Table Of Contents
Release Notes for Cisco Security Manager 3.0.1
What's New in Security Manager 3.0.1
Security Manager Resolved Problems
Security Manager Known Problems
Catalyst 6500/7600 Configuration
Site-to-Site VPN and Remote Access VPN Configuration
Auto Update Server (AUS) 3.0.1
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Security Manager 3.0.1
Revised: July 18, 2006, OL-9952-03
CDC Date: July 26, 2006Contents
Introduction
This document contains release note information for the following:
•
Cisco Security Manager 3.0.1
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of VPN and firewall services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM and VPNSM). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices through to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
•
The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.
Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.
•
Security Manager supports IPS provisioning with the IPS Manager for IPS Sensors. The predecessor of IPS Manager was Management Center for IPS Sensors (IPS MC).
This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
What's New in Security Manager 3.0.1
•
•
–
–
–
–
•
•
•
•
•
•
–
–
–
–
•
Security Manager 3.0.1
Security Manager Notes
•
1.
2.
3.
4.
5.
6.
7.
Note
•
•
•
Security Manager Resolved Problems
The following problems were documented in the Security Manager 3.0 release notes as known problems and have since been resolved.
Table 1 Resolved Problems
Description: Security Manager does not support the ACE option "log input" when you configure access rules on IOS devices that are managed by Security Manager. As a result, during discovery, Security Manager drops the option.
Description: The PERL5LIB system environment variable is set on the server. During installation, an error message notes that perl58.dll cannot be found and installation fails.
Description: If you enter an interface name when you configure an NTP server for the system context of an ASA device in multiple context mode, validation for that device fails.
Description: Changes you made in Device view are lost after you edit the device in the undocked Map view. After you change the window focus from Device view to undocked Map view, you are not prompted to save the changes you made in Device view.
Description: If you remove a logical interface from Security Manager and you deploy the configuration to the device using AUS, the deployment fails.
Description: Although IOS devices support ACEs that have the option "log-input," Security Manager does not support the feature. On deployment, the option is removed from the ACE.
Description: Deployment of a regular IPSec VPN fails on a PIX 6.3 device if one peer in the VPN topology uses an ACL to specify its protected networks and the other peers do not.
Description: The community strings defined in SNMP policies on Cisco IOS routers are displayed in clear text, even for users who are assigned roles with view-only permissions.
Description: You cannot reorder the classes in a QoS policy on a Cisco IOS router.
Description: Deployment fails for DHCP relay commands and an error message states that the subnet of the DHCP server address pool range is not the same as the subnet of the DHCP server interface.
Description: If you disable the DHCP server and then enable DHCP relay on the same interface, or if you disable DHCP relay and enable the DHCP server on the same interface, and you deploy both changes at the same time, deployment might fail.
Description: In an EzVPN topology configuration, deployment fails if a 72xx series router is used as a remote client device. The EzVPN client is supported on PIX Firewalls and Cisco 800-3800 Series routers only.
Description: Even if you do not make changes to a configuration and the configuration is previewed or deployed, the filter commands are always cleared and redeployed.
Description: Manually adding a Catalyst 6500/7600 device and then immediately running Preview Configuration without defining policies results in an error.
Description: You should not use the Create Duplicate option for the following object types: GTP maps, TCP maps, time ranges, AAA server groups, and PKI enrollments.
Description: Security Manager does not remove unused access-list commands from a device, for example, if an access-list command has a user-defined name (a name not automatically generated by Security Manager) and is not used by any command, for example, access-group.
Description: If you unassign a preshared key policy in a hub-and-spoke VPN topology, without first saving the policy, the Aggressive Mode option disappears from the UI page.
Description: Security Manager sets the FWSM device to manual mode when you deploy firewall rule delta information, then resets the device to auto mode when deployment is completed; however, the device remains in manual mode and deployment fails.
Description: After you import or discover a PIX 6.3 device with an ACE using the "interface" keyword and the ACE is bound to the interface by the access-group command, if you deploy to the same device without making any changes, the ACE is removed from the ACL. This occurs if the ACL has other ACEs, or the ACL contains only the ACEs using the "interface" keyword. The access-group command for the ACL is removed from the device when the ACL contains only the ACEs using the "interface" keyword.
Description: If you minimize the undocked Map view, you cannot bring it to the front after clicking the Map View button on the toolbar or selecting the Show in Map View option.
Description: The undocked Map view is displayed on top of an active dialog box and does not respond to user interaction.
Description: When you change a policy definition, other users are prevented from unassigning that policy from a different device.
Description: If you assign a policy to a device, a different user cannot assign the same policy to a different device.
Description: If you unassign a policy from a device, a different user cannot edit the contents of that policy until you submit your changes.
Description: If your VPN topology contains a Catalyst 6500 device and you have enabled the QoS Preclassify option in the IPSec Proposal, a message indicating that an internal error has occurred appears during validation.
Description: If you have no activity opened, then click "Show Source Contents," "Show Original Address Contents," or "Show Translated Address Contents" from the shortcut menu in the Translation Rules table, you are asked to open an activity. These operations are read-only and do not require an opened activity.
Description: If you enter an invalid time when you define a time range object, the error message that appears does not match the cause of the error.
Description: GTP Map in Security Manager does not support the permit response subcommand that was introduced in later versions of PIX OS software. The permit response subcommand from GTP Map CLI in PIX 7.0(4) and greater are dropped during the discovery process and not deployed when the GTP Map is deployed to the device.
Description: The New Configuration Version dialog box sometimes does not close when you select Configuration > Add > Add New Version from the Tools menu in Workflow mode. This happens if you do not have an open activity. The selection configuration version is added correctly, even though the dialog box does not close.
Description: A AAA server object that is part of a AAA server group loses its defined protocol and becomes uneditable after you change the protocol and fail to specify a key.
Description: Users with read-only (View) permissions can click the Add button in Policy view to create shared policies. In rare cases, this can lead to the deployment of blank policies that overwrite existing device configurations.
Description: Deployment fails for DHCP relay commands and an error message states that the device cannot receive DHCP requests and forward them on the same interface.
Description: Deleting a policy object override causes the object on which the override is based to disappear from the Policy Object Manager.
Description: Deployment of a PKI policy fails if the URL specified for the CA server contains the CA server's hostname instead of its explicit IP address. Before the deployment failure, a "translating" notification appears to indicate that the device is trying to translate the host name.
Description: If some boot images are already configured on an ASA device and you try to add another TFTP boot image, the deployment fails.
Description: If you discover AAA servers configured on an ASA device, the group accounting mode is not defined in Security Manager with the default value and the server port is not defined according to the server protocol.
Description: Discovery of a router that uses the backoff exponential parameter as part of the definition of a RADIUS AAA host causes the correct key to this host to be overwritten upon deployment.
Description: Activity validation fails on FWSM and PIX platform policies that contain network objects that refer to other network objects containing a single IP address.
Description: Under certain circumstances, Security Manager might generate a name for a AAA server group that exceeds the maximum length supported by firewall devices. Any policy that uses this AAA server group fails validation.
Description: Discovery fails after you change the Default Source Ports setting on the Policy Object page of the Security Manager - Administration window to Use Secure Ports.
Description: Under certain circumstances, performing rediscovery on PIX/ASA devices does not add the AAA servers defined on the device to the related AAA server group.
Description: The minimum Translation Slot (xlate) timeout that you can set on the Timeouts Policy page is 30 seconds for FWSM 2.3(3) devices. However, Security Manager requires a minimum timeout of 1 minute.
Description: The interface table in the Failover policy for FWSMs in single transparent mode and security contexts in transparent mode contains no information. As a result, you cannot set these interfaces to be monitored.
Description: If you are specifying web filter settings for PIX/ASA devices for the first time, deployment might fail when you send url-block commands.
Description: A AAA Server host with LDAP protocol does not generate the subcommand "ldap-base-dn String" from Security Manager and the subcommand is removed from the device at deployment.
Description: When source, destination, and service are in a policy query with no interface selected, and the source, destination, and service match rule values completely, the query and rule are deemed identical and the interfaces detail shows that "any" interface is identical to the rule interface value.
Description: If you are in Policy view and you query a rule with a service that is contained in a service group used in the rule, the query results are blank.
Description: During installation of Security Manager, a dialog box shows that an interactive SQL error occurred. This problem occurs if a Sybase database engine is running while you are installing Security Manager.
Description: Configuring the "Suppressed" setting for a syslog message on the Platform > Logging > Server Setup page has no effect when you deploy the configuration to the device.
Description: Under certain circumstances, users who have Modify permissions in ACS mode cannot create or delete policies in Policy view.
Description: An incorrect rule number results if you paste or add a rule at the same place more than once and logging is turned off.
Description: For both ASA and FWSM, the Bootstrap window is always displayed even if no changes are made to the LAN Failover policy.
Security Manager Known Problems
Catalyst 6500/7600 Configuration
Table 2 Catalyst 6500/7600 Configuration
Description: Rolling back the system context configuration to full configuration in the archive pulled from CVDM fails because the order of the commands in the configuration is not correct. The configuration omits a version at the beginning.
Client Software
Table 3 Client Software
Description: Changes that you make under Group Setup and Network Configuration in Cisco Secure Access Control Server (ACS) 3.3(x) are not reflected in Security Manager, even after you restart CiscoWorks Common Services and the Security Manager Client.
Description: During a service pack or point patch installation, a system prompt tells you to uninstall Security Manager Client. Unless you click the OK button, an error message that contains no text is displayed.
Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.
Configuration Archive
Table 4 Configuration Archive
Description: Device Credentials that were once displayed in the Device Properties menu can disappear after you roll back to an earlier configuration from Configuration Archive. This can occur when previous deployment was to file, or when previous deployment contained empty delta configurations.
Deployment
Table 5 Deployment
Description: Performing discovery or viewing the current configuration of a device while deployment is in progress might lead to unpredictable results.
Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.
Description: While working in Security Manager from a client, the following error occurs: "Unknown Error. performBinaryRPC()..." When this occurs, "Premature EOF Error" entries are also logged in the client log file.
Description: The configuration on the device is erased if you deploy to the device before any policies have been defined in Security Manager.
Description: Deployment fails and the error messages that appear do not supply adequate information about the error.
Description: After you deploy configurations to multiple AUS-managed devices in a single job, deployment to some of the devices fails and a "CALLHOME-PARSER-INVALID_ELEMENT" message is recorded in the transcript.
Description: Deployment fails after you restart the Daemon Manager because the backend server process does not start.
Description: A data upgrade from Security Manager 3.0 to 3.0.1 fails if you install Security Manager 3.0.1 on a new server and in a different directory when compared to the directory in which it was originally installed. This might lead to a deployment failure because referenced configuration files are not available under configuration archive.
Description: A restore operation of Security Manager 3.0.1 fails if you install Security Manager 3.0.1 on a new server and in a different directory when compared to the directory in which it was originally installed. This might lead to a deployment failure because referenced configuration files are not available under configuration archive.
Description: If a deployment job contains both CNS managed and non-CNS managed devices, deployment status might not accurately reflect the actual deployment status of all the devices in the job. For example, deployment status might be "deployed" before all the non-CNS managed devices have finished deploying.
Description: Deployment appears to be successful; however, not all of the commands in the delta configuration are deployed to the device.
Description: Deployment to AUS-managed device fails if the deployment configuration contains the CLI command "enrollment url http:..."
Description: Rollback of a context fails because the device certificate was changed. On the next device operation, an error message states that the certificate is not trusted.
Description: When rollback of an admin context or another virtual context on ASA 7.0(5) multimode devices fails, it reverts to the factory default configuration instead of the device startup configuration.
Device Management
Table 6 Device Management
Description: If you try to import a system context that belongs to a multi-mode PIX Firewall 7.0 or an ASA device from DCR to Security Manager, the import fails and an error message results.
Description: The device icon in the Device selector does not match the device type and the Policies selector displays only the Flex Config policy when you click the Device View button in the tool bar.
Description: Deployment to Cisco IOS router fails when SSL is the transport protocol and you see a confusing error message.
Description: You cannot import an AUS-managed device from DCR to Security Manager.
Description: Authorization and duplicate display name errors occur when you add devices to a Security Manager server that uses Cisco Secure ACS for AAA.
Discovery
Table 7 Discovery
Description: Discovery or deployment hangs for multimode FWSM with several virtual contexts.
Description: If you discover a AAA server without a defined key on a Cisco IOS router, Security Manager does not properly discover and implement the global key in place of the missing server-specific key.
Firewall Services
Table 8 Firewall Services
Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.
Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.
Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.
Description: Security Manager does not check if the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, connection to the device might be lost.
Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; however, BGP is supported when the device has more than 24 MB memory. Security Manager does not detect the amount of memory available on the device and cannot enforce any restrictions. As a result, job deployment containing an ACL with ACEs having BGP will fail.
Description: IOS devices require that HTTP is used as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove the CLI when authentication proxy is unassigned from the device in Security Manager.
Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.
Description: If you create AAA or inspection rules for "all" interfaces on an IOS device, deployment fails if the device is using Layer 2 port.
Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.
Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.
Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.
Description: When you configure transparent firewall on IOS devices, only one bridge group is supported. Bridge group 1 is dedicated to transparent firewall. If you use Bridge Group 1 for something else, and only one interface exists for that group, upon discovery, a validation error results.
Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
Description: If an IOS device does not have "bridge group 1 protocol ieee," "bridge 1 route ip," and "bridge irb" and you configure BVI1 IP address in both the interface UI page and Transparent Settings page, deployment fails.
Description: If a AAA server discovered from an IOS device contains a leading "7" in its shared key and if the shared key is reused by a PIX/ASA/FWSM device, an error is issued on the key during activity validation.
Description: The GUI adds notations next to user-input fields to indicate platform support. Currently, certain notations reference "ASA"; however, because the PIX 7.x platform uses the same software as ASA, the "ASA" notation applies to both ASA and PIX 7.x platforms (unless otherwise stated).
Description: Deployment to a device might fail if a URL server with protocol UDP is defined along with the URL buffer memory.
Description: If an inspection rule is configured with destination IP and protocol UDP, validation fails for UDP protocol with HTTP.
Description: If an inspection rule is configured with "aol" as the inspect protocol on unsupported devices, a validation error results.
Description: Deployment to a device might fail if two filter commands with the same source and destination addresses have overlapping service ports.
Description: If bridge-group is configured on an IOS device and its ID is not 1, the deployment of the transparent policy fails.
Description: An invalid validation warning might be issued about having an interface unbound to any access-lists.
Description: After you upgrade Security Manager from 3.0 to 3.0.1, deployment might fail for AAA RADIUS or SDI servers.
Installation and Upgrade
Table 9 Installation and Upgrade
Description: On your Security Manager server and on every PC on which you install Security Manager Client, you must use either the English (United States) or Japanese version of Windows.
Description: If you reinstall Common Services 3.0.3, Security Manager, and Auto Update Server (AUS) on an existing Security Manager server on which Security Manager and AUS are already installed, the home page defaults to the CiscoWorks home page instead of the Security Manager home page.
Description: After you upgrade and restore to Security Manager 3.0.1 from 3.0, any device operation produces an error message notes that the certificate is not trusted. This is because the certificate is not retrieved during upgrade.
Description: During installation of Security Manager 3.0.1 over 3.0, the message "ccraccess Dlls are not found. Installation will abort." is displayed.
Miscellaneous Issues
Table 10 Miscellaneous Issues
Description: Under extreme circumstances, errors might occur when many users try to simultaneously perform operations that write to the Security Manager database.
Description: Certificate mismatch or not trusted errors result during deployment and discovery for IOS devices.
NAT Configuration
Table 11 NAT Configuration
Description: If a NAT exemption rule on a PIX 6.3, PIX 7.0 or ASA device already contains user-defined exemption rules, and you select the Do Not Translate VPN Traffic check box in the Translation Options page, Security Manager does not generate additional NAT exemption rules for the VPN traffic.
PIX/ASA/FWSM Configuration
Table 12 PIX/ASA/FWSM Configuration
Description: If multiple service objects have different names but the same definitions, the wrong service object might be used during discovery. Because the service objects are equivalent, deployment using a service object with a different name does not cause problems.
Description: If you deploy a configuration to a device that uses a TCP Map object, then rediscover that configuration, a new object with a number appended to the object name might be added to the TCP Map objects list.
Description: Deployment fails for NAT commands and an error message states that the NAT command is a duplicate and was already defined on the device.
Description: The audit report might contain a message saying that discovery failed even if discovery is successful. It is safe to ignore this message.
Description: Values in the Logging Level column of the Individually Rate Limited Syslog Messages table are not used and are overwritten after rediscovery.
Description: If you deallocate a subinterface from a security context and delete it from the interface table, deployment fails on PIX 7.x and ASA devices in multiple mode.
Description: If a device has duplicate MAC addresses in the static arp table and the static mac-address-table, or if Security Manager policies have duplicate MAC addresses in the arp table and the mac-address table, the AUS deployment might fail.
Description: Device import discovers an enabled policy map and its related commands as service policy rules and traffic flow objects. Security Manager does not preserve the original policy map names on a device.
Description: After you configure your username, password, and privilege level on the Contact Credentials page, the information is sent to the device during every deployment.
Description: The suspend-config-sync option was removed from Security Manager because of a problem in configuration rollback.
Description: If you use one job to roll back the configurations of both an FWSM and a Catalyst device, the FWSM rollback fails. You must roll back the Catalyst device first, then use a second job to roll back the FWSM.
Description: Changing the admin context in multi- or mixed mode causes the connection between Security Manager and the device to be lost.
Description: After discovering FWSM 2.x security context devices, some of the vlan interfaces are missing from the devices' interface table.
Description: After you add and discover a FWSM 3.1(x) multi-mode, mixed OS mode device from a configuration file, all security context devices are created in Security Manager as "router" OS mode, even though some of them might really be "transparent" OS mode.
Description: Deployment fails for ASA 7.1 devices configured with LAN failover in multi mode.
Description: Security Manager does not support interface alias for FWSM devices. If you try to configure interface alias on an FWSM, it might result in deployment failure for a security context.
Description: You will receive a deployment error if you make the following configuration changes for an FWSM 3.1(x) device and deploy those changes in the same deployment job:
–
–
–
Description: If you change the failover mode for an FWSM running 3.1(x) from active/active to active/standby or from active/standby to active/active, you will receive the error "DOWNLOAD OPERATION FAILED : 24410 : Error parsing the show config response: Command Ignored, Configuration in progress..." when you deploy to the device.
Description: If you create multiple security contexts for an FWSM running 3.1(2) or 3.1(3) and deploy those security contexts in the same job, deployment fails with the error "DOWNLOAD OPERATION FAILED: 24410: Error parsing the show config response: Command Ignored, Configuration in progress..." for some security contexts and the error "DOWNLOAD OPERATION FAILED: 24015: IO error during SSL communication." for other security contexts.
Description: If you modify the Security Contexts policy for a system context of an FWSM and reference a VLAN that does not exist in the Interfaces policy for the same system context, the VLAN is created on the FWSM when you next deploy to the system context. However, because the VLAN is not added to the Interfaces policy in Security Manager, the next time you deploy to the system context, the VLAN will be removed and any future deployments to virtual contexts that refer to that VLAN will fail because the VLAN is no longer defined in the system context.
Policy Objects
Table 13 Policy Objects
Description: When you deploy an inspection rule with the gtp-map command, the deployment fails and an error message states that the signaling timeout value is less than the PDP timeout value.
Description: When defining a policy that requires a single IP address, an error occurs if you create a network/host object that refers to a second network/host object on which the required IP address is defined.
Router Configuration
Table 14 Router Configuration
Description: The deployment of NAT interface commands ip nat inside and ip nat outside fails on Cisco 83x Series routers.
Description: Virtual interfaces remain intact in a Cisco IOS router configuration even after you delete these interfaces from the Interfaces page in Security Manager.
Description: Unassigning a routing policy from a Cisco IOS router does not remove all the CLI commands related to that policy from the device configuration.
Router Platform
Table 15 Router Platform
Description: After you configure a NAC policy on a router, validation fails. This is because Security Manager allows you to configure a NAC policy on routers that do not support NAC.
Description: The deployment of NAC interface commands (eou max-retry and eou revalidate) fails on subinterfaces.
Site-to-Site VPN and Remote Access VPN Configuration
Table 16 Site-to-Site VPN and Remote Access VPN Configuration
Description: If you have DMVPN or VRF configured on an IOS router and you try to change or remove this configuration in Security Manager, deployment will fail and you will receive a message that the IPSec profile is still in use and cannot be deleted. This is an IOS problem, not a problem intrinsic to Security Manager.
To work around this problem, reload the device, then manually remove the IPSec profile. If the configuration is saved to the startup-config, make a backup text file of the startup-config, remove the IPSec profile, reload the device, then copy the updated file to the device and save the changes to the startup-config.
Description: If you delete a VPN that uses the Answer-only Connection Type option for VPN interface SA negotiation and you create a new one that uses the Originate-only option, deployment to a PIX 7.0.1-7.0.5 device will fail. This is due to a known bug on the device (CSCsc27972).
Description: The EasyVPN tunnel is not created because Xauth authentication fails on the PIX 6.3 remote client. Security Manager does not configure the Xauth username and password that is required for authentication.
Description: If you change the slot or subslot of a VPNSM or VPN SPA blade on a Catalyst 6500/7600 device, either in a VPN topology that was deployed, or in an IPSec proposal that was assigned to the device in a remote access VPN and deployed, deployment fails when you try to redeploy the VPN topology or device.
Description: In a remote access VPN, if you configure a Catalyst 6500/7600 device with a VRF-Aware IPSec policy and a FWSM blade, deployment fails due to the incorrect order of the CLI commands, which configure the FWSM blade before the VRF-Aware IPSec policy.
Tools
Table 17 Tools
Description: Backup/restore fails when Cygnus Solutions software is installed and Cygnus mounted drives are being used.
User Interface
Table 18 User Interface
Description: When you use Security Manager's file selector to select a file on the Security Manager server, network drives that are mapped on the server are not listed.
Description: If you add files to the server when the "Choose File" dialog is open, the file selector does not refresh to display the new files.
Description: After changing the Windows display properties, the Security Manager client is not displayed correctly. For example, Device View and New/Delete Device buttons are not visible and the content area does not refresh correctly.
Description: The Security Manager client stops responding when the Cisco Secure ACS that is performing user authentication goes down or becomes unavailable.
Auto Update Server (AUS) 3.0.1
AUS Resolved Problems
Table 19 Resolved Problems
Description: A blank screen appears if you launch AUS after you restore backed-up data from one server to another server.
Description: Cisco IOS devices fail to connect to the CNS Event gateway running on AUS if the default CNS bootstrap password configured in AUS was not changed on the machine where you installed AUS.
AUS Known Problems
Table 20 Known Problems
Description: A user logs out from the CiscoWorks session after launching AUS, but the AUS GUI remains open. If another user with a different role opens a new CiscoWorks session, other users can navigate the AUS GUI briefly in the original window. This problem occurs whether the CiscoWorks server or the Cisco Secure Access Control Server (ACS) manages authentication and authorization for AUS.
Description: When you deploy configurations from Cisco Security Manager to AUS, deployment fails and the "INVALID_ENABLEPASSWORD_LENGTH" error is recorded in the transcript. This problem occurs when an AUS-managed device is added to the Cisco Security Manager inventory with a blank Enable password.
Description: If you configure an ASA device in transparent mode and use AUS to deploy configuration changes from Security Manager to the device, deployment is shown as successful, although the device does not contain the deployed changes. The AUS event report shows that the file was successfully sent to the device without error and a "Wakeup information for process auto-update lost" message is recorded in the device log.
Description: If you deploy configurations to several AUS-managed devices in a single job, deployment to some of the devices fails and a "CALLHOME-PARSER-INVALID_ELEMENT" message is recorded in the transcript.
Description: The error "HTTP Status 500 - Internal Server Error" is displayed when you try to launch AUS from a Security Manager server using a backup that was previously created from another Security Manager server.
Description: The error "HTTP Status 500 - Internal Server Error" is displayed when you try to launch AUS after you upgrade to Security Manager 3.0.1.
Description: CALLHOME-PARSER-ERROR is received when the AUS-managed ASA device tries to contact the AUS server. This occurs when the ASA device is running an older version of ASDM.
IPS Manager 3.0.1
IPS Manager Notes
•
•
•
•
•
•
•
Follow this procedure to diagnose this problem:
a.
b.
c.
Follow this procedure to work around this problem:
a.
b.
c.
IPS Manager Resolved Problems
Table 21 Resolved Problems
Description: Deploying a configuration to an IPS 5.x device from the IPS MC results in an error upon completion. Viewing the status messages from the real-time Progress Viewer shows a message that reports a regex error.
Description: Sensor Health tool does not report the mainApp failure correctly.
Description: During signature tuning, if override of group level settings is chosen, the Signature Tuning page refreshes and loads with default settings instead of loading with group level settings.
Guest
