Cisco Security Manager

Release Notes for Cisco Security Manager 3.1.1

Table Of Contents

Release Notes for Cisco Security Manager 3.1.1

Contents

Introduction

What's New in Security Manager 3.1.1

Installation Notes

Cisco Security Manager 3.1.1 Download and Installation Instructions

Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions

Important Notes

IPS and IOS IPS Notes

Resolved Problems

Known Problems

Catalyst 6500/7600 Configuration

Client Software

Deployment

Device Management

Diagnostics, Monitoring, and Troubleshooting Tools

Discovery

Firewall Services

Installation and Upgrade

IPS and IOS IPS

Miscellaneous Issues

PIX/ASA/FWSM Configuration

Policy Objects

Router Configuration

Site-to-Site/Remote Access/SSL VPN Configuration

Tools

User Interface

Auto Update Server (AUS) 3.1.1

AUS Known Problems

Documentation Updates

IPS Event Viewer

New Features in Security Manager 3.1

Discovering Remote Access VPN Policies

Device OS Version Interoperability with Device Managers Started from Security Manager

Where To Go Next

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for Cisco Security Manager 3.1.1


Revised: April 14, 2008
CDC Date: April 14, 2008

Contents

Introduction

This document contains release note information for the following:

Cisco Security Manager 3.1.1 (including Service Packs 1, 2, and 3)

Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM, VPNSM, VPN SPA, and ISDM-2). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices through to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.

Security Manager supports multiple configuration views optimized around different task flows and use cases.

Auto Update Server 3.1

The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.

Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.


Note Before using Cisco Security Manager 3.1.1, we recommend that you read this entire document. However, it is critical that you read the "Important Notes" section, the "Installation and Upgrade" section, and the Installation Guide for Cisco Security Manager 3.1 before installing or upgrading to Cisco Security Manager 3.1.1.


This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.

What's New in Security Manager 3.1.1

Upgrade from Security Manager 3.0.2 and 3.1.

Ability to cross-launch ASDM 5.0(7) from Security Manager for ASA 7.0(1) through ASA 7.0(7) and PIX 7.0(1) through PIX 7.0(6). For more information, see Device OS Version Interoperability with Device Managers Started from Security Manager.

Ability to cross-launch the following most recently released device managers from Security Manager for the OS versions running on a device (Reference CSCsj51974).

ASDM 5.2(3) support for ASA and PIX 7.2.

PDM 4.1(5) support for FWSM 2.x.

ASDM 5.2(2)F support for FWSM 3.x.

SDM 2.4.1 support for the most recent and previous releases of Cisco IOS software running on your Cisco router.

Cisco Security Manager 3.1.1 Service Pack 1 problem resolutions (Table 3) and additional device support:

Cisco IPS 4270 Sensor - http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html

Cisco Security Manager 3.1.1 Service Pack 2 problem resolutions (Table 2).

Support for Windows 2003 Server SP2.

The ability to start the device manager from Security Manager for security appliances even if the HTTPS port number on the device is changed to any port number other than the default value of 443. In Security Manager 3.1, you could start the device manager from Security Manager only if the HTTPS port number on the device was retained at the default value.

If you change the HTTPS port number on a device and then start the device manager from Security Manager, the changed port number does not take effect for the first device manager launch. This happens because Security Manager first attempts to connect to the device using the cached port number, honoring the connection timeout and retry count values specified on the Device Communication page. Subsequent attempts to start the device manager succeed because Security Manager then connects to the device using the changed port number.

A new command-line export utility that you can use to generate and export a device inventory report in CSV format.

The option to control whether devices are automatically preselected for deployment.

Improvements to activity approval notifications. Only users who are viewing data that has been updated by another user are prompted to refresh their view of the data.

Installation Notes

You can install Security Manager 3.1.1 server software directly, or you can upgrade the software on a server where either Security Manager 3.1 or Security Manager 3.0.2 is installed. In addition to reading the following installation notes, we strongly recommend that you refer to the Installation Guide for Cisco Security Manager 3.1 for important information regarding server requirements, server configuration, and post-installation tasks.

Upgrading to Security Manager 3.1.1 from version 3.0.2 or 3.1: Before you can successfully upgrade to Security Manager 3.1.1 from a prior version of Security Manager (versions 3.0.2 or 3.1 only), you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. For instructions, see "Upgrading Server Applications" in the Installation Guide for Cisco Security Manager 3.1.

Upgrading to Security Manager 3.1.1 from version 3.0.2: Before you can successfully upgrade to Security Manager 3.1.1 from Security Manager 3.0.2, you must uninstall Cisco Security Agent (CSA) and then reboot your system. After you manually uninstall the old CSA and reboot, run the 3.1.1 upgrade script to perform the actual upgrade.

Service Packs: Service packs cannot be installed by themselves. They are intended for installation on an existing installation of Cisco Security Manager 3.1.1. Service Pack 3 is a superset of Service Pack 2 (and Service Pack 2 is a superset of Service Pack 1), so you can install Service Pack 3 whether or not Service Pack 2 is already installed. For more information, see Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions.

Cisco Security Manager 3.1.1 Download and Installation Instructions

To download and install Cisco Security Manager 3.1.1:


Step 1 Log in to Cisco.com.

Step 2 Go to http://www.cisco.com/go/csmanager, then click Download Software.


Note RME is not included in the downloadable version of the installation utility. For information on installing Resource Manager Essentials, please refer to the Installation Guide for Cisco Security Manager 3.1.


Step 3 Download fcs-csm-311-w2k-k9.exe.


Note Save the installation utility on a disk that is local to your server. Installation cannot succeed over a network connection to a remote volume, even if installation seems to succeed.


Step 4 Run the file that you downloaded.

The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.


Note For detailed installation instructions, refer to the Installation Guide for Cisco Security Manager 3.1.



Tip If an error message says the file contents cannot be unpacked, we recommend that you empty the Temp directory, scan for viruses, delete the C:\Program Files\Common Files\InstallShield directory, then reboot and retry.



Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions


Note The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2.0 from 3.1.1 SP3, you will lose the added functionality that was provided in SP3.


To download and install Cisco Security Manager 3.1.1 Service Pack 3:


Step 1 Log in to Cisco.com.

Step 2 Navigate to http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app.

Step 3 Download the file fcs-csm-311-sp3-w2k-k9.exe.

Step 4 To install the service pack, close all open applications, including the Cisco Security Manager Client.

Step 5 Manually stop the Cisco Security Agent (CSA) from Start > Settings > Control Panel > Administrative Tools > Services.

Step 6 Install the Security Manager 3.1.1 FCS build (with or without Service Pack 1) on your server if you have not already done so.

Step 7 Run the file that you downloaded in Step 3 (fcs-csm-311-sp3-w2k-k9.exe).

Step 8 In the Install Cisco Security Manager 3.1.1 Service Pack 3 dialog box, click Next and then Install in the next screen.

Step 9 After the updated files have been installed, click Finish to complete the installation.


Note The Daemon Manager will be automatically stopped and restarted during the installation process.


Step 10 After the patch has been applied, navigate to the client installation directory and clear the cache file, for example, <Client Install Directory>/cache.


Important Notes

When you perform a policy query in Security Manager, interface names are not case sensitive. However, when you perform a policy query on a Cisco Security Monitoring, Analysis, and Response System Appliance (MARS appliance), interface names are case sensitive. For example, outside and Outside are treated as distinct names by a MARS appliance, while they are equivalent in Security Manager. As a result, a name logged in a syslog event might not match the name in Security Manager. Syslog messages use lowercase for all interface names. To work around this problem, use lowercase for all interface names and in the definition of interface roles in Security Manager.

When you back up the Security Manager 3.1.1 database that does not contain Resource Manager Essentials (RME) data from one server, and restore it to a different server running RME, a licensing error occurs. This problem occurs if you installed Security Manager 3.1.1 using the free evaluation license. To work around this error, reinstall RME on the server where you want to restore the Security Manager database.

In IOS 12.3(14)T, many of the predefined inspection protocols were introduced; however, certain commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.

You might receive a persistent error message such as "Internal Error, please save the logs and contact TAC." If this occurs, select Tools > Security Manager Diagnostics and send the resulting CSMDiagnostics.zip file to the Technical Assistance Center.

If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to Security Manager 3.1.1. If you deploy back to the device, these commands are removed from the device because the commands are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in the Security Manager GUI so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.

If you upgrade to Security Manager 3.1.1 from Security Manager 3.0.2, the ordering of BGP CLI "neighbor distribute-list acl" may be shown incorrectly in preview full configuration due to Security Manager 3.0.2 bugs CSCsk55138 and CSCsk55140. To correct this, please rediscover this device.

For the Cisco Security Monitoring, Analysis, and Response System Appliance (MARS) cross-launch panel to appear on the Cisco Security Manager Suite home page, you need to manually register the MARS appliance on the Common Services application registration page. To do this, perform the following:

1. From the Cisco Security Manager Suite home page, click the Server Administration link. The Common Services Admin page appears.

2. Select HomePage Admin > Application Registration. The Application Registrations Status page appears.

3. Click Register. The Choose Location for Registrations page appears.

4. Select Register From Templates, then click Next.

5. Select Monitoring, Analysis and Response System, then click Next.

6. Enter the server name, server display name, and port and protocol information for the MARS appliance, then click Next.

7. Verify the registration information, then click Finish. The MARS launch point now appears on the Cisco Security Manager Suite home page.


Note If you choose to add the cross-launch to MARS later, simply launch your web browser and enter http://SecManServer:1741, where SecManServer is the name of the computer where Cisco Security Manager Suite is installed. If you are using SSL, the default URL is https://SecManServer:443.


IPS and IOS IPS Notes

A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.

Avoid connecting to the database directly, because doing so can cause performance reductions and unexpected system behavior.

Do not run SQL queries against the database.

If an online help page displays blank in your browser view, refresh the browser.

With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack's release.


Caution If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.

Resolved Problems

Service Pack 3 is a superset of Service Packs 1 and 2, so it contains all problem resolutions included in those service packs in addition to its own.

Table 1 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 3).

Table 2 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 2).

Table 3 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 1).

Table 4 identifies the problems that were documented in the Security Manager 3.1 release notes as known problems and that have since been resolved. For information on problems resolved in earlier releases, please refer to the release note document for each previous release.


Note The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2.0 from 3.1.1 SP3, you will lose the added functionality that was provided in SP3.


Table 1 Resolved Problems in Service Pack 3

CSCsl13680—Cannot load rule table when policies have duplicated order_id

Description: Under a rare condition, the Access Rules table cannot be loaded after you add or delete rules in the table.

CSCsl13733—Two policies in the same policy group have same order_id

Description: A duplicate order_id in the same policy group might occur when multiple firewall policy groups are modified with an insertion.

CSCsm15485—xDM:IPS Device Manager relaunch always prompts about previous instance

Description: When you start IPS Device Manager (IDM) from a Security Manager client, you are prompted with a message stating that an instance is already open even if no previous instance of device manager is running.

CSCsm72772—Firewalls unable to access AUS; apache reports access violation error

Description: Firewall devices (PIX/ASA running 6.x, 7.x) are not able to access the AUS server. Apache generates "Access Violations."

CSCsm79337—Performance tuning on platform validations

Description: While submitting changes to the device, Security Manager hangs for a long time at the validating screen.

CSCso00786—FWSM discovery completed before the policy discovery of VCs

Description: All policies are deleted on the Security Contexts when you deploy to a device or when you do a preview config.

CSCso04982—Should undo device target type change for IOS/IPS

Description: After an IOS device is added to Security Manager, the device target type cannot be changed unless it is deleted, then added again.

CSCso20860—"access-list mode auto-commit" sent to standby unit fails discovery

Description: Security Manager 3.1.1 discovering an FWSM 3.1(x) blade in multi-context mode with active/active failover configured fails.

CSCso23669—Invalid VPN hard validation error for non-support for TACACS+

Description: TACACS+ should be supported for authentication for remote access purposes.

CSCso46954—Remove log error entry in Device Access Utility to avoid false alarm

Description: Each time a PIX or ASA device is accessed in Security Manager, unwanted error log entries are printed in vmsbesvcs.log.

CSCso52320—Deployment to PIX 6.3 devices fails with error in transcript

Description: When you deploy large configuration changes to PIX 6.2 devices, deployment fails with the "Error: 24112 : IO error during SSL communication" message recorded in the transcript.

CSCso52353—Wrong error message during 3.1.1 SP3 installation

Description: When you install Security Manager 3.1.1 SP3 on top of 3.1.1 that is already running on a server, an error message is displayed at the end of the installation, even though the operation is successful.


Table 2 Resolved Problems in Service Pack 2 (Also included in Service Pack 3)

CSCsl45826—Static NAT does not allow networks with non-host addresses

Description: When adding a Static NAT to a PIX/ASA/FWSM device, the original address and translated address fields report an error if a network object that contains a non-host address is selected.

CSCsl62051—Deploy url-mempool up to 10240 should be allowed on single context FWSM

Description: For multiple-context FWSMs, Security Manager allows url-mempool to be configured to a value between 2 and 512 and fails to deploy configurations with a value greater than 512. For single-context FWSMs, Security Manager should allow the deployment of configurations with a url-mempool value between 2 and 10240.

CSCsl70798—IOS-NAT: Incorrect editing of ACL used in dynamic NAT policy

Description: When a dynamic NAT rule on IOS refers to an ACL policy object and that ACL policy object is modified in Security Manager, after deployment the ACEs (contents) of the ACL on the device might be in a different order than the ACEs in Security Manager.

CSCsj59435—ASA 8.0 new URL

Description: Unable to import ASA 8.0 if SSL VPN/WEBVPN is enabled on the device.

CSCsk77124—Not all entries logged to CSV are available in ACS when switching to ACS

Description: Not all Cisco Security Manager activity is being logged to the ACS server.

CSCsl50379—ACL policy object conflict detection is performance inefficient

Description: In the case of ACL policy objects, each ACL can refer to multiple ACE policy objects, and each ACE policy object can in turn refer to multiple Network policy objects. These nested references make conflict detection a performance-intensive task; each additional ACE object in the system makes a perceptible difference in discovery performance.

CSCsl77673—IOSIPS:Device target type change is not allowed after device is added

Description: When an IOS router device is added to Cisco Security Manager without IPS capability and the user later reimages the ISR with an IOS image that supports IPS, rediscovering the ISR does not discover IPS policies.

CSCsl30739—Security Manager - IPS License Sort by Expires: Alphabetical Instead of Chronological

Description: When sorting the IPS licenses by "Expires On", the licenses become sorted in alphabetical order rather than chronological expiration order.

CSCsl52675—Security Manager does not allow 32 bit subnet mask for PPPoE interface

Description: Security Manager does not allow a 255.255.255.255 subnet mask to be configured for interfaces. This check should be removed for PPPoE interfaces with setroute enabled.

CSCsm01861—Security Manager might hang and not respond while discovering large number of devices

Description: Security Manager might hang and not respond while discovering a large number of devices.


Table 3 Resolved Problems in Service Pack 1 (Also included in Service Pack 2)

CSCsi82908—Need to easily add subcommands to policy map using flexconfig

Description: Security Manager's flexconfig does not contain a system variable for the dynamic "policy-map" and "class-map" names that are generated on PIX/ASA/FWSM devices. To apply an advanced inspection map that is not supported by Security Manager, you must use the flexconfig; however, since the names are dynamic, you must preview the configuration and manually change the flexconfig every time a change is made in order to match the dynamic name. This enhancement uses system variables that allow you to reference policy-map or class-map names in the flexconfig for ASA/PIX/FWSM devices.

CSCsj39745—Removing filter resets position of the selection bar

Description: If you create a filter in the access rules table, select an entry several table pages down, and then click Clear, the access rules browser jumps to the beginning of the table and the rule is no longer selected.

CSCsj82904—Ignore CE reply saying device already on CE after CSM add device to CE

Description: This is an enhancement. When Security Manager creates a device through a CE API call, the CNS CE reply might state that the device already exists in CE; CE can return this misinformation in some cases.

CSCsj83293—Restarting server then launching SDP servlet causes exception

Description: When you restart the Security Manager server without launching the Security Manager client, initiating flexconfig through the SDP servlet causes a class not found exception.

CSCsj97405—AAA include/exclude command modeled incorrectly

Description: The AAA include/exclude commands can each have multiple instances, but the current rule file models them as a single instance command and, therefore, leaves only one instance after processing.

CSCsj97990—Printing from VMS diff dialog has incomplete lines

Description: Printing from a diff dialog (e.g. Tools -> Preview Configuration, Tools -> Configuration Archive -> View diff) might produce an incomplete document. "Incompleteness" includes: the document might be missing its last several rows; some rows might be cropped along the right-hand side; and page breaks might occur in the middle of row text.

CSCsj99578—Error when copying policy to device regarding NTP settings

Description: When you add a new Device to Security Manager 3.1, then copy a shared policy, the following error message results: "Both NTP and Clock are configured on same Device".

CSCsk01014—Unreferenced Object Groups are created by Security Manager

Description: When you make a simple change to the access rule table, you might see several unreferenced object groups deployed to a device.

CSCsk15141—User Group Address Pool client validation fails for singleton IP address

Description: IOS User Group validation fails in the GUI when the IP Address Pool is configured with a singleton address. IP address ranges can be configured fine in the IOS User Group Address Pool.

CSCsk28731—Discovery of protocol object is not displayed properly

Description: A protocol object-group containing TCP and UDP protocols that is used in an access-list (access-rule) is not discovered correctly.

CSCsk35151—Failed to generate delta config - #provF1ExtendedAce($aclname $access $p

Description: When you deploy multiple devices in the same job, you might encounter a deployment failure.

CSCsk41945—Restart "stopped" CNS job if device in the job is in Queue state

Description: After the CNS server has been rebooted, it sets all CNS jobs to the 'stopping' state, which is the failed CNS job status. The Security Manager monitor will then treat this state as a failure, mark the Security Manager job as 'failed' and clear the CNS job.

CSCsk43245—FAILOVER Active/Active discovery action message misleading

Description: If a PIX/ASA or FWSM firewall is configured for Active/Active Failover, the 'Management IP Address' added in the respective security context's Device Properties > General section is removed after the initial deployment if it is not also configured on the System Execution Space's (System Context) Security Context policy page.

CSCsk45589—QoS needs to support 'set ip precedence' for discovery and provision

Description: The following QoS commands cannot be discovered into Security Manager:

match ip precedence x

match ip dscp x

set ip precedence x

set ip dscp x

CSCsk46053—Multiple remarks generated from a single NAT command

Description: There are two symptoms: 1) When you add multiple NAT-0 rules that have the same interface and direction, the remarks for these rules are generated multiple times. 2) When the "Do not translate VPN traffic" checkbox is enabled, the NAT-0 rules are not generated.

CSCsk49274—Deployment Manager refresh causes selected job focus to be lost

Description: A selected row in the deployment job table is no longer visible/selected on screen.

CSCsk50690—CSM may redeploy the ACL used in router SNMP with reordered entries

Description: Security Manager deploys the standard ACL used in the router SNMP configuration. Under certain conditions, in a subsequent deployment, even if no changes are made to the ACL, Security Manager might remove the standard ACL that was previously deployed and redeploy a new ACL with the entries (ACEs) re-ordered.

CSCsk51104—Dirtiness calculation is returning more devices than it should

Description: VPN operations keep getting slower and slower with time. In some cases, even if you modify one spoke policy, all spokes show up in the "Modified Device List" during deployment.

CSCsk56996—CSM allows multiple deployment jobs to be created for the same device

Description: Security Manager allows multiple deployment jobs to be created for the same device, which might cause deployment to fail.

CSCsk59006—Add VPN API to getNodesForDevices

Description: Adds a new API to VpnToolAPI for retrieving the VPN nodes for a given set of devices.

CSCsk60352—Incorrect out-of-band (OOB) check-in for failover configuration

Description: Incorrect OOB message might be reported in a failover configuration. If a failover occurs after you deploy to the active unit, a subsequent deployment might report the following out-of-band change:

!<
!failover lan unit primary
!>
!failover lan unit secondary
!>>>> End of differences. 
!Out of Band (OOB) change detected on device: <device-name>. Stop !provisioning. 

CSCsk60919—Out Of Memory error during deployment, job loading, or creation

Description: When several devices exist in the system and there are several deployment jobs, sometimes when the Deployment Manager GUI is invoked, the GUI hangs and an Out Of Memory error is observed in the server log.

CSCsk66500—Need IP address support in ASA transparent mode with OS 7.2 and later

Description: The IP address is negated for Management0/0 interface.

CSCsk71303—Recreate CNS job after CNS reload

Description: When the CNS server reboots, all pending CNS jobs are put in the STOP state, but they are actually in the INVALID state. This means that restarting the jobs will not return them to a valid pending state. When the CNS server reboots, Security Manager must delete these CNS jobs, recreate new ones, and associate the new CNS jobs with the existing Security Manager jobs.

CSCsk71349—VPN device deletion logic should prevent dangling device in VPN

Description: When a device is deleted from Device view and the device participates in a VPN, you should get a warning or error message that explains if the device can or cannot be deleted from the VPN. If you proceed, the device is also removed from the VPN.

In some specific conditions, the warning or error message is not displayed and the device is deleted from Security Manager, but the VPN still maintains a reference to the device, which causes database inconsistencies that result in errors to activity validation and deployment.

CSCsk71804—CNS job recreation results in peculiar behavior

Description: In rare cases, a Cisco CNS server might not update CNS job status to the Completed state after the status of all devices inside the CNS job has already been updated to a final state. As a result, Security Manager cannot update the corresponding Security Manager job status.

CSCsk71815—API to check if a user is in Security Manager session

Description: There is no easy way to track Security Manager client user login session information from Security Manager itself (either through an API or a DesktopServlet command).

CSCsk72256—Password not being URL encoded when sent to the server

Description: Deployment or cross-launch to other applications from Security Manager might not work.

CSCsk83049—Preview Config > IOS (Full) diff Running Config shows PKI cert deleted

Description: If a Crypto RSA key (chain) is generated within an ISR's configuration, and is imported into Security Manager, a Preview Configuration operation will display that the key material is marked red for deletion.

CSCsk83637—DMVPN: No IP on protected interface results in 0.0.0.0

Description: Security Manager generates '0.0.0.0' as part of the VPN dynamic routing protocol.

CSCsk83674—Failover: FWSM 3.1.x negates stateful failover link after discovery

Description: If a configuration pre-exists on the FWSM firewall where the LAN failover and stateful failover interfaces are shared, for example:

failover
failover lan unit primary
failover lan interface failover Vlan2 
failover replication http
failover link failover Vlan2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

After the import, a preview configuration shows that the stateful failover link will be incorrectly removed from the configuration by the next deployment:

no failover link failover vlan 2

CSCsk88551—Transcript does not reflect commands sent to device in failure condition

Description: No transcript exists, even though Security Manager has started communicating with the device.

CSCsk90736—Aborted job starts immediately instead of scheduled time

Description: When a deployment job is created and then aborted, and it is later redeployed with a schedule to run at a future time, the job starts within 5 minutes instead of at the scheduled time.

CSCsk95039—Stateful failover link exception if interface has no PIM and no IGMP

Description: Security Manager generates "pim" and "igmp" CLI on interfaces on which multicast is not enabled.

CSCsk95480—Security Manager login not working for IPS for deployment

Description: Failure to update IPS signatures or deploy changes to IPS from Cisco Security Manager.

CSCsk96974—VPN discovery fails because of transformset mismatch

Description: VPN discovery fails.

CSCsk97453—DMVPN discovery on Catalyst 6500 Series fails with database exception

Description: When discovering a DMVPN between a Catalyst 6500 Series switch or Cisco 7600 Series router and any other router, the VPN discovery fails with an error message that states there was a DatabaseException.

CSCsl04866—3.1.1 SP1 should check for base version before installation

Description: Security Manager 3.1.1 SP1 does not check the installed base version; it can be installed on top of versions such as 3.0.2 or 3.0 that are not 3.1.1.

CSCsl04942—Set CNS device image ID when creating a device

Description: Even though Security Manager does not integrate with the CNS image service, it would be beneficial if Security Manager could set the image ID when creating a CE device, for customers who use the CNS image service (such as Cisco IT). This should be a feature that can be turned on or off in a property file, because setting the image ID creates a separate object in the CE database, which is not desired for customers who do not use the image service.

CSCsl06586—Need to unregister plugins for policies not managed by Security Mgr

Description: Security Manager might still manage the CLIs for policies that are marked as unmanaged in Tools > Administration > Policy Management.

CSCsl12476—GRE mode policy cannot be saved in Policy View

Description: In Policy View, the policy "GRE Modes" cannot be saved after any change is made to the default values.

CSCsl13103—ASA5505: duplex is not properly discovered

Description: For an ASA 5505, the speed and duplex of the switchports are set to be auto/auto no matter what the speed and duplex are set to on the device.

CSCsl14080—aaa-server commands always in delta in some cases

Description: The aaa-server <aaa_tag> (inside) host command is always generated in delta and deployed to the device in some cases.

CSCsl15364—IPsec + HSRP: protected networks not discovered

Description: When discovering a VPN in which HSRP is configured on the hubs, the protected networks are not discovered, and the discovery status reports this.

CSCsl27209—Deployment causes IPS signature updates to be tuned back to default

Description: When you use Security Manager to deploy IPS signature updates, Security Manager changes tuned signatures back to default if the update contains modified signatures.

CSCsl29732—Edit Address Pool - Exception on launching Network Selector

Description: When you click the Select button of the Address Pool selector in the Address Pool Wizard, nothing happens and an exception is written to the client log.

CSCsl33369—Table Filters: Sometimes 2nd and 3rd dropdowns are disabled

Description: The second and third filter drop-downs are greyed out, and you cannot create any filters.

CSCsl40954—CCO credentials in cleartext in tomcat stdout.log during CCO license upd

Description: After an Update from CCO operation for any sentinel-licensed device type, the CCO credentials are written in cleartext inside the CCO request XML string in stdout.log. Copies of stdout.log written before the fix was applied still contain those credentials and should be treated as sensitive.


Table 4 Resolved Problems in Security Manager 3.1.1 

CSCsh64420—Deployment fails modifying ACE in AAA ACL on FWSM3.1.1

Description: For an FWSM 3.1(1) context, if you modify the AAA rules table and then deploy the change to the device, you might get the following deployment error:

ERROR: Unable to find AAA ACE 
Error acl_updated: aaa_acl_changed failed 
ERROR: Unable to delete ACE from dependent modules

CSCsh96644—FWSM ACL remarks may cause inline editing manual commit failure

Description: Deploying to FWSM 3.1(4) fails with an error saying "Specified remark does not exist" in the deployment transcript. This happens only when the "Let FWSM decide when to compile access-list" admin setting is unchecked and the access policies contain a number of comments.

CSCsi11697—Deploy fails after rollback operation followed by URL filter change

Description: When you use Security Manager to roll back an ASA 7.2(2) device to a configuration that contains the default inspection class-map and the policy-map "global_policy", and then change Web Filter rules and deploy the change, the deploy operation might fail.

CSCsi16937—FWSM: Need validation for non-standard netmask in address pool

Description: Deployment might fail if an IP address is configured with a non-standard mask for an address pool. Although the UI allows it, the only device version that allows non-standard masks is PIX/ASA 7.2+.

CSCsi23773—TCP Map: Always generates range CLI for TCP map

Description: If TCP Map is assigned in the "IPS, Qos and Connection Rules" then redundant tcp-options commands might be generated even if no changes are made to the TCP Map or related policy.

CSCsi27421—Deploy removes ACEs when creating ObjectGroup disabled for FWSM 3.1(3-4)

Description: If an access-list entry (ACE) with an object group is internally expanded into a number of ACEs and if one of the expanded ACEs is inserted into the access-list, FWSM 3.1(3)12 and later rejects this ACE with an error "found duplicate element".

CSCsi29146—Deployment using AUS fails after upgrade from 3.0 to 3.1

Description: Security Manager deployment details may show 'Interface defined on device does not have a name' warnings if the interface name is empty. For example, some of the interfaces defined on a device do not have a name defined. Rules bound just to these interfaces will not be deployed.

CSCsi49748—Transparent rules not removed from device when deleted in Security Mgr

Description: If you delete the transparent firewall rules from Security Manager and deploy to the device, the rules are not removed from the device; however, Security Manager continues to show those rules as deleted.

CSCsi49794—AclNamePreserv: Deploy fails due to diff source addr in delta for static

Description: When you change an access list that is shared between a static command and another command, deployment to the device might fail.

CSCsi51974—Hit Count: Disabled for inherited rules

Description: The Hit Count option, which is accessed from the Tools menu that is located below the Access Rules table, is disabled when you select access rules that belong to an inherited policy.

CSCsi54973—Network objects with non-std netmask show "no value" with show cell cmd

Description: Show cell contents for Sources/Destinations might show empty contents or "no value" if the cell contains a network with a non-standard mask.

CSCsi56443—Unable to create network obj from cell if cell contains IP address range

Description: The Create Network from Cell contents or Create Network from Selected Contents does not work if the cell contains an IP address range.

CSCsi66073—CSM 3.1 Installation Has a Link To The Non-Existent IPS Manager

Description: You receive a 404 error when attempting to access IPS Manager in CSM 3.1. This link should not exist, because Security Manager 3.1 manages IPS devices in the client, not through the IPS Manager.

CSCsi76604—Data archival does not work in IEV started from Security Manager

Description: The database archival feature, which enables you to archive real-time events, does not work in IEV when IEV is started from Security Manager. The problem does not occur when IEV is installed separately from Cisco.com and started outside of Security Manager.

CSCsi91028—Need to upgrade network hashcode

Description: During import, a network policy object might not get reused, even if the contents in Security Manager are the same as the contents of the network being imported.

CSCsi96716—Security Mgr 3.1: Upgrade from 3.0 - aip-ssm converts to 'Unknown' in DCR

Description: Users are unable to add AIP-SSM devices from DCR into Security Manager 3.1. This occurs when the user was previously managing AIP-SSM devices with Security Manager 3.0, upgraded from Security Manager 3.0 to 3.1, and then attempted to add these devices from DCR.

CSCsj55213—ExportIpsCredentials.pl fails with stack trace

Description: Some IPS MC 2.2 backups contain sensor information that is not complete. This can happen if a default device is added and never discovered before a backup is made.

CSCsj85371—Security Manager: does not deploy bypass-mode 'on' to IPS sensor

Description: When deploying to an IPS sensor with the bypass mode set to 'on', the 'on' is replaced with 'auto' during deployment, causing the sensor to come out of bypass mode.

CSCsj57610—IPS Licensing - Update from CCO Failed

Description: Attempts to update the sensor license from Cisco.com fail.

CSCsj43832—Autodownload does not work when proxy server uses NTLM auth mechanism

Description: When downloading from Cisco.com and using an IIS proxy server, the download will fail.


Known Problems

This section contains information about the problems known to exist in Cisco Security Manager 3.1.1 (including Service Packs 1 and 2).

Catalyst 6500/7600 Configuration

Table 5 Catalyst 6500/7600 Configuration 

CSCsi17582—Cannot change the data port VLAN running mode after negating CLI on IDSM

Description: Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box and the following error message is displayed:

Command Rejected: Remove trunk allowed vlan configuration from data port 1 before configuring capture allowed-vlans

CSCsi17608—Deployment fails when allowed VLAN ID is modified on IDSM capture port

Description: If you modify the allowed VLANs of an IDSM data port that has been configured as a capture port and deploy configurations to the device, the following error occurs:

"Capture not allowed on a SPAN destination port"

CSCsi24091—Deploy fails if you change access to trunk mode & enable DTP negotiation

Description: Deployment might fail when you attempt to modify the physical port configuration type from access to trunk mode for a Catalyst switch and keep the Enable DTP negotiation check box selected in the trunk port mode.

CSCsi31232—Catalyst 6500/7600 chassis discovery fails after upgrade from 3.0 to 3.1

Description: When you migrate a Security Manager 3.0 or 3.0.1 database to 3.1 in workflow mode, and try to discover the configuration of the upgraded Catalyst 6500 Series switch, Cisco 7600 Series router, or FWSM managed using the chassis before creating an activity, discovery fails.


Client Software

Table 6 Client Software 

CSCsd39354—Some Windows users see no desktop shortcut or Start menu shortcut

Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.


Deployment

Table 7 Deployment 

CSCsc22934—ACL limitations on Layer 2 interfaces on IOS ISR devices

Description: Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.

CSCse23064—Enrollment URL CLI causes failure in deployment to AUS managed device

Description: Deployment to AUS-managed device fails if the deployment configuration contains the CLI command "enrollment url http:..."

CSCsi09797—Job state for completed jobs is "Deploying" for CNS-managed IOS routers

Description: After Security Manager successfully deploys the configuration file to CNS, and Cisco IOS routers configured for CNS poll and apply the configuration changes at the predefined polling period, the Status column in the Deployment Manager window continues to display the job state as "Deploying".

CSCsi31224—Preview failed after deploying config to AUS server

Description: After the configuration file is retrieved from the AUS server, the device's certificate changes. The certificate stored in Security Manager is then out of sync with the device, which causes the preview to fail with a certificate mismatch error.


Device Management

Table 8 Device Management 

CSCsc51908—Cannot add a system context from DCR into Security Manager

Description: If you try to import a system context that belongs to a multi-mode PIX Firewall 7.0 or an ASA device from DCR to Security Manager, the import fails and an error message results.

CSCsd49045—Unclear error message when IOS SSL deployment exceeds maximum size

Description: Deployment to Cisco IOS router fails when SSL is the transport protocol and you see a confusing error message.

CSCsd71001—Not able to import AUS device from DCR

Description: You cannot import an AUS-managed device from DCR to Security Manager.

CSCse70089—RBAC-Authorization and duplicate display name errors when adding devices

Description: Authorization and duplicate display name errors occur when you add devices to a Security Manager server that uses Cisco Secure ACS for AAA.


Diagnostics, Monitoring, and Troubleshooting Tools

Table 9 Diagnostics, Monitoring, and Troubleshooting Tools 

CSCsi04942—IEV error while installing only Common Services 3.0.5 or AUS 3.1

Description: When you install only Common Services 3.0.5 or AUS 3.1 from the Security Manager DVD, an IEV error message is displayed even if you did not select Security Manager 3.1 during installation.

CSCsi08390—IEV installation fails on systems without C: drive

Description: During installation of Security Manager server 3.1 on systems that do not have a C: drive, the IEV server fails to install and an error message is displayed. An error is also logged in the server installation log file.

CSCsi27178—Several pages are blank in SDM 2.4 after discarding changes

Description: After you perform configuration changes for Cisco IOS devices using SDM 2.4 started from the Security Manager client and click Discard Changes to reset to the previously applied configurations, many of the pages are blank or empty.

CSCsi86335—Cross-launch of IEV client fails if Symantec application is running

Description: You cannot start IEV client from Security Manager client on a system in which the Symantec Client Firewall Port Scanning Module or Symantec Secure Port application is running.


Discovery

Table 10 Discovery 

CSCse99139—Rediscovery of inventory alone can create device-override building blocks

Description: Device level overrides for policy objects corresponding to object groups can be created after discovering only the inventory policies like interfaces.

CSCsi33347—Auto-update:Changing order of AUS servers does not generate commands

Description: On an ASA/PIX running 7.2 with multiple AUS servers, changing the order of the AUS servers does not generate any commands.

CSCsi45142—AAA - source intf disc from global cmd instead of aaa subcommand

Description: The interface parameter is not discovered for the AAA-server building block discovered from IOS routers.


Firewall Services

Table 11 Firewall Services 

CSCsa81103—Unable to create an access rule with TCP flags

Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.

CSCsa81104—Unable to create an access rule to match QoS parameters

Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.

CSCsa98978—Hit Count does not expand FWSM devices with object-group enabled

Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.

CSCsb85487—Need warning when ACL deployment to IOS devices can cut off access

Description: Security Manager does not check if the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, connection to the device might be lost.
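The missing check described above can be performed before deployment by simulating the device's first-match ACL evaluation for the management flows. The following is an added example, not Security Manager or Cisco code; it models the common subset of IOS extended-ACE syntax (permit|deny ip|tcp|udp, with any, host A, or A wildcard, and an optional eq port), and the management station, device address and ACLs are constructed sample data. Non-contiguous wildcards and operators other than eq (range, gt, established, and so on) are not modelled.

```python
"""Pre-deployment lockout check for an IOS extended ACL (added example).

Walks the ACEs in order, first match wins, and reports which management
services (SSH tcp/22, HTTPS tcp/443) from the management station to the
device would be denied, including by the implicit deny at the end of every
IOS ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords as IOS prints them in show run; numeric ports otherwise (assumption).
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "domain": 53}
# Management services the check must see permitted (HTTPS has no IOS keyword).
MGMT_SERVICES = {"ssh": 22, "https": 443}


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port
    raw: str                          # original line, kept for reporting


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks (0.0.0.255 is /24)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # ipaddress rejects a non-contiguous mask here; that is the safe outcome,
    # because such a wildcard must not be silently treated as a /x prefix.
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return _wildcard_to_network(tok, tokens.pop(0))


def _take_port(tokens: list) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[2:]
    src = _take_addr(rest)
    _take_port(rest)                  # a source-port operator is accepted but not matched on
    dst = _take_addr(rest)
    dport = _take_port(rest)
    return Ace(action, proto, src, dst, dport, line)


def parse_acl(lines) -> list:
    """Parse ACE lines, skipping blanks and remarks."""
    return [parse_ace(l.strip()) for l in lines
            if l.strip() and not l.strip().startswith("remark")]


def first_match(acl, proto, src_ip, dst_ip, dport) -> Optional[Ace]:
    """First ACE that matches the flow, or None for the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def management_report(acl_lines, mgmt_host: str, device_ip: str) -> dict:
    """Map each management service to the verdict and the ACE that produced it."""
    acl = parse_acl(acl_lines)
    src, dst = ipaddress.IPv4Address(mgmt_host), ipaddress.IPv4Address(device_ip)
    report = {}
    for svc, port in MGMT_SERVICES.items():
        ace = first_match(acl, "tcp", src, dst, port)
        report[svc] = "deny (implicit)" if ace is None else f"{ace.action} by: {ace.raw}"
    return report


def blocked_services(acl_lines, mgmt_host: str, device_ip: str) -> list:
    """Management services that would be cut off if this ACL were deployed inbound."""
    report = management_report(acl_lines, mgmt_host, device_ip)
    return sorted(svc for svc, verdict in report.items() if verdict.startswith("deny"))


# Constructed sample data: management station 10.1.1.5, device 192.0.2.1.
SAFE_ACL = [
    "remark management access first",
    "permit tcp host 10.1.1.5 host 192.0.2.1 eq 22",
    "permit tcp host 10.1.1.5 host 192.0.2.1 eq 443",
    "permit udp any any eq 123",
    "deny ip any any",
]
LOCKOUT_ACL = [
    "deny tcp 10.1.1.0 0.0.0.255 any eq 22",      # broad deny shadows the permit below
    "permit tcp host 10.1.1.5 host 192.0.2.1 eq 22",
    "permit tcp host 10.1.1.5 host 192.0.2.1 eq 443",
    "deny ip any any",
]

if __name__ == "__main__":
    for name, acl in (("SAFE_ACL", SAFE_ACL), ("LOCKOUT_ACL", LOCKOUT_ACL)):
        print(name, management_report(acl, "10.1.1.5", "192.0.2.1"))
```

Run the check against the ACL Security Manager is about to deploy and refuse the job when blocked_services returns anything; the report shows which ACE shadows the management permit, which is usually an ordering mistake rather than a missing rule.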

CSCsc81905—QIT: Empty ACL is deployed on 87x series routers for BGP port

Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; BGP is supported when the device has more than 24 MB. Security Manager does not detect the amount of memory on the device and cannot enforce the restriction, so deployment of a job containing an ACL whose ACEs reference BGP fails on such a device.

CSCsc84443—IP HTTP server cli is not removed after the policy is unassigned

Description: IOS devices require HTTP as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove that CLI when authentication proxy is unassigned from the device in Security Manager, so the HTTP server stays enabled on the device until it is removed manually (no ip http server).

CSCsc85416—User configured AAA/AuthProxy CLIs are not removed from the device

Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.

CSCsc87646—Deployment to IOS device fails if AuthProxy is assigned to L2 interface

Description: If you create AAA or inspection rules for "all" interfaces on an IOS device, deployment fails if any of those interfaces is a Layer 2 port.

CSCsd26482—IOS "access-list" Standard ACL is not supported by Hit Count

Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.

CSCsd30481—PIX 6.3: needs warning for the Time Range object in access rules

Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.

CSCsd33025—Deployment fails on a device with too many AAA server groups

Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.

CSCsd60788—No port-map command generated if rules and predefined protocols conflict

Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.

CSCsg35578—Import ACE: Validation not done if the config is not in show run format

Description: Some options are omitted from rules that are created using the Import Rules tool, for example, empty port values and destination port values that are not validated for 'eq' and 'neq' for IOS devices.

CSCsh68101—Activity Report: Issues with access rules table

Description: Rule section changes are not reported in the activity reports.

CSCsh94210—Problems matching interface when reusing AAA policy objects

Description: AAA Server policy objects cannot be reused because of mismatched interfaces. This might result from an interface role used to define an interface that is not matched to a physical interface after rediscovery. For PIX/ASA7.x devices, this might result from using "inside" (or an interface name that starts with "inside") to describe the interface.

CSCsi18871—PIX 7.1 gtp-map subcommand order is not preserved

Description: Changes to the match-condition order for a gtp-map used in a PIX 7.0 or PIX 7.1 device do not get deployed to the device.

CSCsi23683—Deployment fails when you reconfigure bridge-groups in transparent rules

Description: When you associate interfaces with another bridge-group and provision it in Security Manager, the deployment shows an error; however, the device in this case has been provisioned correctly.

CSCsi34298—Webfilter: Deployment fails if overlapping filter commands are defined

Description: If two filter commands of the same type are defined with the same port ranges (service) or overlapping port ranges and overlapping networks, deployment to a device fails. The device does not accept overlapping filter commands.
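Because the device rejects the overlapping commands only at deployment time, the overlap can be caught earlier by comparing the filter commands pairwise. The following is an added example, not Security Manager or Cisco code; it assumes the filter command form "filter <type> <port|port-port> <local_ip> <local_mask> <foreign_ip> <foreign_mask>", treats "0 0" as any address, ignores trailing options, and the sample commands are constructed.

```python
"""Pairwise overlap check for PIX/ASA filter commands (added example).

Two commands of the same filter type clash when their port ranges intersect
and both their local and their foreign networks overlap.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass
class FilterCmd:
    ftype: str                        # url, https, ftp, ...
    lo: int                           # first port of the range
    hi: int                           # last port of the range (== lo for a single port)
    local: ipaddress.IPv4Network
    foreign: ipaddress.IPv4Network
    raw: str


def _ip(tok: str) -> str:
    """The device accepts a bare 0 as shorthand for 0.0.0.0 (assumption)."""
    return "0.0.0.0" if tok == "0" else tok


def parse_filter(line: str) -> FilterCmd:
    t = line.split()
    if len(t) < 7 or t[0] != "filter":
        raise ValueError(f"unsupported filter command: {line}")
    lo, _, hi = t[2].partition("-")
    hi = hi or lo
    local = ipaddress.IPv4Network((_ip(t[3]), _ip(t[4])), strict=False)
    foreign = ipaddress.IPv4Network((_ip(t[5]), _ip(t[6])), strict=False)
    return FilterCmd(t[1], int(lo), int(hi), local, foreign, line)


def clashes(a: FilterCmd, b: FilterCmd) -> bool:
    ports_meet = a.lo <= b.hi and b.lo <= a.hi
    return (a.ftype == b.ftype and ports_meet
            and a.local.overlaps(b.local) and a.foreign.overlaps(b.foreign))


def overlapping_filters(lines) -> list:
    """Return (command, command) pairs the device would reject as overlapping."""
    cmds = [parse_filter(l) for l in lines if l.strip()]
    return [(a.raw, b.raw) for a, b in combinations(cmds, 2) if clashes(a, b)]


# Constructed sample: the first and third commands overlap on url/80 and 10.0.0.128/25.
FILTERS = [
    "filter url 80 10.0.0.0 255.255.255.0 0 0",
    "filter url 8080-8090 10.0.0.0 255.255.0.0 0 0",
    "filter url 80-88 10.0.0.128 255.255.255.128 192.0.2.0 255.255.255.0",
    "filter https 443 10.0.0.0 255.255.255.0 0 0",
]

if __name__ == "__main__":
    for pair in overlapping_filters(FILTERS):
        print("overlap:", pair)
```

Run it over the filter commands in the previewed delta; any pair it reports needs to be merged or narrowed before deployment, otherwise the device will reject the job.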

CSCsi35479—HTTP policy: Commands generated for every deployment

Description: For ASA 7.2 HTTP Maps, if the body match maximum is set to 0 (zero), the device accepts the command as "body-match-maximum" but shows it in show run as "body-match-maximum 0". This causes the delta to always contain the removal of the http policy-map subcommands and adding them back.

CSCsi50493—DataLoader's load method needs to handle quotes

Description: The access rules table might not finish loading for a newly discovered device if the discovered configuration has access-list remarks that contain single or double quotes.

CSCsi87422—Security Mgr does not allow overlapping globals on different interfaces

Description: When you create overlapping global rules on different interfaces for PIX/ASA/FWSM devices, Security Manager returns an error about overlapping IP ranges even though the global interfaces are different.

CSCsj16898—Inspection rule for WAAS is not discovered in FWSM 3.2(0)89

Description: WAAS inspection ru