Table Of Contents
Release Notes for Cisco Security Manager 3.1
What's New in Security Manager 3.1
Security Manager Resolved Problems
Security Manager Known Problems
Catalyst 6500/7600 Configuration
Diagnostics, Monitoring, and Troubleshooting Tools
Site-to-Site/Remote Access/SSL VPN Configuration
IPS and IOS IPS in Security Manager 3.1
IPS and IOS IPS in Security Manager Notes
IPS and IOS IPS in Security Manager Resolved Problems
IPS and IOS IPS in Security Manager Known Problems
New Features in Security Manager 3.1
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Security Manager 3.1
Revised: June 20, 2007, OL-11477-04
CDC Date: June 1, 2007
Contents
Introduction
This document contains release note information for the following:
Note: Before using Cisco Security Manager 3.1, we recommend that you read this entire document. However, it is critical that you read the "Important Notes" section, the "Installation and Upgrade" section, and the Installation Guide for Cisco Security Manager 3.1 before installing or upgrading to Cisco Security Manager 3.1.
• Cisco Security Manager 3.1
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of VPN and firewall services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM and VPNSM). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices through to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
• Auto Update Server 3.1
The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with an AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.
Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.
• IPS and IOS IPS in Security Manager 3.1
Security Manager supports fully native IPS provisioning. The predecessor of this native IPS provisioning was the cross-launched component of Security Manager known as IPS Manager.
This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
What's New in Security Manager 3.1
• Upgrade from Security Manager 3.0 and 3.0.1.
• Integrated IPS features. While Security Manager 3.0 allowed you to cross-launch the IPS Management Center to access IPS functionality, Security Manager 3.1 provides fully integrated IPS features.
• Native integrated Catalyst 6500/Cisco 7600 Router and VACL management.
• Ability to cross-launch IPS Event Viewer 5.2 to monitor IPS sensors.
• Ability to test the communication between Security Manager and devices that have been or are being added to the inventory.
• Ability to discover site-to-site and remote access VPNs.
• Ability to discover IOS router configurations.
• High availability.
• Embedded read-only access to SDM, ASDM, IDM, and IEV for monitoring of individual devices.
• Navigation to access rule policy for ACL-related syslog messages from the real-time syslog viewer of SDM 2.3.4 and ASDM 5.2.2.
• Navigation to IPS signature policy for IPS events from IEV Realtime Dashboard and Views tab.
• Enhanced reporting features, including device-centric policy report and inventory report.
• Device, interface, and VPN up/down status reported in inventory report.
• Detailed activity report for firewall and IDS devices.
• Ability to configure SSL VPN on IOS and ASA 7.1/7.2 devices.
• Cross-launch of RME SWIM for OS management.
• Ability to use Security Manager user login credentials to connect to devices.
• Ability to use Telnet as a transport protocol to communicate with IOS and Catalyst 6500/7600 devices.
• Enhanced device certificate retrieval support including bulk retrieval through CLIs.
• Support for the following additional features on IOS devices:
  – SSL VPN
  – Additional Easy VPN features
  – Line access
  – SSH configuration
  – Local time
  – Comprehensive AAA support
  – HTTP server
  – PPP
  – DSL/ATM
  – DNS
  – NFP
  – Bridging (wireless)
  – QoS TAC enhancements
  – Authentication proxy enhancements
  – Additional interface settings, such as IP redirect, IP reply, virtual reassembly, and others
  – Additional firewall features, such as support for IM blocking, java list, DOS settings, and voice service inspection
  – Additional IPSec VPN features, such as large-scale DMVPN, AIM III
• Support for the following additional features on FWSM 3.1:
  – More than one pair of layer 2 interfaces
  – SNMPv2c
  – Skinny video
  – Asymmetric routing
  – FTP authentication challenge
  – Destination NAT for multicast
  – 4K global statements
• Support for the following features on ASA 7.2 devices:
  – Easy VPN HW client parity with PIX 501/506/VPN3002
  – Dual ISP support
  – PPPoE
  – Home/Business VLAN support
  – Enhanced auto-update support
  – Dynamic DNS
  – HA - sub-second failover
  – Virtualization - resource manager
  – Extended usage of DNS domain names
  – Generic input rate limiting
  – MPF-based regular expression classification map
  – N2H2 HTTPS/FTP filtering support
• Support for the following features on FWSM 3.2:
  – L2 NAT/PAT
  – TACACS+ command enhancements
  – Xlate table bypass
  – H323 GUP support
  – Cut through proxy enhancements
  – RTSP PAT
• Support for AIM III (IPSec/SSL VPN)
• Support for IPS 5.1/6.0 and IOS IPS in IOS 12.4(11)Tx
• Support for the following features on IPS 6.0 devices:
  – Virtual sensors
  – Anomaly detection
  – Passive OS fingerprinting
  – Simplified custom signature creation
  – Signature update wizard, preview and tuning of new signatures
  – IPS signature update license management
  – External product interface (linkage of IPS sensor with CSA MC)
Security Manager 3.1
Important Notes
• Before you can successfully upgrade to Security Manager 3.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, meaning data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes and then back up your database before upgrading. For instructions, see "Upgrading Server Applications" in the Installation Guide for Cisco Security Manager 3.1.
• When you perform a policy query in Security Manager, interface names are not case sensitive. However, when you perform a policy query in CS-MARS, interface names are case sensitive. For example, outside and Outside are treated as distinct names by CS-MARS, while they are equivalent in Security Manager. As a result, a name logged in the syslog event might not match the name in Security Manager. Syslog messages use lowercase for all interface names. To work around this problem, use lowercase for all interface names and in the definition of interface roles in Security Manager.
• Although FWSM 3.1 can support multiple L2 interface pairs, Security Manager allows you to specify a maximum of two L2 interfaces (a single interface pair) and one associated management IP address. This means only one bridge group with two named interfaces associated is provisioned with a management IP address. A named interface is an interface that is configured with the "nameif" subcommand. If the device configuration contains a maximum of one bridge group and two named interfaces, it is valid for discovery. All other scenarios result in an error message and the commands are ignored during discovery. Furthermore, discovery does not show any bridge-group information in the GUI, but the bridge-group commands are generated during deployment. Bridge group 1 is deployed and used in the transparent rule policies if no bridge group exists in the device configuration. Discovery will stop and display an error if it imports an FWSM 3.1 device configuration that contains more than two named interfaces or more than one bridge group.
• In IOS 12.3(14)T, many of the predefined inspection protocols were introduced; however, certain commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
• For the CS-MARS cross-launch panel to appear on the Cisco Security Manager Suite home page, you need to manually register the CS-MARS appliance on the Common Services application registration page. To do this, perform the following:
1. From the Cisco Security Manager Suite home page, click the Server Administration link. The Common Services Admin page appears.
2. Select HomePage Admin > Application Registration. The Application Registrations Status page appears.
3. Click Register. The Choose Location for Registrations page appears.
4. Select Register From Templates, then click Next.
5. Select Monitoring, Analysis and Response System, then click Next.
6. Enter the server name, server display name, and port and protocol information for the CS-MARS appliance, then click Next.
7. Verify registration information, then click Finish. The CS-MARS launch point will now appear on the Cisco Security Manager Suite home page.
Note: If you choose to add the cross-launch to CS-MARS later, simply launch your web browser and enter http://SecManServer:1741, where SecManServer is the name of the computer where Cisco Security Manager Suite is installed. If you are using SSL, the default URL is https://SecManServer:443.
Security Manager Resolved Problems
The following problems were documented in the Security Manager 3.0.1 release notes as known problems and have since been resolved.
Table 1 Resolved Problems
CSCsa81102—Need log input option when creating access rules for IOS devices
Description: Security Manager does not support the ACE option "log input" when you configure access rules on IOS devices that are managed by Security Manager. As a result, during discovery, Security Manager drops the option.
CSCsb64813—Installation fails on a server on which the PERL5LIB variable is set
Description: The PERL5LIB system environment variable is set on the server. During installation, an error message notes that perl58.dll cannot be found and installation fails.
CSCsb73828—System context should support NTP with interface
Description: If you enter an interface name when you configure an NTP server for the system context of an ASA device in multiple context mode, validation for that device fails.
CSCsc13977—Changes in ACS 3.3(x) do not take effect in Security Manager
Description: Changes that you make under Group Setup and Network Configuration in Cisco Secure Access Control Server (ACS) 3.3(x) are not reflected in Security Manager, even after you restart CiscoWorks Common Services and the Security Manager Client.
CSCsc39178—Changes lost when switching between Device view and undocked Map view
Description: Changes you made in Device view are lost after you edit the device in the undocked Map view. After you change the window focus from Device view to undocked Map view, you are not prompted to save the changes you made in Device view.
CSCsc42646—Full config needs negative form of some failover commands for PIX 6.x
Description: If you remove a logical interface from Security Manager and you deploy the configuration to the device using AUS, the deployment fails.
CSCsc48462—ACEs with log-input option on IOS devices are removed after redeployment
Description: Although IOS devices support ACEs that have the option "log-input," Security Manager does not support the feature. On deployment, the option is removed from the ACE.
CSCsc62714—Deployment fails if crypto ACL is not defined on peer device
Description: Deployment of a regular IPSec VPN fails on a PIX 6.3 device if one peer in the VPN topology uses an ACL to specify its protected networks and the other peers do not.
CSCsc66744—Client-server communication mechanism encountered "end of file" error
Description: While working in Security Manager from a client, the following error occurs: "Unknown Error. performBinaryRPC()..." When this occurs, "Premature EOF Error" entries are also logged in the client log file.
CSCsc80085—Router-SNMP community string is shown in clear text for all users
Description: The community strings defined in SNMP policies on Cisco IOS routers are displayed in clear text, even for users who are assigned roles with view-only permissions.
CSCsd04054—Router-quality of service (QoS) classes cannot be reordered
Description: You cannot reorder the classes in a QoS policy on a Cisco IOS router.
CSCsd09630—PIX deploy failed after changing IP address and DHCP address pool
Description: Deployment fails for DHCP relay commands and an error message states that the subnet of the DHCP server address pool range is not the same as the subnet of the DHCP server interface.
CSCsd13990—"dhcprelay" and "dhcpd" commands are not generated in the correct order
Description: If you disable the DHCP server and then enable DHCP relay on the same interface, or if you disable DHCP relay and enable the DHCP server on the same interface, and you deploy both changes at the same time, deployment might fail.
CSCsd21256—A 72xx router cannot be used as remote client in EzVPN topology
Description: In an EzVPN topology configuration, deployment fails if a 72xx series router is used as a remote client device. The EzVPN client is supported on PIX Firewalls and Cisco 800-3800 Series routers only.
CSCsd21617—Need to modify the webfilter.xml template
Description: Even if you do not make changes to a configuration and the configuration is previewed or deployed, the filter commands are always cleared and redeployed.
CSCsd28385—Preview configuration error on Catalyst 6500/7600 devices
Description: Manually adding a Catalyst 6500/7600 device and then immediately running Preview Configuration without defining policies results in an error.
CSCsd28945—Problems duplicating certain object types
Description: You should not use the Create Duplicate option for the following object types: GTP maps, TCP maps, time ranges, AAA server groups, and PKI enrollments.
CSCsd28972—Routing commands not fully removed from router configurations
Description: Unassigning a routing policy from a Cisco IOS router does not remove all the CLI commands related to that policy from the device configuration.
CSCsd30760—Optionally remove unreferenced ACLs based on admin settings
Description: Security Manager does not remove unused access-list commands from a device, for example, if an access-list command has a user-defined name (a name not automatically generated by Security Manager) and is not used by any command (for example, access-group).
CSCsd31803—Unassigning a preshared key policy removes Aggressive Mode option
Description: If you unassign a preshared key policy in a hub-and-spoke VPN topology, without first saving the policy, the Aggressive Mode option disappears from the UI page.
CSCsd31825—VPN NAT-0 rules not generated when NAT-0 rules are user-defined
Description: If a NAT exemption rule on a PIX 6.3, PIX 7.0 or ASA device already contains user-defined exemption rules, and you select the Do Not Translate VPN Traffic check box in the Translation Options page, Security Manager does not generate additional NAT exemption rules for the VPN traffic.
CSCsd32199—Need to reset FWSM to auto ACL mode before deploying a configuration
Description: Security Manager sets the FWSM device to manual mode when you deploy firewall rule delta information, then resets the device to auto mode when deployment is completed; however, the device remains in manual mode and deployment fails.
CSCsd33142—ACE with "interface" option causes "no access-group..." sent to device
Description: After you import or discover a PIX 6.3 device with an ACE using the "interface" keyword and the ACE is bound to the interface by the access-group command, if you deploy to the same device without making any changes, the ACE is removed from the ACL. This occurs if the ACL has other ACEs, or the ACL contains only the ACEs using the "interface" keyword. The access-group command for the ACL is removed from the device when the ACL contains only the ACEs using the "interface" keyword.
CSCsd35411—Wrong message in the audit log after successful discovery
Description: The audit report might contain a message saying that discovery failed even if discovery is successful. It is safe to ignore this message.
CSCsd37017—Minimized undocked map is not displayed when Map view icon is clicked
Description: If you minimize the undocked Map view, you cannot bring it to the front after clicking the Map View button on the toolbar or selecting the Show in Map View option.
CSCsd37024—Cannot work in undocked Map view because it is on top of modal dialog box
Description: The undocked Map view is displayed on top of an active dialog box and does not respond to user interaction.
CSCsd37558—Cannot unassign policy if content is being changed on a different device
Description: When you change a policy definition, other users are prevented from unassigning that policy from a different device.
CSCsd37616—Two users cannot assign same policy simultaneously on different devices
Description: If you assign a policy to a device, a different user cannot assign the same policy to a different device.
CSCsd37624—Cannot modify policy content if another user is performing unassignment
Description: If you unassign a policy from a device, a different user cannot edit the contents of that policy until you submit your changes.
CSCsd38886—Internal error on validation of VPN with Catalyst 6500
Description: If your VPN topology contains a Catalyst 6500 device and you have enabled the QoS Preclassify option in the IPSec Proposal, a message indicating that an internal error has occurred appears during validation.
CSCsd39543—Read-only operations require an open activity
Description: If you have no activity opened, then click "Show Source Contents," "Show Original Address Contents," or "Show Translated Address Contents" from the shortcut menu in the Translation Rules table, you are asked to open an activity. These operations are read-only and do not require an opened activity.
CSCsd40127—Incorrect error message for time range objects
Description: If you enter an invalid time when you define a time range object, the error message that appears does not match the cause of the error.
CSCsd40376—GTP Map for PIX 7.0(4): No provision to configure permit response in GUI
Description: GTP Map in Security Manager does not support the permit response subcommand that was introduced in later versions of PIX OS software. The permit response subcommand from the GTP Map CLI in PIX 7.0(4) and greater is dropped during the discovery process and not deployed when the GTP Map is deployed to the device.
CSCsd44545—Add New Version might not close dialog box in Workflow mode
Description: The New Configuration Version dialog box sometimes does not close when you select Configuration > Add > Add New Version from the Tools menu in Workflow mode. This happens if you do not have an open activity. The selected configuration version is added correctly, even though the dialog box does not close.
CSCsd45510—Configuring transparent FW on IOS devices supports only one bridge group
Description: When you configure transparent firewall on IOS devices, only one bridge group is supported. Bridge group 1 is dedicated to transparent firewall. If you use Bridge Group 1 for something else, and only one interface exists for that group, upon discovery, a validation error results.
CSCsd46022—AAA server loses its defined protocol and becomes uneditable
Description: A AAA server object that is part of a AAA server group loses its defined protocol and becomes uneditable after you change the protocol and fail to specify a key.
CSCsd46041—Validation fails if NAC is configured on an unsupported device type
Description: After you configure a NAC policy on a router, validation fails. This is because Security Manager allows you to configure a NAC policy on routers that do not support NAC.
CSCsd47010—Read-only users can create policies in Policy view
Description: Users with read-only (View) permissions can click the Add button in Policy view to create shared policies. In rare cases, this can lead to the deployment of blank policies that overwrite existing device configurations.
CSCsd49009—The "no dhcprelay command" order needs to be done correctly for ASA
Description: Deployment fails for DHCP relay commands and an error message states that the device cannot receive DHCP requests and forward them on the same interface.
CSCsd53532—After reinstallation, home page changes to CiscoWorks home page
Description: If you reinstall Common Services 3.0.3, Security Manager, and Auto Update Server (AUS) on an existing Security Manager server on which Security Manager and AUS are already installed, the home page defaults to the CiscoWorks home page instead of the Security Manager home page.
CSCsd55200—EzVPN Xauth username/password not configured on PIX 6.3 remote client
Description: The EasyVPN tunnel is not created because Xauth authentication fails on the PIX 6.3 remote client. Security Manager does not configure the Xauth username and password that is required for authentication.
CSCsd55435—Objects not displayed in Policy Object Manager after deleting overrides
Description: Deleting a policy object override causes the object on which the override is based to disappear from the Policy Object Manager.
CSCsd56449—"Translating" message appears then deployment of PKI policy fails
Description: Deployment of a PKI policy fails if the URL specified for the CA server contains the CA server's hostname instead of its explicit IP address. Before the deployment failure, a "translating" notification appears to indicate that the device is trying to translate the host name.
CSCsd57440—Security Manager should correctly handle "boot system tftp" cmd for ASA
Description: If some boot images are already configured on an ASA device and you try to add another TFTP boot image, the deployment fails.
CSCsd58293—AAA servers discovered without a key do not use the global key
Description: If you discover a AAA server without a defined key on a Cisco IOS router, Security Manager does not properly discover and implement the global key in place of the missing server-specific key.
CSCsd58953—Deployment error displays incomplete information about failure
Description: Deployment fails and the error messages that appear do not supply adequate information about the error.
CSCsd59527—ASA: AAA accounting mode and server port not discovered correctly
Description: If you discover AAA servers configured on an ASA device, the group accounting mode is not defined in Security Manager with the default value and the server port is not defined according to the server protocol.
CSCsd59545—RADIUS AAA host key is changed by backoff exponential parameter
Description: Discovery of a router that uses the backoff exponential parameter as part of the definition of a RADIUS AAA host causes the correct key for this host to be overwritten upon deployment.
CSCsd60172—PIX/FWSM-Policies with nested network objects fail activity validation
Description: Activity validation fails on FWSM and PIX platform policies that contain network objects that refer to other network objects containing a single IP address.
CSCsd60698—PIX/ASA discovery creates AAA server groups with excessively long names
Description: Under certain circumstances, Security Manager might generate a name for a AAA server group that exceeds the maximum length supported by firewall devices. Any policy that uses this AAA server group fails validation.
CSCsd60868—Device credentials erased in rollback instances in Config Archive
Description: Device Credentials that were once displayed in the Device Properties menu can disappear after you roll back to an earlier configuration from Configuration Archive. This can occur when the previous deployment was to file, or when the previous deployment contained empty delta configurations.
CSCsd62598—Discovery fails after you change the Default Source Ports setting
Description: Discovery fails after you change the Default Source Ports setting on the Policy Object page of the Security Manager - Administration window to Use Secure Ports.
CSCsd62633—PIX/ASA rediscovery does not add AAA servers to AAA server groups
Description: Under certain circumstances, performing rediscovery on PIX/ASA devices does not add the AAA servers defined on the device to the related AAA server group.
CSCsd63562—Incorrect validation for xlate timeout on FWSM 2.3(3) device
Description: The minimum Translation Slot (xlate) timeout that you can set on the Timeouts Policy page is 30 seconds for FWSM 2.3(3) devices. However, Security Manager requires a minimum timeout of 1 minute.
CSCsd63938—FWSM interface table is empty and cannot be monitored
Description: The interface table in the Failover policy for FWSMs in single transparent mode and security contexts in transparent mode contains no information. As a result, you cannot set these interfaces to be monitored.
CSCsd66712—url-block commands cause deployment to fail
Description: If you are specifying web filter settings for PIX/ASA devices for the first time, deployment might fail when you send url-block commands.
CSCsd67225—LDAP subcommand for aaa-server is dropped for Tunnel Group deployment
Description: A AAA Server host with LDAP protocol does not generate the subcommand "ldap-base-dn String" from Security Manager and the subcommand is removed from the device at deployment.
CSCsd67246—Job with multiple AUS-managed devices fails on first deployment
Description: After you deploy configurations to multiple AUS-managed devices in a single job, deployment to some of the devices fails and a "CALLHOME-PARSER-INVALID_ELEMENT" message is recorded in the transcript.
CSCsd68099—Job state is "Deployed" although device is still deploying
Description: If a deployment job contains both CNS managed and non-CNS managed devices, deployment status might not accurately reflect the actual deployment status of all the devices in the job. For example, deployment status might be "deployed" before all the non-CNS managed devices have finished deploying.
CSCsd69875—The no shut command is not generated for IOS transparent firewall BVI1
Description: If an IOS device does not have "bridge group 1 protocol ieee," "bridge 1 route ip," and "bridge irb" and you configure the BVI1 IP address in both the interface UI page and the Transparent Settings page, deployment fails.
CSCsd72206—Policy Query does not display the correct relationship for interfaces
Description: When source, destination, and service are in a policy query with no interface selected, and the source, destination, and service match the rule values completely, the query and rule are deemed identical and the interfaces detail shows that "any" interface is identical to the rule interface value.
CSCsd73984—Policy Query not showing rule results in Policy view
Description: If you are in Policy view and you query a rule with a service that is contained in a service group used in the rule, the query results are blank.
CSCsd75967—SQL error during installation of Security Manager with ACS
Description: During installation of Security Manager, a dialog box shows that an interactive SQL error occurred. This problem occurs if a Sybase database engine is running while you are installing Security Manager.
CSCsd76242—Logging message does not generate CLI to enable/disable a syslog message
Description: Configuring the "Suppressed" setting for a syslog message on the Platform > Logging > Server Setup page has no effect when you deploy the configuration to the device.
CSCsd77059—Modify users in ACS mode cannot create/delete policies in Policy view
Description: Under certain circumstances, users who have Modify permissions in ACS mode cannot create or delete policies in Policy view.
CSCsd78965—Rule might have incorrect rule number if logging option is off
Description: An incorrect rule number results if you paste or add a rule at the same place more than once and logging is turned off.
CSCse09955—Cannot create network/host object that refers to object with single IP
Description: When defining a policy that requires a single IP address, an error occurs if you create a network/host object that refers to a second network/host object on which the required IP address is defined.
CSCse10636—NAC-Missing validation for subinterfaces triggers deployment failure
Description: The deployment of NAC interface commands (eou max-retry and eou revalidate) fails on subinterfaces.
CSCse23468—Rollback of context fails due to certificate mismatch
Description: Rollback of a context fails because the device certificate was changed. On the next device operation, an error message states that the certificate is not trusted.
CSCse31816—AAA server cmd from IOS is not parsed correctly when reused by firewall
Description: If a AAA server discovered from an IOS device contains a leading "7" in its shared key and if the shared key is reused by a PIX/ASA/FWSM device, an error is issued on the key during activity validation.
CSCse33101—GUI notation "ASA" means user-input field applies to ASA and PIX 7.x
Description: The GUI adds notations next to user-input fields to indicate platform support. Currently, certain notations reference "ASA"; however, because the PIX 7.x platform uses the same software as ASA, the "ASA" notation applies to both ASA and PIX 7.x platforms (unless otherwise stated).
CSCse34675—Multimode: Rollback replaces the default config in the contexts
Description: When rollback of an admin context or another virtual context on ASA 7.0(5) multimode devices fails, it reverts to the factory default configuration instead of the device startup configuration.
CSCse43848—Deployment fails after upgrade if upgrade is installed on diff directory
Description: A data upgrade from Security Manager 3.0 to 3.0.1 fails if you install Security Manager 3.0.1 on a new server and in a different directory when compared to the directory in which it was originally installed. This might lead to a deployment failure because referenced configuration files are not available under configuration archive.
CSCse48038—Certificate is not retrieved during upgrade
Description: After you upgrade and restore to Security Manager 3.0.1 from 3.0, any device operation produces an error message noting that the certificate is not trusted. This is because the certificate is not retrieved during upgrade.
CSCse50096—Failover - ASA/FWSM should not pop up bootstrap window if no changes
Description: For both ASA and FWSM, the Bootstrap window is always displayed even if no changes are made to the LAN Failover policy.
CSCse57548—ASA 7.1 incorrectly deploys shutdown LAN FO intf command again
Description: Deployment fails for ASA 7.1 devices configured with LAN failover in multi mode.
CSCse58530—Web Filter: Incorrect validation for having UDP with URL buffer memory
Description: Deployment to a device might fail if a URL server with protocol UDP is defined along with the URL buffer memory.
CSCse58543—IOS: Deployment fails for UDP protocol with inspect HTTP
Description: If an inspection rule is configured with destination IP and protocol UDP, validation fails for UDP protocol with HTTP.
CSCse58554—Need validation for having aol as inspect protocol
Description: If an inspection rule is configured with "aol" as the inspect protocol on unsupported devices, a validation error results.
CSCse59578—Web Filter: Deployment fails for service port range in URL filter
Description: Deployment to a device might fail if two filter commands with the same source and destination addresses have overlapping service ports.
CSCse63692—Deployment fails on RA Catalyst 6500/7600 configured with FWSM and VRF-Aware IPSec
Description: In a remote access VPN, if you configure a Catalyst 6500/7600 device with a VRF-Aware IPSec policy and a FWSM blade, deployment fails due to the incorrect order of the CLI commands, which configure the FWSM blade before the VRF-Aware IPSec policy.
CSCse63971—Deployment fails after restore if upgrade is installed on diff directory
Description: A restore operation of Security Manager 3.0.1 fails if you install Security Manager 3.0.1 on a new server and in a different directory when compared to the directory in which it was originally installed. This might lead to a deployment failure because referenced configuration files are not available under configuration archive.
CSCse70778—IOS: Transparent firewall deploy fails due to incorrect bridge group ID
Description: If bridge-group is configured on an IOS device and its ID is not 1, the deployment of the transparent policy fails.
CSCse78803—Invalid warning with parent policy
Description: An invalid validation warning might be issued about having an interface unbound to any access-lists.
CSCse78893—RADIUS and SDI deployment fails after upgrade to Security Manager 3.0.1
Description: After you upgrade Security Manager from 3.0 to 3.0.1, deployment might fail for AAA RADIUS or SDI servers.
CSCse79118—FWSM 3.1(x) Failover cannot be deployed due to out of sequence commands
Description: You will receive a deployment error if you make the following configuration changes for an FWSM 3.1(x) device and deploy those changes in the same deployment job:
–
Define VLAN interfaces.
–
Allocate the new VLAN interfaces to a security context.
–
Create an active/active or active/standby failover policy.
CSCse79127—Deployment fails after changing FWSM failover modeDescription: If you change the failover mode for an FWSM running 3.1(x) from active/active to active/standby or from active/standby to active/active, you will receive the error "DOWNLOAD OPERATION FAILED : 24410 : Error parsing the show config response: Command Ignored, Configuration in progress..." when you deploy to the device.
CSCse79359—Cannot create multiple contexts for FWSM 3.1(2) or 3.1(3) in single jobDescription: If you create multiple security contexts for an FWSM running 3.1(2) or 3.1(3) and deploy those security contexts in the same job, deployment fails with the error "DOWNLOAD OPERATION FAILED: 24410: Error parsing the show config response: Command Ignored, Configuration in progress..." for some security contexts and the error "DOWNLOAD OPERATION FAILED: 24015: IO error during SSL communication." for other security contexts.
CSCse79360—VLAN created in Security Contexts policy deleted on second deploymentDescription: If you modify the Security Contexts policy for a system context of an FWSM and reference a VLAN that does not exist in the Interfaces policy for the same system context, the VLAN is created on the FWSM when you next deploy to the system context. However, because the VLAN is not added to the Interfaces policy in Security Manager, the next time you deploy to the system context, the VLAN will be removed and any future deployments to virtual contexts that refer to that VLAN will fail because the VLAN is no longer defined in the system context.
Security Manager Known Problems
Catalyst 6500/7600 Configuration
Table 2 Catalyst 6500/7600 Configuration
CSCsi17582—Cannot change the data port VLAN running mode after negating CLI on IDSM
Description: Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 1 before configuring capture allowed-vlans
CSCsi17608—Deployment fails when allowed VLAN ID is modified on IDSM capture port
Description: If you modify the allowed VLANs of an IDSM data port that has been configured as a capture port and deploy configurations to the device, the following error occurs:
"Capture not allowed on a SPAN destination port"
CSCsi24091—Deploy fails if you change access to trunk mode & enable DTP negotiation
Description: Deployment might fail when you attempt to modify the physical port configuration type from access to trunk mode for a Catalyst switch and keep the Enable DTP negotiation check box selected in the trunk port mode.
CSCsi31232—Catalyst 6500/7600 chassis discovery fails after upgrade from 3.0 to 3.1
Description: When you migrate a Security Manager 3.0 or 3.0.1 database to 3.1 in workflow mode, and try to discover the configuration of the upgraded Catalyst 6500 Series switch, Cisco 7600 Series router, or FWSM managed using the chassis before creating an activity, discovery fails.
Client Software
Table 3 Client Software
CSCsc91430—A blank error message is displayed when you update your client software
Description: During a service pack or point patch installation, a system prompt tells you to uninstall Security Manager Client. Unless you click the OK button, an error message that contains no text is displayed.
CSCsd39354—Some Windows users see no desktop shortcut or Start menu shortcut
Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.
Configuration Archive
Table 4 Configuration Archive
CSCsi11419—Rollback fails 50 percent of the time with Failover enabled
Description: After rolling back Failover configuration to the device, the secondary unit does not come up automatically and does not participate automatically in the Failover setup.
Deployment
Table 5 Deployment
CSCsa84494—Discovery & view current config can't occur concurrently with deployment
Description: Performing discovery or viewing the current configuration of a device while deployment is in progress might lead to unpredictable results.
CSCsc22934—ACL limitations on Layer 2 interfaces on IOS ISR devices
Description: Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.
CSCsd38578—Deploying to a device with no policies erases the config on the device
Description: The configuration on the device is erased if you deploy to the device before any policies have been defined in Security Manager.
CSCsd67440—Deployment fails after you restart the Daemon Manager
Description: Deployment fails after you restart the Daemon Manager because the backend server process does not start.
CSCse10629—Deployment successful but not all delta commands deployed to device
Description: Deployment appears to be successful; however, not all of the commands in the delta configuration are deployed to the device.
CSCse23064—Enrollment URL CLI causes failure in deployment to AUS managed device
Description: Deployment to an AUS-managed device fails if the deployment configuration contains the CLI command "enrollment url http:..."
CSCsi09797—Job state for completed jobs is "Deploying" for CNS-managed IOS routers
Description: After Security Manager successfully deploys the configuration file to CNS, and Cisco IOS routers configured for CNS poll and apply the configuration changes at the predefined polling period, the Status column in the Deployment Manager window continues to display the job state as "Deploying".
CSCsi18673—Security Manager deployment may trigger ObjectGroup name warnings
Description: Security Manager deployment details may show ObjectGroup name warnings. For example, ObjectGroup Netbios.udp is created from Policy Object Netbios. On networks with a large number of deployments this may cause an exceedingly large number of warnings, making it hard to monitor the deployments.
CSCsi18678—Security Manager deployment may trigger interface name warnings
Description: Security Manager deployment details may show name warnings of the sort: "Interface defined on device does not have a name." That is, some of the interfaces defined on a device do not have a defined name. Rules bound solely to these interfaces will not be deployed. On networks with a large number of deployments this may cause an exceedingly large number of warnings, making it hard to monitor the deployments.
CSCsi29146—Deployment using AUS fails after upgrade from 3.0 to 3.1
Description: Security Manager deployment details may show 'Interface defined on device does not have a name' warnings if the interface name is empty. For example, some of the interfaces defined on a device do not have a name defined. Rules bound just to these interfaces will not be deployed.
CSCsi31224—Preview failed after deploying config to AUS server
Description: A device's certificate is changed after retrieving the config file from the AUS server. The certificate stored in Security Manager is then out of sync with the device, which causes the preview to fail with a certificate mismatch error.
Device Management
Table 6 Device Management
CSCsc51908—Cannot add a system context from DCR into Security Manager
Description: If you try to import a system context that belongs to a multi-mode PIX Firewall 7.0 or an ASA device from DCR to Security Manager, the import fails and an error message results.
CSCsc78319—Security Manager does not support changing the device type in DCR
Description: The device icon in the Device selector does not match the device type and the Policies selector displays only the Flex Config policy when you click the Device View button in the tool bar.
CSCsd49045—Unclear error message when IOS SSL deployment exceeds maximum size
Description: Deployment to Cisco IOS router fails when SSL is the transport protocol and you see a confusing error message.
CSCsd71001—Not able to import AUS device from DCR
Description: You cannot import an AUS-managed device from DCR to Security Manager.
CSCse70089—RBAC-Authorization and duplicate display name errors when adding devices
Description: Authorization and duplicate display name errors occur when you add devices to a Security Manager server that uses Cisco Secure ACS for AAA.
Diagnostics, Monitoring, and Troubleshooting Tools
Table 7 Diagnostics, Monitoring, and Troubleshooting Tools
CSCsg13603—Device connectivity test takes a long time for unreachable devices
Description: When you test device connectivity while adding devices using the Add Device from Network or the Add New Device wizard, the device connectivity test takes a long time to complete if the device cannot be reached.
CSCsi04942—IEV error while installing only Common Services 3.0.5 or AUS 3.1
Description: When you install only Common Services 3.0.5 or AUS 3.1 from the Security Manager DVD, an IEV error message is displayed even if you did not select Security Manager 3.1 during installation.
CSCsi08390—IEV installation fails on systems without C: drive
Description: During installation of Security Manager server 3.1 on systems that do not have a C: drive, IEV server fails to install and an error message is displayed. Also, an error is logged in the server installation log file.
CSCsi27178—Several pages are blank in SDM 2.4 after discarding changes
Description: After you perform configuration changes for Cisco IOS devices using SDM 2.4 started from the Security Manager client and click Discard Changes to reset to the previously applied configurations, many of the pages are blank or empty.
CSCsi76604—Data archival does not work in IEV started from Security Manager
Description: The database archival feature, which enables you to archive real-time events, does not work in IEV started from Security Manager. However, this problem does not occur on a system in which IEV is installed separately from Cisco.com and started outside of Security Manager.
CSCsi86335—Cross-launch of IEV client fails if Symantec application is running
Description: You cannot start IEV client from Security Manager client on a system in which the Symantec Client Firewall Port Scanning Module or Symantec Secure Port application is running.
Discovery
Table 8 Discovery
CSCse27578—Discovery/deployment of multiple FWSM VCs hangs
Description: Discovery or deployment hangs for multimode FWSM with several virtual contexts.
CSCse99139—Rediscovery of inventory alone can create device-override building blocks
Description: Device level overrides for policy objects corresponding to object groups can be created after discovering only the inventory policies like interfaces.
CSCsi33347—Auto-update:Changing order of AUS servers does not generate commands
Description: On a 7.2 ASA/PIX with multiple AUS servers, changing the order of the AUS servers does not generate any commands.
CSCsi45142—AAA - source intf disc from global cmd instead of aaa subcommand
Description: The interface parameter is not discovered for the AAA-server building block discovered from IOS routers.
CSCsi45204—QoS policy not discovered when WRED is enabled
Description: When Weighted Random Early Detection (WRED) is configured, discovery of an IOS device with a QoS policy fails to discover the QoS policy.
Firewall Services
Table 9 Firewall Services
CSCsa81103—Unable to create an access rule with TCP flags
Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.
CSCsa81104—Unable to create an access rule to match QoS parameters
Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.
CSCsa98978—Hit Count does not expand FWSM devices with object-group enabled
Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.
CSCsb85487—Need warning when ACL deployment to IOS devices can cut off access
Description: Security Manager does not check if the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, connection to the device might be lost.
CSCsc81905—QIT: Empty ACL is deployed on 87x series routers for BGP port
Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; however, BGP is supported when the device has more than 24 MB memory. Security Manager does not detect the amount of memory available on the device and cannot enforce any restrictions. As a result, a deployment job containing an ACL with ACEs that specify BGP will fail.
CSCsc84443—IP HTTP server cli is not removed after the policy is unassigned
Description: IOS devices require that HTTP is used as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove the CLI when authentication proxy is unassigned from the device in Security Manager.
CSCsc85416—User configured AAA/AuthProxy CLIs are not removed from the device
Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.
CSCsc87646—Deployment to IOS device fails if AuthProxy is assigned to L2 interface
Description: If you create AAA or inspection rules for "all" interfaces on an IOS device, deployment fails if the device is using a Layer 2 port.
CSCsd26482—IOS "access-list" Standard ACL is not supported by Hit Count
Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.
CSCsd30481—PIX 6.3: needs warning for the Time Range object in access rules
Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.
CSCsd33025—Deployment fails on a device with too many AAA server groups
Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.
CSCsd60788—No port-map command generated if rules and predefined protocols conflict
Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
CSCsg35578—Import ACE: Validation not done if the config is not in show run format
Description: Some options are omitted from rules that are created using the Import Rules tool, for example, empty port values and destination port values that are not validated for 'eq' and 'neq' for IOS devices.
CSCsh64420—Deployment fails modifying ACE in AAA ACL on FWSM3.1.1
Description: For FWSM3.1(1) context, if you modify the AAA rules table, then deploy the change to the device, you might get the following deployment error:
ERROR: Unable to find AAA ACE
Error acl_updated: aaa_acl_changed failed
ERROR: Unable to delete ACE from dependent modules
CSCsh68101—Activity Report: Issues with access rules table
Description: Rule section changes are not reported in the activity reports.
CSCsh94210—Problems matching interface when reusing AAA policy objects
Description: AAA Server policy objects cannot be reused because of mismatched interfaces. This might result from an interface role used to define an interface that is not matched to a physical interface after rediscovery. For PIX/ASA7.x devices, this might result from using "inside" (or an interface name that starts with "inside") to describe the interface.
CSCsh96644—FWSM ACL remarks may cause inline editing manual commit failure
Description: Deploying to FWSM 3.1(4) fails with an error saying "Specified remark does not exist" in the deployment transcript. This happens only when the "Let FWSM decide when to compile access-list" admin setting is unchecked and the access policies contain a number of comments.
CSCsi11697—Deploy fails after rollback operation followed by URL filter change
Description: If you use Security Manager to roll back an ASA 7.2(2) device to a configuration that contains the default inspection class-map and policy-map "global_policy", and then change Web Filter rules and deploy the change, the deploy operation might fail.
CSCsi16937—FWSM: Need validation for non-standard netmask in address pool
Description: Deployment might fail if an IP address is configured with a non-standard mask for an address pool. Although the UI allows it, the only device version that allows non-standard masks is PIX/ASA 7.2+.
CSCsi18871—PIX 7.1 gtp-map subcommand order is not preserved
Description: Changes to the match-condition order for a gtp-map used in a PIX 7.0 or PIX 7.1 device do not get deployed to the device.
CSCsi23683—Deployment fails when you reconfigure bridge-groups in transparent rules
Description: When you associate interfaces with another bridge-group and provision it in Security Manager, the deployment shows an error; however, the device in this case has been provisioned correctly.
CSCsi23773—Always generates range CLI for TCP map
Description: If a TCP Map is assigned in the "IPS, QoS and Connection Rules" policy, redundant tcp-options commands might be generated even if no changes are made to the TCP Map or related policy.
CSCsi27421—Deploy removes ACEs when creating ObjectGroup disabled for FWSM 3.1(3-4)
Description: If an access-list entry (ACE) with an object group is internally expanded into a number of ACEs and if one of the expanded ACEs is inserted into the access-list, FWSM 3.1(3)12 and later rejects this ACE with an error "found duplicate element".
CSCsi34298—Webfilter: Deployment fails if overlapping filter commands are defined
Description: If two filter commands of the same type are defined with the same port ranges (service) or overlapping port ranges and overlapping networks, deployment to a device fails. The device does not accept overlapping filter commands.
CSCsi35479—HTTP policy: Commands generated for every deployment
Description: For ASA 7.2 HTTP Maps, if the body match maximum is set to 0 (zero), the device accepts the command as "body-match-maximum" but shows it in show run as "body-match-maximum 0". This causes the delta to always contain the removal of the http policy-map subcommands and adding them back.
CSCsi49748—Transparent rules not removed from device when deleted in Security Mgr
Description: If you delete the transparent firewall rules from Security Manager and deploy to the device, the rules are not removed from the device; however, Security Manager continues to show those rules as deleted.
CSCsi49794—AclNamePreserv: Deploy fails due to diff source addr in delta for static
Description: When you change an access list that is shared between a static command and another command, deployment to the device might fail.
CSCsi50493—DataLoader's load method needs to handle quotes
Description: The access rules table might not finish loading for a newly discovered device if the discovered configuration has access-list remarks that contain quotes or double quotes.
CSCsi51974—Hit Count: Disabled for inherited rules
Description: The Hit Count option, which is accessed from the Tools menu that is located below the Access Rules table, is disabled when you select access rules that belong to an inherited policy.