CiscoWorks VPN/Security Management Solution Installation Frequently Asked Questions

Document ID: 42886

Updated: Oct 17, 2008


Introduction

This document contains answers to the most frequently asked questions (FAQs) related to the CiscoWorks VPN Management Solution (VMS) 2.2 installation.

For more information on document conventions, refer to the Conventions Used in Cisco Technical Tips.

Q. Why do I receive the "Please insert disk number 1 of the spanned Zip file into drive C:" message? How do I fix this?

A. You receive this message when you do not use WinZip 8.1 or later. Upgrade your WinZip application in order to extract these files.

Q. What are the component versions in the latest CiscoWorks VMS software?

A. The latest CiscoWorks VMS 2.2 software includes these component versions:

Component                            Windows   Solaris
Common Services with update 1        2.2       2.2
Management Center for Firewalls      1.3.1     1.2.2
Auto Update Server                   1.1       1.1
Management Center for Router         1.3       1.3
Management Center for IDS Sensors    1.2.3     1.2.3
Monitoring Center for Security       1.2.3     1.2.3
Monitoring Center Performance        2.01      2.0
Management Center for CSA            4.02      -
VPN Monitor                          1.2.1     -
RME                                  3.5       3.5

Q. How do I update to the latest CiscoWorks VMS software?

A. Complete these steps:

  1. Order the media kit for VMS 2.2 with update 1.
    • New customers can order the media kit for VMS 2.2 with update 1. The part numbers are CWVMS-2.2-UR-K9 (VMS 2.2 Restricted) or CWVMS-2.2-WINR-K9 (VMS 2.2 Unrestricted).

      For customers that need to manage six to twenty devices, Cisco recommends the VMS restricted license.

      For customers that need to manage more than twenty devices, or need to install on Solaris, Cisco recommends the VMS Unrestricted license. Further information is available at the CiscoWorks VMS Introduction page.

    • Existing VMS 2.x customers with a SAS contract can request the media kit at no additional cost with the Product Upgrade Tool (PUT) (registered customers only).

    • Existing VMS 2.x customers without a SAS contract can order the latest media kit:

      • CWVMS-DEC03RMR-K9 (for existing customers with a 2.x restricted license)

        or

      • CWVMS-DEC03URMR-K9 (for existing customers with a 2.x unrestricted license)

    • Existing CSPM 2.x or IDS Director customers with or without a SAS contract can order one of these VMS major upgrade kits:

      • CWVMS-2.2-WUPGR-K9 (VMS 2.2 Restricted)

        or

      • CWVMS-2.2-UPGUR-K9 (VMS 2.2 Unrestricted)

  2. Download components updated since the release of the media kit. See this table for a list of the components that have been updated after the release of the VMS media kit. Updates or patches are available for you to download from the CiscoWorks VMS Software Center Download page (registered customers only). Cisco recommends you check this download page for the latest component versions. This guide provides information on the current versions as of April 6, 2004.

    Component                            Windows Media Kit    Solaris Media Kit    Subsequent Component Update
                                         (see Note 1)         (see Note 2)         Releases (see Note 3)
    Common Services                      2.2                  2.2
    Management Center for Firewalls      1.2.2                1.2.2                1.3.1 update for Windows (registered customers only)
    Auto Update Server                   1.1                  1.1
    Management Center for Routers        1.2.1                1.2.1                1.3 update for Windows and Solaris (registered customers only)
    Management Center for IDS Sensors    1.2.3                1.2.3
    Monitoring Center for Security       1.2.3                1.2.3
    Monitoring Center for Performance    -                    2.0                  2.01 update for Windows (registered customers only)
    Management Center for CSA            4.01                 n/a
    VPN Monitor                          1.2.1                n/a
    Resource Manager Essentials          3.5                  3.5

    New update benefits and comments for the updated components:

    • Management Center for Firewalls 1.3.1

      Benefits (new feature examples): Site-to-Site VPN Support, EZ VPN Server Support, Basic Virtual Firewall Support, Policy NAT

      Comments: Requires VMS 2.2 with update 1 media kit

    • Management Center for Routers 1.3

      Benefits (new feature examples): GRE based VPNs, IPSec High Availability Support, IOS Firewall config, IPSec based VPNs

      Comments: Requires VMS 2.2 with update 1 media kit

    • Monitoring Center for Performance 2.01

      Benefits (improved functions for performance monitoring): Monitor the status of VPNs, Monitor the real time stats for Firewalls, Monitor Cat CSM and SSL Module

      Comments: Replaces VPN Monitor. Requires VMS 2.2 with update 1 media kit

    Note 1: VMS 2.2 with update 1 started shipping in the middle of January 2004.

    Note 2: VMS 2.2 with update 1 started shipping in the middle of 2004.

    Note 3: Installation of Common Services version 2.2 and update 1, delivered with the VMS media kit, is a prerequisite to the component updates.

    You can get the data sheets from the CiscoWorks VMS Introduction page.

Q. What are the system and software requirements?

A. These tables list the system and software requirements for the VMS installation for Windows, Solaris, and the VMS Client.

Windows
Hardware:
  • IBM PC compatible with 1GHz or faster Pentium CPU

  • 1 GB memory

  • 9 GB free hard drive space (see Note below)

  • CD-ROM drive

  • Color monitor with video card capable of 16-bit colors

  • 10/100 BaseT or faster network connection

Operating System:
  • Windows 2000 Professional

  • Windows 2000 Server

  • Windows Advanced Server

  • Service Pack 3

  • NTFS file system

  • 2 GB virtual memory

  • Sun Java plug-in 1.3.1-b24

Note: The actual amount of hard drive space required depends on the number of VMS components that you install and the number of devices that you manage and monitor.

Solaris
Hardware:
  • Sun UltraSPARC 60 MP with 440 MHz or faster CPU or Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Server)

  • CD-ROM drive

  • Color monitor with video card capable of 16-bit colors

  • 10/100 BaseT or faster network connection

Operating System:
  • Sun Solaris 2.8 full installation

Required Patches:
  • 108528-13

  • 108527-15

VMS Client
Hardware/Software:
  • IBM PC-compatible computer with 300 MHz or faster Pentium processor that runs one of these software packages:

    • Windows 2000 Server, or Professional Edition with Service Pack 3

    • Windows XP Professional, Service Pack 1 with Microsoft Virtual Machine

  • Solaris SPARCstation or Sun Ultra 10 with a 333 MHz processor that runs the Solaris 2.8 operating system

Hard Drive Space:
  • 400 MB virtual memory (for Windows)

  • 512 MB swap space (for Solaris)

Memory:
  • 256 MB minimum

Web Browser: You must install one of these browsers:
  • Microsoft Internet Explorer 6.0, Service Pack 1 for Windows operating systems with Microsoft Virtual Machine

  • Netscape Navigator 4.79 on any of these:

    • Windows 2000 Server or Professional Edition with Service Pack 3

    • Windows XP Professional with Service Pack 1

  • Netscape Navigator 4.76 for Solaris

Note: Firewall MC and Router MC are supported with Internet Explorer 6.0, but not with Netscape Navigator. Management Center for Intrusion Detection System Sensors (IDS MC) supports both Netscape Navigator and Internet Explorer.

Q. Can VMS 2.2 be installed on a Windows 2003 / .net server?

A. VMS 2.2 has been reported to work on a Windows 2003 / .net server but since it has not been regression tested by engineering, it is not supported by Cisco.

Q. Can VMS 2.2 be installed on Microsoft Windows 2000 with Service Pack 4?

A. VMS 2.2 can only work with Microsoft Windows 2000 with Service Pack 4 after you apply the VMS Update 1 to the VMS 2.2 server. You can download update 1 from the CiscoWorks VPN/Security Management Solution Software Download Page (registered customers only).

Q. What are the license requirements?

A. Registering Common Services activates the Management Centers (MCs) that use common services. These include Firewall MC, Intrusion Detection System (IDS) MC, and Router MC. Without registering, these applications expire in 90 days. Cisco Security Agent (CSA) MC installs, but does not run without component registration. For further information, refer to Registration and Licensing Notes for CiscoWorks Common Services 2.2.

Note: CiscoWorks VMS 2.2 includes the CiscoWorks MC for CSAs and licenses for three server agents. These agents are used to protect the CiscoWorks MC for CSAs and other components of CiscoWorks VMS 2.2. Additional agent licenses are purchased separately from CiscoWorks VMS.

Q. Can I use the VMS 2.1 license for VMS 2.2?

A. Yes. You can import the VMS 2.1 license into the new VMS 2.2 install. However, it is essential to register VMS 2.2 and acquire the proper license. For further information and to obtain the license, refer to Registration and Licensing Notes for CiscoWorks Common Services 2.2. Cisco Security Agent (CSA) Management Center (MC) requires component registration. You must obtain a production license using the PAK label affixed to the claim certificate for CSA MC, located in the separate licensing envelope.

Q. I have an earlier version of CiscoWorks VMS 2.1. Do I get a free VMS 2.2 upgrade?

A. Yes. Order the latest VMS 2.2 version using the Product Upgrade Tool (registered customers only).

Also refer to Registration and Licensing Notes for CiscoWorks Common Services 2.2 for further information.

Q. Where can I find the VMS 2.2 Evaluation software?

A. You can find the Evaluation software on the CiscoWorks VMS Software Center (registered customers only) download page.

Q. Is the VMS 2.2 Evaluation version on Cisco.com a full version of VMS 2.2?

A. No. It does not contain all of the components that you get from the full version. For instance, Resource Manager Essentials (RME) is not bundled into the evaluation copy on Cisco.com. The components on the evaluation copy are Common Services, Firewall Management Center (MC), Intrusion Detection System (IDS) MC, Cisco Security Agent (CSA) MC, Router MC, and AutoUpdate server.

Q. How can I order the complete version of VMS 2.2?

A. Customers can purchase these new products through their regular sales channels. Existing CiscoWorks VMS 2.x customers with current Software Application Services (SAS) contracts can request a CiscoWorks VMS 2.2 minor update kit with their contract number using the Product Upgrade Tool (registered customers only).

For more information on how to order part numbers, refer to the CiscoWorks VMS 2.2 Product Bulletin.

Q. What privileges are required for the VMS 2.2 installation?

A. The installation requires Local Administrator privileges.

Q. What is the VMS 2.2 installation procedure?

A. Installation can be done on top of an existing VMS 2.1 server installation. This maintains all of the VMS components and upgrades them to the new version. You need to uninstall Entercept Intrusion Detection System Host Sensor (HIDS) before you attempt the VMS 2.2 install.

Ensure there are no other CiscoWorks components that are reliant on the Common Management Foundation (CMF) 2.1 version. The VMS 2.2 installation upgrades the CMF to 2.2, breaking those CiscoWorks components that are not compatible with the newer CMF 2.2. Therefore, an upgrade of all components is required.

Alternatively, VMS 2.2 can be installed on a new server.

  1. Insert the VMS Management and Monitoring Centers 2.2 (VMMC) Startup Disk CD into the CD-ROM drive, and click Install on the Setup Program page.
  2. If the installation program does not start, select Start > Run from the Windows taskbar. Then enter d:\setup in the Run dialog box, where d is the drive letter of the CD-ROM drive.
  3. Press Enter to start the installation program. The VMMC 2.2 page of the CiscoWorks InstallShield wizard lists all VMMC products and requests that you select the check boxes next to the products you want to install. There are also options to Select All and to Cancel the installation.

    Note: You have to install the Common Services first, before any other components can be installed.

Q. Is remote installation of VMS 2.2 a problem?

A. Cisco does not recommend remote installation. Local installation is recommended for the target server, particularly with the use of a local keyboard and mouse. The use of remote control software for installations has led to many problems that are potentially not obvious until the install is complete. The VMS Management and Monitoring Centers (VMMC) Startup Disk might not perform optimally when accessed from a remote drive and network inconsistencies might cause installation errors if you are installing from a remote mount point.

Q. What are the known issues with installing on a system that has Terminal Services running in Remote Administration mode?

A. There is a known problem when you install Common Services on a system that has Terminal Services enabled in Remote Administration mode. Cisco bug ID CSCin33621 (registered customers only) tracks this problem. The current workaround is to go to the Services Control Panel, and manually stop or disable Terminal Services before you install Common Services. When the installation is complete, Terminal Services can be reenabled.

Q. What are the known issues with installing on a system that has Terminal Services running in Application Server mode?

A. There are existing problems with the Sybase SQL Anywhere database running as a service on a machine that has Terminal Services enabled using Application Server mode. This issue is tracked by Cisco bug ID CSCdy31988 (registered customers only). These problems are outside of the control of Cisco, and are documented at the Terminal Services Application Compatibility Notes from Microsoft.

Under the Terminal Services Application Server Mode, there is an entry for Sybase SQL Anywhere on Page 16 which reads:

Sybase SQL Anywhere
--------------------
When SQL Anywhere is run as a service, compatibility problems 
with Terminal Services may result. To avoid such problems, you must run SQL 
Anywhere as a regular process. Sybase is currently working 
on a solution for this problem.

Q. What are the known issues with installing on a system that runs Microsoft IIS?

A. Installation on a system that runs Microsoft Internet Information Server (IIS) is not an officially supported configuration. This is because complete testing has not been done on such systems and their various configurations. Some obvious problems that can occur deal with resource contention. IIS tends to have an SSL enabled server that runs on the default https port (443). Since Common Services and PIX Management Center (MC) use this port for their web server, a race condition is caused every time the system is rebooted. In cases where IIS wins, any application that uses the Common Services' web server is rendered non-operational.

Q. What are the known issues with installing on a system that has any other type of server software running?

A. VMS has not been tested against every possible combination of software and services. Any problems that result from other programs should relate only to resource contention, which results either in performance degradation (CPU/memory related) or in error messages and a broken VMS install (port related). For the port issues, there are several dialogs in the VMS installation that allow you to change the various ports. These dialogs display the initial default values, which are used if you do not elect to make any changes. Some ports cannot be changed. These include:

  • 443 – SSL port for Common Services web server

  • 1751 – Port for Common Services web server

  • 1741 – Port for Common Management Foundation (CMF) web server

  • 1742 – SSL port for CMF web server (only used if the desktop itself is in SSL mode)
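A pre-installation check for the port contention described in the two answers above, as an added example that is not Cisco code: it parses saved netstat -an output and reports any of the four unchangeable ports that already has a TCP listener. The function names and both sample outputs are constructed for illustration, and the parser goes slightly beyond the page by handling both the Windows and the Solaris netstat layouts.

```python
import re

# Ports the page lists as not changeable during VMS installation.
FIXED_PORTS = {
    443: "SSL port for Common Services web server",
    1751: "Port for Common Services web server",
    1741: "Port for CMF web server",
    1742: "SSL port for CMF web server",
}

# Constructed sample: netstat -an on a Windows server where IIS already holds 443.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1741          10.0.0.9:3312          ESTABLISHED
  UDP    0.0.0.0:1751           *:*
"""

# Constructed sample: netstat -an on a Solaris server with a listener on 1741.
SAMPLE_SOLARIS = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.1741               *.*                0      0 49152      0 LISTEN
10.0.0.6.1742        10.0.0.9.40112       49640      0 49640      0 ESTABLISHED
"""


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports that have a listener."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only listener rows matter; UDP rows and established sessions are skipped.
        if len(fields) < 2 or fields[-1] not in ("LISTENING", "LISTEN"):
            continue
        # Windows rows start with the protocol; Solaris rows start with the address.
        local = fields[1] if fields[0].upper().startswith("TCP") else fields[0]
        # The port follows the last ':' (Windows) or the last '.' (Solaris).
        match = re.search(r"[:.](\d+)$", local)
        if match:
            ports.add(int(match.group(1)))
    return ports


def fixed_port_conflicts(netstat_text):
    """Return {port: role} for each unchangeable VMS port that is already in use."""
    in_use = listening_tcp_ports(netstat_text)
    return {port: role for port, role in FIXED_PORTS.items() if port in in_use}


if __name__ == "__main__":
    for name, sample in (("windows", SAMPLE_WINDOWS), ("solaris", SAMPLE_SOLARIS)):
        for port, role in fixed_port_conflicts(sample).items():
            print("%s: port %d already in use (%s)" % (name, port, role))
```

Run it against netstat output captured before installation and again after each reboot, since the page notes that the contention for port 443 is decided at startup.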

Q. Can I upgrade from VMS 2.1 to VMS 2.2?

A. Yes. The database and configurations of the VMS components are appropriately upgraded and maintained. As with any software and upgrade activities, database backup before an upgrade is recommended.

Q. Is it possible to back up my VMS 2.1 data and restore it to VMS 2.2?

A. Yes. VMS 2.1 backups can be restored to a VMS 2.2 server.

Q. Where is the Installation Guide for Solaris VMS 2.2?

A. Refer to the Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris.

Q. Are there any co-existence issues with other CiscoWorks components?

A. While VMS and LAN Management Solution (LMS) can coexist, it is recommended that they reside on separate servers for optimal performance. Cisco Threat Response is not compatible with VMS 2.2 installs. You must first uninstall Cisco Intrusion Detection System Host Sensor (HIDS) before you can install Cisco Security Agent (CSA) Management Center (MC). Because there can potentially be incompatibilities between Cisco HIDS and CSA MC or agent software, you must uninstall the Cisco HIDS and Cisco HIDS Console software before installing CSA MC or its component "agent" software.

Q. Can I install Cisco Security Agent on the VMS server?

A. When you install Cisco Security Agent (CSA) Management Center (MC), an agent that contains the policies necessary to protect CSA MC and other CiscoWorks daemons and operations is automatically installed as well. The policies that are enforced by this agent protect CSA MC, other VMS components, and general CiscoWorks operations. CSA MC installation does not run without the appropriate production license. If you have not already done so, you must obtain a production license using the PAK label affixed to the claim certificate for CSA MC located in the separate licensing envelope. Refer to the Order of Installation for Windows documentation for further details.

Q. Are there any issues with Cisco Security Agent on the VMS server?

A. If you install or uninstall various VMS components, and you have a Cisco Security Agent (CSA) that protects VMS, disable the agent service before you begin the install or uninstall of any other VMS component. (You do not have to do this when you install/uninstall CSA Management Center [MC].)

Q. How do I disable / stop the Cisco Security Agent service?

A. Complete these steps to disable the Cisco Security Agent (CSA) service:

  1. From a command prompt enter net stop "Cisco Security Agent".
  2. If you receive a prompt that asks if you want to stop the agent service, select Yes.
  3. Enter net start "Cisco Security Agent" in order to enable the service at any time.

Q. What happens if the Administrator level user who installed the system changes their password or is removed as a user?

A. For the VMS installation and its various components, it is critical that the same user and password be used throughout. If the user is removed or the password changed, the application breaks and prevents correct communication between the various services. This results in changes that do not get committed to the database, incorrect behavior of the application, and possibly services that do not respond correctly or do not get started at all.

There are several possible workarounds. One way to resolve this is to restore the removed user with the same user ID and password, or revert the existing user to the original password, under which the system is installed. In either of these cases, the Daemon Manager needs to be restarted. Alternatively, services can be modified to accommodate the new username and password. In order to do this, change the "Log On As" field, and restart the CiscoWorks 2000 Daemon Manager service. For further information, follow the instructions at Changing Service Passwords.

Q. What happens if the IP address of the machine changes?

A. Neither the Common Services framework, nor the Management Center (MC) applications are designed to deal with the IP address changing on the fly. If the IP address of the system changes, the CiscoWorks 2000 Daemon Manager needs to be restarted. This can be accomplished via the Services control panel, or by rebooting the system. When the Daemon Manager comes back up, the system works as it did prior to the change.

Q. What happens if the hostname of the machine changes?

A. If the hostname of the machine changes, the stability of the system is not guaranteed, and it is known to fail in some cases. The primary causes of failure are use of the direct connection API (for example, direct login mechanism, or inter-application connections) and communication between the Common Services web server and the Common Management Foundation (CMF) web server (for example, logout, inactivity timeout, and so forth). In these cases, the attempt to create a connection fails. This results in the failure of the operation. Errors can manifest themselves in many ways, but typically it is a failed authentication, an error stack trace, or certain features of the application working and then not working within the same session. The issue is tracked by Cisco bug ID CSCea14488 (registered customers only) and it has a known workaround, which is included in the release note of that bug ID. Note that all the changes recommended for the workaround need to be implemented while the CiscoWorks 2000 Daemon Manager is shut down. After all the changes are made, restart the Daemon Manager.

As per the Release Notes of Cisco bug ID CSCea14488 (registered customers only), Common Services does not function if the hostname of a machine is changed. Use this workaround for this problem.

  1. Change the HOST_NAME and CMF_HOST_NAME values in the CSCOpx/MDC/tomcat/mdc/WEB-INF/web.xml file.
  2. Change the HostName entry in the CCR:
    1. On Solaris, set LD_LIBRARY_PATH by entering setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib.
    2. Change to the MDC/bin directory by entering cd $NMSROOT/MDC/bin, where NMSROOT is the location of CiscoWorks (for example, /opt/CSCOpx on Solaris or c:\program files\CSCOpx).
    3. Remove the HostName that contains the old host name by entering ccraccess -removeResource Core Custom Custom "" "" HostName.
    4. Add a new HostName entry with new host name by entering ccraccess -addResource Core Custom Custom <NewHostName> "" HostName.
    5. Check the new HostName entry from CCR by entering ccraccess -addResource Core Custom Custom "" "" HostName. You should see a new host name that is reported.

For VMS MC Components, modify these XML files to reflect the new hostname. The SystemConfig.xml file exists in three places:

  • <install_dir>\MDC\etc\ids\xml\SystemConfig.xml

  • <install_dir>\MDC\tomcat\vms\ids-config\WEB-INF\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml

  • <install_dir>\MDC\tomcat\vms\ids-monitor\WEB-INF\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml

Change the file in all three places and restart the system.
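A way to confirm that no file was missed after the hostname workaround above, as an added example that is not Cisco code: it scans web.xml and the three SystemConfig.xml copies named on this page for lines that still contain the old host name. It assumes the CSCOpx/... path given for web.xml and <install_dir> both mean the CiscoWorks root (NMSROOT); the function names, host names and file bodies in the demo are constructed, and the CCR entry is not checked.

```python
import os
import re
import tempfile

# Files the page names as holding the host name, relative to NMSROOT.
# Assumption: the web.xml path and <install_dir> both refer to NMSROOT.
HOSTNAME_FILES = [
    "MDC/tomcat/mdc/WEB-INF/web.xml",
    "MDC/etc/ids/xml/SystemConfig.xml",
    "MDC/tomcat/vms/ids-config/WEB-INF/classes/com/cisco/nm/mdc/ids/common/SystemConfig.xml",
    "MDC/tomcat/vms/ids-monitor/WEB-INF/classes/com/cisco/nm/mdc/ids/common/SystemConfig.xml",
]


def stale_hostname_lines(nmsroot, old_hostname):
    """Map each file to the line numbers still naming old_hostname (None if absent)."""
    # Host names are case-insensitive; the lookarounds keep "vms-old" from
    # matching inside a different name such as "vms-old2" or "xvms-old".
    pattern = re.compile(
        r"(?<![A-Za-z0-9-])" + re.escape(old_hostname) + r"(?![A-Za-z0-9-])",
        re.IGNORECASE,
    )
    report = {}
    for rel in HOSTNAME_FILES:
        path = os.path.join(nmsroot, *rel.split("/"))
        if not os.path.isfile(path):
            report[rel] = None
            continue
        with open(path, encoding="utf-8", errors="replace") as handle:
            report[rel] = [n for n, line in enumerate(handle, 1) if pattern.search(line)]
    return report


def demo():
    """Scan a constructed tree in which one copy was missed and one is absent."""
    # Constructed bodies: only the host name strings matter, not the real XML layout.
    bodies = {
        HOSTNAME_FILES[0]: "HOST_NAME=vms-new\nCMF_HOST_NAME=vms-new\n",
        HOSTNAME_FILES[1]: "<config>\n  <host>vms-new</host>\n</config>\n",
        HOSTNAME_FILES[2]: "<config>\n  <host>VMS-OLD.example.com</host>\n"
                           "  <peer>vms-old2</peer>\n</config>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in bodies.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(body)
        return stale_hostname_lines(root, "vms-old")


if __name__ == "__main__":
    for rel, lines in demo().items():
        if lines is None:
            state = "MISSING"
        else:
            state = "stale at lines %s" % lines if lines else "ok"
        print("%s: %s" % (rel, state))
```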

Q. What are the different ways in which I can log in and access VMS 2.2 and its components?

A. From the supported browser, browse to http://ipaddressofvmsserver:1721. For SSL access, use https://ipaddressofvmsserver:1742.

Q. My other application requires a later version of Java. Can multiple versions of Java coexist on my client PC?

A. There are several applications, including those from Cisco, that require Java 1.4.1. At the same time, VMS 2.2 works only on Java 1.3.1. Both Java versions can be loaded on the client PC.

For all the applications to be accessed properly, from Internet Explorer, select Tools > Internet Options > Advanced and, under Java (Sun), uncheck the box for Use Java 2 v1.4.1_03 <applet>.

Q. What information is required for troubleshooting?

A. For MDCSupportInformation:

  • Open a DOS window, run MdcSupport and send the CSCOpx/MDC/etc/MDCSupportInformation.zip file.

For Winmsd file:

  • At the DOS prompt, run the command winmsd. From the winmsd window, click System Information, and then select Action > Save As Text File. Send this file.
