Guest

Cisco Subscriber Edge Services Manager

Release Notes for Cisco Subscriber Edge Services Manager 3.3(1)

  • Viewing Options

  • PDF (350.6 KB)
  • Feedback
Release Notes for Cisco Subscriber Edge Services Manager 3.3(1)

Table Of Contents

Release Notes for Cisco Subscriber Edge Services Manager 3.3(1)

New Features and Enhancements

Whitelists Per Location For Non-Proxy Users

Location Configuration Using Multiple IP Ranges

File Poller for Dynamic Update of Whitelists and Location Configurations

Support for iPass Users

Display of RADIUS Reply Messages (Attribute 18 Messages)

Support for Always-on Connectivity (Trusted ID Solution)

Product Documentation

Related Documentation

Supported Versions of SSG

Downloading SESM from Cisco.com

Installing SESM 3.3(1)

Upgrading from Previous SESM Releases

Documentation Updates

SSL Script Generation for Testing

Preventing Memory and Performance Degradation

JRE and JDK_HOME variable

Known and Resolved Problems

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Cisco Subscriber Edge Services Manager 3.3(1)


These release notes are for use with the Cisco Subscriber Edge Services Manager (SESM) 3.3(1). These release notes provide:

New Features and Enhancements

Product Documentation

Related Documentation

Supported Versions of SSG

Downloading SESM from Cisco.com

Installing SESM 3.3(1)

Upgrading from Previous SESM Releases

Documentation Updates

Known and Resolved Problems

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features and Enhancements

SESM 3.3(1) contains the following new features and enhancements:

Whitelists Per Location For Non-Proxy Users

Location Configuration Using Multiple IP Ranges

File Poller for Dynamic Update of Whitelists and Location Configurations

Support for iPass Users

Display of RADIUS Reply Messages (Attribute 18 Messages)

Support for Always-on Connectivity (Trusted ID Solution)

Memory management enhancements to improve performance.

Captive Portal is now installed when you run a Typical installation (no need for Custom installation).

Web portal PDA and WAP pages support UTF-8.

RDP can support non-SSG users.

You can now change the size of send and receive buffers in RDP and web applications.

Improved management of backlogs for handling new user requests. You can help to improve performance by configuring the time to wait for a RADIUS ID to become available.

You can now access session timeout RADIUS attribute information. If the user profile includes the session timeout attribute, you can access it from the SESM session API.

Support for Red Hat Enterprise Linux AS 3 and Red Hat Enterprise Linux ES 3.

Whitelists Per Location For Non-Proxy Users

The previous release of SESM supported the creation of location-specific whitelists to provide web proxy users with different free access destinations depending on location. This release of SESM extends the support of location-specific whitelists to non-proxy users.

For information about configuring location-specific whitelists, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

Location Configuration Using Multiple IP Ranges

You can now use multiple, noncontiguous client IP address ranges to define location awareness using complete ID attributes in the Location MBean.

For information about configuring locations with multiple IP ranges, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

File Poller for Dynamic Update of Whitelists and Location Configurations

This release of SESM provides a file poller mechanism that updates location and whitelist URL definitions without requiring you to restart the server. It can also be used to share a configuration file among several applications, so that a configuration that is contained in several applications needs to be maintained only in a single file.

For information about using the file poller, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

Support for iPass Users

SESM support for roaming users enables iPass users to connect to the Internet from public hotspots using their iPass accounts. iPass is a software-enabled virtual network operator (VNO) that provides enterprise connectivity services permitting secure access to information and applications on corporate networks.

SESM enables iPass account holders to:

Connect to the Internet using the iPass Smart Client.

Connect to the Internet through a browser using the NWSP Login page.

For information about configuring SESM support for iPass users, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

Display of RADIUS Reply Messages (Attribute 18 Messages)

NWSP now displays RADIUS attribute 18 messages (also known as RADIUS Reply Message) by default. An attribute 18 message can be returned as a response to an access request. NWSP extracts the attribute 18 messages from the response and displays them to the user in the appropriate pages.

Messages extracted from access-reject responses are displayed in the Login page, while messages extracted from access-accept responses are displayed in the Messages page.


Note In previous releases, SESM extracted attribute 18 messages but did not display them. If you already customized your web portal application to display RADIUS reply messages, you can disable this feature.


For information about configuring RADIUS attribute 18 message display, see Cisco Subscriber Edge Services Manager Web Portals Guide.

Support for Always-on Connectivity (Trusted ID Solution)

The trusted ID solution provides always-on connectivity and removes the need for users to authenticate through SSG more than once from the same device or location. Currently users must authenticate each time they connect. When the always-on connectivity is enabled, after users authenticate for the first time, user information (trusted ID) is saved so that a connection from the same user is recognized and automatically authenticated the next time the user connects. The trusted ID information is the user's MAC address.

The trusted ID solution is implemented using a SESM SPE installation and Cisco Access Registrar (AR) 3.5.4 or later, with SPE light installed.


Note The following known problem with trusted ID exists in AR 3.5.4:

CSCeg88981: Implicit login flag change does not have immediate effect.

Symptoms: User passes an implicit login with Implicit-Auth-Enabled set to FALSE.

Conditions: The Trusted ID flow is in use and the user's Implicit-Auth-Enabled has been changed from TRUE to FALSE. If the user is in the cache from a previous passing explicit login, the first implicit login request following the flag change will pass, but every one after will fail.

Workaround: After changing the flag, manually remove the user from the cache using the release-sessions command in aregcmd.

This problem has been fixed in later releases of AR.


SESM support for the trusted ID solution lets you enable and disable always-on connectivity in user profiles through CDAT, and lets users enable and disable always-on connectivity through the self-care pages in NWSP.

See Cisco Subscriber Edge Services Manager Introduction Guide for information about the trusted ID solution and SESM support for always-on connectivity.

For information about configuring AR for the trusted ID solution, see Cisco CNS Access Registrar User's Guide, 3.5. See Related Documentation for a link to the AR documentation online.

Product Documentation


Note We sometimes update the electronic documentation after original publication. Therefore, you should review the documentation on Cisco.com for any updates. Documentation for SESM 3.3 is online at
http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_33x/index.htm
and under the SESM product website at
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4889/index.html.


Table 1 describes the documentation for SESM 3.3.

Table 1 SESM 3.3 Documentation Set

Document Title
Available Formats

Release Notes for Cisco Subscriber Edge Services Manager 3.3(1)

PDF (SESM331relnote.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Introduction Guide

PDF (SESM33intro.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Installation Guide

PDF (SESM33install.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Administration and Configuration Guide

PDF (SESM33adminconfig.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Web Portals Guide

PDF (SESM33webportal.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Profile Management Guide

PDF (SESM33profilemgmt.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Web Services Gateways Guide

PDF (SESM33wsg.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Web Developer Guide

PDF (SESM33webdev.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager SDK Programmer Guide

PDF (SESM33sdkprog.pdf) on the product CD-ROM.

On Cisco.com.

Cisco Subscriber Edge Services Manager Troubleshooting Guide

On Cisco.com.


Related Documentation

Documentation for the Cisco SSG is online at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/ssg/

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/

Information related to configuring the SSG authentication, authorization, and accounting features is included in:

Cisco IOS Security Configuration Guide:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/sec_vcg.htm

Cisco IOS Security Command Reference

If you are including the Cisco Access Registrar (a RADIUS server) in your SESM deployment, see the documentation for Cisco Access Registrar (AR) online at:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/index.htm

Supported Versions of SSG

Cisco SESM works with any router running Cisco IOS software with the Cisco Service Selection Gateway (SSG).

The following devices have been verified to work with SESM when they are running Cisco IOS Release 12.3(8)T or later, with SSG enabled:

Cisco 72xx, 7301, and 74xx series high-performance multifunction routers.

Cisco 2651XM and 2691 routers.

Cisco 3725 and 3745 multiservice access routers.

Cisco MWAM blade on either the Catalyst 6000 chassis or 76xx chassis.

The following devices work with SESM when they are running Cisco IOS Release 12.3(7)XI2 with SSG enabled:

Cisco 10000 series router.


Note For more details about SSG support on these devices, see http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp.


Downloading SESM from Cisco.com

If you purchased a contract that allows you to obtain the SESM software from the Cisco website, you can access the Cisco images from the CCO Software Center, at http://www.cisco.com/cgi-bin/tablebuild.pl/sesm33-3des.

You must have a valid Cisco user ID and password.

Installing SESM 3.3(1)

For information about system requirements and instructions for installing SESM, see Cisco Subscriber Edge Services Manager Installation Guide.

Changes since SESM 3.2(2)

The default installation option is Typical installation.

Captive Portal is installed when you run the Typical installation.

Installation without SSG option is no longer available.

The Add Services option for configuring RDP is no longer available in Install. It is now enabled by default. The configuration can be changed after installation.

Information about memory requirements and performance are provided in Cisco Subscriber Edge Services Manager Installation Guide.


Note If you plan to raise the debugging level in SESM, you might need to increase the memory configuration.


Upgrading from Previous SESM Releases

For the following information about upgrading SESM from SESM 3.1(3) and later, see Cisco Subscriber Edge Services Manager Installation Guide:

Upgrading the LDAP directory.

Migrating SESM customizations and configurations.


Note You can use SESM 3.2(2) with an LDAP directory that has been upgraded for SESM 3.3.(1).


To upgrade from SESM 3.1(1), use the upgrade instructions in the Installation Guide for SESM 3.2.

Documentation Updates

This section provides additional information about using SESM:

SSL Script Generation for Testing

Preventing Memory and Performance Degradation

JRE and JDK_HOME variable

SSL Script Generation for Testing

You can generate self-signed SSL certificates for testing environments. The appendix in Cisco Subscriber Edge Services Manager Administration and Configuration Guide provides instructions for this procedure.

This procedure is based on the Sun Java Keytool utility. For more information about Keytool, see the Sun Java website.


Note This procedure is only for development, test, and trial environments. It must not be used in a production environment.


Preventing Memory and Performance Degradation

In session and memory management, the session scavenger daemon, which marks aged sessions for deletion, disrupts or prevents garbage collection from freeing memory. This can result in increased memory consumption, and might lead to performance degradation.

To prevent memory and performance degradation, ensure that:

The profileCachePeriod attribute is not less than one quarter of the sessionCachePeriod.

You do not use Agent View for constant monitoring of session status.

JRE and JDK_HOME variable

The startup scripts now inform you when the JRE version used is set from your JDK_HOME variable. If the JRE version used is earlier than JRE 1.4.2, a message informs you to which JRE version it was pointing.


Note You cannot use JRE 1.5.0 with SESM.


Known and Resolved Problems

Table 2 describes problems known to exist in this release; Table 3 describes problems resolved since the last release of SESM.


Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)


Table 2 Known Problems in SESM 3.3(1) 

Bug ID
Summary
Explanation
Installation Problems

CSCuk45717

INSTALL: Silent Install does not work on Windows.

The Silent mode installation option does not work on Windows.

Workaround: Use the GUI mode or Console mode installation option instead.

CSCuk46174

Duplicated by: CSCeg29076

Silent Install: #-P installLocation parameter does not work.

If you install SESM for the first time on a machine using the Silent mode installation, SESM will be installed in the default location regardless of the location specified in the installLocation parameter.

If you use the Silent mode installation on a machine that already has SESM installed, and you specify a location in the installLocation parameter that is different from the default installation directory, the installation program will attempt to install SESM in the previous installation directory. Installation will fail because you cannot install SESM in the same directory as an existing SESM installation.

Workaround: Use Silent mode installation only when you are installing to the default installation directory. When you use Silent mode installation, do not use the #-P installLocation parameter in the .iss file, and verify that there is no other SESM installation in the default installation directory.

CSCuk46065

Misc. Windows Services Problems.

Various Windows Services Problems:

There are no Windows Service scripts provided for installing as Windows Services for the Message Portal, Web Proxy, Web Services Gateway or Remote Management Interface. Please note that Application Management relies on the RMI running and so AM cannot be used as a Windows Service.

Startup of the RDP as a Windows Service is not successful.

Startup of the CDAT as a Windows Service is not successful.

Workaround: There are no workarounds for the above issues and so the SESM applications mentioned cannot be installed/used as Windows services.

CSCuk44745

SPE/iPlanet installation of SESM directly from CD-ROM.

SPE authentication fails if SESM is installed in SPE mode directly from a CD-ROM when you use iPlanet directory.

This is because the installer attempts to create a temporary file on the CD-ROM for modifications to the SPE. Although this is not possible, no installation errors occur unless logging is enabled during installation.

As a result, it is not possible to authenticate against the SPE after installation.

The same problem occurs if you run the installer from the hard disk but do not have write access to that location.

This problem affects all platforms.

Workaround: When you install SESM from a CD-ROM, we recommend that the contents of the CD-ROM are copied to hard disk and the installer is run from there. Make sure that you have write access to the location of the install image.

CSCuk49356

All application processes stay up after uninstall.

SESM processes that are not stopped before you uninstall SESM stay alive and associated ports remain busy.

Workaround: Before uninstalling SESM, stop all SESM applications.

Captive Portal Problems

CSCuk47561

CP: Wrong locationURL redirect with Location MBean.

Captive Portal does not redirect to the correct location URL when using the Location MBean. There is no problem when using the SSG MBean (and client IP hostkey).

Workaround: Change the value of the sesmSessionEnabled attribute in CPProxyHandler MBean to true. This ensures that the location is correct when the Captive Portal servlet redirects to the location URL.

NWSP Problems

CSCuk31287

NWSP: User autoconnected to service in unsubscribed service group.

A user group member is erroneously autoconnected to a service when the following conditions are true:

The user group has a subscribed service which is defined as auto-logon.

The service is a member of a service group, but the user is not subscribed to the service group.

When the user logs on, the service is autoconnected even though the user is not subscribed to the service group.

Workaround: Do not define services in a service group as auto-logon in a user group.

CSCuk47765

Activating tunnel service fails directly after subscribing.

When a user attempts to activate a Tunnel Service from the Service List immediately after subscribing to that Tunnel Service in the NWSP My Services page, service activation fails.

Workaround: Service activation is successful after the user logs out and back into NWSP, or after the SESM session has expired.

CSCuk55793

Attr18: reply message not displayed after proxy service logon.

After a successful proxy service activation, the reply-message from the remote RADIUS server is not displayed on the NWSP messages page.

Workaround: None

CSCuk55462

Attr18: successful authentication message displayed at svc logon.

This problem occurs if, after authenticating, and receiving a successful authentication message in the Messages page, you try to connect to a proxy service, but service logon fails (for example, because you entered incorrect credentials). In this case, both the original successful authentication message and the failed authentication message for the service logon are displayed on the Service Logon page.

Workaround: None

WSG Problems

CSCuk55324

High CPU utilization on initial load for WSG application.

After startup/initialization, the first authentication request results in high CPU utilization (a spike) and slow response time. Consequently, WSG is not able to support a normally sustainable load directly after startup.

Workaround: Prime WSG by sending an initial authentication request for each client subnet.

RDP Problems

CSCuk39441

RDP: Primary Service At Group Level not working.

If a subscriber has a Primary Service by virtue of inheriting it from a User Group, then the RDP will not pass the IP Pool associated with the Primary Service to the SSG.

Workaround: Either assign the Primary Service to the User profile or assign a Pool Name to the User Group profile.

CSCeh03068

Incorrect dynamic attribute parsing in RDP.

RDP incorrectly parses new attribute definitions when you dynamically define a new attribute using the syntax:

name([[type=]26],[vendorId=]vendorId,[vendo
rType=]vendorType,[dataType=]dataType)

Workaround: Use the syntax:

[attributeName](radiusAttributeId, 
vendorId, vendorSubattribute, datatype)

for example, demoVSA(26, 1, 1, BINARY)

CDAT Problems

CSCuk29592

CDAT deletion of auto svc does not remove attrib. in users profile.

If an administrator deletes a service from CDAT that is defined as an autoconnected service in a subscriber's profile, some service-related attributes might not be deleted from the directory. The problem occurs regardless of whether the subscriber is logged in or logged out. These redundant attributes do not have an impact on the subscriber.

Workaround: There is no impact in leaving these attributes in the directory, but administrators can manually remove the attributes if they wish.

CSCuk32178

CDAT block inheritance and service filter not inherited.

In CDAT, the Service Filters attributes are not inherited by the user from a user group.

Workaround: If these attributes are required, they must be directly assigned to each user.

Application Manager (AM) Problems

CSCeg12741

The CDAT AM creates an error after canceling the task.

When you try to cancel a task in AM by clicking the Cancel button, an error message appears and the task is not cancelled.

Workaround: Close and reopen the application.

CSCuk43101

CDAT-AM: Subnet Attribute only allows for an IP as a value.

In the SESM AM SSG page, you can create and edit only Subnet attributes for attribute type IP. Because the Attribute Value field must be IP, the following valid Subnet attributes cannot be specified on a per-subnet basis:

MASK

PORT

SECRET

TIMEOUTSECS

RETRIES

BUNDLE_LENGTH

SESSION_<attribute>

Workaround: To set any of the listed attributes on a per-subnet basis, edit the appropriate application configuration file.

For example, to create a new mapping for the 192.168.2.0/24 client subnet and a SESSION_LOCATION attribute (or type london) in NWSP, add a line similar to the following:

<Call 
name="setSubnetAttribute"><Arg>192.168.2.0<
/Arg><Arg>255.255.255.0 
</Arg><Arg>SESSION_LOCATION</Arg><Arg>londo
n</Arg></Call>

For these changes to take effect, save the configuration file and restart the application.

General Problems

CSCuk52355

Personal firewall page: parsing of valid ACLs fails.

3 problems have been identified when you configure personal firewall settings:

ACLs for AV pairs of the following form are not parsed correctly: Cisco_AV:ip:outacl#129=permit icmp any any <option>

Workaround: The AV-pair instead needs to be of the form: Cisco_AV:ip:outacl#129=permit icmp any any

ACLs for AV pairs of the following form are not parsed correctly: Cisco_AV:ip:outacl#129=permit <internet protocol> any <src port op> <src port> any <dest port op> <dest port>

Workaround: Provide ACLs using two AV pairs: Cisco_AV:ip:outacl#129=permit <internet protocol> any <src port op> <src port> any Cisco_AV:ip:outacl#129=permit <internet protocol> any any <dest port op> <dest port>

ACLs for AV pairs of the following form are not parsed correctly: Cisco_AV:ip:outacl#129=permit udp any any <port operator> <port alias>

where the port alias is the name of the UDP application.

Workaround: Use the actual port numbers when using UDP.

CSCuk55690

Scavenger thread Interferes with GC of sessions in soft cache.

In session and memory management, the scavenger thread, which marks aged sessions for deletion, disrupts or prevents garbage collection from freeing memory used by sessions in the soft cache. This can result in memory problems when configuring applications.

Workaround: Ensure that:

The profileCachePeriod attribute is not less than one quarter of the sessionCachePeriod.

You do not use Agent View for constant monitoring of session management.

CSCuk53972

Tomcat: Shutdown script does not kill NWSP.

When NWSP is running inside Tomcat (v4.1.30), the $catalina-home/bin/shutdown.sh script doesn't always kill the nwsp process. However, after running the script, you cannot access NWSP through the browser

Workaround:

If you are not using AM, remove rmi.xml from the application's configuration directory.

Stop the HTML Adaptor in Agent View before you invoke the Tomcat stop script.

CSCuk55340

Intermittent start script problem after Ctrl-C.

If you run a start script in the foreground, and then use Ctrl-C to kill it, the Java process dies, but the script might remain open for a while.

Workaround: To kill the process, use Ctrl-C and then use kill -9.


Table 3 Resolved Problems in SESM 3.3(1) 

Bug ID
Summary
Additional Information

CSCuk54916

Use of shape cache is not thread-safe.

This problem has been resolved.

CSCuk54584

Location mechanism broken for PBHK.

This problem has been resolved for configuring locations using the Location MBean (using complete ID attributes). You cannot configure locations using SSG MBean (using IP subnets) if PBHK is used.

CSCef27420

When DNS is down the welcome page get displayed in a big delay.

This problem is not due to SESM. The workaround for this problem is to reduce the DNS timeout and retry values. In Solaris, this is an entry in /etc/resolv.conf:

option timeout:t attempts:a

where t is the first timeout period in seconds and a is the number of attempts. An attempt value of 1 will turn off retries.

CSCed72147

start.sh fails if host IP address contains port number.

This problem has been resolved.

CSCef97636

DNS Proxy Failover not working as expected.

This problem has been resolved.

CSCuk47137

SESMSession should indicate that there was a PoEFailure.

If authentication or SSO fails for any reason, the resultant exception is added to the session as an attribute named authException. This attribute is cleared before authentication or SSO, so if either succeed no exception is stored. Anyone customizing the application can examine this property directly and see what caused the authentication to fail.

CSCuk49376

Authentication Request packet loss.

The receive and transmit buffer sizes are now configurable.

(Fixed in SESM 3.2(2) patch 1.)

CSCuk49549

WSG: Service Activation Fails after loss of communication with SSG.

This problem has been resolved.

CSCuk50176

WSG packet loss.

SESM now contains two global attributes to allow the send and receive buffer sizes to be set for RADIUS communication to an SSG. This allows the buffer size to be increased so that packets do not get lost when the system is under heavy load.

(Fixed in SESM 3.2(2) patch 2.)

CSCuk51837

Intermittent RDP Install Problem - No Add Services.

The Add Services option has been removed from the Installation program, and is automatically set to true. You can change the Add Services setting in the rdp.xml file.

CSCuk52069

Agent View: Start/stop operation in DNSProxy MBean throws exception.

The Start and Stop options now work correctly in the Agent View of the DNS Proxy application.

CSCuk50835

minThreads to be set to 20% of maxThreads.

The default setting for the minThreads attribute in the SESMSocketListener MBean and in the SESMSSLListener MBean is now 50.

CSCuk43204

No Message displayed to User when Service Activation Fails.

When service activation fails, a message is now displayed in the Messages page.

Note For a simple service authentication failure, no message is displayed; the user is asked to authenticate the service again.

CSCuk53624

page lock for cancel at service conf after unauth service red.

The problem that prevented you from returning to the home page after unauthenticated service redirection, if the service confirmation option was switched on, has been resolved.

CSCuk44912

The NONE Encryption option not working when installing against NDS.

This problem has been resolved.

CSCuk51208

RDP sends RADIUS command 0 on receiving AR with null password.

Fixed for SESM 3.2(2) patch3


Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies — security-alert@cisco.com

Nonemergencies — psirt@cisco.com


Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on


In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html