v1.4.1_01 option. In Netscape, click Edit, select Preferences, click Advanced, and uncheck Enable Java Plug-in.
•
Text display is cut and scrolling causes loss of text in Security Audit when browser uses the Java Runtime Environment (JRE) 1.3.1_07 plug-in.
Various text messages are cut and not displayed properly in the Security Audit feature if JRE 1.3.1_07 is installed on the system. For example, the report card contains incomplete sentences, and scrolling up and down in the "Fix It" window causes many of the lines to disappear or to appear incomplete.
The problem is seen only when the plug-in is installed.
Workaround
Upgrade Java Plug-ins to the latest version available from the Sun website at the following URL:
Alternatively, disable the Java plug-in. In Internet Explorer, click Tools, select Internet Options, click Advanced, and uncheck the Use Java 2 v1.3.1_07 option. In Netscape, click Edit, select Preferences, click Advanced, and uncheck Enable Java Plug-in.
•
If you delete a WAN connection that you created in Wizard mode, an ip nat inside command may still remain in a LAN interface configuration.
Workaround
To delete the ip nat inside command from the LAN interface configuration, go to Interfaces and Connections in Advanced Mode, select the LAN interface, click Edit, and delete the association in the Association tab.
•
Enabling AES encryption or IP Compression in the Add/Edit IKE Policy or Add/Edit Transform Set windows might not work even though the IOS image running on the router supports AES encryption or IP Compression. This may happen in the following circumstances:
–
–
Workaround
Do one of the following:
–
–
For more info on VPN Modules, refer to the document at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_data_sheet09186a0080088750.html
•
In Advanced Mode Static Routing, if a virtual-template interface is configured as the next hop interface in a static route, SDM generates corresponding CLI commands. Delivering such commands to the router may fail on some platforms.
Workaround
Do not configure a virtual-template interface as a next hop interface if it is not supported on your router.
•
After the SDM Startup Wizard has been completed by the user, SDM terminates and all browser windows close except the browser window hosting the Applet area, when run in Netscape Communicator version 4.79.
Workaround
Manually close the browser window(s) that remain open.
•
When SDM runs with a Cisco IOS image of a version earlier than 12.3 in the T release, or earlier than version 12.2(13)ZH, the HTTP server appends unnecessary characters to names of files it displays. As a result, when SDM is started, the web browser displays the warning "Content does not match the signature."
Workaround
Disregard the warning and click Yes to continue.
•
When an Easy VPN tunnel is active, using SDM to apply a NAT configuration to the Easy VPN inside and outside interfaces will deliver 'ip nat inside' and 'ip nat outside' commands to the router, but the running configuration will not be changed. SDM displays no error message when this is attempted.
Workaround
To apply a NAT configuration to interfaces that have been designated as Easy VPN "inside" or "outside" interfaces, complete the following steps in SDM:
–
–
–
•
When SDM is run in Internet Explorer using Java Plug-in 1.3.1_07, some text in the Wizard Mode Reset to Factory Defaults screen gets cut off.
Workaround
Resize the SDM window to display all text.Upgrade Java Plugins to the latest version available from the Sun website at the following URL:
•
When run using Netscape version 4.79, all SDM windows display a blank signature in the lower left corner. The text "Signed by:" appears, but no signature text follows.
Workaround
None needed. This does not affect the operation of the router.
•
Due to an IOS caveat, if you configure an Ethernet connection with a dialer-pool command, such as a PPPoE connection, subsequently delete the connection, then configure an ATM connection with PPPoE, and then recreate the Ethernet connection with the dialer-pool command, that Ethernet configuration will contain multiple dialer-pool statements, and be read-only in SDM.
Workaround
Use the CLI to remove all PPPoE and dialer-pool statements from the Ethernet interface configuration. After saving the configuration, save the running configuration to the startup configuration. Then, reload the router and reconfigure the Ethernet connection.
•
SDM will not start on a Cisco 831 router with 32 MB of memory if run from Netscape. An exception will be displayed in the Java console window and in the router console window indicating a memory allocation failure.
Workaround
Run SDM using Internet Explorer version 5.5 or later. Or, if you want to continue to use Netscape, log onto the router CLI and enter the following memory-size command in global configuration mode:
Router# memory-size iomem 10•
XAuth authentication intermittently fails and Easy VPN tunnels cannot be established using SDM on routers running IOS version 12. 3(4)T. When the user attempts to do an Xauth authentication in SDM, the following error message is displayed:
"Unable to establish a session with the router to process XAUTH request from the Easy VPN server. Easy VPN tunnel cannot be successfully brought up."
This message is followed by another indicating that the connect command was delivered to the router, but that the tunnel was not established.
Workaround:
In the VPN Connections window, select the Easy VPN tunnel configuration and click the "Reset Tunnel" button to clear the tunnel and reconnect it. If this does not bring up the tunnel, use the "Login" button, more than once if necessary, to bring up the tunnel.
•
When SDM runs with a Cisco IOS image of version 12.2(15)T, SDM fails to download the configuration file from the CNS server through startup wizard. Please refer Bug CSCin65539 for more details. This issue occurs only with Cisco IOS image version 12.2(15)T.
Workaround:
Upgrade to Cisco IOS image version 12.3(4)T or later.
•
On Cisco 7x00 routers, the SDM Update feature is supported if the current SDM files were loaded onto the router's Flash Disk or compact Flash Disk. However, the SDM Updates feature fails to upload new SDM files to the router if the current SDM files were installed in Flash memory. The SDM Updates feature uses RCP protocol to upload the new SDM files to the router, but the RCP Server misinterprets the "flag" sent by the RCP Client for the above mentioned file systems.
Workaround:
If the current SDM files were loaded into Flash memory, update to the new SDM version by manually copying the new SDM files to the file system of the router using a TFTP server. To make use of the automatic SDM Update feature, always install SDM files on the Flash Disk or compact Flash Disks (disk0, disk1, disk2).
•
SDM should not get invoked from boot images such as kboot images on 72xx routers. Such boot images are a subset of the Cisco IOS software and do not support all router functions.
Workaround:
Boot the router with an SDM-supported IOS image, and then invoke SDM. See Table 1 for the Cisco IOS versions that SDM supports.
•
On 72xx platforms, encryption is not supported on PA-4T port adapters. Because the CLI does not support crypto maps for these type of interfaces, SDM will fail to assign crypto maps to these interfaces. The PA-4T port adapter will not support future compression and encryption features.
Workaround:
Upgrade your 72xx router hardware to 4t+ PA.
•
Whenever any unconfigured interface contains the description "$FW_INSIDE$," on a router configured with a firewall, adding a new NTP server will not modify the firewall ACLs to allow NTP passthrough traffic. Instead, when the user edits the firewall's outside interface in the Interfaces and Connections window, SDM prompts the user to add the NTP passthrough traffic.
Workaround:
Use the CLI to manually remove the description $FW_INSIDE$ from the unconfigured interface.
•
If the interface used for the primary backup connection is configured for PPPoE encapsulation, the backup connection will not function properly if the next hop address is specified during configuration. An IOS bug (CSCin64336) has been filed for this problem. If the interface used for the primary backup connection is an Ethernet interface configured without encapsulation, the backup connection will not function properly if the next hop address is not specified during configuration.
Workaround:
For PPPoE connections: Do not provide the next hop IP address when you configure the primary backup connection.
For Ethernet connections without encapsulation: DO provide the next hop IP address when you configure the primary backup connection.
•
If the WAN wizard is used to configure an Analog Modem connection as a primary backup connection, and the analog modem connection is deleted in Wizard Mode, SDM may report that the interface contains unsupported configuration parameters.
Workaround:
Click Refresh on the SDM toolbar, and delete the connection.
•
When shutting down SDM by clicking the X button in the top-right corner of the browser window, occasionally the parent Internet Explorer windows do not close, and it is necessary to restart the PC in order to close the window and restart SDM. Another instance of SDM cannot be opened if the parent windows of a previous instance of SDM are still open. This problem occurs on PCs running Windows 98 SE.
•
The Interfaces and Connections window may display the Backup option in disabled state for Async interfaces on Cisco 831 and Cisco 837 routers. This will occur when the following operations have been performed:
–
–
–
When the IP address of the Primary interface is changed, SDM displays a Yes or No warning popup asking if you want to remove the backup configuration. If you select Yes, SDM removes the backup configuration, but the Interfaces and Connections window still shows the backup option as disabled, preventing you from selecting the Async interface as a backup interface. The same problem occurs in Wizard Mode if you change the IP Address type of the Primary interface using the Edit button in the Wizard Mode window.
Workaround:
Delete the Async interface configuration using the Interfaces and Connections window.
•
When all WAN connections have been configured, the SDM WAN wizard may not display the Edit Connection and the Delete Connection buttons when the WAN wizard window is resized. This problem does not always occur.
Workaround:
If you need to use the Edit Connection or Delete Connection button, try the following to redisplay the buttons:
–
–
–
–
•
The Show Running Configuration window is blank when the size of the running configuration approaches 200 KB. This problem occurs when SDM is run under Windows 98, using Internet Explorer 6.0 running JRE.1.3.1.08.
Workaround:
Either disable the plugin, or upgrade the JRE plugin to version 1.4.1 or later.
•
When the router is configured to use PPPoE, a user may not be able to download a file using FTP or display web pages from Internet hosts that he is able to ping or telnet to. This can happen if SDM is being used on a router with interfaces that SDM does not support, such as Token Ring or VLAN interfaces. SDM does not deliver the command ip tcp adjust-mss 1452 to unsupported interfaces.
Workaround:
Use the CLI to add the ip tcp adjust-mss 1452 command to the VLAN or Token Ring interface configuration. Telnet to the router and enter the following command in VLAN or Token Ring interface configuration mode.
ip tcp adjust-mss 1452
•
The SDM Startup Wizard may not deliver the configuration to a 2691 router running IOS images of versions 12.2(15)T or 12.2(15)ZJ when SSH is used to communicate between SDM and the router. When SDM is invoked using the string https://router-IP-address, SDM uses SSH.
Workaround:
When launching SDM, click cancel in the SSH credentials window. SDM will use the Telnet protocol to communicate with the router. Enter the login ID and password in the Telnet credentials window.
•
SDM may take up to 12 seconds to display the DMVPN Hub and Spoke wizard after it is selected and the Launch the selected task button is clicked. This latency may occur if a JRE plugin of any version is running in the browser, or if SDM is using the SSH or Telnet communications module.
•
SDM may take several seconds to display screens in the DMVPN wizard. This latency may occur if a Jave plugin is running in the browser.
•
Using an interface configured with IP unnumbered as a DMVPN tunnel source may cause the Cisco IOS to crash. An interface configured as IP unnumbered uses the IP address of another interface on the router. This IOS problem does not always occur.
Workaround:
Instead of using an IP unnumbered interface as the DMVPN tunnel source, use the interface that is referenced in the ip unnumbered command. If you are configuring a hub, the interface must have a static IP address.
•
SDM cannot be launched successfully using Internet Explorer if the browser is using java plugin 1.3.1 or 1.4.1 and java plugin 1.4.2 is installed but not integrated in Internet Explorer.
Workaround:
Use custom installation mode to install java plugin 1.4.2, and select the option to integrate the plugin with Internet Explorer.
•
The router reloads when an NHRP tunnel interface is removed. This is an IOS caveat which you may encounter when deleting a Dynamic Multipoint VPN tunnel. This caveat duplicates CSCed41641. There is no workaround for this problem.
•
If an Analog Modem or ISDN connection is deleted using SDM, the dialer interface may not be deleted from the configuration and the router may reload. This is due to an IOS caveat, CSCin69090. This occurs on routers using Cisco IOS images of version 12.3(4)XG or later, or Cisco IOS version 12.3(7)T. There is no workaround for this problem.
•
An ISDN connection configured using SDM may not come up if the router is running Cisco IOS versions 12.3(7)T or 12.3(6) and if the ISDN connection was created after deleting an existing ISDN connection.
Workaround:
Click Refresh on the SDM tool bar. Go to the Advanced Mode Interface and Connections window. Select the BRI interface that was configured for the ISDN connection, and click the Disable button.
•
On routers running Cisco IOS version 12.3(6), IOS may reload if SDM is started using HTTPS.
Workaround:
Start SDM by entering http://<ip-address>. Do not use https://<ip-address>.
Resolved Caveats - Release 1.1
This section lists caveats that are resolved in release 1.1.
•
When updating SDM using Netscape 4.79, SDM occasionally is unable to contact the Cisco.com webserver when the webserver is running, and displays the message "Contacting Cisco.com for SDM updates. Please wait ..."for an indefinite time. The user has to shut down the web browser to dismiss the message. If the web server is actually down, the following message is displayed:
"SDM failed to contact Cisco.com. Please check that your internet connection is up. Then try again."
This problem has been fixed in this release.
•
In SDM updates, back up will fail for the image 12.2(13)T8. This is because the time stamps that the SDM backup feature checks to compare modification dates are not present in Flash memory. If the file being checked is an SDM file, the back up of that file fails. This problem has been fixed in this release.
•
Configuration of NTP client using SDM fails if an interface configured as a firewall trusted interface is deleted. This problem has been fixed in this release.
•
SDM can take more than 30 seconds to switch from Advanced Mode to Wizard Mode. This problem has been fixed in this release.
Documentation Updates
The following sections explain how documentation may be inaccurate or incomplete.
Omissions
The following sections explain information that was not included in documentation.
Cisco Security Device Manager (SDM) Quick Start Guide: Disable Proxy Settings
SDM will not launch when run under Internet Explorer using JRE plugin versions 1.3.1, 1.4.0, 1.4.1, or 1.4.2 and proxy settings are enabled. To correct this problem, select Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.
SDM Default Configuration File
SDM includes a default configuration file. The configuration does the following:
•
•
•
•
Note
Caution
SDM Is Not Supported on SOHO 91, SOHO 96, and SOHO 97 Routers.
The Cisco 831, 836, and 837 Cabling and Setup Quick Start Guides do not state that SDM is not supported on the SOHO 91, SOHO 96, and SOHO 97 routers. The SOHO series of routers do not support SDM.
Modifying the Default Configuration File in Cisco 3620 and 3640 Routers
The instructions provided in the Cisco 3620 and 3640 Modular Access Routers Quick Start Guide for Starting SDM might not work.
The initial communication between a browser running on a PC and SDM is controlled by the default configuration file for the router. On most supported routers, SDM uses a fixed Fast Ethernet port at address `0`, Fast Ethernet 0/0 or Fast Ethernet 0. The PC is connected to this interface, and the interface is given an IP address in the default configuration file that SDM recognizes.
For the 3620 and 3640 routers there are no fixed Ethernet ports.
By convention many of these routers ship with a Fast Ethernet capable network module in Slot 0. SDM assumes this to be the case in its default configuration file. If this is not true for your router, you need to modify the default configuration file to enable and provide an IP address for an Ethernet interface before SDM can communicate with the router.
Perform the following steps to enable SDM to communicate with the browser:
Step 1
Step 2
Step
Guest
