Table Of Contents
Release Notes for Cisco Configuration Professional 1.0
April 26, 2010
These release notes support Cisco Configuration Professional (Cisco CP) version 1.0. They should be used with the documents listed in the "Related Documentation" section.
These release notes are updated as needed. To ensure that you have the latest version of these release notes, go to http://www.cisco.com/go/ciscocp. In the Support box, click General Information > Release Notes. Then, find the latest release notes for your release.
This document contains the following sections:
Cisco CP is a graphical configuration tool that allows you to create and manage router communities, and to configure LAN and WAN interfaces, routing, Network Admission Control (NAC), Network Address Translation (NAT), firewalls, the Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and many other router features. Cisco CP is installed on a PC.
Routers that are ordered with Cisco CP are shipped with Cisco Configuration Professional Express (Cisco CP Express) installed in router flash memory. Cisco CP Express enables a user to configure a LAN and WAN connection, make security settings to protect the router, and, configure a basic firewall, and Network Address Translation.
This sections describes PC and router system requirements. It contains the following parts:
PC System Requirements
Table 1 lists the system requirements for a PC running Cisco CP.
Router System Requirements
Router System Requirements are described in the following parts:
This section lists the routers that Cisco CP supports, by series.
Note Cisco CP does not support Telco/CO router models.
Cisco 800 series:
Cisco CP is supported on the following Cisco 1800 series routers:
Cisco CP is supported on the following 2800 series routers:
Cisco CP is supported on the following Cisco 3800 series routers:
Cisco CP is supported on the following Cisco 7000 series routers:
Supported Adapters, Cards and Network Modules
Cisco CP supports the following network modules:
•NM-4A/S (synchronous only)
•NM-8A/S (synchronous only)
Cisco CP supports the following EtherSwitch Service Network Modules:
Cisco CP supports the following Wide Area Application Services (WAAS) modules:
Cisco CP supports the following WAN interface cards:
•WIC-2A/S (Frame Relay, PPP, HDLC, no asynchronous)
Cisco CP supports the following high-speed WAN interface cards (HWICs):
Cisco CP supports the following advanced integration modules (AIMs):
•AIM-VPN/BP II PLUS
•AIM-VPN/EP II PLUS
•AIM-VPN/HP II PLUS
Cisco CP supports the following port adapters on Cisco 7000 family routers:
Cisco CP supports the following Network Processing Engines and Network Service Engines on Cisco 7000 family routers.
Cisco CP supports the following service adapters on Cisco 7000 family routers:
Cisco IOS Releases
Cisco CP is compatible with the Cisco IOS releases listed in Table 2.
Cisco IOS IPS Feature History
Table 3 shows the Cisco IOS IPS feature history, and lists the Cisco IOS releases that offered each set of features, beginning with the latest release. This information is available in the Cisco IOS IPS Deployment Guide available at the following link.
Note Cisco CP supports Cisco IOS version 12.4(9)T and later.
Determining the Cisco IOS Release
To determine the release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the Cisco IOS release on the second output line:Router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH
Although the Cisco CP application requires JRE to run, the Cisco CP Express application included with Cisco CP can run under the native Java Virtual Machine in the supported browsers, and also JRE.
Router Configuration Requirements
In order to run Cisco CP, a router configuration must meet the requirements shown in Table 4.
The default configuration file meets all Cisco CP requirements. The default configuration file has the name cpconfig-model_number.cfg. For example, the configuration file for the Cisco 860 and Cisco 880 routers is cpconfig-8xx.cfg.
Cisco CP Ordering Options
Table 5 describes the ordering options under which Cisco CP can be ordered. Cisco Configuration Professional Express (Cisco CP Express) is a product that is shipped in router flash memory when the router is ordered with Cisco CP.
Limitations and Restrictions
This section describes restrictions and limitations that may apply to Cisco CP. It contains the following parts:
Cisco CP Requires Microsoft Windows Vista Be Installed in Administrator Mode
In order to run Cisco CP under Microsoft Windows Vista, Microsoft Windows Vista must be installed in Administrator mode.
Cisco CP Minimum Screen Resolution
Cisco CP requires a screen resolution of at least 1024 x 768.
Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers
The following restrictions apply to Cisco CP running on Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers:
•The Cisco CP Express application is not supported. You must use the Cisco IOS CLI to give the router an initial configuration that will enable you to connect to the router using a browser.
•WAN configuration is not supported. Cisco CP supports configuration of Ethernet and Fast Ethernet interfaces.
•The Cisco CP Reset feature is not available.
•No default configuration file is supplied. To run Cisco CP, you must provide a configuration that includes the commands necessary to support operation of Cisco CP.
This section contains important information for Cisco CP. It contains the following sections:
Cisco IOS Enforces One-Time Use of Default Credentials
To address CSCsm25466, Cisco IOS images included with recent shipments of Cisco 800, Cisco 1800, Cisco 2800, and Cisco 3800 routers, enforce the one-time use of the default user name and password provided in the Cisco CP configuration file. If you bypass Cisco CP or Cisco CP Express and use a console or Telnet connection to log into the router, the login and exec banners warn you that you must change the user name "cisco" and password "cisco" before you log off of the router. If you do not change the credentials as directed, you will not be able to log on to the router the next time that you attempt to do so.
The following Cisco IOS releases enforce the one-time use of the default credentials:
•12.4(11)T or later
•12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ
Follow the procedure in this section to secure the router by creating a new username and password, to remove the login banner and exec banner warnings, and to save the configuration changes to the router startup configuration.
Note If you login to the router using a Telnet or a console connection but do not complete the steps in this procedure, be aware of the following:
•If you do not change the default username and password, and then log off the router, you will not be able to log into the router again without entering the reload command. No additional warning is given before you log off.
•If you do not change the default username and password, but do enter the write memory command before ending the session, future logins will be disabled. In this case, you will need to follow the password recovery procedure at the following link:
To secure the router, remove the banner warnings and save the changes to the router startup config, complete the following steps:
Step 1 Connect the light blue console cable, included with your router, from the blue console port on your router to a serial port on your PC. Refer to your router's hardware installation guide for instructions.
Step 2 Connect the power supply to your router, plug the power supply into a power outlet, and turn on your router. Refer to your router's quick start guide for instructions.
Step 3 Use HyperTerminal or a similar terminal emulation program on your PC, with the terminal emulation settings of 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to your router.
Step 4 When prompted, enter the username cisco, and password cisco.
Step 5 Enter configuration mode by entering the following command:yourname# configure terminal
Step 6 Create a new username and password by entering the following command:yourname(config)# username username privilege 15 secret 0 password
Replace username and password with the username and password that you want to use.
Step 7 Remove the default username and password by entering the following command:yourname(config)# no username cisco
Step 8 To remove the login banner, enter the following command:yourname(config)# no banner login
The login banner warning will no longer appear.
Step 9 To remove the exec banner, enter the following command:yourname(config)# no banner exec
The exec banner warning will no longer appear.
Step 10 Leave configuration mode, by entering the following command:yourname(config)# end
Step 11 Copy the configuration changes to the startup configuration by entering the following command:yourname# copy running-config startup-config
When logging into the router in the future, use the username and password that you created in Step 6.
Cisco CP Merge and Replace Configuration Functions Fail Under Some Conditions
The problem described here is caveat CSCsj21989. If you attempt to merge configuration changes made using the Cisco CP Config Editor feature, or replace the running configuration with a configuration from the Config Editor, the router configuration will not be changed if there is a network device with a Network Address Translation (NAT) IP address, or a cache engine in the connection between the PC and the router. If you need to make changes to the router configuration that you would normally make using the Cisco CP Config Editor, use the Cisco IOS CLI instead.
Cisco CP Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation
Some (or all) of the top threats you obtain using the Cisco CP Security Dashboard may not pertain to your Cisco IOS IPS installation. After you deploy the signatures applicable to the top threats displayed by the Cisco CP Security Dashboard, the dashboard may still display some (or all) top threats with a red icon because applicable signatures could not be found. Those remaining top threats are unrelated to your Cisco IOS IPS installation and not a danger to your router running Cisco IOS software.
Cisco CP May Not Launch Using IP Address of SSL VPN Gateway
This information provides more information about the caveat CSCek33306. When Cisco CP attempts to connect to a router with a SSL VPN gateway configured using the Cisco IOS CLI, it might not launch from the IP address used by that gateway if the CLI statements necessary for Cisco CP access are not included.
For example, if you have configured a SSL VPN connection on the interface Fe 0/0 with the gateway IP address 10.10.10.1, and the gateway name MySSLVPN, you may not be able to launch Cisco CP using that IP address.
To be able to launch Cisco CP using that IP address, add the following Cisco IOS CLI commands:Router# config tRouter(config)# interface loopback next-available-loopback-numberRouter(config-if)# description Do not delete - SDM SSLVPN generated interfaceRouter(config-if)# ip address 192.168.1.1 255.255.255.252Router(config-if)# no shutdownRouter(config-if)# ip nat insideRouter(config-if)# exitRouter(config)# ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443Router(config)# router(config)# webvpn gateway MySSLVPNRouter(config-webvpn-gateway)# http-redirect port 80Router(config) # interface FastEthernet 0/0Router(config-if)# ip nat outsideRouter(config-if)# exit
After adding these commands, you can launch Cisco CP by entering the following IP address and port in the browser:https://10.10.10.1:4443
If you remove the SSL VPN gateway that was modified for Cisco CP access, you must remove the loopback interface and NAT rule that you created to allow access in the first place. Enter the commands shown in the description of caveat CSCek38259.
Cisco CP May Lose Connection to Network Access Device
This note concerns the Network Admission Control (NAC) feature.
If the PC used to invoke Cisco CP returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between Cisco CP and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke Cisco CP from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
•Ensure that the PC that you use to invoke Cisco CP attains a posture token which has an associated group policy on the ACS server that is not configured with a redirect URL.
•Alternatively, use Cisco CP to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke Cisco CP. Note that the exception list entry created for the PC should be associated to an exception policy which does not have a redirect URL configured in it.
For more information, see the links in the Cisco CP NAC online help pages.
Popup Blockers Disable Cisco CP Online Help
If you have enabled popup blockers in the browser you use to run Cisco CP, online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run Cisco CP. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.
Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.
If you have not installed and enabled third-party pop up blockers, go to Tools >Internet Options > Privacy, and uncheck the Block popups checkbox.
Disable Proxy Settings
Cisco CP will not start when run under Internet Explorer with proxy settings enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.
Security Alert Dialog May Remain After Cisco CP Launches
When Cisco CP is launched using HTTPS, a security alert dialog box that informs you of possible security problems and asks you if you want to proceed with program launch may appear. This can happen if the router does not have the following global configuration command in the running configuration:ip http timeout-policy idle 600 life 86400 requests 10000
Caveats describe unexpected behavior in Cisco CP. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Open Caveats—Cisco CP 1.0
This section lists caveats that are open in Cisco CP 1.0.
On routers using Cisco IOS images from release 12.4.15(XY) to 12.4(15)XY2, you will receive a "Page not found" error if you attempt to launch the Wireless application.
Workaround: Use another supported Cisco IOS release.
After successfully importing an IPS signature from the PC or from router Flash memory, the Choose dialog may reappear multiple times.
Workaround: Click Cancel to close the dialog.
The text in the Update button of the IPS Signature Statistics tab is clipped.
When clicking the link for configuring the WAAS NM- Central Manager in Cisco CP, the following warning message is displayed: "Are you sure want to navigate away from this page?" If you click OK, Cisco CP closes.
Workaround: In Internet Explorer, go to Tools > Internet options -> Advanced. Uncheck the "Reuse windows for launching shortcuts" option .
When configuring a switch type for an ISDN interface in the Cisco CP Interfaces and Connections screen, command delivery fails.
Workaround: In the Edit Interfaces and Connections screen, do the following:
a. Click Disable.
b. Choose the BRI interface.
c. Click Edit.
d. Change the switch type in the Edit dialog.
When the Java heap memory size is set to 256 MB, and two or more routers running the version of Cisco IOS IPS available beginning with Cisco IOS 12.4(11)T are discovered, an Out of Memory exception may be generated when working on Cisco IOS IPS signatures.
Workaround: Increase the Java heap memory size to 512 MB.
When a Certificate Authority (CA) server is configured using the CA Server wizard, deleted using the no crypto pki server caserver command, and then recreated using the CA Server wizard, the CA server will not be listed in the Manage CA Server screen.
Workaround: Relaunch Cisco CP, and rediscover the router on which the CA server is configured. The CA server will be displayed.
When Cisco CP is run under Internet Explorer 7 and JRE 1.5x or 1.6x, Cisco IOS IPS cannot be run unless the Jave heap size is set to 256 MB. This problem occurs under Microsoft Windows XP and Microsoft Windows Vista.
Workaround: If you don't want to increase the Java heap size and the PC is running Microsoft Windows XP, you can downgrade to Internet Explorer 6. If the PC is running Microsoft Windows Vista, there is no workaround.
If you discover two devices, and the respective user accounts used for discovery are configured for different CLI views, some Cisco CP features may be disabled when switching from one device to another.
Workaround: To avoid disabling features, either discover the devices separately, or place the devices in different communities.
If you discover a device with the credentials of a a user account configured for a specific CLI view, such as firewall, monitor, or Easy VPN Remote, and then change the user credentials for the device to that of a user with admin (level 15) privileges, the controls of the Configure > Basic Router > Router Access > User Accounts/View screen will be disabled.
Workaround: Relaunch Cisco CP and rediscover the device.
When using the wizard to configure an Easy VPN server after a firewall is configured, and the Enable cTCP option is chosen in the wizard, the match protocol user-ctcp-ezvpnserver Cisco IOS CLI command is not delivered to the router.
If you launch Cisco Router and Security Device Manager (SDM) with the Java console enabled, and then launch Cisco CP on the same PC, both applications use the same Java console. If you shut down SDM first, the Java console window and Cisco CP close. This problem occurs whether SDM was launched from router Flash memory, or from the PC.
Workaround: Launch Cisco CP first, then launch SDM. A separate Java console is established for each application.
Cisco CP shortcut keys do not function in Cisco CP, but perform their equivalent function in Internet Explorer.
A spurious error message may be displayed during the discovery process which directs the user to clear all vty lines before proceeding with discovery. Pressing OK without clearing any vty lines allows the discovery process to continue.
When Cisco CP is pinging a device, an hourglass cursor fails to appear to indicate that the operation is in progress.
When Cisco CP is launched, the splash screen hides the Java applet digital signature screen. The user must click on the digital signature screen to bring it in focus so that he or she can click Run and start using Cisco CP.
Discovery fails for a user when the user is not configured for both vty access and HTTP access using the same authentication method. For one user, the credentials for vty access and HTTP access must be the same, and the authentication method must be the same. For example, the authentication method may be authentication local, or authentication aaa, but it must be the same for both types of access.
This caveat is caused by Cisco IOS caveat CSCsl42697. When configuring a radio interface using the Cisco CP Wireless application, QoS access commands such as max-contention and min-contention window settings are not delivered to the router.
This caveat is caused by Cisco IOS caveat CSCsl39285. Registration with the WAAS Central Manager from the WAAS NM tab fails when the username, password, and primary interface are entered and the user clicks OK.
When a AAA network authorization policy is being added, the delivery of IOS CLI commands to the router fails if the if-authenticated method is selected along with other methods,
Due to a Cisco IOS 12.4(15)T1 issue, when an Easy VPN Server is configured with the split DNS option, and an Easy VPN remote client is configured on another router, the details screen on the remote client does not display split DNS details for the Easy VPN server.
When Cisco CP is used to configure Cisco IOS IPS on a Cisco 7301 router, Cisco CP may take as much as 10 minutes to launch and correctly display Cisco IOS IPS signatures. If Cisco CP launches without delay, Cisco IOS IPS signatures are not displayed correctly, and errors can be seen when the Edit Signatures window is displayed. When the Cisco CP display is refreshed in these circumstances it may take up to 10 minutes for the signatures to be displayed correctly,
This problem has been found on 7301 routers running Cisco IOS 12.4(11)T3, when Cisco CP is run under Internet Explorer 6.0 using Java Runtime Environment 1.6.0_03.
Due to a Cisco IOS problem described in CSCsk67302, the output of the show running-config command will not show SSL VPN gateways associated with SSL VPN contexts. This problem has been found in Cisco IOS 12.4(15)T and 12.4(15)T1 images
For a description of this caveat, see Cisco CP Merge and Replace Configuration Functions Fail Under Some Conditions.
Because of a Cisco IOS IPS problem, when migrating a Cisco IOS IPS configuration created using a Cisco IOS image older than version 12.4(11)T to a 12.4(11)T or later environment, user-modified signatures are not migrated.
Workaround: After migrating, use the Add or Edit controls in the Edit IPS window to create the signature in the new format.
Because of Cisco IOS caveat CSCek68311, a Certificate Authority (CA) server created using the Cisco CP CA Server wizard will be shown as stopped. This problem occurs when the router is running a Cisco IOS 12.4(11)T image.
Workaround: Upgrade the Cisco IOS image on the router to version 12.4(11)T2.
When the router is running a Cisco IOS image older than 12.4(11)T the Easy VPN Server Status screen in Monitoring mode displays the IP address of a client configured with a Dynamic Virtual Template Interface (DVTI) as 0.0.0.0.
You may be unable to delete a DVTI-based Easy VPN Remote configuration using Cisco CP.
Workaround: Click Refresh in the Cisco CP toolbar and then delete the configuration.
When a firewall is configured using Cisco CP, and then Cisco CP is used to create an SSL VPN configuration on the router, a NAT passthrough configuration is added by the SSL VPN wizard. No NAT passthrough configuration is added when creating an SSL VPN configuration using the SSL VPN edit windows.
When Cisco CP installed on a PC is invoked in Internet Explorer 7.0 using either HTTP or HTTPS, the popup window asking for the IP address of the router appears again after the IP address has been entered in the first popup window.
When Cisco CP installed on router flash memory invoked in Internet Explorer 7.0 using HTTPS, a certification error is displayed. Cisco CP starts if you choose Continue to this website (not recommended).
If the router is configured to allow Cisco CP access through a SSL VPN gateway that listens on the standard port 443, and that gateway is modified to listen on another custom port, the commands that were added for Cisco CP access are not automatically removed, and must be removed using the Cisco IOS CLI. The SSL VPN gateway may have been configured using the SSL VPN wizard, or it may have been configured manually and then modified to allow Cisco CP access by adding the commands described in Cisco CP May Not Launch Using IP Address of SSL VPN Gateway.
To safely edit the SSL VPN gateway to listen to a port other than 443, do the following:
–Go to Configure > VPN > SSLVPN > Edit SSL VPN, select the gateway and click Edit.
–Uncheck the Enable secure access through IP address checkbox is checked, uncheck it, and click OK to deliver the configuration change to the router.
–Click Edit again and enter the port number that you want the SSL VPN gateway to use.
–Remove the loopback interface that was created for Cisco CP access by clicking Configure > Interfaces and Connections > Edit Interfaces/Connections and removing the loopback interface.
–To remove the NAT rule, click Configure > NAT > Edit NAT Configuration, and remove the NAT rule that was added. Do not remove the NAT rule if it is being used by other parts of the configuration.
Cisco CP can now be invoked using the standard HTTPS port 443.
If you prefer to use the Cisco IOS CLI, enter the following commands to remove the loopback interface and NAT rule that were added to allow Cisco CP access. In these steps, Loopback 0 with an IP address of 192.168.1.1, and FastEthernet 0/0 with an IP address of 10.20.30.40 are used as examples.Router# config tRouter(config)# no interface Loopback0Router(config)# interface FastEthernet0/0Router(config-if)# no ip nat outsideRouter(config-if)# exitRouter(config)# no ip nat inside source static tcp 192.168.1.1 443 10.20.30.40 4443Router(config)# exit
Note Do not enter the no ip nat inside command if other NAT translation rules are using it. If no other rules use this command, remove it.
Cisco CP may not launch from an interface with a CLI-configured SSL VPN if the CLI commands necessary for Cisco CP access have not been added. This includes SSL VPNs configured with the command webvpn enable SSLVPNname IP-address SSLVPN.
For more information about this caveat, see the "Cisco CP May Not Launch Using IP Address of SSL VPN Gateway.
When Cisco CP is run on the PC, the Load File from PC function available from the File Management window may not work properly.
Workaround: With a TFTP server application on the PC, copy files to the router using the copy tftp flash command.
The SDM_HIGH security policy may not block Instant Messaging (IM) applications. The application security feature blocks IM applications using the server deny name command. New servers may become available, and if they do, IM applications may connect to them.
Workaround: Complete the following steps:
–Turn on firewall logging for IM applications. The names of the servers that the IM applications connect to will be revealed in the log.
–Use the CLI to block the new servers. The following example uses the server newserver.yahoo.com:router# config trouter(config)# appfw policy-name SDM_HIGHrouter(cfg-appfw-policy)# application im yahoorouter(cfg-appfw-policy-ymsgr)# server deny name newserver.yahoo.comrouter(cfg-appfw-policy-ymsgr)# endrouter#
Note•IM applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco CP configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports.
•Some IM applications, such as MSN Messenger 7.0, use HTTP ports by default. To permit these applications, configure the IM application to use its native port.
When the applications security policy blocks some Peer-to-Peer (P2P) applications, but permits others, blocked applications may be able to download files.
Workaround: Instead of permitting some P2P applications and blocking others, exclude the applications that you want to permit from the application security policy by unchecking the box next to the application name.
Because of a problem with the Cisco IOS NBAR feature, some Peer-to-Peer applications are able to download files even when application security is configured to block them. When the Cisco IOS NBAR feature is used to block Peer-to-Peer applications, only those applications and protocols supported by the NBAR feature will be successfully blocked.
Because of a problem with Cisco IOS (CSCin92327), a connection between an Easy VPN Remote client and an Easy VPN Server may timeout before the user has time to enter the credentials.
Due to a JVM bug (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4110094) Cisco CP IPS may crash when large Signature Definition Files (SDF) are imported. When Cisco CP is used to import large SDFs such as virtualsensor.xml or IOS-S178.zip, Cisco CP crashes when dismissing the Import Signature dialog. This problem does not always occur.
Workaround: Set the java heap size to -Xmx256m and try to import the file again. If you need to use Cisco CP to perform a critical operation, complete that operation before reattempting to import the file.
VPN status in the Monitor windows do not show IPsec security association (SA) parameters for DMVPN when CLI status commands report that the crypto tunnels are up and traffic is passing through. The DMVPN tunnel is shown as established in the IKE SA tab.
Workaround: Use the CLI to view DMVPN status.
When the crypto identity ca command is used, the Loopback0 interface is shown as having no configured IP address in the Edit Interfaces and Connections window when an IP address has been configured.
Workaround: Disregard the IP address information in the Interfaces and Connections window. If you need to view the IP address, choose the interface and click the Edit button.
When an Easy VPN Server is configured using Digital Certificates for authentication, and an Easy VPN Remote connection is configured on another router, the client statistics for the Easy VPN server are all shown as 0 in the VPN Status window.
Workaround: To view client statistics, choose Tools > Telnet. Log in to the router, and issue the show crypto session command.
When adding a new signature to the ATOMIC.ICMP engine, you may see the error message "[Enum(xxx)-StorageKey-ATOMIC.ICMP] the value AaBb is not a valid value."
Workaround: In the Add Signature window, go to the parameter StorageKey, and click the green square to enable editing for this parameter. the green square icon will change to a red diamond icon. Choosing any value from the drop down box will fix this problem.
If an Easy VPN Remote configuration has connections to more than one Easy VPN server configured, VPN troubleshooting deactivating may report troubleshooting results for only one VPN server or give incorrect recommendations. This issue is seen only in some Cisco IOS images.
Invoking Cisco CP with a user associated with SDM_Monitor view adds a PKI trust point and an Easy VPN profile. This behavior does not affect the running configuration.
Workaround: Invoke Cisco CP with a user associated with a different CLI view, or with a user of privilege level 15.
Cisco CP filenames are case sensitive. If the Cisco CP files are copied from the PC hard disk to a flash card, File Explorer changes the names to uppercase. When this happens, Cisco CP cannot be invoked from this flash card.
Workaround: Before removing the flash card from the PC, restore the filenames to lowercase.
When the router is running a Cisco IOS image that does not support the show pppoe session command, WAN troubleshooting may not report any reasons for failure or recommended actions for PPPoE connections that are found to be down.
If a firewall is configured for an interface which already has a Management Access policy associated with it, choosing Replace in the Merge/Replace dialog box might prevent access to certain networks.
This occurs because choosing Replace causes the policy access control entries (ACEs) to be disassociated from the interface but not from the vty or HTTP line.
Workaround: When running Firewall wizard on an interface configured with Management Access policy, choose Merge option instead of Replace and proceed.
VPN troubleshooting may report a possible Maximum Transmission Unit (MTU) problem in the passthrough network when the tunnel is up. If the VPN interface is a dialer interface configured on an asynchronous interface, this problem may not always exist, and the displayed recommended action will have no effect.
Workaround: Ignore this message and the corresponding recommendation.
Due to a problem with Cisco IOS, if a custom protocol is mapped to a port and the same custom protocol is specified for matching under a classmap, and then the mapping of the custom protocol is deleted from the configuration, Cisco IOS does not give any warning message that the user should first delete the match protocol custom-01 commands that make use of the custom protocol mapping.
Workaround: Do the following:
–Configure the custom protocol again.
–Remove all the match protocol statements that reference the custom protocol that you configured.
–Remove the custom protocol from the configuration.
When you update Cisco CP, if any of the uploaded files shows a size of zero bytes when show flash is invoked, no operations such as copy or delete can be performed on flash memory. This problem rarely occurs.
Workaround: Restart the router to be able to perform operations on flash memory. If files of zero bytes are shown in a show flash display, restart the router before starting Cisco CP.
Router does not reload with default configuration when a' user executes a Reset To Factory Defaults operation in Cisco CP.
If the router is running Cisco IOS Release 12.2(11)T6, and the last 4 bits of the config-register value are set to 0, for example 0x2100 or 0x1100, the router does not reload when the user performs a Reset To Factory Defaults. Cisco CP indicates that it has sent a reload command to the router and shuts down, and the default configuration is copied to the startup-config, but the reload command has not executed, and the router is still using the running configuration that was present before the Reset To Factory Defaults operation.
Workaround: Use the CLI config-register command to ensure that the last 4 bits of the config register are not set to 0 (zero).
If you delete a WAN connection that you created, an ip nat inside command may still remain in a LAN interface configuration.
Workaround: To delete the ip nat inside command from the LAN interface configuration, go t o Edit Interfaces and Connections, choose the LAN interface, click Edit, and delete the association in the Association tab.
Enabling AES encryption or IP compression in the Add/Edit IKE Policy or Add/Edit Transform Set windows might not work even though the Cisco IOS image running on the router supports AES encryption or IP Compression. This may happen in the following circumstances:
–Hardware encryption is enabled.
–The router has a VPN module that does not support AES encryption or IP compression.
Workaround: Do one of the following:
–Disable hardware encryption by adding the no crypto engine accelerator command to the configuration file using the CLI interface. This command tells the router to use Cisco IOS software for encryption instead of using the encryption provided by the VPN module.
–Upgrade your hardware VPN module to one that supports AES or IP compression.
For more info on VPN Modules, see the data sheet at the following link: VPN data sheet.
When Cisco CP runs with a Cisco IOS image of a release earlier than 12.3T, or earlier than Release 12.2(13)ZH, the HTTP server appends unnecessary characters to names of files it displays. As a result, when Cisco CP is started, the web browser displays the warning "Content does not match the signature."
Workaround: Disregard the warning and click Yes to continue.
When an Easy VPN tunnel is active, using Cisco CP to apply a NAT configuration to the Easy VPN inside and outside interfaces will deliver ip nat inside and ip nat outside commands to the router, but the running configuration will not be changed. Cisco CP displays no error message when this is attempted.
Workaround: To apply a NAT configuration to interfaces that have been designated as Easy VPN inside or outside interfaces, complete the following steps in Cisco CP:
–Choose the Easy VPN tunnel in the VPN Connections window and click Disconnect. If the Connect/Disconnect button is disabled, choose the interface in the Interfaces and Connections window, open the Association tab for that connection and change the Easy VPN association to None.
–Open the NAT window, click Designate NAT Interfaces, and designate NAT inside and NAT outside interfaces.
–Select the Easy VPN tunnel, and click Connect. If you had to disassociate the Easy VPN tunnel from the connection, return to the Association tab, and choose the Easy VPN connection name again.
XAuth authentication intermittently fails, and Easy VPN tunnels cannot be established using Cisco CP on routers running Cisco IOS Release 12.3(4)T. When the user attempts to do an Xauth authentication in Cisco CP, the following error message is displayed:Unable to establish a session with the router to process XAUTH request from the Easy VPN server. Easy VPN tunnel cannot be successfully brought up.
This message is followed by another indicating that the connect command was delivered to the router, but that the tunnel was not established.
Workaround: In the VPN Connections window, choose the Easy VPN tunnel configuration and click the Reset Tunnel button to clear the tunnel and reconnect it. If this does not bring up the tunnel, use the Login button, more than once if necessary, to bring up the tunnel.
On Cisco 7x00 routers, the Cisco CP Update feature is supported if the current Cisco CP files were loaded onto the router flash disk or Compact Flash disk. However, the Cisco CP Update feature fails to upload new files to the router if the current Cisco CP files were installed in flash memory. The Cisco CP Update feature uses RCP protocol to upload the new Cisco CP files to the router, but the RCP Server misinterprets the "flag" sent by the RCP Client for the above mentioned file systems.
Workaround: If the current Cisco CP files were loaded into flash memory, update to the new Cisco CP version by manually copying the new Cisco CP files to the file system of the router using a TFTP server. To make use of the automatic Cisco CP Update feature, always install Cisco CP files on the flash disk or Compact Flash disks (disk0, disk1, disk2).
Cisco CP should not get invoked from boot images such as kboot images on 72xx routers. Such boot images are a subset of the Cisco IOS software and do not support all router functions.
Workaround: Boot the router with an Cisco CP-supported Cisco IOS image, and then invoke Cisco CP. See Table 2 for the Cisco IOS releases that Cisco CP supports.
On 72xx platforms, encryption is not supported on PA-4T port adapters. Because the CLI does not support crypto maps for these types of interfaces, Cisco CP will fail to assign crypto maps to these interfaces. The PA-4T port adapter will not support future compression and encryption features.
Workaround: Upgrade your 72xx router hardware to the 4t+ PA port adapter.
Whenever any unconfigured interface contains the description $FW_INSIDE$, on a router configured with a firewall, adding a new NTP server will not modify the firewall ACLs to allow NTP passthrough traffic. Instead, when the user edits the firewall's outside interface in the Interfaces and Connections window, Cisco CP prompts the user to add the NTP passthrough traffic.
Workaround: Use the CLI to manually remove the description $FW_INSIDE$ from the unconfigured interface.
If the interface used for the primary backup connection is configured for PPPoE encapsulation, the backup connection will not function properly if the next hop address is specified during configuration. A Cisco IOS caveat (CSCin64336) has been filed for this problem. If the interface used for the primary backup connection is an Ethernet interface configured without encapsulation, the backup connection will not function properly if the next hop address is not specified during configuration.
Workaround: Do one of the following:
–For PPPoE connections: Do not provide the next hop IP address when you configure the primary backup connection.
–For Ethernet connections without encapsulation: Do provide the next hop IP address when you configure the primary backup connection.
If the WAN wizard is used to configure an analog modem connection as a primary backup connection, and the analog modem connection is deleted, Cisco CP may report that the interface contains unsupported configuration parameters.
Workaround: Click Refresh on the Cisco CP toolbar, and delete the connection.
The Interfaces and Connections window may display the Backup option in disabled state for asynchronous interfaces on Cisco 831 and Cisco 837 routers. This will occur when the following operations have been performed:
–The interface used for the primary backup connection is configured with an Cisco CP-supported IP address type.
–The asynchronous interface is configured as the backup for a primary interface.
–The IP address of the primary interface is changed.
When the IP address of the primary interface is changed, Cisco CP displays a Yes or No warning popup asking if you want to remove the backup configuration. If you choose Yes, Cisco CP removes the backup configuration, but the Interfaces and Connections window still shows the backup option as disabled, preventing you from choosing the asynchronous interface as a backup interface.
Workaround: Delete the asynchronous interface configuration using the Interfaces and Connections window.
When the router is configured to use PPPoE, users may not be able to download a file using FTP or display web pages from Internet hosts that they are able to ping or access using telnet. This can happen if Cisco CP is being used on a router with interfaces that Cisco CP does not support, such as Token Ring or VLAN interfaces. Cisco CP does not deliver the command ip tcp adjust-mss 1452 to unsupported interfaces.
Workaround: Use the CLI to add the ip tcp adjust-mss 1452 command to the VLAN or Token Ring interface configuration. Use Telnet to access the router and enter the following command in VLAN or Token Ring interface configuration mode:Router# ip tcp adjust-mss 1452
When launching the Dynamic Multipoint Virtual Private Network (DMVPN) Hub and Spoke wizard, Cisco CP may take up to 12 seconds to display the first wizard window. This latency may occur if a JRE plug-in of any version is running in the browser, or if Cisco CP is using the SSH or Telnet communications module.
Cisco CP may take several seconds to display screens in the DMVPN wizard. This latency may occur if a Java plug-in is running in the browser.
If an Analog Modem or ISDN connection is deleted using Cisco CP, the dialer interface may not be deleted from the configuration and the router may reload. This is due to a Cisco IOS caveat, CSCin69090. This occurs on routers using Cisco IOS images of Release 12.3(4)XG or later, or Cisco IOS Release 12.3(7)T.
Workaround: There is no workaround for this problem.
Cisco CP does not issue the ntp update-calendar Cisco IOS command on Cisco 7200 routers if there are no new settings to enter and if the Network Time Protocol (NTP) server was configured using the CLI, only one NTP server IP address was provided and no ntp update-calendar Cisco IOS command was present in the running configuration.
Workaround: Use Cisco CP to delete the NTP server configuration entry, click Refresh, and then re-create the entry, or make changes to the existing NTP server entry.
Because of a Cisco IOS issue (CSCee63313), if Cisco CP is used to enable IPS on an interface, and then used to disable IPS on that interface, the router crashes.
A download exception message may appear in the Java console when Cisco CP is launched on a PC running Japanese Windows 2000, or Japanese Windows XP. This problem does not prevent Cisco CP from starting or from being used.
The Cisco CP installation program does not use HTTPS to back up files from the router.
When Cisco CP is installed on a PC running Windows XP with Service Pack 2, Internet Explorer will display a message bar at the top of the browser window stating: "To help protect your security, Internet Explorer has restricted this file from showing active content that access your computer. Click here for options..." Clicking Allow blocked content does not enable Cisco CP to launch.
Workaround: In Internet Explorer, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch Cisco CP.
When Cisco CP is run with certain Cisco IOS images, the number of Open Shortest Path First (OSPF) processes created can be greater than the number of interfaces in the administratively UP state. However, the running configuration does not display the value of the area configured for these additional networks. Thus, Cisco CP is unable to display the networks for these additional OSPF processes. This problem has been reported with the following Cisco IOS images:
If signatures are imported using Cisco CP IPS on a router running Cisco IOS Release 12.3(11)T3, system variables parameters are ignored by Cisco IOS.
Workaround: Upgrade to a Cisco IOS image that supports SystemVariables.
The Cisco CP Update from PC feature will not operate when the CPEXPRESS-Vnn.zip file is placed in a shared folder with read-only access.
Workaround: Do not place the SDM-Vnn.zip file in a folder with read-only access.
Because of a problem with Cisco IOS (CSCeg63077), VPN troubleshooting will not detect the IKE mismatch in site-to-site VPN configuration. Instead it will give a generic recommendation to apply the mirror configuration generated by Cisco CP which would solve this problem.
Workaround: Follow the recommendation displayed in the VPN troubleshooting window to apply mirror configuration on both the devices.
Cisco CP displays a splash screen when it is launching. The splash screen does not indicate any launch progress.
If you take more than 2 minutes to accept the security certificates for https connections, device discovery fails.
Workaround: Rediscover the device.
When you go to View > Default Rules > Access Rules, Cisco CP does not display the Access Rules screen.
Workaround: Click on any other branch in the Cisco CP defaults tree and then click Access Rules. The access rules are displayed.
When a Cisco 7204 router with Flash cards is discovered along with other devices, and IPS is configured on the Cisco 7204 and another device, the Flash information for the Cisco 7204 is displayed when selecting an SDF file for the other device.
After configuring an Easy VPN Remote client and establishing a VPN tunnel with the Easy VPN server and activating the tunnel, a failure message is displayed when Test Tunnel is clicked. The message displayed is "Easy VPN server server_IP is responding but the tunnel is not established."
Workaround: Continue to use the Easy VPN connection. The tunnel is established.
When a device configured with a version of Cisco IOS IPS earlier than that available with Cisco IOS 12.4(11)T or later is discovered along with a device running Cisco IOS IPS available beginning with 12.4(11)T, in the same community, the following problem occurs:
When attempting to download the zip file required to deploy signatures for the top threats, the Security Dashboard asks for a zip file of the format IOSxx.zip. However, when such a file is chosen, a warning message is displayed, indicating that the filename is not of the format SDMxx.zip, the format required for the later version of Cisco IOS IPS. This warning message should not be displayed.
Workaround: Either place these devices in different communities before discovering and configuring the device with the earlier version of Cisco IOS IPS, or discover and configure these devices separately.
The Help button in `Add a G.SHDSL Connection' dialog displays a "Help not implemented yet" error message.
Workaround: If you need help on this screen, click the large question mark (?) icon at the upper left of the screen, and choose Routing and Security. Once in the Routing and Security help system is launched, click the Search button in the help system banner, and search for "Add a G.SHDSL Connection." Then, click on the search result for that text to read the help topic.
Cisco CP fails to show signature details on Cisco 7204 routers running Cisco IOS IPS available before Cisco IOS 12.4(11)T. A Cisco IOS caveat (CSCso59783) has been filed for this problem.
During discovery, several Java Null Pointer Exception are seen on the Java Console screen. These Null Pointer Exceptions are seen under the following conditions:
–When Cisco CP is installed in a non-default location
–When Cisco CP is run under the windows vista business edition and JRE 1.60_03.
Workaround: Install Cisco CP in the default location.
Although Cisco CP prevents the keyboard entry of an IP address with more than 4 periods, you can copy and paste an illegal IP address with more than 4 periods in the Add or Edit community member screen.
Workaround: Do not copy and paste IP addresses into the IP address field.
If Microsoft Windows Vista is not installed in Administrator mode, Cisco CP will not start.
Workaround: To run Cisco CP under Microsoft Windows Vista, reinstall Microsoft Windows Vista in Administrator mode.
The Cisco CP icon in the upper-lefthand corner of the window changes to the Internet Explorer icon after the application has been opened for a period of time.
It is possible to add more than 10 devices to a community after you have filtered the devices. The Add button is enabled after you filter the devices, and when you have selected a filtered device.
It is possible to add more than 25 communities to a Cisco CP configuration after you have filtered the communities. The Create button is enabled after you filter the communities, and when you have selected a filtered community.
When toggling between two devices with a Certificate Authority (CA) server configured, the Edit CA Server screen for one of the devices may appear misaligned.
The Print button in the User License Agreement screen does not display a print dialog, but instead displays the Save As dialog.
The Cisco CP Routing and Security online help displays help for features that are not available in Cisco CP. These features are Ping, Reset to Factory Defaults, Update from CCO, Refresh, and Preferences.
Other documents with information on Cisco CP or Cisco CP Express are listed below.
•Release Notes for Cisco Configuration Professional Express 1.0
•Cisco Configuration Professional Express 1.0 User Guide
•Cisco Configuration Professional Community User Guide
•Cisco Configuration Professional Routing and Security User Guide
These documents are available from the following link:
Note For information on obtaining documentation and technical assistance, product security, and additional information, see What's New, which also lists new and revised documents each month.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2008 Cisco Systems, Inc. All rights reserved.