Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 7.1(1)

Downloads

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 7.1(1)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Release

New Features

Important Notes

Important Notes in Release 7.1

Maximum Security Contexts and VLANs Supported

IKE Delete-with-Reason

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported in Version 7.1

MIB Supported

Downgrade to Previous Version

Caveats

Open Caveats - Release 7.1(1)

Resolved Caveats - Release 7.1(1)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Cisco PIX Security Appliance Release Notes Version 7.1(1)

February 2006

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.1.

The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.

For more information on all the new features, see New Features

Additionally, the security appliance software supports ASDM. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a security appliance.

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.1.

Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.1.

Table 1 Flash Memory Requirements 

Security Appliance Model
Flash Memory Required in Version 7.1

PIX 515/515E

16 MB

PIX 525

16 MB

PIX 535

16 MB


For more information on minimum memory requirements, see "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.1(1) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.1 is PIX Version 7.0. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

2. For information on specific licenses supported on each model of the security appliance, go to the following websites: www.cisco.com/go/license

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See the "http://www.cisco.com/pcgi-bin/tablebuild.pl/pix" for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.1(1). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.1(1). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 7.1(1) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 7.1(1) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 7.1(1) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN Remote v6.3

Version 7.1(1) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote v3.x/4x

Version 7.1(1) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 7.1(1) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance.

Upgrading to a New Software Release

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

If you want to upgrade or downgrade from Version 7.0.(x) to 7.1(1) and vice versa You must follow the steps below because older versions of the security appliance images does not recognize new ASDM images, new security appliance images does not recognize old ASDM images.

To upgrade from Version 7.0.(x) to 7.1(1), you must perform the following steps:

Step 1 Load the new Version 7.1(1) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will start using the Version 7.1(1) image.

Step 3 Copy new ASDM Version 5.1(1) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa.

To downgrade from Version 7.1(1) to 7.0.(x), you must perform the following steps:

Step 1 Load the new Version 7.1(1) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will be use the Version 7.0(x) image.

Step 3 Copy the ASDM Version 5.0(x) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa..

New Features

Version 7.1(1) is a maintenance release which includes several caveat resolutions.

Important Notes

Important Notes in Release 7.1

This section lists important notes related to Version 7.1(1).

Maximum Security Contexts and VLANs Supported

The maximum security contexts supported in release 7.1(1) for the PIX 535 are 50 tiers. The maximum number of VLANs supported are 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide

IKE Delete-with-Reason

IKE syslogs for Delete-with-Reason will not contain the reason text unless the clients support this feature. Currently the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.

Note The PIX 501security appliance is not supported in software Version 7.1.

User Upgrade Guide

Before upgrading to Version 7.1(1), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in the Cisco PIX Software Version7.0. For a list of deprecated features, and user upgrade information, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/index.htm

Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.1(1) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.1(1) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:

ACE insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.

Outbound ACLs and Time-based ACLs - Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling/Disabling of ACL Entries - Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.

Features not Supported in Version 7.1

The following features are not supported in Version7.1(1) release:

PPPoE

L2TP over IPSec

PPTP

MIB Supported

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for the 7.1(1) release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do

Open Caveats - Release 7.1(1)

Table 2 Open Caveats 

ID Number
Software Release 7.1(1) 
Corrected
Caveat Title

CSCsd11908

No

Traceback in logger_save thread

CSCsc15434

No

Assertion violation w/icmp traffic and icmp inspection

CSCsd21821

No

Traceback eip:sessmgrmain:_CheckSubRecConnectTime+23 after appl. act-key

CSCsd05080

No

inspect ftp cli creating unexpected error

CSCej04099

No

static xlate breaks management-access inside

CSCsc83495

No

dhcpc: client doesn't issue DISCOVER after server loses it's bindings

CSCsd17794

No

If FTP-Inspection is disabled in the ASA CLI the FTP-data is not scanned

CSCsd18563

No

Must ignore SPI field in Notify messages

CSCsd20882

No

Repeated Error messages on console

CSCsd21066

No

Static bypass in multicontext mode seems not working

CSCsd22425

No

multi-transparent mode ftp redirect is not working in my configuration

CSCsd23946

No

In Active-active failover, WCCP does not perform redirect correctly

CSCsb92848

No

ASA drops pkts with nat/global from third to outside


Resolved Caveats - Release 7.1(1)

Table 3 Resolved Caveats 

ID Number
Software Release 7.1(1)
Corrected
Caveat Title

CSCsc53448

Yes

Traceback while adding an Admin context

CSCei68679

Yes

Traceback on telnet TACACS+ authentication through the firewall.

CSCsb53407

Yes

MFIB: tracebacks when bouncing multicast-routing

CSCsb55550

Yes

traceback in pki_ctm:_pki_ctm_verify_signature+164 - 8192 bit certs conn

CSCsc25780

Yes

Traceback Thread Name: pix_flash_config_thread (Old pc 0x00723a09 ebp 0x

CSCsc73580

Yes

traceback in logger_save after clear config logging

CSCsc02574

Yes

pki: ID cert signature validation failure allows successful connection

CSCsc56552

Yes

Adding user context causes traceback on Standby unit

CSCsc09932

Yes

Assertion in file vf_api.c, line 264, traceback in strdup:_int3+4

CSCeh97228

Yes

cTCP: cTCP connection are dropped sporadically when connected F1 Bet

CSCsc36187

Yes

traceback after OWA 2003 log on to email.cisco.com while page is opening

CSCsb76426

Yes

DACL fails intermittently in PIX 7.0 code with ACL can't be found

CSCsb76995

Yes

%PIX-3-113001: Unable to open AAA session. Session limit [32] reached

CSCei29277

Yes

Performance of Skinny calls through PIX is poor

CSCei33166

Yes

Crash while pinging through a L2L tunnel w/ 10,000 byte pings

CSCsb77397

Yes

Traceback: eip 0x00c3426c strcpy:_strcpy+12, using deb menu ike commands

CSCei52906

Yes

Routes assoc. w/ net ext tunnels fail to get removed after tun drop

CSCsc50830

Yes

Memory corruption and traceback in strdup with inspect sqlnet config

CSCsc50177

Yes

rsh not working with fixup and nat0 acl configured

CSCei57279

Yes

Cascading ACL: Deny rules not working after tunnel established

CSCei64608

Yes

GTP: box reloads when Create Response has 3rd party GSN addr

CSCei71868

Yes

Deny message for inbound traffic with no access-list changed

CSCsb79950

Yes

FTP put hangs and timesout on put both active and passive

CSCei83304

Yes

clear conf sec doesnt clear igmp and ospf param in ifx submode

CSCsb81575

Yes

key gen causes an assert if ASA/PIX has DES only license

CSCei92828

Yes

Authentication failing for virtual telnet/http in transperent mode

CSCei93790

Yes

Clear configure all in single transparent mode causes traceback

CSCsb97680

Yes

traceback in radpact:_RADPBldHWClientReauth+260 during 3002 New Pin Mode

CSCsb82583

Yes

PIX515E with VAC+ fails FIPS validation test and reboots

CSCej08898

Yes

tcpintercept caused trcback.embconn=0,maxconn!=0,eip:0x00c32dbc

CSCsc06282

Yes

fover: ip local pool fails to replicate after issuing from grp submode

CSCsb45373

Yes

Traceback tcp_slow after vpn system test script strtd snd cfg setupUUT

CSCsb46603

Yes

GTP: Responses that reject Create Requests are dropped

CSCsb47825

Yes

F1 fails to establish TCP remote access sessions with 3002 HW client

CSCsb49125

Yes

F1 crashes at <show debug> command

CSCsb56247

Yes

traceback in crypto_pki:_crypto_pki_poll_crl+52 - with crl opt PKI

CSCsb58364

Yes

VPNFO: tunnels get dropped when fover occurs

CSCsb61027

Yes

mcast: secondary crashes shortly after sync'd with primary

CSCsb62617

Yes

VPN: assertion 0 failed: file malloc.c, line 4570 RA dial/hang test

CSCsb63920

Yes

CLI: no ssl trust-point cmmd causes traceback, ssl_chain:_ssl_trustpoint

CSCsc09527

Yes

VPNFO: cannot establish a vpn tunnel session limit reached sa cnt -1

CSCsb71198

Yes

incorrectly formatted DL ACL causes traceback in IKE daemon

CSCsc24671

Yes

DHCP address set does not trigger reg_invoke_ip_address_change()

CSCsb72803

Yes

Crash triggered when system is out of memory

CSCsc88348

Yes

traceback eip 0x006c80d9 obj-f1/snp_asdp_dev:_snp_asdp_pkt_rx+821

CSCsc88444

Yes

Traceback seen: obj-f1/snap:_snap_mini_dump+26

CSCsc89279

Yes

Standby Traceback, eip 0x006be09e obj-f1/snp_sp_main:_snp_sp_action_conn

CSCsd00427

Yes

eip: ctm_ipsec:_ctm_ipsec_create_sa+2266 when 750-3.6 client con to 5520

CSCsd01134

Yes

assertion addr->ip_version == IP_VERSION_6 failed: file printf.c

CSCei85052

Yes

IPv6:Copy TFTP fails, acknowledgement is sent to different port

CSCei89095

Yes

SAs not coming up when initiator has multiple transform sets

CSCei90839

Yes

1550 block leak after active switch to standby under load

CSCei92225

Yes

show interface will show negative number in input error under load

CSCei93593

Yes

IPv6: If MTU set less than 1500, bigger size pckt doesnt go thru

CSCej02689

Yes

traceback - ssh_init thread - eip 0x00a30b8a.ssh protocol test.

CSCej04201

Yes

IPv6:Bigger size pckts > mtu size dont go thru without inspect icmp

CSCej12122

Yes

no routing interface <if_name> does not reset youngest md5 key

CSCej12123

Yes

OSPF external routes preferred over internal with multiple processes

CSCej12600

Yes

After upgrade from 7.0.1, not-monitored inf became monitored

CSCsb50946

Yes

High cpu due to shun command

CSCsb51869

Yes

PKI: subject-name help should give a DN syntax example

CSCsb52950

Yes

With banner exec command and # as delimiter replication not correct

CSCsb53288

Yes

max conn limit not applied for multicast

CSCsb55104

Yes

Syslog message 710003 is overloaded; behaves different than in PIX 6.3

CSCsb56772

Yes

Skinny: conn torndown because TCP proxy sends more data than peer window

CSCsb57307

Yes

Scopy hangs when copying a file from f1 when using ssh version 2

CSCsb58444

Yes

downloadable ACL not removed on vpn termination

CSCsb58749

Yes

auto-detect not working for downloadable acl wildcard mask

CSCsb59776

Yes

Traceback in radius_snd when using - test aaa-server to Radius/SDI

CSCsb61644

Yes

PIX crashes when acessing ASDM over IPSec/TCP-10000 tunnel

CSCsb61990

Yes

Traceback in IKE Daemon (eip 0x00c2af18 memcpy:_memcpy+216) RadiusExpiry

CSCsb63002

Yes

snmp traceback with GetNext-Bulks with arbitrary OIDS--rem-access mib

CSCsb63781

Yes

VPN L2L Phase2 negotiation fails when using NAT-T and rekey on data

CSCsb65869

Yes

clear configure secondary does not clear global configurations

CSCsb66250

Yes

VPNFO: error bad vPifNum when write standby on vpnlb master

CSCsb67119

Yes

Inspect ESMTP incorrectly rewrites smtp reply containing 220 in text

CSCsb67664

Yes

Failover command needs to support input of hex keys

CSCsb68910

Yes

TCP MSS exceeded syslog number changed in 7.0.3.x

CSCsb71010

Yes

show vpn-sessiondb detail l2l displays 0 for rekey info for IKE sa

CSCsb72665

Yes

PIX may drop valid TCP segments that carry data in final segment

CSCsb74946

Yes

AAA authorization command accepts access-list with remark only

CSCsb76280

Yes

Traceback on replication attempt, on secondary with active-active config

CSCsb76955

Yes

MSIE Proxy Method in Default Policy Group is not initialized properly

CSCsb77249

Yes

doing no firewall trans, gives Failed to clear stats for . message

CSCsb77693

Yes

VPN-Session detail missing subnet masks for 501 management tunnels

CSCsb79023

Yes

Failover help message needs update for failover hex key

CSCsb79135

Yes

Failover hex key lost after reload

CSCsb79160

Yes

terminal width is not sync from the primary while failover config sync

CSCsb79387

Yes

Media-type unknown when install 1GE card to PIX-535 and PIX-525

CSCsb79601

Yes

Downloadable user ACL for IPSec clients not getting deleted

CSCsb80196

Yes

DHCP ID String is limited to 50 characters, should be 128

CSCsb82618

Yes

VPN: an abundance of removing peer from peer table failed events

CSCsb82663

Yes

Out of order TCP packets degrade HTTP inspection performance

CSCsb82686

Yes

AUS: after replace update, no pager still gives more prompt

CSCsb85087

Yes

Support timeouts for channel connections

CSCsb85124

Yes

VPNFO: certificate removal commands are not replicated properly

CSCsb86351

Yes

config missing on secondary for failover

CSCsb88991

Yes

Traceback: Thread Name: IKE Daemon (Old pc 0x00195bfd ebp 0x031bf44c)

CSCsb89147

Yes

certificate-to-username mapping broken for some DN attributes

CSCsb89384

Yes

VPN Failover: Timer processing stops after failover...

CSCsb93634

Yes

Can't assign host mask (255.255.255.255) to ip pools

CSCsb94618

Yes

copy command is broken - cannot copy files beginning with the letter c

CSCsb94651

Yes

Overlapping static statements should be allowed

CSCsb95044

Yes

VPNLB: default should not be a VPN Load Balancing submode command...

CSCsb95152

Yes

FIPS: Test Vector changes to support external algorithm testing

CSCsb95259

Yes

No hits shown on access-list associated to a group-policy vpn-filter

CSCsb96197

Yes

FIPS: pairwise key test not executed upon asdm connection

CSCsb98407

Yes

VOIP: outside NAT configuration fails for SIP/SKINNY Scripts

CSCsb98925

Yes

PIX-3-210007: LU allocate xlate failed is logged on the standby PIX

CSCsb99192

Yes

Show access-list | inc xxx causes traffic through device to be delayed

CSCsb99360

Yes

Logging queue 0 is wrongly shown as being unlimited queue

CSCsb99760

Yes

pix 7.0.2 extended split acl reverse of 6.3 format

CSCsb99778

Yes

Logging:logging class cmds using external host shouldnt exist in sys ctx

CSCsb99792

Yes

PATed ICMP conn stops PIX from responding to ICMP Echo-Requests

CSCsb99907

Yes

Long deny-message values do not get displayed via the show command

CSCsc01105

Yes

ASDM needs to return multiple lines - CRL retrieval error being reported

CSCsc02230

Yes

nat entry with outside keyword : ERROR: unable to download policy

CSCsc03061

Yes

CLI should generate Warning if kerberos-realm is not in all uppercase

CSCsc06273

Yes

LU allocate xlate failed for ftp data flow when PAT is configured

CSCsc06619

Yes

memory malloc error during import of certificate or pkcs12

CSCsc06702

Yes

VPN: Interface counters are incorrectly incremented on decrypted packets

CSCsc06839

Yes

GTP: F1 hit crash after <clear config all> + create + delete PDP req.

CSCsc07532

Yes

When changing password on radius server user gets logged off

CSCsc08684

Yes

PIX 7.0.2 built connection number shows up as negative on syslog

CSCsc09472

Yes

CTCP: max CTCP connections limit to 5 when CTCP port is TELNET/SSH port

CSCsc10182

Yes

telnet connections to the appliance are refused on active state change

CSCsc11493

Yes

Implement Syslog to ACL Rule Correlation

CSCsc14591

Yes

xlate and xlate perfmon print graph are all zeros

CSCsc14600

Yes

Traceback in _snp_nat_api_iface_portlist_cleanup+19 on clear conf all

CSCsc15015

Yes

Memory corruption in route_list_erase

CSCsc15378

Yes

Telnet to pix outside interface through IPSEC connection fails

CSCsc15737

Yes

VPNFO: vpnlb cmds produce error on standby after a no participate cmd

CSCsc16014

Yes

PIX 7.0 Spoofed TCP SYN packets can block legitimate TCP connections

CSCsc16503

Yes

Transparent firewall ASR UDP out traffic got errors and inbound failed

CSCsc22130

Yes

capture command does not accept smaller buffer sizes

CSCsc25161

Yes

In reboot loop after auto-update loaded image

CSCsc26331

Yes

PKI: CR should not be used to terminate certificate console input

CSCsc26445

Yes

some esmtp commands not supported in server responses

CSCsc27972

Yes

Traceback when changing crypto maps when Answer-Only in lower sequence

CSCsc28889

Yes

Upgrade pix 6.3.5 to 7.0.4 with PFS does not maintain ipsec group

CSCsc31195

Yes

PIX traceback in thread name: uauth (Old pc 0x009edcc1 ebp 0x0147281c)

CSCsc31564

Yes

memory corruption when copying image from a https server on PIX

CSCsc32430

Yes

vPif_isVpifNumValid:.. strings displayed when exiting telnet session

CSCsc32795

Yes

ERROR % displayed for Cryptochecksum after reboot

CSCsc34059

Yes

PIX denies FTP authorization for a user authorized for all IP traffic

CSCsc35308

Yes

VPNFO: P1 SA reference count should not be a stack variable...

CSCsc35952

Yes

Failover units lost synchronization

CSCsc36129

Yes

FTP passive mode does not work with dynamic NAT

CSCsc38604

Yes

In sh-acl output, display unique-id printed in syslog when that line hit

CSCsc41241

Yes

Port fix of CSCsc41236 from 3k to F1

CSCsc42204

Yes

Syslog ID 111005 no longer being logged when user exits config mode

CSCsc49830

Yes

PIX repeatedly rebooting after upgrading and using VPN

CSCsc49873

Yes

VPN-filter not applied for remote VPN clients without xauth enabled

CSCsc50543

Yes

ping traffic authorized when user configured to permit telnet only

CSCsc50781

Yes

active ftp fails with nat-exemption

CSCsc51711

Yes

MGCP not working with nat 0 acl

CSCsc57901

Yes

Memory leak when the standby unit fails to parse IKE messages

CSCsc57935

Yes

Failover should give warning when there is OS version difference

CSCsc58031

Yes

VPNLB: cluster encryption remains enabled even after a clear config all

CSCsc58416

Yes

PIX traceback in Dispatch Unit thread

CSCsc59298

Yes

VPN: IPSec errors are reported when trying to fragment compressed pkts

CSCsc60506

Yes

Large banner from RADIUS is causing traceback

CSCsc61078

Yes

rand() should not depend upon dbgtrace()

CSCsc65309

Yes

FO: lan failure doesn't invoke failover if config lacks standby IP addre

CSCsc65328

Yes

CTM ERROR: Failed to issue a command to the hardware messages on console

CSCsc65532

Yes

ASDM login page doesn't paint logo after clicked on Applet mode launch.

CSCsc67347

Yes

VPN locks up under throughput stress

CSCsc68126

Yes

PIX may run out of free TCP Sockets

CSCsc68390

Yes

sa_noise tool persuades users to log themselves out

CSCsc70975

Yes

Port numbers to be used while calculating ACE hash

CSCsc71588

Yes

VPNLB: vpn load-balancing will not work after issuing a clear config all

CSCeg80301

Yes

sh cpu cont all doesnt show load from ctxs when conns not inspected

CSCsc74542

Yes

Potential crash in ifs_image_destroy

CSCeh81062

Yes

wrong ip addr on outgoing packets when PAT and static port are used

CSCeh81351

Yes

GTP:Cannot create PDP Context when u clear config all and re-apply

CSCeh90617

Yes

Recompiling ACLs can cause packet drops on low-end platforms

CSCei00497

Yes

PIX/ASA 7.0 doesnt encrypt packets if next hop is PIX interface.

CSCsc77884

Yes

GTP: should check spare bits in header

CSCei02273

Yes

1st log message is not sent by mail in transparent firewall

CSCei15147

Yes

Cannot make more than 12 url-server persistent TCP connections

CSCei20466

Yes

Increase in CPU utilization when OSPF is enabled

CSCei24458

Yes

show ip local pool broken - doing show run ...

CSCei24685

Yes

priority-queue submode prompt does not start with config-

CSCei28659

Yes

Static Analysis doesnt run after make native

CSCei33696

Yes

reload after attempting to authenticate a ca after first try fails.

CSCsc81031

Yes

Missing RADIUS accounting information

CSCsc81236

Yes

PIX may reload unexpectedly when processing ICMP Error packets

CSCsc81302

Yes

RSA/SDI New Pin Mode doesn't work with RSA ACE Server 6.0

CSCei38636

Yes

VPN3K Port: Change to confidence interval

CSCei38646

Yes

VPN3K Port: IKE ID check

CSCei41326

Yes

AAA: fallback to LOCAL authentication does not work for SSH

CSCei51867

Yes

Usability - crypto config should be grouped together in CLI output

CSCei60811

Yes

Running config for specific banner cannot be displayed.

CSCei61532

Yes

VPNFO: Cant create IPSec SA on standby box with downloadable ACLs

CSCei62347

Yes

acl interval default value not shown when inactive parameter used

CSCei65306

Yes

IPv6-icmp build connection syslog does not get generated

CSCsc90254

Yes

TCP intercept not triggered with TCP module

CSCsc90434

Yes

Internal TCP echo server and client can be enabled with nat command

CSCsc91618

Yes

object-group is not included in calculation for syslog-to-ace hash

CSCei67562

Yes

TCP tunnel doesnt come up in some cases

CSCei69065

Yes

bad vPifNum error msg seen when config ssl trust-point

CSCei74588

Yes

Add support for showing/clearing NAT policies

CSCei74698

Yes

IPv6 Fragmented does not work for more than 24 fragments

CSCei77763

Yes

Tcp conn limit exceeded syslog not generated on telnet sess limit

CSCei83234

Yes

F1 err w show os <pid> <area> if area is in dotted IP format

CSCsd00536

Yes

OWA 5.5 error unable to get inbox and no authentication page

CSCsd00557

Yes

Login to CiscoWorks fails with 'Cookies Disabled';Refresh allows login

CSCsd00621

Yes

D/L access-lists do not get removed under certain conditions - svc fails

CSCsd00695

Yes

Block in http redirect should be freed using freeb(), not free()..

CSCsd00771

Yes

Distinguish SSL and IPSec in Load Balancing

CSCei83942

Yes

PPTP connection throug PIX dropped after 2 min of inactivity

CSCsd01166

Yes

show service policy set conn detail shows non-existent connection


Related Documentation

Use this document in conjunction with the PIX Firewall and Cisco VPN client Version 3.x documentation at the following websites:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_71/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

For Emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

For Nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification a