Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series Release Notes, Version 7.0(5)

Downloads

Table Of Contents

Cisco ASA 5500 Series Release Notes Version 7.0(5)

Contents

Introduction

System Requirements

Memory Requirements

Determining the Software Version

Upgrading to a New Software Release

New Features

Command to Control DNS Guard

Enhanced IPSEC Inspection

Command to Disable RST for Denied TCP Packets

Increased Connections and VLANs

Password Increased in Local Database

Enhanced show interface and show traffic Commands

Important Notes

Important Notes in Release 7.0

FIPS 140-2

Hostname and Domain Name Limitation

WebVPN ACLS and DNS Hostname

Proxy Server and ASA

Mismatch PFS

ACS Radius Authorization Server

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

User Upgrade Guide

Features not Supported in Version 7.0

MIB Supported

Downgrade to Previous Version

Caveats

Open Caveats - Release 7.0(5)

Resolved Caveats - Release 7.0(5)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Obtaining Additional Publications and Information


Cisco ASA 5500 Series Release Notes Version 7.0(5)

April 2006

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

The Cisco ASA 5500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.

For more information on all the new features, see New Features.

Additionally, the Cisco ASA 5500 series security appliance software supports Adaptive Security Device Manager. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a Cisco ASA 5500 series security appliance. This section includes the following topics:

Memory Requirements

Determining the Software Version

Upgrading to a New Software Release

Memory Requirements

Table 1 lists the DRAM memory requirements for the Cisco ASA 5500 series security appliance.

Table 1 DRAM Memory Requirements 

ASA Model
DRAM Memory

ASA 5510

256 MB

ASA 5520

512 MB

ASA 5540

1 GB


All Cisco ASA 5500 series security appliances require a minimum of 64 MB of internal CompactFlash.

Determining the Software Version

Use the show version command to verify the software version of your Cisco ASA 5500 series security appliance.

Upgrading to a New Software Release

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/kobayashi/sw-center/products.shtml

New Features

This section describes the new features in this release. This section includes the following topics:

Command to Control DNS Guard

Version 7.0(5) introduces a new global configuration command, dns guard to control the DNS guard function. In releases prior to 7.0(5), the DNS guard functions are always enabled regardless of the configuration of DNS inspection:

Stateful tracking of the DNS response with DNS request to match the ID

Tearing down the DNS connection when all pending requests are responded

This command is effective only on interfaces with inspect dns disabled. When DNS inspection is enabled, the DNS guard function is always performed. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Command to Disable RST for Denied TCP Packets

When a TCP packet is denied, the adaptive security appliance always sends a reset when the packet is going from a high security to a low security interface. The service resetinbound command is used to enable or disable sending resets when a TCP packet is denied when going from a low security to a high security interface. The service resetinbound command is introduced to control sending RESETs when a packet is denied when going from a high security to a low security interface. The existing service resetinbound command is enhanced to take an additional interface option.

[no] service resetoutbound [interface <ifc name>]

[no] service resetinbound [interface <ifc name>]

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Increased Connections and VLANs

The maximum connections and VLANs is increased to the following numbers.

ASA5510 base license conns 32000->50000 vlans 0->10

ASA5510 plus license conns 64000->130000 vlans 10->25

ASA5520 conns 130000->280000 vlans 25->100

ASA5540 conns 280000->400000 vlans 100->200

Password Increased in Local Database

Username and enable password length limits increased from 16 to 32 in the LOCAL database.

Enhanced show interface and show traffic Commands

The traffic statistics displayed in both the show interface and show traffic commands now support 1 minute rate and 5 minute rate for input, output and drop. The rate is calculated as the delta between the last two sampling points. For a 1 minute rate and a 5 minute rate, a 1 minute timer and a 5 minute timer are run constantly for the rates respectively. An example of the new display follows:

1 minute input rate 128 pkts/sec, 15600 bytes/sec

1 minute output rate 118 pkts/sec, 13646 bytes/sec

1 minute drop rate 12 pkts/sec

5 minute input rate 112 pkts/sec, 13504 bytes/sec

5 minute output rate 101 pkts/sec, 12104 bytes/sec

5 minute drop rate 4 pkts/sec

Important Notes

Important Notes in Release 7.0

This section lists important notes related to release 7.0(5).

FIPS 140-2

The Cisco ASA 5500 series security appliance is on the FIPS 140-2 Pre-Validation List.

Hostname and Domain Name Limitation

When using ASDM, the hostname and domain names combined should not be more than 63 characters long. If the hostname and domain names combined is more than 63 characters, you will get an error message.

WebVPN ACLS and DNS Hostname

When a deny webtype URL ACL (DNS-based) is defined, but the DNS-based URL is not reachable, a "DNS Error" popup is displayed on the browser. The ACL hitcounter is also not incremented.

If the URL ACL is defined by an IP instead of DNS name, then the traffic flow hitting the ACL will be recorded in the hitcounter and a "Connection Error" is displayed on the browser.

Proxy Server and ASA

If WebVPN is configured to use an HTTP(S)-proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client/browser may expect the following behavior:

1. If the ASA cannot communicate with the HTTPS or HTTPS proxy server, a "connection error" is displayed on the client browser.

2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn will display it to the client browser.

Only when the HTTP(S) proxy server notifies the ASA of the inaccessible URL, can the ASA notify the error to the client browser.

Mismatch PFS

The PFS setting on the VPN client and the security appliance must match.

ACS Radius Authorization Server

When certificate authentication is used in conjuction with Radius authorization, the ACS server sends a bogus Group=CISCOACS:0003b9c6/5a940131/username and is displayed in the vpn-session database.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The Cisco ASA 5500 series security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefit:

ACE Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.

User Upgrade Guide

For a list of deprecated features, and user upgrade information, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/migr_vpn/index.htm

Features not Supported in Version 7.0

The following features are not supported in Version 7.0(5):

PPPoE

L2TP over IPSec

PPTP

MIB Supported

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caveats

The following sections describe the caveats for the 7.0(5) release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do

Open Caveats - Release 7.0(5)

Table 2 Open Caveats 

ID Number
Software Release 7.0(5)
Corrected
Caveat Title

CSCei47678

No

SNMP packet size standards in RFC3417 not fully supported.

CSCek21836

No

SIP: BYE embryonic connection timestamp not updated.

CSCsc36891

No

Higher CPU utilization for url filtering in recent releases.

CSCsc37965

No

IP-directed broadcasts no longer allowed through device.

CSCsc68575

No

CPU usage is higher for given traffic throughput in recent releases.

CSCsc97602

No

Traceback is sometimes observed in tmatch compile thread.

CSCsd00086

No

ASDM connection may cause packet loss

CSCsd08170

No

UDP 500 not removed from pat port pool when crypto map is applied

CSCsd59936

No

Registering to the RP for PIM fails if fragmented in more then 12 packs

CSCsd69625

No

EZVPN:IOS C876 Client can't connect to ASA using digi certs and noXauth

CSCsd75865

No

VPN address pool overlap may cause packet drop.

CSCsd78428

No

Traceback may occur in Checkheaps on standby unit

CSCsd79596

No

H245 connection going idle although traffic on RTP stream and H225.

CSCsd82355

No

Malformed syslog packets may be generated.

CSCsd82714

No

RTSP fails with Windows media player

CSCsd84394

No

IPSec: Invalid block submitted to outbound packet processing

CSCsd85345

No

Traceback may occur in fover_parse on 7.0.4

CSCsd89503

No

Traceback during failover in routing module

CSCsd93207

No

Show failover indicates different uptimes on devices in failover pair

CSCsd93380

No

Packets for VPN-l2l peer get dropped instead of encrypted


Resolved Caveats - Release 7.0(5)

Table 3 Resolved Caveats 

ID Number
Software Release 7.0(5)
Corrected
Caveat Title

CSCeh46345

Yes

Dynamic L2L could pass clear text traffic when tunnel terminates

CSCeh60845

Yes

Logginig queue incorrectly registers 8192 256-byte blocks

CSCeh70043

Yes

DOC: sh asp drop needs further clarification in doc

CSCeh90617

Yes

Recompiling ACLs can cause packet drops on low-end platforms

CSCei43588

Yes

traceback when trying to match a packet to acl with deny

CSCek21835

Yes

Higher metric OSPF external route is selected

CSCek21837

Yes

PDM with Command Authorization requires the write command for Read-Only

CSCek21838

Yes

SIP: fail to open a conn for Record route in NOTIFY

CSCek21843

Yes

SIP: Not translate c= address if first m= has port 0 in SDP body.

CSCek21849

Yes

Backspace sent in cut-through proxy authentication

CSCek26572

Yes

tftp fixup does not allow error message from client

CSCsc02485

Yes

Session Cmd: sendind 036xr to exit session to ssm causes Traceback

CSCsc03061

Yes

CLI should generate Warning if kerberos-relm is not in all uppercase

CSCsc07614

Yes

Minimum unit poll time causes trouble for failover with 4GE card

CSCsc08188

Yes

5540 crash during 1000+ tunnel, multi-encapsulation system testing

CSCsc12094

Yes

AAA fallback authentication does not work with reactivation-mode timed

CSCsc15434

Yes

Assertion violation w/icmp traffic and icmp inspection

CSCsc16041

Yes

'clear local host' results in memory leak

CSCsc16507

Yes

url-server: cannot remove despite having removed url-block cmd

CSCsc18444

Yes

Tunnel-group for specific peer not created upgrading to 7.0 w/ certs

CSCsc18911

Yes

ASA does not remove OSPF route for global PAT entry after deleting

CSCsc20102

Yes

webfo: traceback during bulk sync in vpnfol_thread_sync

CSCsc26331

Yes

PKI: CR should not be used to terminate certificate console input

CSCsc27972

Yes

Traceback when changing crypto maps when Answer-Only in lower sequence

CSCsc31762

Yes

Fixup RTSP does not re-write the SET Parameter to the NATed IP address

CSCsc31788

Yes

Failover Primary access-list delete problem crashes secondary

CSCsc33385

Yes

GTP - pdp context creation failed - GSN tunnel limit exceeded

CSCsc34022

Yes

ASA requires improved failover testing method

CSCsc36332

Yes

Crash with show running-config all when priority class configured

CSCsc36898

Yes

FIPS: POST Bypass test failure

CSCsc37492

Yes

ASA: snmp-server host is not working in some circumstances

CSCsc39334

Yes

Crash due to check-retransmission from the tcp-map

CSCsc39559

Yes

APPFW:Obfuscated characters causing alert with firefox browser

CSCsc42204

Yes

Syslog ID 111005 no longer being logged when user exits config mode

CSCsc44566

Yes

Traceback in Dispatch Unit - pm_rcv_cb_ids

CSCsc44591

Yes

Traceback in ARP Thread - arp_sendbp in mulicontext mode

CSCsc46976

Yes

SIP: crash when failed to pre-allocate early rtp

CSCsc48330

Yes

OpenSSL Security Advisory: Potential SSL 2.0 Rollback

CSCsc48463

Yes

Traceback on ASA 5510 in Thread Name: vpnfo_thread_msg

CSCsc49830

Yes

IKE daemon crashes after upgrading

CSCsc49873

Yes

VPN-filter not applied without for remote VPN clients without xauth

CSCsc56552

Yes

Adding user context causes traceback on Standby unit

CSCsc57901

Yes

Memory leak when the standby unit fails to parse IKE messages

CSCsc57935

Yes

ASA FO should give warning when there is OS version difference

CSCsc58416

Yes

ASA crash in Dispatch Unit thread

CSCsc59298

Yes

VPN: IPSec errors are reported when trying to fragment compressed pkts

CSCsc60506

Yes

Large banner from RADIUS is causing traceback

CSCsc67347

Yes

VPN locks up under throughput stress

CSCsc73580

Yes

traceback in logger_save after clear config logging

CSCsc73942

Yes

TCP RST is dropped when there is outstanding data that is not acked

CSCsc77884

Yes

GTP: should check spare bits in header

CSCsc78817

Yes

ASA crashes in FWTask() during clear config all

CSCsc78900

Yes

Reload with Thread Name: Dispatch Unit at tcp_check_packet

CSCsc81668

Yes

https://<ip>/config does not have the same privilege level as 'write'

CSCsc83854

Yes

ASA endlessly sends Radius Access-Requests when requesting a BIG dACL

CSCsc84291

Yes

When using SSL the warning message is not returned back

CSCsc86217

Yes

Voice Proxy Function does not preserve DSCP bits.

CSCsc90944

Yes

ASA sends malformed https proxy authentication page.

CSCsc92575

Yes

Upgrade Activation Key reduces permitted interfaces

CSCsc97846

Yes

CPU utilization increase when adding more logging hosts.

CSCsc97905

Yes

traceback when running codenomicon snmp suite. eip 0x00ebf294

CSCsc98336

Yes

Large group-policy names cause crash if used with IPSec

CSCsc99263

Yes

GTPv1: Subsequent Create Req to modify PDP context IEs are not processed

CSCsc99339

Yes

traceback when running ospf codenomicon suite.eip 0x00ef5f7c

CSCsc99364

Yes

SSL Certs from Verisign Managed PKI do not install

CSCsd00051

Yes

SNMP polling may cause packet loss

CSCsd00175

Yes

ASA5510 drops FIN/ACK packets resulting in half open FTP sessions

CSCsd01096

Yes

Primary active crash and both primary and secondary are non-active

CSCsd01722

Yes

ASA 7.0 logging message 419001 always sent in message lists

CSCsd02938

Yes

ASA doesn't reconnect if websense server goes down

CSCsd03391

Yes

TCP Intercept doesn't negate CPU impact when SYN flood from adjacent net

CSCsd04700

Yes

match port option for setting connection time-outs does not work

CSCsd08060

Yes

Memory corruption caused by session DB when events are out of sync..

CSCsd10138

Yes

Crash in Checkheaps thread when enabling LAN2LAN vpn

CSCsd11179

Yes

SNMP polling of resource MIBS may cause packet loss

CSCsd11511

Yes

Crash due to memory corruption in sanity check of the Checkheaps thread

CSCsd11908

Yes

Traceback in logger_save thread

CSCsd13334

Yes

ASA, Memory Leaking tunnel-group authorization-dn-attributes

CSCsd13938

Yes

Traceback and Assertion in "fover_dev.c", line 513

CSCsd16751

Yes

GTP: wrong service-policy used when connection is re-used

CSCsd22910

Yes

users with passwords longer than 11 chars can no longer authenticate

CSCsd25553

Yes

ASA crashes when VPN client tries to make connection to inside interface

CSCsd28581

Yes

ASA failover : Secondary crashes with Thread Name: IKE Daemon

CSCsd31068

Yes

platform image read as ascii if uploaded by asdm to flash:

CSCsd34070

Yes

H.245 inspection skipped when malformed GKRCS packet

CSCsd36030

Yes

in multiple policy-maps, packets should match the first map,not the last

CSCsd37075

Yes

DSH API should check for 0 handle

CSCsd38929

Yes

SSL Verisign imported certificate fails when establishing SSL session

CSCsd39029

Yes

Traceback with Thread Name: Dispatch Unit

CSCsd44349

Yes

PIM codenomicon suite crashes box - eip 0x010811f3

CSCsd45099

Yes

logging debug-trace should not prevent debugs from printing to console

CSCsd46111

Yes

Traceback when using sh xlate via telnet over VPN tunnel

CSCsd46922

Yes

High CPU usage when configuring/compiling ACL's

CSCsd48512

Yes

Duplicate ASP crypto table entry causes firewall to not encrypt traffic

CSCsd51884

Yes

Restore debug icmp trace functionallity - showing nat translation

CSCsd58620

Yes

H.323: Memory Leak Under Load

CSCsd58848

Yes

Memory allocated for connections not freed

CSCsd63673

Yes

ASA with dhcprelay doesnt reply with unicast DHCP offer

CSCsd64394

Yes

Deny syslog not generated for denied URLs trafic

CSCsd64912

Yes

url-server: tcp connections fail when tcp stack users are exhausted

CSCsd64920

Yes

url-server: url lookup requests are not retried when using tcp

CSCsd65209

Yes

url-block block: http response buffering feature does not work

CSCsd65215

Yes

Capture access-list shows only 1 hit count for outbound traffic

CSCsd67647

Yes

Traceback in obj-f1/tcp:_q_copydata+26 on copying image to ftp server

CSCsd70242

Yes

Some syslogs are incorrectly logged to an event list, when not specified

CSCsd70812

Yes

HA: Traffic Stall after config syncing running Act/Act fover

CSCsd72617

Yes

Dispatch Unit Crash when HTTP inspect enabled...ASA 7.1.2, 7.0.4-11

CSCsd72951

Yes

Traceback: Thread Name: IKE Daemon (Old pc 0x00507433 ebp 0x03bdc498)

CSCsd74964

Yes

SNP Inspect Http drops messages other than GET

CSCsd75794

Yes

MFW:R applfw crash on codenomicon http suite, test 39614 or 39615

CSCsd76384

Yes

dhcpc fails when management-access is configured

CSCsd77018

Yes

Traceback in obj-f1/snp_fp_main:_snp_fp_fragment+260

CSCsd77155

Yes

All out of order packets dropped by tcp normalizer

CSCsd78595

Yes

Global buffer drop output under show service-policy

CSCsd79775

Yes

ASA VPN: all packets for a l2l peer get dropped instead of encrypted

CSCsd81496

Yes

crash when websense service is restarted while requests are pending

CSCsd82114

Yes

Change of log options on the ACE doesn't take immediate effect

CSCsd83007

Yes

Need ability to disable dns guard in 7.0

CSCsd83863

Yes

Reload with Thread Name: Dispatch Unit

CSCsd85007

Yes

Dispatch unit crash at snp_fp_fragment with SSM card enabled

CSCsd85451

Yes

SAs not created when crypto map group and isakmp policy group are differ

CSCsd86841

Yes

F1 crash immediately after sending ping traffic thru GTP tunnel

CSCsd87779

Yes

fips self test power on never completes


Related Documentation

For additional information on the Cisco ASA 5500 series security appliance, refer to the following URL on Cisco.com:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies — security-alert@cisco.com

Nonemergencies — psirt@cisco.com

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html