Release Note for the Cisco Traffic Anomaly Detector Appliance
October 20, 2008
Note: The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to software versions 6.1(2) and 6.1(5) for the Cisco Traffic Anomaly Detector appliance (Detector). This release note contains the following sections:
• New Features in Software Version 6.1(2)
• Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)
• MultiDevice Manager Commands Omitted from the Configuration Guide
• Software Version 6.1(5) Resolved and Open Caveats
• Software Version 6.1(2) Resolved and Open Caveats
• Obtaining Documentation and Submitting a Service Request
New Features in Software Version 6.1(2)
The following new features are available in software version 6.1(2):
• New policies for persistent low-rate attackers
• Traffic IP summarization
• Disable VLANs if the physical interface is down
• Add the zone name to the capture file name
• Configurable log capacity
• Implicit write memory for router mode
• Restrict user access to the management interface only
• Interface display order
• Monitoring system resources from the Web-Based Manager (WBM)
• Enhanced AAA support in the WBM
Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)
In software version 4.x, the Detector allowed you to configure illegal subnet masks. In software version 5.1(4), the Detector checks to ensure that subnet masks are legal. When you upgrade from a software version prior to 5.1(4) to version 6.1(x), the Detector corrupts all zone configurations that contain an illegal subnet mask. To prevent the Detector from corrupting a zone configuration that contains an illegal subnet mask, configure the zone configuration with a legal subnet mask by performing the following steps prior to upgrading the software:
Step 1: Use the no ip address command to delete the zone IP address and its subnet mask.
Step 2: Use the ip address command to reconfigure the zone IP address with a legal subnet mask.
For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Traffic Anomaly Detector Configuration Guide.
Software upgrade instructions are located in the "Upgrading the Detector Software Version" section in the Cisco Traffic Anomaly Detector Configuration Guide.
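As an added pre-upgrade check (example code, not Cisco's; the zone / ip address line layout and the sample configuration are assumed, constructed inputs), this script flags every zone IP address entry whose subnet mask is not a contiguous prefix, so that the entry can be corrected with the two steps above before the software is upgraded:

```python
"""Pre-upgrade check for illegal subnet masks in Detector zone configurations.
Added example, not Cisco's code. The 'zone <name>' / 'ip address <addr> <mask>'
line layout and the sample configuration below are assumed (constructed)."""
import ipaddress
import re

ZONE_RE = re.compile(r"^\s*zone\s+(\S+)")
IP_ADDRESS_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)\s*$")

# Constructed sample: one zone carries a non-contiguous (illegal) mask.
SAMPLE_CONFIG = """\
zone web-farm
 ip address 192.0.2.0 255.255.0.255
 ip address 198.51.100.0 255.255.255.0
zone dns-servers
 ip address 203.0.113.0 255.255.255.248
"""


def is_legal_mask(mask: str) -> bool:
    """True if the mask is a run of 1 bits followed only by 0 bits (e.g. /24)."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False  # not even a dotted quad
    # Invert the mask: a contiguous prefix becomes 2**n - 1, and such
    # values are exactly those with x & (x + 1) == 0.
    inverted = value ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def find_illegal_masks(config_text: str) -> list:
    """Return (zone, address, mask) for each ip address line with an illegal mask."""
    zone = "<no zone>"
    findings = []
    for line in config_text.splitlines():
        zone_match = ZONE_RE.match(line)
        if zone_match:
            zone = zone_match.group(1)
            continue
        ip_match = IP_ADDRESS_RE.match(line)
        if ip_match and not is_legal_mask(ip_match.group(2)):
            findings.append((zone, ip_match.group(1), ip_match.group(2)))
    return findings


if __name__ == "__main__":
    for zone, addr, mask in find_illegal_masks(SAMPLE_CONFIG):
        # Step 1 of the fix; the replacement mask is the operator's decision.
        print(f"zone {zone}: no ip address {addr} {mask}  "
              f"(then: ip address {addr} <LEGAL-MASK>)")
```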
Operating Considerations
The following operating considerations apply to the Detector:
• The copy ftp command supports active mode only.
• The Detector must be running software version 6.1(x) to operate with Cisco MultiDevice Manager software version 1.5(1).
• Downgrading software versions is not supported.
MultiDevice Manager Commands Omitted from the Configuration Guide
Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Detector were introduced in software version 5.1(5), but were omitted from the Cisco Traffic Anomaly Detector Configuration Guide. The following sections describe these commands:
mdm logging trap Command
To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.
The syntax for this command is as follows:
mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
The following table describes the keywords for the mdm logging trap command.
For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode.
user@DETECTOR# configure
user@DETECTOR-conf# mdm logging trap informational
mdm restore Command
When you enable the MDM service on the Detector so that you can manage the device from the MDM, the MDM automatically upgrades the device Remote Agent (RA) when it initiates a communication link with the device. While the MDM is upgrading the device RA, the MDM displays the device operating state as Initializing. The state changes to Connected when the RA upgrade is complete.
A device that appears to remain permanently in the Initializing state may indicate that the MDM is attempting to upgrade the device RA but cannot complete the upgrade.
To resolve RA upgrade and connection problems, use the mdm restore command in global configuration mode. This command returns the device RA to the stub and forces the MDM to reinstall the latest RA version.
The syntax for this command is as follows:
mdm restore
For example:
user@DETECTOR# configure
user@DETECTOR-conf# mdm restore
show mdm Command
To check the status of MDM connections and settings, use the show mdm command in EXEC mode. The syntax for this command is as follows:
show mdm
For example:
user@DETECTOR# show mdm
The following table describes the fields in the show mdm display.
Software Version 6.1(5) Resolved and Open Caveats
The following sections contain the resolved and open caveats in software version 6.1(5):
• Software Version 6.1(5) Resolved Caveats
• Software Version 6.1(5) Open Caveats
Software Version 6.1(5) Resolved Caveats
The following caveats were resolved in software version 6.1(5):
• CSCsi07283—The WBM does not reflect changes to the TimeZone definition until the Detector is rebooted.
• CSCsi21984—When you use the WBM to browse to a zone page, the response time is slow when the zone has been active for a long time and the zone logs have become extremely long.
• CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Detector to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:
  a. You modify a specific policy using the WBM Config Policy screen.
  b. You activate anomaly detection.
  c. The device detects traffic packets associated with the modified policy.
• CSCsq63421—The CM subsystem fails and the Detector reloads.
• CSCsu33377 and CSCso41927—The disk becomes full, various show commands stop working, and logs are not written.
Software Version 6.1(5) Open Caveats
The following caveats are open in software version 6.1(5):
• CSCsb05557—Remote activation and synchronization processes from a Detector appliance to a Guard appliance do not function when the Detector is located behind a device that is performing Network Address Translation (NAT). Workaround: Reconfigure the network configuration to disable NAT.
• CSCsb20206—The WBM remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.
• CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector may stop functioning or start logging errors after reaching 100 percent anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Detector. Reducing the number of active zones may free up memory.
• CSCsc49737—If the Detector issues and logs an error message, and then attempts two additional loads, the accelerator card may fail to load on the first attempt during the reload or bootup process. Workaround: None.
• CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the Detector. Workaround: Remove the login banner.
• CSCsc77155—After a Detector reloads 1,024 consecutive times, you cannot access it from the network. Workaround: Reboot the Detector.
• CSCsd39569—After several hundred consecutive reloads, the Detector may automatically reboot. Workaround: None.
• CSCsd71002—When you use the dst-ip-by-name activation method to define a zone on the Detector and an attack occurs on several IP addresses from the zone range, the Detector does not create and activate all child zones that are being attacked. If global policies are active while the dst_ip policy is not, only the first recognized IP address is protected successfully. Workaround: Make sure the dst_ip policies are active on the zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.
• CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.
• CSCsg42338—The Detector CPU usage may reach 100 percent. Workaround: Reboot the Detector.
• CSCsq70377—On rare occasions, shortly after the Detector returns from the Detect state to the Detect&Learn state, the watchdog process may reload the Detector. Workaround: None required. The reload results from the watchdog process recognizing an internal failure; the Detector is operational once the reload is complete.
Software Version 6.1(2) Resolved and Open Caveats
The following sections contain the resolved and open caveats in software version 6.1(2):
• Software Version 6.1(2) Resolved Caveats
• Software Version 6.1(2) Open Caveats
Software Version 6.1(2) Resolved Caveats
The following caveats were resolved in software version 6.1(2):
• CSCsg76448—Multiple vulnerabilities exist in the OpenSSL library. The vulnerabilities described in the Cisco Security Response are present in Guard and Detector sensor software versions 5.0(3) and higher. See the Cisco Security Response at http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
• CSCsi50185—When synchronizing time with the NTP server, the Detector intermittently detects a major clock change (16 seconds or more) and issues a log message.
• CSCsj27292—The Detector does not count bypass filters correctly, which may cause the watchdog to reload the Detector.
• CSCsk40023—The policy snapshot time that is shown in the Web-Based Manager (WBM) or Central Manager (CM) is incorrect after an upgrade from version 5.1.
• CSCsk51827—The zone list in the WBM is empty when there are recommendations on at least one of the zones.
• CSCsl07921—All reports may be removed during the log rotation procedure.
Software Version 6.1(2) Open Caveats
The following caveats are open in software version 6.1(2):
• CSCsb05557—Remote activation and synchronization processes from a Detector appliance to a Guard appliance do not function when the Detector is located behind a device that is performing Network Address Translation (NAT). Workaround: Reconfigure the network configuration to disable NAT.
• CSCsb20206—The WBM remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.
• CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector may stop functioning or start logging errors after reaching 100 percent anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Detector. Reducing the number of active zones may free up memory.
• CSCsc49737—If the Detector issues and logs an error message, and then attempts two additional loads, the accelerator card may fail to load on the first attempt during the reload or bootup process. Workaround: None.
• CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the Detector. Workaround: Remove the login banner.
• CSCsc77155—After a Detector reloads 1,024 consecutive times, you cannot access it from the network. Workaround: Reboot the Detector.
• CSCsd39569—After several hundred consecutive reloads, the Detector may automatically reboot. Workaround: None.
• CSCsd71002—When you use the dst-ip-by-name activation method to define a zone on the Detector and an attack occurs on several IP addresses from the zone range, the Detector does not create and activate all child zones that are being attacked. If global policies are active while the dst_ip policy is not, only the first recognized IP address is protected successfully. Workaround: Make sure the dst_ip policies are active on the zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.
• CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.
• CSCsg42338—The Detector CPU usage may reach 100 percent. Workaround: Reboot the Detector.
• CSCsi07283—The WBM does not reflect changes to the TimeZone definition until the Detector is rebooted. Workaround: Reboot the Detector.
• CSCsi21984—When you use the WBM to browse to a zone page, the response time is slow when the zone has been active for a long time and the zone logs have become extremely long. Workaround: Export the zone logs to an external server and then clear the log files from the Detector database.
• CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Detector to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:
  a. You modify a specific policy using the WBM Config Policy screen.
  b. You activate anomaly detection.
  c. The device detects traffic packets associated with the modified policy.
  Workaround: If you can apply the policy change to more than one policy, configure the policies using the WBM Config Policy Group screen, which you access by selecting multiple policies to configure. If you need to apply the change to one policy only, use the device CLI.
  If the problem already exists, use one of the following methods to correct it:
  – Use the device CLI to export the zone configuration and then import it back under a different zone name (do not use the copy-from operation).
  – Use the WBM or the device CLI to remove the service associated with the policy and then add it back to the zone configuration. For example, if the problem exists with the http/80/analysis/syns/src_ip policy, remove the http/80 service and then add it back to the zone configuration. After you add the service, you must allow the device to perform the threshold-tuning phase of the learning process. This method does not work for built-in services, such as the tcp_services/any and dns_udp/53 services, because these services cannot be removed.
Related Documentation
The following Detector documents are available:
• Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note
• Cisco Traffic Anomaly Detector Configuration Guide
• Cisco Traffic Anomaly Detector Web-Based Manager Configuration Guide
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.