Guest

Cisco Secure Access Control Server for Windows

Field Notice: FN - 62663 - U.S. Daylight Savings Time Policy Changes Effective March 2007 - for ACS Windows


Revised March 9, 2007

March 1, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Products Affected

CSACS SE - CSACSE-1111-K9

CSACS SE - CSACSE-1112-K9

ACS Windows

Problem Description

New U.S. Daylight Savings Times rules go into effect in March 2007. Consequently, customers whose network components rely on the default U.S. summertime clock settings within Cisco ACS software will be affected by the following problem.

For operating systems that have not been updated with the new U.S. DST policy changes, timestamps will exhibit a one hour time clock offset lasting three weeks beginning at 2 A.M. on the second Sunday in March of 2007. They will also exhibit a one hour time clock offset lasting one week beginning at 2 A.M. on the first Sunday in November.

Any time-dependent product features of Cisco ACS software will be affected by this problem unless you upgrade the software image or apply the workaround as herein described.

Example of potential concerns:

This could cause major problems in your network. If you are using Kerberos in your network, it will fail. Kerberos requires that the time between the client and server be within about five minutes. Other authentication devices could also fail when the times are off. It also makes troubleshooting more difficult because the log times are off by an hour.

Background

On August 8, 2005, the Energy Policy Act of 2005 (H.R.6.ENR), was signed into law. Section 110 of this Act modified the time change dates for Daylight Saving Time (DST) in the U.S.

Beginning in March of 2007, DST will begin on the second Sunday of March and end the first Sunday of November.

For 2007 and beyond, the daylight saving time period will be:

2:00 A.M. on the second Sunday in March

to

2:00 A.M. on the first Sunday in November

For more information on the Energy Policy Act of 2005, see H.R. 6. (See Section 110)

Problem Symptoms

Networking systems often make use of local time to mark logs, as well as to schedule certain events, such as IP SLA schedule starts, or the beginning or end of a time-based access-list.

In addition, inconsistencies between time zone definitions may impact event correlation systems as well as other management systems relating to problem escalation. Having accurately represented local time is a very big concern for most organizations. Local time may be reflected in logs and on phone displays. This is especially true of systems that require accurate time and time stamping for proper operations.

For networking systems, the clock or clock source is often derived from a trusted chronological source such as a private or public Atomic clock, often through Network Time Protocol (NTP). NTP communicates time in Coordinated Universal Time (UTC), colloquially known as GMT, and thus is not impacted, nor is a workaround for statutory time zone changes. Local time definitions, including summertime settings are part of the configuration of most Cisco products.

Network Time Protocol (NTP) Implications

Regardless of whether or not network components are configured to use differing clock sources such as UTC and NTP, networks will be affected when clock summer-time commands are enabled with incorrect parameters.

Workaround/Solution

Using NTP is not a workaround to this problem.

NTP does not carry any information about timezones or summertime settings.

For the ACS Appliance (1111, 1112 and 1113)

Solution:

Customers will need to use this file to patch your version of ACS - appl_w2k-DST_MS_HotFix.zip. The file can be found at the Cisco Secure Access Control Server Solution Engine Software Download (registered customers only) page.

This patch will work on all versions of ACS. Instructions for applying the patch can be found here:

About Appliance Upgrades and Patches

THIS PATCH HAS JUST BEEN REFRESHED BY MICROSOFT March 8, 2007.

Cisco strongly recommends that this most recent patch from MS is used for DST issues. If you have previously downloaded the patch for the CSACS Appliance prior to March 8, 2007 we recommend you download and apply this newest patch

This issue has been addressed in ACS version 4.1.3 which will be available on CCO at the Cisco Secure Access Control Server Solution Engine Download (registered customers only) page on April 25.

For ACS for Windows

Solution:

ACS software updates its system time from the underlying MicroSoft OS. You will need to ensure that the Daylight Savings Time patch from MS has been applied to the Windows hardware platform that hosts the ACS application. The patch can be found at the Daylight Saving Time Help and Support Center.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS

Description

CSCsg24465 (registered customers only)

Update OS to support Daylight Saving Time for the 2007 energy bill

Revision History

Revision

Date

Comment

1.4

09-MAR-2007

Workaround/Soloution Section - Added 1113 as a hardware model. Added information on latest Microsoft patch. Added patch location to the ACS on Windows section.

1.3

07-MAR-2007

Updated URL for download of ACS 4.13 version.

1.2

06-MAR-2007

Corrected URL for ACS version 4.13 for Windows

1.1

05-MAR-2007

Added CSACS SE - CSACSE-1111-K9 and CSACS SE - CSACSE-1112-K9 to Products Affected section. Edited the Workaround/Solution section make the distinction between the solutions for the appliance and ACS on Windows more apparent and easier to follow.

1.0

01-MAR-2007

Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.