Table Of Contents
Release Notes for Cisco Security Manager 3.0
Catalyst 6500/7600 Configuration
Site-to-Site VPN and Remote Access VPN Configuration
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Security Manager 3.0
Revised: March 27, 2006, OL-9952-01
CDC Date: March 27, 2006Contents
Introduction
This document contains release note information for the following:
•
Cisco Security Manager 3.0
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of VPN and firewall services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM and VPNSM). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices through to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
•
The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.
Cisco Security Manager (Security Manager) can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.
•
Cisco Security Manager supports IPS provisioning with the IPS Manager for IPS Sensors. The predecessor of IPS Manager was Management Center for IPS Sensors (IPS MC).
This release note document includes ID numbers and headlines for each known problem identified in the document. Also included is a description of each. If you accessed this document from Cisco.com, you can click on any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Cisco Security Manager
Notes
In IOS 12.3(14)T, many of the predefined inspection protocols were introduced; however, certain commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
Known Problems
Catalyst 6500/7600 Configuration
Table 1 Catalyst 6500/7600 Configuration
Description: Manually adding a Catalyst 6500/7600 device and then immediately running Preview Configuration without defining policies results in an error.
Rolling back the system context configuration to full configuration in the archive pulled from CVDM fails because the order of the commands in the configuration is not correct. The configuration omits a version at the beginning.
Client Software
Table 2 Client Software
Description: Changes that you make under Group Setup and Network Configuration in Cisco Secure Access Control Server (ACS) 3.3(x) are not reflected in Security Manager, even after you restart CiscoWorks Common Services and the Security Manager Client.
Description: During a service pack or point patch installation, a system prompt tells you to uninstall Security Manager Client. Unless you click the OK button, an error message that contains no text is displayed.
Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.
Configuration Archive
Table 3 Configuration Archive
Description: The Add button in the Configuration Archive is unavailable if you have approver privileges. If your CiscoWorks role is Approver, you cannot use the Add or Fetch features.
Description: The New Configuration Version dialog box sometimes does not close when you select Configuration > Add > Add New Version from the Tools menu in Workflow mode. This happens if you do not have an open activity. The selection configuration version is added correctly, even though the dialog box does not close.
Description: Device Credentials that were once displayed in the Device Properties menu can disappear after you roll back to an earlier configuration from Configuration Archive. This can occur when previous deployment was to file, or when previous deployment contained empty delta configurations.
Deployment
Table 4 Deployment
Description: Performing discovery or viewing the current configuration of a device while deployment is in progress might lead to unpredictable results.
Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.
Description: While working in Security Manager from a client, the following error occurs: "Unknown Error. performBinaryRPC()..." When this occurs, "Premature EOF Error" entries are also logged in the client log file.
Description: The configuration on the device is erased if you deploy to the device before any policies have been defined in Security Manager.
Description: Deployment fails and the error messages that appear do not supply adequate information about the error.
Description: After you deploy configurations to multiple AUS-managed devices in a single job, deployment to some of the devices fails and a "CALLHOME-PARSER-INVALID_ELEMENT" message is recorded in the transcript.
Description: Deployment fails after you restart the Daemon Manager because the backend server process does not start.
Description: If a deployment job contains both CNS managed and non-CNS managed devices, deployment status might not accurately reflect the actual deployment status of all the devices in the job. For example, deployment status might be "deployed" before all the non-CNS managed devices have finished deploying.
Device Management
Table 5 Device Management
Description: If you try to import a system context that belongs to a multi-mode PIX Firewall 7.0 or an ASA device from DCR to Security Manager, the import fails and an error message results.
Description: The device icon in the Device selector does not match the device type and the Policies selector displays only the Flex Config policy when you click the Device View button in the tool bar.
Description: Deployment to Cisco IOS router fails when SSL is the transport protocol and you see a confusing error message.
Description: You cannot import an AUS-managed device from DCR to Security Manager.
Discovery
Table 6 Discovery
Description: If you discover a AAA server without a defined key on a Cisco IOS router, Security Manager does not properly discover and implement the global key in place of the missing server-specific key.
Description: If you discover AAA servers configured on an ASA device, the group accounting mode is not defined in Security Manager with the default value and the server port is not defined according to the server protocol.
Description: Discovery of a router that uses the backoff exponential parameter as part of the definition of a RADIUS AAA host causes the correct key to this host to be overwritten upon deployment.
Description: Under certain circumstances, Security Manager might generate a name for a AAA server group that exceeds the maximum length supported by firewall devices. Any policy that uses this AAA server group fails validation.
Description: Discovery fails after you change the Default Source Ports setting on the Policy Object page of the Security Manager - Administration window to Use Secure Ports.
Description: Under certain circumstances, performing rediscovery on PIX/ASA devices does not add the AAA servers defined on the device to the related AAA server group.
Firewall Services
Table 7 Firewall Services
Description: Security Manager does not support the ACE option "log input" when you configure access rules on IOS devices that are managed by Security Manager. As a result, during discovery, Security Manager drops the option.
Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.
Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.
Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.
Description: Security Manager does not check if the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, connection to the device might be lost.
Description: Although IOS devices support ACEs that have the option "log-input," Security Manager does not support the feature. On deployment, the option is removed from the ACE.
Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; however, BGP is supported when the device has more than 24 MB memory. Security Manager does not detect the amount of memory available on the device and cannot enforce any restrictions. As a result, job deployment containing an ACL with ACEs having BGP will fail.
Description: IOS devices require that HTTP is used as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove the CLI when authentication proxy is unassigned from the device in Security Manager.
Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.
Description: If you create AAA or inspection rules for "all" interfaces on an IOS device, deployment fails if the device is using Layer 2 port.
Description: Even if you do not make changes to a configuration and the configuration is previewed or deployed, the filter commands are always cleared and redeployed.
Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.
Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.
Description: Security Manager sets the FWSM device to manual mode when you deploy firewall rule delta information, then resets the device to auto mode when deployment is completed; however, the device remains in manual mode and deployment fails.
Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.
Description: After you import or discover a PIX 6.3 device with an ACE using the "interface" keyword and the ACE is bound to the interface by the access-group command, if you deploy to the same device without making any changes, the ACE is removed from the ACL. This occurs if the ACL has other ACEs, or the ACL contains only the ACEs using the "interface" keyword. The access-group command for the ACL is removed from the device when the ACL contains only the ACEs using the "interface" keyword.
Description: If you have no activity opened, then click "Show Source Contents," "Show Original Address Contents," or "Show Translated Address Contents" from the shortcut menu in the Translation Rules table, you are asked to open an activity. These operations are read-only and do not require an opened activity.
Description: GTP Map in Security Manager does not support the permit response subcommand that was introduced in later versions of PIX OS software. The permit response subcommand from GTP Map CLI in PIX 7.0(4) and greater are dropped during the discovery process and not deployed when the GTP Map is deployed to the device.
Description: When you configure transparent firewall on IOS devices, only one bridge group is supported. Bridge group 1 is dedicated to transparent firewall. If you use Bridge Group 1 for something else, and only one interface exists for that group, upon discovery, a validation error results.
Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
Description: If you are specifying web filter settings for PIX/ASA devices for the first time, deployment might fail when you send url-block commands.
Description: A AAA Server host with LDAP protocol does not generate the subcommand "ldap-base-dn String" from Security Manager and the subcommand is removed from the device at deployment.
Description: If an IOS device does not have "bridge group 1 protocol ieee," "bridge 1 route ip," and "bridge irb" and you configure BVI1 IP address in both the interface UI page and Transparent Settings page, deployment fails.
Description: When you initially deploy an inspection rule with the gtp-map command, the deployment fails and an error message states that the signaling timeout value is less than the PDP timeout value.
Description: When source, destination, and service are in a policy query with no interface selected, and the source, destination, and service match rule values completely, the query and rule are deemed identical and the interfaces detail shows that "any" interface is identical to the rule interface value.
Description: If you are in Policy view and you query a rule with a service that is contained in a service group used in the rule, the query results are blank.
Description: An incorrect rule number results if you paste or add a rule at the same place more than once and logging is turned off.
Installation
Table 8 Installation
Description: PERL is installed and a system environment variable is set for PERL5LIB on the server. An error message during installation tells you that perl58.dll cannot be found. Installation fails.
Description: On your Security Manager server and on every PC where you install Security Manager Client, you must use either the English (United States) version or the Japanese version of Windows.
Description: If you reinstall Common Services 3.0.3, Security Manager and Auto Update Server (AUS) on an existing Security Manager server that already has Security Manager and AUS installed, the default home page is set to the CiscoWorks home page instead of the Security Manager home page.
Description: During installation of Security Manager, a dialog box shows that an interactive SQL error occurred. This problem occurs if a Sybase database engine is running while you are installing Security Manager.
Maps
Table 9 Maps
Description: Changes you made in Device view are lost after you edit the device in the undocked Map view. After you change the window focus from Device view to undocked Map view, you are not prompted to save the changes you made in Device view.
Description: If you minimize the undocked Map view, you cannot bring it to the front after clicking the Map View button on the toolbar or selecting the Show in Map View option.
Description: The undocked Map view is displayed on top of an active dialog box and does not respond to user interaction.
Miscellaneous Issues
Table 10 Miscellaneous Issues
Description: Under extreme circumstances, errors might occur when many users try to simultaneously perform operations that write to the Security Manager database.
Description: When you change a policy definition, other users are prevented from unassigning that policy from a different device.
Description: If you assign a policy to a device, a different user cannot assign the same policy to a different device.
Description: If you unassign a policy from a device, a different user cannot edit the contents of that policy until you submit your changes.
Description: Users with read-only (View) permissions can click the Add button in Policy view to create shared policies. In rare cases, this can lead to the deployment of blank policies that overwrite existing device configurations.
Description: Under certain circumstances, users who have Modify permissions in ACS mode cannot create or delete policies in Policy view.
NAT Configuration
Table 11 NAT Configuration
Description: If a NAT exemption rule on a PIX 6.3, PIX 7.0 or ASA device already contains user-defined exemption rules, and you select the Do Not Translate VPN Traffic check box in the Translation Options page, Security Manager does not generate additional NAT exemption rules for the VPN traffic.
PIX/ASA/FWSM Configuration
Table 12 PIX/ASA/FWSM Configuration
Description: If multiple service objects have different names but the same definitions, the wrong service object might be used during discovery. Because the service objects are equivalent, deployment using a service object with a different name does not cause problems.
Description: If you enter an interface name when you configure an NTP server for the system context of an ASA device in multiple context mode, validation for that device fails.
Description: If your remove a logical interface from Security Manager and you deploy the configuration to the device using AUS, the deployment fails.
Description: If you deploy a configuration to a device that uses a TCP Map object, then rediscover that configuration, a new object with a number appended to the object name might be added to the TCP Map objects list.
Description: Deployment fails for DHCP relay commands and an error message states that the subnet of the DHCP server address pool range is not the same as the subnet of the DHCP server interface.
Description: Deployment fails for NAT commands and an error message states that the NAT command is a duplicate and was already defined on the device.
Description: If you disable the DHCP server and then enable DHCP relay on the same interface, or if you disable DHCP relay and enable the DHCP server on the same interface, and you deploy both changes at the same time, deployment might fail.
Description: The audit report might contain a message saying that discovery failed even if discovery is successful. It is safe to ignore this message.
Description: Values in the Logging Level column of the Individually Rate Limited Syslog Messages table are not used and are overwritten after rediscovery.
Description: If you deallocate a subinterface from a security context and delete it from the interface table, deployment fails on PIX 7.x and ASA devices in multiple mode.
Description: If a device has duplicate MAC addresses in the static arp table and the static mac-address-table, or if Security Manager policies have duplicate MAC addresses in the arp table and the mac-address table, the AUS deployment might fail.
Description: Deployment fails for DHCP relay commands and an error message states that the device cannot receive DHCP requests and forward them on the same interface.
Description: If some boot images are already configured on an ASA device and you try to add another TFTP boot image, the deployment fails.
Description: Device import discovers an enabled policy map and its related commands as service policy rules and traffic flow objects. Security Manager does not preserve the original policy map names on a device.
Description: After you configure your username, password, and privilege level on the Contact Credentials page, the information is sent to the device during every deployment.
Description: The minimum Translation Slot (xlate) timeout that you can set on the Timeouts Policy page is 30 seconds for FWSM 2.3(3) devices. However, Security Manager requires a minimum timeout of 1 minute.
Description: The interface table in the Failover policy for FWSMs in single, transparent mode and security contexts in transparent mode contains no information. As a result, you cannot set these interfaces to be monitored.
Description: Configuring the "Suppressed" setting for a syslog message on the Platform > Logging > Server Setup page has no effect when you deploy the configuration to the device.
Policy Objects
Table 13 Policy Objects
Description: You should not use the Create Duplicate option for the following object types: GTP maps, TCP maps, time ranges, AAA server groups, and PKI enrollments.
Description: Security Manager does not remove unused access-list commands from a device, for example, if an access-list command has a user-defined name (a name not automatically generated by Security Manager) and is not used by any command, for example, access-group.
Description: If you enter an invalid time when you define a time range object, the error message that appears does not match the cause of the error.
Description: A AAA server object that is part of a AAA server group loses its defined protocol and becomes uneditable after you change the protocol and fail to specify a key.
Description: Deleting a policy object override causes the object on which the override is based to disappear from the Policy Object Manager.
Description: Activity validation fails on FWSM and PIX platform policies that contain network objects that refer to other network objects containing a single IP address.
Router Configuration
Table 14 Router Configuration
Description: The deployment of NAT interface commands (<CmdBold>ip nat inside<NoCmdBold> and <CmdBold>ip nat outside<NoCmdBold>) fails on Cisco 83x Series routers.
Description: The community strings defined in SNMP policies on Cisco IOS routers are displayed in clear text, even for users who are assigned roles with view-only permissions.
Description: Virtual interfaces remain intact in a Cisco IOS router configuration even after you delete these interfaces from the Interfaces page in Security Manager.
Description: You cannot reorder the classes in a QoS policy on a Cisco IOS router.
Description: Unassigning a routing policy from a Cisco IOS router does not remove all the CLI commands related to that policy from the device configuration.
Site-to-Site VPN and Remote Access VPN Configuration
Table 15 Site-to-Site VPN and Remote Access VPN Configuration
Description: If you have DMVPN or VRF configured on an IOS router and you try to change or remove this configuration in Security Manager, deployment will fail and you will receive a message that the IPSec profile is still in use and cannot be deleted. This is an IOS problem, not a problem intrinsic to Security Manager.
To work around this problem, reload the device, then manually remove the IPSec profile. If the configuration is saved to the startup-config, make a backup text file of the startup-config, remove the IPSec profile, reload the device, then copy the updated file to the device and save the changes to the startup-config.
Description: Deployment of a regular IPSec VPN fails on a PIX 6.3 device if one peer in the VPN topology uses an ACL to specify its protected networks and the other peers do not.
Description: If you delete a VPN that uses the Answer-only Connection Type option for VPN interface SA negotiation and you create a new one that uses the Originate-only option, deployment to a PIX 7.0.1-7.0.5 device will fail. This is due to a known bug on the device (CSCsc27972).
Description: In an EzVPN topology configuration, deployment fails if a 72xx series router is used as a remote client device. The EzVPN client is supported on PIX Firewalls and Cisco 800-3800 Series routers only.
Description: If you unassign a preshared key policy in a hub-and-spoke VPN topology, without first saving the policy, the Aggressive Mode option disappears from the UI page.
Description: If your VPN topology contains a Catalyst 6500 device and you have enabled the QoS Preclassify option in the IPSec Proposal, a message indicating that an internal error has occurred appears during validation.
Description: Deployment of a PKI policy fails if the URL specified for the CA server contains the CA server's hostname instead of its explicit IP address. Before the deployment failure, a "translating" notification appears to indicate that the device is trying to translate the host name.
User Interface
Table 16 User Interface
Description: When you use Security Manager's file selector to select a file on the Security Manager server, network drives that are mapped on the server are not listed.
Description: If you add files to the server when the "Choose File" dialog is open, the file selector does not refresh to display the new files.
Description: After changing the Windows display properties, the Security Manager client does not display correctly. For example, Device View and New/Delete Device buttons are not visible and the content area does not refresh correctly.
Description: The Security Manager client stops responding when the Cisco Secure ACS that is performing user authentication goes down or becomes unavailable.
Auto Update Server
Known Problems
Table 17 AUS
Description: A user logs out from the CiscoWorks session after launching AUS, but the AUS GUI remains open. If another user with a different role opens a new CiscoWorks session, other users can navigate the AUS GUI briefly in the original window. This problem occurs whether the CiscoWorks server or the Cisco Secure Access Control Server (ACS) manages authentication and authorization for AUS.
Description: When you deploy configurations from Cisco Security Manager to AUS, deployment fails and the "INVALID_ENABLEPASSWORD_LENGTH" error is recorded in the transcript. This problem occurs when an AUS-managed device is added to the Cisco Security Manager inventory with a blank Enable password.
Description: If you configure an ASA device in transparent mode and use AUS to deploy configuration changes from Security Manager to the device, deployment is shown as successful, although the device does not contain the deployed changes. The AUS event report shows that the file was successfully sent to the device without error and a "Wakeup information for process auto-update lost" message is recorded in the device log.
Description: Cisco IOS devices fail to connect to the CNS Event gateway running on AUS when the default CNS bootstrap password configured in AUS was not changed on the machine where you installed AUS.
Description: A blank screen appears if you launch AUS after you restore backed-up data from one server to another server.
Description: If you deploy configurations to several AUS-managed devices in a single job, deployment to some of the devices fails and a "CALLHOME-PARSER-INVALID_ELEMENT" message is recorded in the transcript.
IPS Manager
Notes
•
•
•
•
•
•
•
–
–
•
Known Problems
Configuration Comparison Tool
Table 18 Configuration Comparison Tool
Description: In IPS MC 2.1, Custom Signature Wizard (CSW) for IPS 5.x does not allow you to configure the engine parameters (tune parameters); instead, it asks you to go to the Signature Summary page to tune the newly created custom signature.
Description: You cannot update IDS sensor signatures from IPS MC. The update appears to proceed but nothing actually occurs (when logged into the sensor, the IPS MC does not show up when 'sh users' is run, and there is no broadcast indicating services are stopping for the update process).
Description: In the Configuration Compare tool, Custom Signatures are not displayed when the source is sensor and the destination is another Group/Sensor.
Description: Under certain conditions when using the Configuration Comparison tool, the master blocking sensor configuration doesn't appear on the Configuration Comparison page.
Description: IPS MC VMS backup stays at 10% and is not completed when a third-party backup system is being used.
Description: IPS MC throws java.text.ParseException when you have set a non-US locale in IPS MC Server.
Description: Changing the NAT value on the identification page and then doing a signature update does not work.
Description: The Configuration Comparison Tool does not list SigEvent Action Filters under the current configuration.
Description: Get Version fails to save after updating 5.0 Sensors if signature updates are out-of-band.
Description: A change in certificate on the device causes Query Interface to fail for an IPS 5.x device with the following incorrect message: "Object loading failed. An error occurred trying to get the interface information. An error occurred while trying to determine the sensor version. Detail = untrusted server cert chain".
Description: Config Copy tool does not list IOS IPS SDF Type in available items when you select all devices under a group as targets.
Description: Reimport of a sensor generates the following popup message box (in part): Re-import of sensor sensor9 failed. The error message should indicate that TLS enable changed.
Description: When you are using IPS MC 2.1 or 2.2 and VMS 2.3 to copy filters from sensors running 4.x to other sensors running 4.x, there is no "filters" option in the Copy Wizard.
Description: When you copy custom signatures from a device/group to another device/group, the Signature Copy wizard assigns a new signature ID for the destination signature in IPS MC. This behavior is seen on all supported device types: IDS 4, IPS 5, and IOS IPS.
Description: IDS logs are not created in the product log directory.
Description: EAFs configured with event variables are not properly copied using the Configuration Copy Wizard for IPS 5.x devices.
Description: Config Copy Tool does not copy the configuration to the group "Global."
Description: Master Blocking Sensors are not listed in Config-Diff for Last Generate/Last Deployed Configuration.
Custom Signature Wizard
Table 19 Custom Signature Wizard
Description: The Custom Signature Wizard will show event action options that are not supported by some engines (such as TROJAN-BO2K, TROJAN-TF2K, TROJAN-UDP)
Database
Table 20 Database
Description: The IDS_Import.log shows a database-related error if you add a 5.0(1) sensor and then try to add a second one too quickly. This symptom does not indicate a problem with IPS MC. Allow time for the addition of the first sensor to be finished.
Deployment
Table 21 Deployment
Description: Filter is not imported properly.
Description: Quick Deploy will generate and deploy a newly imported sensor configuration even if there have not been any changes to the config.
Description: For IPS 5.x devices, IPS MC 2.1 does not listen to sensor events after deployment to know the post deployment device status.
Description: After the creation of a custom signature from the IPS MC on a IPS 5.1 device with signature S205, deployment to the device will fail.
Description: IPS MC does not retain the user-profile names during deployment.
Description: IP address and netmask are not validated on Allowed Hosts page.
Description: NTP server settings cannot be deployed from the global level when NTP settings are configured at the device level.
Description: When using IPS MC 2.1 to create a custom signature for a 4.x device, IPS MC does not validate for all fields. If you do not tune the custom signature just created and try to generate and deploy to the device, deployment fails with a validation error.
Description: Custom filters added to or copied into sensor configurations from the IPS MC do not deploy because of an error. The IPS MC does not generate an error before deployment.
Description: Deploy to a sensor with configuration which requires sensor to rebuild its internal table. Immediately after the deployment, deploy it again. Deployment will fail.
Description: Deploy fails with the following error in Progress Viewer: BAD PARAMETER Missing Parameters at least one parameter must be specified
Description: Once device credentials settings are changed in IPS MC, deployment fails when you try to deploy configurations saved prior to device credential changes.
Description: In the IPS MC 2.2 IPS 5.x tuning applet, a custom signature's parameters that are not tuned show up as "User Defined" rather than "Defaulted". This bug does not affect any functionality. However, it is confusing to the user to see signature tuning parameters in the GUI marked as user defined, when they are actually the default values. Also when accessing the sensor via CLI, parameter values which have default values do not display a keyword "defaulted".
Description: Change in certificate on the device may cause the deployment from IPS MC to the device to fail with the following incorrect error message shown in the progress viewer window. "Unable to process Sensor Config Deploy - Can't get sensor version".
Description: The second reimport of a sensor fails with the following message while the first reimport for that sensor was successful: "ReImport Sensor Completed, sensor=<name>,status=A Sensor with the name <name> already exists in the system. re-import FAILED for <name>.
Description: IPS MC does not deploy OPSigs that were deleted from the device.
Description: Cannot set SDEE Max Alerts or Max Messages for IOS IPS 2.2(1).
Description: When an IOS IPS device has memory issues, they could be caused by a known problem about the SSH process not releasing memory. Deployment to the IOS device fails even though the UI may show that deployment succeeded.
Description: Re-import fails after downgrading the sensor.
Description: After you copy a custom signature for IPS 5.x device using Signature Copy Wizard, deployment might fail with following error message: "An exception occurred during deploy, file=signatureDefinition,detail= Export of the sensor file signatureDefinition failed:An exception occurred during the export of signatures, detail = Error on line 1: Attribute `xmlns' was already specified for element `struct'."
Description: If the license expires and is refreshed when IPS MC is running, operations such as Deploy/QuickDeploy/Signature Update/Auto download/Sensor health & welfare may not work even after license is refreshed.
Description: After you create a custom signature from the IPS MC on a IPS 5.1 device with signature S205, deployment to the device fails.
Description: After you upgrade a 5.0 sensor to 5.1, the deployment from IPS MC to that sensor fails with "unspecified" errors.
Intrusion Prevention System
Table 22 Intrusion Prevention System
Description: IPS MC window suspends operation when launched in the same IPS MC server box. Java does not launch from that server and the Java Control Panel or Java Web Start does not run.
Description: All signature updates and service pack/minor rev upgrades fail on 4.0(x) sensors.
Description: IOS IPS Rules configured on inactive interfaces (interface that is done) will not be imported.
Description: The Sensor Health and Welfare tool does not report out-of-band detection for devices were not imported into IPS Manager running on Security Manager.
Description: In IPS MC during reimport, deploying and saving the changes in the Identification page results in an error stating 'Invalid Sensor Name'.
Description: Reimporting IOS IPS devices fails with a error message of Null in the Progress Viewer.
Description: DbUpgrade process fails during syncing with Security Manager with the message "Error in connecting to Security Manager Device Manager".
Description: When changes are made to HTTP credentials in Cisco Security Manager, they are not propagated to IPS Manager. This occurs when HTTP credentials are changed to (1) HTTPS with IPS Config = enable-tls true, (2) HTTP with IPS Config = enable-tls false, or (3) HTTP with IPS Config = enable-tls false.
Description: The signature update fails with the following error message: The update of sensor <sensor-name> was stopped because the version the sensor is running is not compatible with the update package. The version in the configuration data is not the version reported by the sensor.
Description: This problem occurs when you configure Auto Download to download signature update files from Cisco.com. The download times out (after 2 hours) if there are too many files to download from Cisco.com.
Reports
Table 23 Reports
Description: Under certain conditions, an error message is seen in the Audit Log report after a signature update. This error occurs when a version number is in an unexpected format. IPS MC supports only major, minor, service pack, and signature level updates without virus numbers, for example, 5.0(2) S100.0. This error will occur when your version number is, for example, 5.0(0.2) S10. Note the "0.2" that causes the error.
Description: On the Completed Device Inventory report page, the "Go to" check box does not work.
Description: The IDS Sensor Versions report displays "N/A" as the value in the "Modified By" column for all types of devices.
Description: For IOS IPS devices imported with NAT address, IPS MC 2.1 shows the NAT address value as N/A in the Device Inventory report.
Signature Tuning
Table 24 Signature Tuning
Description: Deploying the configuration enabling all the Event Actions does not deploy all Event Actions.
Description: During signature tuning, if override of group level settings is chosen, the Signature Tuning page refreshes and loads with default settings instead of loading with group level settings.
Description: When a signature is tuned at the group level, the import overrides the source as device even though the device has default settings.
Description: The custom signature name cannot be changed in the signature tuning applet for IPS 5.x in IPS MC 2.1.
Description: In IPS MC 2.1, the signature tuning applet for IPS 5.x devices may not properly show the 'Changed/default' icon for Custom Signatures.
Description: If no event action is selected, the generate will fail with the following message: An error occurred while adding the IDS5 signature information into the generated configuration, id =65000 sigid=255. Details: null, id =0 sigid=0.
Description: Tuning some Normalizer engine parameters for sensor versions with signature level S149 or S150 (either at the Group level or the sensor level), then updating the sensor to S151 or beyond causes deployment to fail with the following error message from the Progress Viewer: "the union is protected".
Guest