Release Notes for Cisco VPN Solutions Center, Release 2.0

Note: Printed documentation, including this Release Notes for Cisco VPN Solutions Center, Release 2.0 document and any or all of the parts of the documentation set, may be upgraded.


The information in the Release Notes for Cisco VPN Solutions Center, Release 2.0 document supersedes all information in the documentation set for Cisco VPN Solutions Center: IPsec Solution, referred to as IPsec VPN Solution and Cisco VPN Solutions Center: MPLS Solution, referred to as MPLS VPN Solution.


Note: Please read this document prior to reading any other manual for Cisco VPN Solutions Center: IPsec Solution or Cisco VPN Solutions Center: MPLS Solution.


All patches are available at: http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc, where in tablebuild.pl, the last character is the lower-case letter "l."


Note: The VPN Solutions Center is referred to as VPNSC.



Note: To use the Import/Export utilities, the Import/Export license key is required. E-mail csg-license@cisco.com for access to this license key.


Contents

The information in this release note is organized into the following sections:

Contents

Materials

Introduction

What Is New in Release 2.0 of VPNSC

System Recommendations

Time Zones for NetFlow Collection

Task API Usage: TaskFactory::createGetSLAData() Operation

MPLS Problems Fixed Since Cisco VPN Solutions Center: MPLS Solution, Release 1.2.1

IPsec Known Problems in Cisco VPN Solutions Center, Release 2.0

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.0

Obtaining Technical Assistance

Materials


Note: For all products there is a Right to Use document with a license key.


The materials for the IPsec VPN Solution product are as follows:

Cisco VPN Solutions Center: IPsec Solution and MPLS Solution product (Part Number: 80-5897)

Documentation Road Map for Cisco VPN Solutions Center: IPsec Solution 2.0 (Part Number: 78-12376)

Release Notes for Cisco VPN Solutions Center, Release 2.0 (Part Number: 78-11639)

Cisco VPN Solutions Center Installation Guide (Part Number: 78-12191)

Cisco VPN Solutions Center: IPsec Solution Provisioning and Operations Guide (Part Number: 78-11117)

Cisco VPN Solutions Center: IPsec Solution User Reference (Part Number: 78-11638)

The materials for the MPLS VPN Solution product are as follows:

Cisco VPN Solutions Center: IPsec Solution and MPLS Solution product (Part Number: 80-5897)

Documentation Road Map for Cisco VPN Solutions Center: MPLS Solution 2.0 (Part Number: 78-12393)

Release Notes for Cisco VPN Solutions Center, Release 2.0 (Part Number: 78-11639)

Cisco VPN Solutions Center Installation Guide (Part Number: 78-12191)

Cisco VPN Solutions Center: MPLS Solution Provisioning and Operations Guide (Part Number: 78-12189)

Cisco VPN Solutions Center: MPLS Solution User Reference (Part Number: 78-11637)

For the Cisco VPN Solutions Center: IPsec Solution API upgrade, refer to the following:

Release Notes for Cisco VPN Solutions Center, Release 2.0 (Part Number: 78-11639)

Cisco VPN Solutions Center: IPsec Solution API Programmer Reference, Release 2.0 (Part Number: 78-11729)

For the Cisco VPN Solutions Center: MPLS Solution API upgrade, refer to the following:

Release Notes for Cisco VPN Solutions Center, Release 2.0 (Part Number: 78-11639)

Cisco VPN Solutions Center: MPLS Solution API Programmer Guide, Release 2.0 (Part Number: 78-11727)

Cisco VPN Solutions Center: MPLS Solution API Programmer Reference, Release 2.0 (Part Number: 78-11730)

Introduction

Using the architecture of Cisco VPN Solutions Center (hereafter referred to as VPNSC) Release 1.2.1, VPNSC Release 2.0 continues to provide features such as provisioning, auditing, and SLA monitoring for Multi Protocol Label Switching (MPLS) and has added these features for Internet Protocol security (IPsec). VPNSC is a network service and management system for Service Providers. VPNSC allows Service Providers to seamlessly provision and manage intranet and extranet VPNs.

VPNSC focuses on provisioning, auditing, and monitoring the links between a customer's edge routers through the Service Provider's network. The set of CORBA APIs available for the MPLS VPN Solution, Release 1.2.1, is still available for the MPLS VPN Solution, Release 2.0, and some APIs are also available for the IPsec VPN Solution, Release 2.0.

In an IPsec network, a Customer Premises Equipment (CPE) router in one site connects to another CPE in a second site, as defined by the IPsec protocol. The IP traffic is encrypted and encapsulated at the CPE's secure interface, and then sent to the destination CPE through the IPsec tunnel, thus providing privacy and security for the data. The VPNSC provisioning engine for IPsec accesses the configuration files on both the CPEs to compute the necessary changes required to set up an IPsec VPN.

Starting with this release, Cisco IP Manager is no longer required and therefore is not bundled with this product. Incorporated into this product, as for Release 1.2.1, is the Telnet Gateway Server (TGS) for downloading and uploading configuration files. Additionally, this is the first release for which the Template Console GUI is integrated with VPNSC.

What Is New in Release 2.0 of VPNSC

The major change between Release 1.2.1 and Release 2.0 is the addition of an IPsec provisioning and auditing engine.

The following topics (listed alphabetically) are new, or their implementation changed dramatically, between Release 1.2.1 and Release 2.0:

API Partitioning and Necessary Modification to Third-Party Client Code

Auditor—Migration

Auditor—New Features

Download and Upload Mechanism—Telnet Gateway Server (TGS)

Download Console

Executing IOS Commands

Hardware Support

IPsec Provisioning

IPsec Provisioning API CORBA Server

IPsec Provisioning GUI

IPsec Provisioning SLA Automatic Configuration

Journaling

Licensing

Multiple Telnet Gateway Servers (Multi-TGS)

Non-loopback Interfaces as Tunnel End Points

Recovery

Repository Migration from Release 1.x to Release 2.0

Secondary Devices

SLA Collection

SLA History Data—Raw

SLA Traps Configuration

SNMPv3 Support

Template Console

Version Console

API Partitioning and Necessary Modification to Third-Party Client Code

In this release, the CiscoVpnServiceModel::VpnInvMgr Interface Definition Language (IDL) has been partitioned into four interfaces: VpnInvMgrCommon, VpnInvMgrMPLS, VpnInvMgrIPsec, and VpnInvMgr. VpnInvMgrMPLS and VpnInvMgrIPsec are derived from VpnInvMgrCommon, and VpnInvMgr is derived from VpnInvMgrMPLS and VpnInvMgrIPsec.

To use third-party client code that was developed using a previous release, you must perform some minor modifications to your code to ensure it works properly with this release. For a complete explanation of the necessary modifications, see Part 1 of the Cisco VPN Solutions Center: IPsec Solution API Programmer Guide or the Cisco VPN Solutions Center: MPLS Solution API Programmer Guide, as is applicable to your license.

Auditor—Migration

It is extremely important that you delete all active Audit tasks from the Task list that were created in previous MPLS VPN Solution releases.

To do this, in vpnconsole -mode mpls, choose Tools > Tasks. Then in the Task Manager window, highlight the active Audit tasks and choose Actions > Delete Task.

The MPLS Audit reports from previous releases are not automatically migrated. You must rerun the Auditor to get the reports.


Note: In previous releases, Auditing was a choice in the menu task bar. This is no longer the case. In this release, right-click on a specific Customer or VPN in the hierarchy pane. To schedule an Audit task, choose Audit Service Requests. To check the Audit task status, navigate to Tools > Task Logs. To access Audit results, choose List Service Requests and navigate to the Audit Detail selection.


Auditor—New Features

The Auditor verifies that a Service Request is correctly deployed. In this release, the Auditor has the added functionality to verify IPsec Service Requests. The Auditor continues to verify MPLS Service Requests as in previous releases.

The following features are new in the Auditor:

Auditing of IPsec Service Requests

Just-in-time (JIT) auditing

If JIT is turned on, the Auditor verifies the Service Request in real time. This means the Auditor collects router configuration files (for the MPLS VPN Solution and the IPsec VPN Solution) and VFIT tables (for the MPLS VPN Solution only) in real time. Unlike previous releases, there is no need to perform a scheduled collection before you run the Auditor. (See the "System Recommendations" section.)

Download and Upload Mechanism—Telnet Gateway Server (TGS)

This version of VPNSC incorporates the Telnet Gateway Server (TGS) to download and upload information. You can choose telnet or tftp for the IPsec VPN Solution and the MPLS VPN Solution. TGS is the only download and upload mechanism.


Warning: Telnet and tftp options are incorporated into this product. Secure Shell (SSH), a download mechanism for the IPsec VPN Solution, is not incorporated into this product. SSH is separately available through CCO. For more information about accessing SSH, refer to the section Installing the Secure Shell (SSH) Module for VPN Solutions Center 2.0 in Chapter 2 of the Cisco VPN Solutions Center Installation Guide.


For information about the Multi-TGS feature, see the "Multiple Telnet Gateway Servers (Multi-TGS)" section.

Download Console

The Download Console allows you to download configuration files, configlets, and router commands.

Executing IOS Commands

The Exec Command allows you to send IOS commands to Cisco routers. This web-based interface can be launched by navigating in either the IPsec or MPLS mode from the menu task bar, Tools > Exec Command. In the top frame of the browser, you select the network, the target devices, and the IOS command(s) to be issued. A pre-existing file of IOS commands can also be loaded into the commands field. The results of the issued IOS commands then appear in the bottom frame of the browser.

Hardware Support

For MPLS, the new hardware supported in this release is the Cisco 10000 Edge Services Router (ESR) with the Channelized DS3/T3 interface module.

For IPsec, the following hardware is supported:

1700

2600

3600

4500

7100

7200

ubr900

Fixed Wireless Module in the 2600 and 3600.

IPsec Provisioning

This release handles CPE-to-CPE IPsec provisioning and CPE routing and interfaces provisioning relating to IPsec. The provisioning flow involves uploading of the configuration file from the CPE and downloading of the computed configlet to the CPE, both handled through the Telnet Gateway Server (TGS).

IPsec Provisioning API CORBA Server

For the IPsec VPN Solution, like the MPLS VPN Solution, the provisioning service model CORBA API is exposed through the VPN Inventory Server (VpnInvServer).

You can use the APIs to create IPsec provision-required data, so the provisioning engine can leverage this information. The APIs can also be used to browse provision-related data.

IPsec Provisioning GUI

To open the IPsec GUI, you start by entering vpnconsole -mode ipsec on the command line. To open the MPLS GUI, you start by entering vpnconsole -mode mpls on the command line.

IPsec Provisioning SLA Automatic Configuration

This new convenience feature allows you to automatically configure SLA probes when defining an IPsec Service Request.

A Create SLA task is automatically created for you. When this task is executed, it configures SLA probes on all SA Agent-enabled CPEs in the Service Request.

The types of probes that are created and their parameters are specified in the csm.properties file. The related properties start with the common prefix netsys.vpn.autoProbeConfig. Additionally, the GUI allows you to choose which specific edge devices are to be automatically configured, and whether the probe request packets should be sent inside or outside the IPsec tunnel.

Journaling

The journaling feature records every change made to the Repository database. By default, the changes are recorded in the following four files: col.jnl; dir.jnl; vi.jnl; and task.jnl in the journal subdirectory of the Repository. A different path for the journal subdirectory can be specified in the csm.properties file. The four journal files are used by the Recovery feature explained in the "Recovery" section.

Licensing

To install Release 2.0, you must enter an authorized license key for IPsec or MPLS. This license key is specified on the Right to Use document included with your product. It authorizes a maximum number of edge devices for IPsec or MPLS, dependent on your order. Additionally, if you ordered an API upgrade for IPsec or MPLS, you will be issued an authorized license key, which is specified on the Right to Use document sent with your API product. This license key must be entered, and it must be entered after the license key for the IPsec or MPLS product.

Once you approach the limit of the license, you are notified by e-mail. You may then choose to upgrade the maximum number of edge devices for your IPsec or MPLS system. You will need to enter the authorized license key(s) for each level through which you upgrade.


Note: For evaluation customers, you can access a demo version (for 20 edge devices only) of this product (without API). For a demo license for IPsec, enter: 130c07010e0f4a787b6a787d6772. For a demo license for MPLS, enter: 011e16084845545f6f1c005b49.



Note: To use the Import/Export utilities, the Import/Export license key is required. E-mail csg-license@cisco.com for access to this license key.


Multiple Telnet Gateway Servers (Multi-TGS)

A Telnet Gateway Server (TGS) is a CORBA server that is used to communicate with a device or router. With a single TGS, all the communication with the routers, for example uploading and downloading of configuration files, is done using the same TGS. This can be a bottleneck if a large number of requests have to be sent to the routers.

Multi-TGS is a feature that enables the use of multiple Telnet Gateway Servers in the system. It is used for load balancing and performance improvement. When you install this product, the default is to install one TGS. You can dynamically add and remove separate TGS packages on different machines running in the network. When these other Telnet Gateway Servers are started, they are automatically detected and used to service requests. When a Telnet Gateway Server is stopped, this is also detected.


Note: A minimum of one TGS must always be running.


If you are installing the Telnet Gateway Server software on a remote network, you must set up TIBCO Rendezvous Routing Daemons so that TGS can communicate with VPNSC.

Non-loopback Interfaces as Tunnel End Points

Each IPsec edge device router must have a tunnel endpoint. The tunnel endpoint interface can be either a loopback interface or a numbered interface that is not a loopback (with the IP address in the Service Provider's address space).


Note: Cisco recommends that the tunnel endpoint interface and the management interface for that device be the same.


If you assign a non-loopback interface as the tunnel endpoint interface, that interface is also assigned as the secured interface.


Note: VPNSC allows only one secured interface to be configured for an edge device.


Recovery

The Recovery feature consists of a tool that merges all messages from the four journal files, explained in the "Journaling" section, in the order they are created. The Recovery feature calls functions appropriate for each message of the merged files, in order. The payload of each message is used to set values for the function arguments. This Recovery feature can be used in conjunction with the Restore feature to recover the database in case of data corruption.

Repository Migration from Release 1.x to Release 2.0

If you are using Release 1.x, you must use the Repository Migration Tool to migrate your data from the 1.x schema to the new and extended 2.0 schema.


Caution: For backup purposes, always be sure to make a copy of your Repository before attempting the Repository Migration.

If you have pre-existing 1.x data (except Accounting data from Release 1.1 and before), you must use the Repository Migration Tool immediately after you install the Release 2.0 product.


Note: Accounting data for Releases 1.1 and before cannot be migrated to the new schema for this release.


Secondary Devices

A secondary edge device can be assigned in the same site as the primary device. Secondary devices can be brought up either for loadsharing or in the event that the primary edge device goes down:

You can assign a secondary edge device for loadsharing for all the routing protocol options (Static route, OSPF, RIPv2, and EIGRP), except None.

You can designate a secondary edge device for use only in the event that the designated primary edge device goes down; this is possible only for the None and Static options.

SLA Collection

SLA collection is supported for edge devices in IPsec VPNs.

For information about the new convenience feature that automatically configures SLA probes, see the "IPsec Provisioning SLA Automatic Configuration" section.

For information about the enhanced security features related to SLA collection, see the "SNMPv3 Support" section.

For information about traps configuration for monitoring SLA violations, see the "SLA Traps Configuration" section.

SLA History Data—Raw

SLAs can be configured to record the raw round trip time values in addition to the aggregated statistics. Each time an operation occurs, a new value is kept in a history bucket. The buckets are kept in a rollover table. You need to specify the number of buckets.

All types of SLAs except Jitter and HTTP can be configured to keep the raw history data.

The option to configure an SLA to keep raw data was added to both the Create SLA task (for both MPLS and IPsec) and to the IPsec Provisioning SLA Automatic Configuration feature.

SLA Traps Configuration

SLA traps are used to monitor SLAs in real time. A trap is sent when an SLA is violated either because a connection was lost, a timeout occurred, a delay exceeded the rising threshold value, or a delay fell below the falling threshold value.

The option to configure traps while creating SLAs is in both the Create SLA task (for both MPLS and IPsec) and the IPsec Provisioning SLA Automatic Configuration feature. Traps can be disabled or enabled on existing probes by using new task options under Monitoring > Provision SLA Definitions and Collect SLA Data.


Note: You must configure a device as the trap recipient on the router by using the Command Line Interface (CLI) command: snmp-server host....


SNMPv3 Support

Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management that is supported for SLA data collection.

The SNMPv3 groups and users must be configured on the router and entered into the Repository, through the Edit Target pane. SNMPv3 authentication, with or without encryption, can be performed in any of the SLA tasks by navigating to Monitoring > Provision SLA Definition and Collect SLA Data.

The security features provided in SNMPv3 are:

Message integrity—ensuring that a packet has not been tampered with in-transit

Authentication—determining that the message is from a valid source

Encryption—scrambling the contents of a packet to prevent it from being seen by an unauthorized source.
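
The three protections listed above map onto the security level given on each snmp-server group line of a router configuration. The following is an added example, not Cisco code: it classifies the SNMP lines of a saved configuration file and also checks for the snmp-server host trap recipient required for SLA traps. The function names, the sample configuration, and the policy of treating anything below "priv" as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cisco code): classify the SNMP settings in a saved
# router configuration by the SNMPv3 protections listed above.

# audit_snmp FILE
# Prints one finding per relevant line. Returns 0 when every SNMPv3 group
# uses "priv", no community string is set and a trap recipient exists;
# returns 1 otherwise (example policy, not a VPNSC requirement).
audit_snmp() {
    awk '
    $1 != "snmp-server" { next }
    $2 == "group" && $4 == "v3" {
        if ($5 == "priv") {
            print "OK   group " $3 ": integrity, authentication, encryption"
        } else if ($5 == "auth") {
            print "WARN group " $3 ": integrity and authentication, no encryption"
            bad = 1
        } else {
            print "WARN group " $3 ": no authentication, no encryption"
            bad = 1
        }
    }
    # Never echo the community string itself; it is a shared secret.
    $2 == "community" {
        print "WARN line " NR ": SNMPv1/v2c community string in use"
        bad = 1
    }
    $2 == "host" { hosts++ }
    END {
        if (!hosts) {
            print "WARN no trap recipient (snmp-server host) configured"
            bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample configuration fragment; the host name, group names,
# user name and address are made up for this demonstration.
sample_config() {
    cat <<'EOF'
hostname cpe-demo
snmp-server community demo-string RO
snmp-server group SLAPRIV v3 priv
snmp-server group SLAAUTH v3 auth
snmp-server host 192.0.2.10 version 3 priv slauser
EOF
}

cfg=$(mktemp) && sample_config > "$cfg"
audit_snmp "$cfg" || echo "configuration needs review"
rm -f "$cfg"
```
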

Template Console

This is the first release for which the Template Console GUI is integrated with VPNSC. It is available for the MPLS VPN Solution and the IPsec VPN Solution. It provides you with the ability to manage templates and their associated files, instantiate and download configurations, and associate templates and data files with a Service Request during the service creation process.

To launch the Template Console, from either the MPLS or IPsec menu tool bar, select Tools > Template Console.

Version Console

Version Console is a versioning tool that provides a list of configuration file versions. It also provides the time stamps for when the versions of the configuration file were written to the Repository.

The information gathered from this versioning tool can be used to determine the version to use when exporting configuration files to disk. It can also be used to determine the version to use when using the Download Console to download any version saved on disk, to the router.

System Recommendations

The system recommendations are explained in the following categories:

IPsec VPN Solution System Recommendations

MPLS VPN Solution System Recommendations

Other System Recommendations

IPsec VPN Solution System Recommendations

The following are the system recommendations for the IPsec VPN Solution:

For the workstation recommendations, see Table 1.

Table 1 Workstation Recommendations for IPsec VPN Solution

| Number of CPEs | Workstation | RAM | Disk Space |
|---|---|---|---|
| Up to 500 | Minimum: Ultra™ 60 (1 CPU); For Growth: Enterprise™ 250 (2 CPUs) | 1 GB | Standard hard disk |
| 500 to 1,500 | Minimum: Ultra™ 60 (2 CPUs); For Growth: Enterprise™ 250 (2 CPUs) | 1 GB | Standard hard disk |
| 1,500 to more than 3,000 | Enterprise™ 450 (4 CPUs) | 1 GB | Standard hard disk |


Solaris 2.6 or Solaris 7 with recommended patches.


Note: When you install Solaris 2.6 or Solaris 7, be sure to choose either the Developer System Support or the Entire Distribution software groups. Do not choose the End User System software group. The Developer System Support and Entire Distribution software groups contain the software required for a correct operating system installation (such as the SUNWbtool and SUNWsprot packages).


CD-ROM drive. The product is installed from a CD-ROM.

For IPsec CPEs: Cisco IOS 12.2(1) or later k8 or k9 images.


Note: Hardware encryption is not available in these releases.


MPLS VPN Solution System Recommendations

The following are the system recommendations for the MPLS VPN Solution:

For the workstation recommendations, see Table 2.

Table 2 Workstation Recommendations for MPLS VPN Solution

| Number of CEs | Workstation | RAM | Disk Space |
|---|---|---|---|
| Up to 500 | Minimum: Ultra™ 60 (1 CPU); For Growth: Enterprise™ 250 (2 CPUs) | 1 GB | 20+ GB |
| 500 to 1,500 | Minimum: Ultra™ 60 (2 CPUs); For Growth: Enterprise™ 250 (2 CPUs) | 1 GB | 20+ GB |
| 1,500 to more than 3,000 | Enterprise™ 450 (4 CPUs) | 1 GB | 20+ GB |



Note: The 20+ GB disk space recommendation in Table 2 is only required when NetFlow collection is being used. Otherwise, the standard hard disk that comes with the system is sufficient.


Solaris 2.6 or Solaris 7 with recommended patches.


Note: When you install Solaris 2.6 or Solaris 7, be sure to choose either the Developer System Support or the Entire Distribution software groups. Do not choose the End User System software group. The Developer System Support and Entire Distribution software groups contain the software required for a correct operating system installation (such as the SUNWbtool and SUNWsprot packages).


CD-ROM drive. The product is installed from a CD-ROM.

For NetFlow accounting data, install NetFlow Collector 3.0 on a workstation that is separate from the MPLS VPN Solution workstation. The minimum recommendation for this workstation is an Ultra™ 1 with 256 MB RAM and 20+ GB disk space.


Note: The recommendation is that one NetFlow workstation be located on a LAN connected directly to each PE.


For MPLS PEs: Cisco IOS 12.1(5a)T or later.

For MPLS CEs: Cisco IOS 12.0 or later.

Other System Recommendations

In addition to the IPsec VPN Solution and the MPLS VPN Solution system requirements, a Web Browser is needed. Netscape 4.7 or later is recommended.


Note: The Web Browser is specified during installation and in the csm.properties file.



Caution: Make sure that the file descriptor limit is not set in the VPN Solutions Center workstation login shell file (which can be the .login file, the .cshrc file, or the .kshrc file). If the login shell file contains a line with the ulimit -n command (for example, "ulimit -n <number>"), comment out this command line in the file.

VPN Solutions Center cannot override the file descriptor limitation setting in the login shell file. If the value is set incorrectly, VPN Solutions Center experiences operational problems.
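
The check in the Caution above can be scripted. The following is an added example, not Cisco code: it reports active ulimit -n lines in the three login shell files named above and comments them out, keeping a backup of each file. The function names, the .bak suffix and the sample files are assumptions of this example, and the line matching is a heuristic.

```shell
#!/bin/sh
# Added example (not Cisco code): find and comment out active "ulimit -n"
# lines in the login shell files named in the Caution above.

LOGIN_FILES=".login .cshrc .kshrc"

# awk helper: true when a line sets the descriptor limit and is not
# commented out. Heuristic: matches "ulimit -n", "ulimit -Sn" and
# "ulimit -H -n" used as a command word.
AWK_ACTIVE='
function active_fd_limit(s,    t) {
    if (s ~ /^[ \t]*#/) return 0          # whole line already commented out
    t = s; sub(/#.*/, "", t)              # ignore a trailing comment
    return t ~ /(^|[ \t;&|(])ulimit([ \t]+-[SH])*[ \t]+-[SH]*n/
}'

# find_fd_limit_lines DIR
# Prints "file:line:text" for each active ulimit -n line found in DIR.
# Returns 0 when the files are clean, 1 when at least one line was found.
find_fd_limit_lines() {
    _dir=$1; _rc=0
    for _f in $LOGIN_FILES; do
        [ -f "$_dir/$_f" ] || continue
        _hits=$(awk -v name="$_f" "$AWK_ACTIVE"'
            active_fd_limit($0) { printf "%s:%d:%s\n", name, NR, $0 }' "$_dir/$_f")
        if [ -n "$_hits" ]; then
            printf '%s\n' "$_hits"
            _rc=1
        fi
    done
    return $_rc
}

# comment_out_fd_limit DIR
# Prefixes each active ulimit -n line with "# ", keeping FILE.bak as a backup.
comment_out_fd_limit() {
    _dir=$1
    for _f in $LOGIN_FILES; do
        [ -f "$_dir/$_f" ] || continue
        cp "$_dir/$_f" "$_dir/$_f.bak" || return 1
        awk "$AWK_ACTIVE"'
            active_fd_limit($0) { print "# " $0; next }
            { print }' "$_dir/$_f.bak" > "$_dir/$_f" || return 1
    done
}

# make_sample_home: constructed login files for the demonstration
# (the contents and the path in PATH are made up).
make_sample_home() {
    _home=$(mktemp -d) || return 1
    printf '%s\n' 'setenv EDITOR vi' '# ulimit -n 64' > "$_home/.login"
    printf '%s\n' 'PATH=$PATH:/opt/example/bin' \
        '  ulimit -n 256   # old tuning' 'ulimit -c 0' > "$_home/.kshrc"
    printf '%s\n' "$_home"
}

demo_home=$(make_sample_home)
if find_fd_limit_lines "$demo_home"; then
    echo "no active ulimit -n lines"
else
    comment_out_fd_limit "$demo_home"
    find_fd_limit_lines "$demo_home" && echo "fixed; originals saved as *.bak"
fi
rm -rf "$demo_home"
```
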

Time Zones for NetFlow Collection

For the MPLS VPN Solution Only: Be sure that the time and the time zones for all devices from which data is being collected are synchronized. For NetFlow collection, this means that not only does the MPLS VPN Solution system need to be synchronized to the NetFlow Collector, but that the PE routers must also be set to the same time and time zone. Otherwise, data will not be displayed or will be inaccurately displayed based on the router's time stamp embedded in the data.

Task API Usage: TaskFactory::createGetSLAData() Operation

For this release, use the GUI interface (refer to the section Provision SLA Definitions and Collect SLA Data in the Cisco VPN Solutions Center: MPLS Solution User Reference and the Cisco VPN Solutions Center: IPsec Solution User Reference) to create, collect, and delete Service Level Agreements (SLAs).

MPLS Problems Fixed Since Cisco VPN Solutions Center: MPLS Solution, Release 1.2.1

The problems fixed since Release 1.2.1 are presented numerically in the following categories:

Provisioning

Graphical User Interface

Collection

API

Other.

Provisioning

CSCdp37895 - Provisioning ATM sub-interface > 4096 causes error

CSCdr10909 - Removal of a service request should remove the rate-limit

CSCdr54038 - Modify FR to FR-IETF causes new loopback interface generation on PE

CSCdr69226 - Management VPN creation requires another VPN definition

CSCdr75079 - Management VPN ACL and route map changed when modifying unrelated

CSCdr95038 - PE-CE link for cable maintenance should not allow subinterface

CSCds02029 - Audit failed but the state stays at Pending

CSCds03955 - Service Request can't remove if part of gray, if gray Service Request removed

CSCds06438 - Need audit check for subnet keyword on redistributions for OSPF

CSCds09933 - Service Request goes Invalid when using lower case letter c for cable interface

CSCds11216 - Modification of Service Request to disjoin management VPN is missing command

CSCds32771 - Accept pre-provisioned loopback interface

CSCds35943 - Duplicate IP address on Frame Relay major interface not recognized

CSCds35975 - Frame Relay Service Request download inserts encapsulation HDLC on major interface

CSCds40742 - Cannot provision Grey management

CSCds41565 - Statement "no ip route-cache" incorrectly added to interface

CSCds41847 - Grey management access-list increasing

CSCds50408 - Configlet download error due to non-warning found

CSCds66560 - Hardcoded paths in deploy task log embedded XML

CSCds67439 - Deploying duplicated IP address over ATM interface

CSCdt01890 - Service Request remains pending after audit and invalid route accepted

CSCdt16672 - VpnInvExport1.2 tool core dumps while exporting Repository in XML format

CSCdt19012 - Duplicate IP/Network Address should not be accepted for different VPNs

CSCdt21333 - 2035 error code occurs intermittently when using TGS to upload and download

CSCdt21357 - TGS tcl script has problem reading from socket

CSCdt21370 - TGS download fix to download banner command

CSCdt25911 - Rate limit commands are removed from a subinterface when modifying

CSCdt41901 - Failed deploy when removing Service Request

Graphical User Interface

CSCdm52106 - Schedule window too small in wizard

CSCdm78883 - Tools >Task Logs does not bring browser if not in $PATH

CSCdm85670 - Target retries and timeout entry confusing

CSCdm87862 - Editing a region may remove it from the region listing

CSCdp04528 - Provider Administrative Domain creation failure results in multiple error message windows

CSCdp06525 - Issues with topology - possible hang of vpnconsole

CSCdp13406 - Audit and Provisioning wizards get confused if run simultaneously

CSCdp16093 - Memory for applet limited by browser

CSCdp19726 - Topology opens behind the vpnconsole with some window behaviors

CSCdp22523 - Exception thrown by topology with right mouse click

CSCdp50127 - Vpnconsole window should close when the watchdog goes down

CSCdp54481 - Refresh of Task Manager window does not reread the repository

CSCdp67283 - SLA Connectivity % report/Chart for all > extra character of 1

CSCdp85830 - Topology no longer appears in applet

CSCdp86843 - All VPN topology view is not scalable

CSCdp86936 - The symmetric view of the topology needs to display names better

CSCdp93423 - GUI should not allow multiple selection of customer/network in CAR MIB Reports

CSCdr22854 - Task/deployment log - problem status message

CSCdr51000 - Tab key stopped working after error

CSCdr58069 - Request to change the configlet directory

CSCdr66294 - Java error when hitting space bar in Service Request report

CSCdr92346 - Do not allow spaces in data entry fields of GUI

CSCdr92352 - Cable provision GUI needs to disable CE IP address options

CSCdr92550 - Create works as Edit if the user already exists

CSCdr96786 - Allow OSPF redistribution on CE when OSPF is the selected protocol

CSCds00560 - Inaccurate error msg when creating SLA task through the GUI

CSCds04950 - Pressing Cancel button to cancel topology, still brings up the topology

CSCds12369 - Lose user information when switch to new installation of VPNSC

CSCds21402 - Check box fields lost when moving between screens

CSCds21486 - Reload of browser window loses Show All display

CSCds27182 - VPNSC ability to delete logs segregated by task manager

CSCds42683 - DIPMServer - not setting tftp server and path

CSCds56486 - Multiple SLA deletions fail

CSCds59001 - Space accepted as suffix for Target name

CSCds63395 - VPN Inventory changes not visible in second instance of the GUI

CSCds65683 - Failed downloads through CIPM can succeed when write memory enabled

CSCds74034 - Templating should have no hard coded paths or dependencies

CSCds84609 - CEs are not displayed when selecting customer from the list

CSCdt22963 - Create new target forces entry of terminal server port number

CSCdt30483 - Service Request wizard hangs after confirming with Gigabit Ethernet

Collection

CSCdr15295 - Memory leak in Aggregator Server

CSCdr34322 - Some APIs in DCDirectory module are not supported

CSCdr41598 - Task Log reports wrong status for SA Agent collection task

CSCdr68586 - Vpnconsole displays memory leak, while provisioning

CSCdr90276 - Default retry and timeout value need tuning

CSCds15382 - Exception thrown by accounting report with no data present

CSCds63940 - SLA Data Collection Timing in VPNSC

CSCds71756 - New option to enable / disable SLA traps

CSCds78000 - Configuring the SLA to keep raw history data (History)

CSCds81591 - JRUN problem with Exec Command tool

CSCds89632 - Make ToS label configurable in SLA reporting

API

CSCdp22355 - CiscoAcctMonitor: Need to clean up IDL files

CSCdp96865 - createImportRouterConfigTask() check dirPath & network validation

CSCdp97442 - Task server should do range checking for hr, min, and sec

CSCdr68089 - CiscoEventGateway.idl: IDL Code is not CORBA compliant

CSCdr75731 - Non-CORBA compliant struct in CiscoSlaMonitor.idl file

CSCdr92324 - ServiceProvider1_grey_mgmt_vpn should not be allowed to create VPNs

CSCds00434 - Non-synchronized behavior of GUI and API for SLA Task creation

CSCds08139 - VpnInvImport should give proper error message when required data is missing

CSCds10071 - VpnInvImport is not working when InterfaceType is set to Cable

CSCds11962 - VpnInvImport does not import VRFDef for Grey-Management VPN

CSCds16296 - VpnInvMgr::removePEFromRep() failed to remove PE target

CSCds53617 - VpnInvMgr::findIPsecSRByID() should be supported

CSCds57058 - Want to add API to return VPNSC version number

CSCdt10382 - Need API to return Service Request state history

CSCdt11613 - EventGateway C++ client using bind not working

Other

CSCds63298 - CERC definitions cannot be edited

CSCdt03447 - Not accepting 0.0.0.0/0 for static routes

IPsec Known Problems in Cisco VPN Solutions Center, Release 2.0

The known problems in Release 2.0 are presented numerically in the following categories:

Installation

Provisioning

Graphical User Interface

Collection

API

Other

Installation

CSCdt78240 - Install not up to date with Solaris Patches for 2.6
The Installer is not up to date with Solaris 2.6 Patch releases. When installing a monolithic patch upgrade, the installer says that there is a patch that is required that is missing. The missing patch is actually included under a different patch number from Sun in the 2.6 Recommended patch. What we are looking for and the latest numbers from Sun do not match.

Workaround: Select yes to advance the installation. Note: You would not know if this was the correct action to take. You might conclude that a required part of the system was not updated when in fact it had been updated by installation of a patch with another number.

Provisioning

CSCdt17650 - With static route, the secondary will not get activated if the primary fails
Steps to Reproduce the problem:

(1) Topology:

ence12 ------------ ence143
   |
   |------------ ence124 (secondary)

(2) Create a Service Request with two devices: ence12 and ence143. Add the device: ence124 as secondary for device ence143. Select the routing protocol as Static. Deploy the Service Request.

When the Service Request is deployed in ence, two tunnels are created; one tunnel is created to ence143 (primary) and one tunnel is created to ence124 (secondary). There are also two static routes pointing to the same network behind ence143 and ence124 (say 20.0.0.0):

1. One static route to 20.0.0.0 through tunnel 0 (primary).

2. A second route to 20.0.0.0 through tunnel 1 with an admin distance of 10 (secondary).

The show ip route command shows only the primary route, which is through tunnel 0.

When the primary goes down, the Generic Routing Encapsulation (GRE) tunnel does not get any update about the primary failure, so the primary route never goes down and the secondary route never gets activated. This problem occurs because there is no keepalive mechanism between the GRE tunnel interfaces.

Workaround: The only way to make the secondary route active is to manually go to each device and do one of the following: delete the primary route, delete the primary tunnel interface, or make the admin distance of the primary a greater value than the secondary.

CSCdt17752 - Removing a nonsecure interface does not remove the prefix
This is a limitation of the current Service Model. When a nonsecure interface or prefix is deleted, the provisioning engine does not see the deleted interfaces/prefixes; instead, it sees only the existing interfaces/prefixes of an edge device.

Workaround: Remove the edge device from the Service Request, subsume the Service Request, and deploy it. Next, add the same edge device back to the Service Request, subsume the Service Request, and deploy it.

CSCdt18749 - Ingress Access Control List not removed when device is removed from VPN/Service Request
This happens only when 'no internet access' is chosen as the extended services option. When a node (CPE) is removed from a Service Request, you decommission the IPsec service from that removed node (CPE). While decommissioning, you remove all IPsec related configurations, except an Ingress ACL that contains the following standard Access Control Entries (filters): permit secure traffic—this includes AH, ESP, and ISAKMP; permit management traffic—this includes an access control entry for each protocol mentioned as the element: netsys.provisioning.ingressAclProtoList in the csm.properties file.

CSCdt24007 - Decommission not removing all in partial mesh topology
When a node is removed from a Service Request, VPNSC removes tunnel-specific configuration information from both the nodes (the node being removed and its peer), such as crypto ACL, crypto map entry, and pre-shared key; and optionally GRE tunnel and static routes (if routing over VPN is configured using Static Routes). Next, VPNSC checks to see if there are any more crypto map entries with VPNSC signatures on the router. If any entry exists, decommissioning stops. Otherwise, VPNSC removes all IPsec configurations relating to VPNSC from the respective node.

In this example, the common device was touched by two Service Requests. In other words, there are crypto map entries from two Service Requests (SR1 and SR2) that are present on the router. When one Service Request (SR2) is decommissioned, the crypto map entry list is non-empty and hence this behavior.

Thus, VPNSC does not remove IPsec configuration information from a router that it thinks is in-use by other Service Requests.

CSCdt29303 - VPNSC overwrites if tunnel exists with same source and destination
By design, VPNSC re-uses any existing GRE tunnel on the router that has the same source and destination as the tunnel generated by VPNSC. This may result in a corner case bug if a GRE tunnel is being used by customers to exchange clear traffic between VPN sites. With VPNSC re-using the same GRE tunnel, that traffic will go out secure instead of in the clear.

CSCdt32750 - Remote TGS does not work using TGS_TFTP mode through terminal server
When the router connection is through a terminal server and TGS_TFTP is used as the download mechanism, intermittently the following problem occurs:

1. The download task fails with error 2007 return code. Unable to configure element. Check TFTP Server connection and TFTP directory write permission.

2. The download task hangs for a long time (~30 minutes) and Multi-Telnet Gateway Server may retry if an alternate remote TGS is available.

The problem seems to appear only when TFTP is used and the connection to the router is through the terminal server.

Workaround: Connect directly to the router rather than through the terminal server when using TFTP. That is, remove association to the terminal server for the router, when the mode is TFTP.

CSCdt34070 - Ingress Access Control List (ACL) not removed after a single Service Request modification
When setting the netsys.provisioning.routingprotocol attribute in the csm.properties file to allow routing protocol updates through the secured interface, it is possible that the ingress Access List and the reference to the ingress Access List in the secured interface will not be removed when decommissioning a Service Request that was modified.

Workaround: Use the Template console to remove the ingress Access List and references to it, or manually remove them.

CSCdt38428 - Multi-TGS fail download with 2006 randomly in Download Console
Intermittently, SSH times out with the return code 2006. SSH generates temporary keys, and generating them takes some time.

Workaround: Try setting the mode to Telnet. If the mode must be SSH, then increase the timeout attribute netsys.tgs.opTimeout in the csm.properties file. The default is 1200, so increase this to 2400 to give more time to generate these keys without a timeout.

CSCdt39020 - GUI allows devices with no physical Secure Interface in Service Request

In the GUI, if you select a loopback interface for a Tunnel End Point, that same loopback interface also appears as a Secure Interface in the IPsec interfaces window. This makes it possible to add this device to a Service Request even though a physical interface is not defined as a Secure Interface, resulting in an incorrectly commissioned service. You are expected to select at least one physical interface as Secure Interface.

Workaround: Confirm that at least one physical interface is defined as a Secure Interface in the IPsec interfaces window before adding that device to a Service Request.

CSCdt39648 - OSPF network statement not removed from an Area Border Router (ABR) when a Service Request is decommissioned

A CPE that functions as an OSPF ABR is touched by more than one Service Request. Decommissioning of one of the Service Requests will not remove the corresponding network/area statement from the OSPF command in the ABR CPE. Also, from within a Service Request, if the OSPF ABR CPE is removed, the network/area corresponding to that Service Request will not be removed from the ABR CPE.

VPNSC deals at a Service Request level and not at an Inter-Service Request level. In other words, VPNSC does not remove the network/area statement from an ABR CPE simply because it is possible for that network/area statement to be in use by other Service Requests and there is no deterministic way for VPNSC to know whether that network/area statement is indeed in use.

On the contrary, when the last Service Request touching the ABR CPE is decommissioned, VPNSC will remove the network/area statement corresponding to the last Service Request, as it knows for a fact that there are no more Service Requests touching the ABR CPE. This it ascertains from the fact that there are no more VPNSC signatured Crypto Map Entries left on the router.

When all Service Requests touching the ABR CPE have been decommissioned, the network/area statements of all Service Requests, except the last to be decommissioned, will be left in the OSPF command of the ABR CPE.

Workaround: You can remove the network statement by hand or use a template to do so. Such a network statement should not affect the operation of the VPN.
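The decommissioning rule described under CSCdt24007 and CSCdt39648, as an added Python model that is not VPNSC code. Class, field and device names and the OSPF statements are constructed; the rule itself is taken only from the text of these notes.

```python
"""Toy model of the decommissioning behaviour described in CSCdt24007 and
CSCdt39648. All class, field and sample names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    # Crypto map entries carrying a VPNSC signature, keyed by Service Request.
    crypto_map_entries: dict = field(default_factory=dict)   # sr -> set of peers
    # OSPF network/area statements added per Service Request (ABR CPE case).
    ospf_statements: dict = field(default_factory=dict)      # sr -> statement
    # Device-wide IPsec configuration shared by every Service Request.
    shared_ipsec_config: bool = False

    def commission(self, sr, peers, ospf_statement=None):
        self.crypto_map_entries[sr] = set(peers)
        self.shared_ipsec_config = True
        if ospf_statement:
            self.ospf_statements[sr] = ospf_statement

    def decommission(self, sr):
        """Apply the two-step rule from the notes; return what was removed."""
        removed = []
        # Step 1: tunnel-specific configuration of this Service Request goes.
        if self.crypto_map_entries.pop(sr, None) is not None:
            removed.append(f"tunnel config of {sr}")
        # Step 2: any signed crypto map entry left means the router is
        # treated as in use, and decommissioning stops here.
        if self.crypto_map_entries:
            return removed
        # Last Service Request: shared IPsec configuration is removed, along
        # with the OSPF statement of this Service Request only.
        if self.shared_ipsec_config:
            self.shared_ipsec_config = False
            removed.append("shared IPsec config")
        if sr in self.ospf_statements:
            removed.append(self.ospf_statements.pop(sr))
        return removed

    def residue(self):
        """Configuration still on the device that no Service Request owns."""
        live = set(self.crypto_map_entries)
        left = [stmt for sr, stmt in sorted(self.ospf_statements.items())
                if sr not in live]
        if self.shared_ipsec_config and not live:
            left.append("shared IPsec config")
        return left


def run_scenario():
    abr = Router("abr-cpe")   # constructed device name
    abr.commission("SR1", ["site-a"], "network 10.1.0.0 0.0.255.255 area 1")
    abr.commission("SR2", ["site-b"], "network 10.2.0.0 0.0.255.255 area 2")
    first = abr.decommission("SR2")    # SR1 still present: stops after step 1
    after_first = abr.residue()
    second = abr.decommission("SR1")   # last one: cleanup covers SR1 only
    return first, after_first, second, abr.residue()


if __name__ == "__main__":
    for label, value in zip(
        ("removed with SR2", "residue after SR2", "removed with SR1", "final residue"),
        run_scenario(),
    ):
        print(f"{label}: {value}")
```

The final residue is the list to check for on the ABR CPE after the last Service Request is decommissioned.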

CSCdt39793 - Download through Terminal Server success/failure not consistent with SSH
This situation occurs when you have a router associated with a terminal server and in the vpnconsole target for the terminal server, you do not enter an IP address. However, this may work even if you do not enter an IP address for the terminal server, if the terminal server has in its running configuration file:

ip host <TERM_SRVR_NAME> <IP_ADDR_OF_TERM_SRVR>

The better way to handle this is not to make any assumption about what is on the terminal server configuration, and resolve this by adding an IP address to the terminal server in the vpnconsole target editor.

An IP address is never required if the router is accessed directly without using a terminal server.

CSCdt39832 - Unknown status for Secondary status when Service Request is under the Requested state
If you create an IPsec Service Request through an API under the Requested state and open the Tunnel Detail Report window to verify everything, an error is shown for the Secondary device's state. The report highlights the line in yellow and says "State: Unknown" for the Secondary endpoint #1.

This is a GUI problem.

Workaround: The secondary endpoint state should be the same as the primary endpoint state. Such a problem should not affect provisioning.

CSCdt40507 - Reschedule of existing audit task fails
When rescheduling an existing audit task (audit all Service Requests with just-in-time), the task logs show that the auditor is not running. This is due to the fact that the auditor is being attempted on a subsumed Service Request. When one Service Request has been modified and is in Pending state and another Service Request, which was new, was just moved from Requested to Pending state, the audit did not run on either Service Request. The error in the task log only references a problem with the Service Request that has subsumed Service Requests associated with it. Both Service Requests remain in the Pending state.

Workaround: When any Service Request in the VPN or when any Customer is modified, and you want to audit all Service Requests in that VPN or Customer, delete the audit all task and re-create one.

CSCdt44915 - Service Request can be Deployed with same Protected IP address as Secured Tunnel
The Service Request allows the use of the same IP address for different secured interfaces.

Workaround: Do not use the same IP address for the provider facing secured interfaces.

CSCdt46676 - MTGS download failed with CORBA Exception when stop remote TGSs
When multiple remote TGSs are used, if remote TGSs were stopped during massive download, one or two device downloads may fail with the error message, "CORBA General Exception Generated while contacting MTGS/TGS".

Workaround: Do not bring down remote TGSs during download, that is, before the outstanding tasks are completed. If the network or remote servers are so unstable that the remote TGSs can get disconnected often, use single TGS or no more than one remote TGS.

CSCdt47094 - Error message of empty pre-shared key when provisioning a hub-and-spoke Service Request
An IPsec Service Request fails to change the status from Requested to Pending/Audit if it has specific preshared key settings for specific tunnels in this IPsec Service Request.

Workaround: Create a hub-and-spoke IPsec Service Request with a default value for the tunnel's key.

CSCdt53003 - Removing device from Service Request with secondary device does not remove secondary tunnels
For an IPsec Service Request that has a secondary device associated with it, removing the device from the Service Request will not remove the tunnel configuration on the secondary device.

Workaround: To remove the tunnels from a secondary device, either use the template console or manually modify the configuration.

CSCdt54077 - Auditing task steps differ between task manager and hierarchy tree invocation
An audit task can be scheduled from the hierarchy tree or from the task manager. The process of setting up the task differs in these two cases.

Workaround: The proper way to run an audit is from the hierarchy tree, by right clicking on the VPN and selecting Audit Service Requests.

Graphical User Interface

CSCdm19511 - Vpnconsole hangs with fast <return> keystrokes
In some cases in the vpnconsole, typing in quick successive Return keystrokes in text fields causes the vpnconsole to hang.

Workaround: Restart the vpnconsole.

CSCdm59399 - Vpnconsole windows have bad sizing behavior under X emulators
The vpnconsole has shown bad sizing behavior when used with X emulators, such as XVision on Windows, NCD Xterminals, and Reflection X.

Workaround: Resize the windows manually (if possible) or display to a Solaris workstation's display.

CSCdm59856 - Icons may not be displayed in topology
When using the topology, sometimes the icons may not display immediately.

Workaround: Close the topology and reopen it.

CSCdm65063 - Inconsistent behavior of modal windows in vpnconsole
The vpnconsole window handling is inconsistent. For most modal windows, if an attempt is made to click outside the window, an audible beep indicates that this is not allowed. However, if a nonmodal window is displayed and a modal window is then opened, it is possible to click on the nonmodal window and hear no beep.

Workaround: None

CSCdm80371 - Cursor does not appear in editable fields when using OpenLook Window Manager (olwm)
When using the olwm, the cursor does not appear in text fields in the vpnconsole.

Workaround: Change window manager to CDE.

CSCdp04969 - Default route disappears when modifying a Service Request
A problem occurs when modifying a Service Request that is using Static routing between a PE and CE. The default route specified in the original Service Request is no longer displayed.

Workaround: Re-add the default route (0.0.0.0).

CSCdp19379 - Vpnconsole hangs during refresh of Task Manager window
The vpnconsole can hang when using the Task Manager window. If this happens, you can start a new vpnconsole process.

Workaround: To avoid this problem entirely, use the drop-down menus from the menu task bar to start tasks instead of using the Task Manager.

CSCdp25127 - Xclipboard functionality limited
There is currently no way to copy text out of a VPNSC window and paste it into another Xclient window using mouse-based copy and paste. The Sun keyboard Copy and Paste keys appear to work for certain windows but not globally.

Workaround: None

CSCdp33118 - Double-click on chart pops up report
Double-clicking on a chart brings the report forward and covers the chart.

Workaround: None. Does not hurt the operation.

CSCdr17172 - Task logs not being deleted from tmp directory
Logs are not deleted from the vpn/tmp directory according to schedule.

Workaround: Leave default configuration for csm.properties file as true, to clean up log files.

CSCdr33852 - Color coded list of Service Requests
Service Request status in the Service Request list report should be color-coordinated.

Workaround: This is an enhancement request. Service Request status is currently visible in text form in the Service Request list (that is, no information is missing). The request is to have better visuals.

CSCdr68917 - Tab key does not highlight the target field
On both the General and Passwords panels of the Edit Multiple Targets panel, when you tab to the check boxes in front of each choice, there is no highlighted blue underline box like other click boxes such as OK and Cancel have. It looks like the cursor has disappeared. When you tab to a check box, the box should be highlighted/dimmed/underlined and so on, to show that the cursor is positioned at the box.

Workaround: None

CSCdr76434 - Resizing some router chooser windows becomes unusable
If the target chooser window is resized, the table size becomes too small and in some cases it might become unusable.

Workaround: Resize the target chooser window to a bigger size until the table size is restored to its original size.

CSCdr92734 - PE-CE provision screen accepts different IP network addresses
When creating PE-CE links, the GUI allows the PE and CE IP addresses to be in different networks.

Workaround: None

CSCdr97462 - Multiple user feature compounds data report memory leak
A vpnconsole uses large amounts of memory, especially when displaying large reports. There is also a memory leak with some reports. When multiple users concurrently run vpnconsoles from the same machine, this memory problem multiplies.

Workaround: Avoid opening large reports and running multiple vpnconsoles concurrently.

CSCds13047 - Service Request Audit Report window should avoid links to non-existing reports
The Service Request Audit Report window creates links to non-existing target files for accessing the audit reports.

Workaround: None

CSCds59838 - Application hangs when opening Task manager window with 30+ tasks
GUI hangs when trying to open the Task Manager window.

Workaround: Reboot the vpnconsole.

CSCds77244 - Special characters are being allowed as the first character
If you enter an invalid character past the first position and then delete characters until the invalid character is the first character, invalid characters can be entered into the first character position for Customer, Site, VPN, and other names.

Workaround: The first character of the name may only contain alphabetic characters. Do not enter a nonalphabetic character past the first position and then delete until it is in the first position.

CSCds80652 - Show Topology should be greyed out when there is no topology to display
Show Topology should be greyed out when there is no topology to display. When there are no VPNs and there is no topology to display, the Show Topology option should be greyed out.

Workaround: No workaround required. If there is no topology, a blank screen is displayed.

CSCds85924 - GUI accepts nonprintable characters
The GUI allows copy and paste of non-printable characters like new-line or Carriage-Return, under some circumstances.

Workaround: None, except taking special care of how import text is created.

CSCdt03521 - Task Log shows extra lines than the actual log file
Task Log Stdout/Stderr has extra lines that are not in the original log file.

CSCdt04666 - Vpnconsole will not restart after Repository is restored
Workaround: Stop watchdog and kill the orbixd process. Restart Orbix, watchdog, and vpnconsole.

CSCdt05079 - Numeral is being allowed as the starting character in target name
GUI allowed entry of a number as the first character of a target name. This is not allowed in the Repository. GUI now does not allow a number to be entered as the first character. There is still a problem when adding targets through setup.

Workaround: Do not enter a numeral as the first character in a target name.

CSCdt10571 - Topology not proper with secondary
The topology display of IPsec VPNs does not correctly show secondary edge devices.

Workaround: None

CSCdt16925 - Delete Confirmation window message needs customization for IPsec
While trying to purge all the closed service requests, the 'Delete Confirmation' window appears and asks you to confirm. Because a VPN can have more than one Service Request, selection of the Service Request for closing is also important.

Workaround: Highlight the Service Request to be closed.

CSCdt17722 - Edit Edge device window > IPsec interface > Cancel button saves changes
Pressing any of the buttons on the IPsec Interfaces screen (such as, Make Secure, Make Nonsecured) commits the action to the repository.

Workaround: The Cancel button does not roll back the changes; you must manually roll back any inadvertent changes.

CSCdt20166 - Vpnconsole core dumps when exiting watchdog first
Stopping the watchdog before exiting VPNSC will cause an exception.

Workaround: Do not close the watchdog before exiting VPNSC.

CSCdt20544 - Unable to read print result in Service Request history report
Printout from Service Request report text is too small.

Workaround: None

CSCdt25940 - Only one right click menu option available, after Service Request creation
The right mouse click edit menu options for a new Service Request are not available.

Workaround: Access edit menu options from the Actions menu.

CSCdt27798 - With multiple proposal showing duplicate proposals when opens
When you press the Add button in the Policy Editor multiple times without actually editing the proposals and press the OK button, all proposals are saved unedited. To make the fields unique, you need to double-click the field and either select from the pull-down or type in data. Performance may be affected if you have duplicate proposals.

Workaround: Select the duplicate proposals and delete them using the Delete button.

CSCdt28386 - Interface can not remove after purged Service Request
You cannot remove an interface from an edge device, even after the Service Request that referenced the interface has been purged.

Workaround: Delete and re-add the edge device after purging the Service Request.

CSCdt28519 - Service state in the GUI is not updating
Closing a Service Request while in the middle of deploying that Service Request only sets the state to Closed for a short time, and then resets the state when the deploy completes.

Workaround: Close the Service Request once the deploy has completed.

CSCdt28736 - Cannot cancel edits of individual Service Requests when making multiple edits
In the VPN Editor window, when making changes to multiple Service Requests, selecting an individual Service Request and pressing the Cancel button cancels all of the edits and closes the window.

Workaround: This works as designed. You should be aware that pressing the Cancel button will cancel all changes made.

CSCdt28826 - Unavailable item should be greyed out to prevent performing actions
It is currently possible to select Deploy Service Request on the VPN Editor screen while that Service Request is currently being deployed.

Workaround: Do not attempt to deploy a Service Request that is currently being deployed.

CSCdt28933 - Caught exception after delete Nonsecure interface
You cannot delete an interface from an edge device that is part of an active service request. When you try to do this, a database error/exception is thrown. The database error is not being translated into user-friendly text.

Workaround: If you need to remove one of these interfaces, you must first close the Service Request that the edge device is part of, then purge the Service Request. The edge device can now be updated, because it is not part of a Service Request. Now re-create the Service Request.

CSCdt31773 - Right click menu popup is based on mouse position not object already selected in tree
Tree popup menus are associated with the current mouse position, not the selected tree item.

For example: Under the Customers tab, expand the VPN Customers. Select (highlight) a customer. Move the mouse to be over another customer, and right click. The popup menu is actually for the current mouse customer. If you add a new site, that site will be added not to the currently selected customer, but to the customer associated with the mouse position. If you try to delete the customer, you will not delete the selected customer, but the customer associated with the mouse position. This problem exists not just with customers. It is pervasive throughout the tree.

Workaround: You need to position the mouse on the selected tree item before bringing up the menu (right clicking).

CSCdt33880 - Error and Exception while evaluating a port number
Edit fields do not prevent you from entering invalid characters and/or ranges.

Workaround: Enter the proper range/characters.

CSCdt34496 - Unable to attach a template when decommissioning a Service Request
You can not attach a template to a device when decommissioning the service request.

Workaround: First you must attach a negate template to the service request and then deploy it. Then you can decommission the service request.

CSCdt35956 - The edge device should not disappear from the GUI hierarchical tree view
VPNSC indicates that an item has been deleted from the hierarchical tree when actually it cannot be deleted because of another reason, but the tree removes the item anyway.

Workaround: Use refresh to bring back the item.

CSCdt36889 - Incorrect error message displayed for the Service Request history report
On a rare instance, an Exception was encountered while trying to display the History Report for a Service Request. The displayed error message was incorrect.

Workaround: None

CSCdt37428 - Edit IP address is not functioning well
If you attempt to edit an IP Address that is found to be an interface, the IP Address is saved as 0.0.0.0. IP Address interfaces are not allowed to be edited.

Workaround: If an IP address is changed to 0.0.0.0, it can be added correctly with the Add button. You can edit other IP addresses that have been added.

CSCdt38618 - Not recognizing update of location information
Some editors in VPNSC do not recognize when a page is "dirty" and the changes need to be saved. Because of this, no warning message is issued if the editor is closed without saving the information first.

Workaround: Make sure to press the OK button to save any changes made.

CSCdt40913 - Removing secondary device from a Service Request not provisioning the device
When a secondary edge device is removed from a deployed Service Request, the corresponding secondary end-point is removed from the Repository. At the time of provisioning, the provisioning filter sees only those tunnels that belong to primary edge devices and those have already been deployed. As there is nothing in the Repository indicating the removal of the secondary end-point, provisioning does not get to see anything pertaining to the removed secondary end-point and so provisioning does not do anything to the secondary edge device. The result is: IPsec service is not decommissioned from the secondary edge device.

Workaround: Remove the primary edge device from the Service Request. Deploy the subsumed Service Request. This results in IPsec service getting decommissioned from both a primary edge device and its corresponding secondary edge devices. Next, re-add the primary edge device back to the subsumed Service Request, this time without any secondary edge devices. Deploy the new Service Request. This results in the primary edge device getting commissioned with IPsec service.

CSCdt43815 - Exception on making an interface with no IP address Secure/nonsecure
On rare occasions, an interface with No IP Address can be made available for selection as a secured or nonsecured interface in the Edge Device Editor. If you try to select one of these interfaces, an exception occurs.

Workaround: Interfaces with No IP Address should not be selected as Secured or NonSecured.

CSCdt44064 - When selecting policy, Service Request gets subsumed
If you select the Policy drop-down from the table in the VPN Editor for an existing Service Request, but do not actually change the existing Policy selection, and then hit the Apply button, the existing service request will be subsumed. If you then deploy this new service request, a configlet is generated and sent to the devices associated with the service request.

Workaround: Be careful to ensure the service request is actually changed (that is, by changing the Policy from Gold to Silver) before hitting the Apply button to subsume an existing service request. Otherwise, click the Cancel button.

CSCdt44551 - Unique name is not generated for a new data file in a folder
When you create a data file folder for a template, the defaults provided are not unique names.

Workaround: When saving the file, specify a unique name.

CSCdt45432 - Import Templates needs to verify permissions errors
No objects appear in the tree view after the import feature for Template files is utilized.

Workaround: Verify that there is enough disk space available to support a copy command, and verify that the permissions of the files you are importing are set correctly.

CSCdt46034 - Template Console does not refresh after configuration file deletion
After deleting a configuration file from the Template Console, the GUI might appear to be hung.

Workaround: Select another menu item from the tree view; right mouse click; and select open. The GUI refreshes when the selection is opened.

CSCdt46923 - Default mask is out of range of protected IP address range
While editing the IP address in the protected IP address panel of the edge device, the IP address editor may not accept masks greater than 29.

Workaround: None

CSCdt48049 - Error occurs while trying to copy and paste license key
Copying a license from an xterm window and pasting it into VPNSC may not work. The reason for this is that Motif does not automatically copy the selected text into the system clipboard.

Workaround: An explicit Copy operation has to be performed to copy the selected text into the system clipboard. Once the text is in the system clipboard, VPNSC is able to paste the text into the license key text field.

CSCdt52679 - Exception when opening History Report for a Service Request in Requested state
Exception when opening a History Report for a Service Request that is in Requested state.

Workaround: Open a History Report after the deployment of the Service Request only.

CSCdt66303 - Edit Management Interface option in target editor not working
When editing a Management Interface in the IP addresses tab of the Edit Target window, unchecking the Management checkbox does not work. The operation appears to be successful in the GUI, but the update is not stored in the repository.

Workaround: Delete the interface that was selected as the Management Interface and, if required, manually add that same IP address without selecting the Management Interface option. This will allow the selection of another interface or IP address as the Management Interface.

CSCdt67365 - Problem occurs when creating an IPsec Service Request in full mesh topology with more than 35 edge devices
This problem only occurs for full mesh topology, when you set up more than 35 edge devices.

Workaround: Contact TAC for the fix.

CSCdt69260 - IP addresses not updated after collecting configuration files
Configuration files are parsed for their IP addresses during setup. When collecting from live routers, this parsing process for different IP addresses does not take place.

Workaround: Navigate and execute Monitoring > Configure Traps > Populate Interface Information for Cisco Router Targets or manually add the IP addresses in the target window.

CSCdt74465 - Creation of targets based on configuration file import may fail in part when more than 100 configuration files are imported
Targets are created in the VPNSC Repository without error. However, the error occurs when extracting passwords from configuration files. This problem is of importance only when the configuration file contains clear text or a hidden password (reversible encryption). When using one-way encryption (irreversible encryption), the target editor must be used to manually set the passwords anyway.

Workaround: Use the target editor to manually set the passwords.

CSCdt80545 - VPNSC GUI takes a long time to initialize with a large repository
When you have a large repository, the initialization of the GUI can be extremely slow.

Workaround: None

CSCdt80557 - Tunnel node in VPNSC console tree not scalable
The listing of specific tunnels in the VPNSC console tree does not scale.

Workaround: Access this information through Provisioning > List All Service Requests.

CSCdt81382 - Vpnconsole will not start
With large repositories, the VPNSC console can receive an Out Of Memory Error when starting.

Workaround: Add more memory to the host and/or modify the execjava.sh script to modify the initial and maximum Java heap size.

Collection

CSCdp54370 - No support to bypass the login password field
The collection engine requires the router to be configured with a login password. The collection will fail if the router is configured to bypass login.

Workaround: Configure the router to require a password to login.

CSCdp66724 - Self-monitoring tool Dataset.Server, causing Java memory leak
Self-monitoring tool does not contain current data or it appears to stop updating.

Workaround: From the terminal window that launched the Watchdog, type: wdclient restart dataset.server.

CSCds77876 - EventGateway exception when watchdog started for the second time
Sequence of events: 1) install VPNSC; 2) start orbixd and the watchdog—no problems during this startup; 3) stop the watchdog; 4) start the watchdog again -- this is when the EventGateway exception occurs (the watchdog reports that it is unable to register itself); 5) stop the watchdog, then kill orbixd; 6) start orbixd and the watchdog—no problems during this startup, as well as all subsequent ones.

Workaround: None

CSCdt36291 - No error message is generated when a delete SLA task is run with no such probes existing
If SLA probes have already been deleted, scheduling to delete them again does not give an error message.

CSCdt36449 - Repeatedly create new probes on the router with each SLA collection
When executing SLA Collection tasks in SNMPv3 (in either authentication no encryption or authentication and encryption mode) when the router contains probes with configured history data, sometimes new SA Agent probes are created.

Workaround: Use SNMPv2 (in no authentication no encryption mode) for SLA collection, or configure probes without history data.

CSCdt44821 - Register/Deregister for traps task continues in running state
Register/Deregister for Traps task does not complete, and the status remains running in the Task Logs.

Workaround: Look in the Log itself to check for which devices the task failed and why.

CSCdt44834 - Selective Dataset Purge does not work correctly
You may not be able to delete certain datasets from the Repository with the Selective Dataset Purge tool.

Workaround: None

CSCdt47930 - Deselecting Management Interface deletes IP address of target
Unselecting an interface to no longer be Managed in the Edit Target window causes the IP address to revert to 0.0.0.0.

Workaround: Run Populate MIB Interface task to repopulate interface addresses.

CSCdt57264 - Tasks will not finish because of memory leak
When you schedule multiple tasks to run hourly, the scheduled tasks remain in the running state and never finish.

Workaround: Stop the watchdog and restart.

CSCdt62470 - Time synchronization problem for SA Agent probes and VPNSC data collection
VPNSC needs to have the capability of time synchronizing the SA Agent probes. If a router goes down and comes back up again, the router will not have filled its data bucket by the next time VPNSC comes around and performs a data collection. VPNSC will not pick up the data from the router that reloaded because the bucket was not full. The next time VPNSC does the data collection, and the router bucket is full, the time information will be out of synchronization.

Workaround: None

CSCdt78548 - WDGUI hangs after several minutes on screen and becomes a ghost
WDGUI hangs after several minutes on the screen. It then becomes a ghost process and cannot be closed or killed. This occurs on the console of the machine where VPNSC is installed and on remote clients; both Sun workstations and HP machines running Reflection X.

Workaround: None

API

CSCds56378 - VsmInterfaceEncapsulation.Unknown_Encap is not recognized by system
VsmSecuredInterfaceCreator::setInterfaceEncapsulation(VsmInterfaceEncapsulation encap) —The system dumps an error message (116 errMessage) when the input parameter is given as the following value: VsmInterfaceEncapsulation.Unknown_Encap

Workaround: None

CSCdt19300 - No persistent task created when CPE is auto-sla probe creation enabled
When CiscoVsmFWIPsecCreator::VsmEdgeDeviceCreator.setAutoSLAProbeCreation(true) is set, a persistent task for SLA probe creation should have been created for the Edge Device. This is not yet implemented in CORBA API.

Workaround: None

CSCdt33737 - setFirewallACLGenerated/setInternetAccessType should be combined
setFirewallAclGenerated() and setInternetAccessType() are provided to indicate the level of extended service. However, a valid Service Request only allows the following combinations on FirewallACL and InternetAccessType:

setFirewallAclGenerated   InternetAccessType   Extended Service
True                      True                 Internet Access
True                      False                No Internet
False                     False                Ignore

If you do not set one of the combinations listed above, an exception is thrown.

Workaround: None

CSCdt34010 - VpnInvExport:setSRState has unwanted values
VpnInvExport::setSRState has unwanted Service Request states. The DTD in the case of the Export tool consists of certain states (namely broken and functional) to which an IPsec Service Request will never transition.

Workaround: None

CSCdt44849 - VpnInvImport makes two entries for same Protected Ip Address Range
VpnInvImport makes duplicate entries in the Protected IP Address Range list.

Workaround: After Import, delete the duplicated entry of the Protected IP Address Range.

CSCdt44880 - VpnInvImport is not importing password details of the devices
VpnInvImport is not importing the password details of the devices in IPsec mode.

Workaround: Define the passwords for all the imported devices before performing tasks like collect configuration, deployment of the Service Request, and so on.

CSCdt44896 - Exception when importing IPsec Repository into the initialized Repository
Exception when importing IPsec Repository into the initialized Repository.

Workaround: Import into the Empty Repository, not into the initialized Repository.

CSCdt44947 - VpnInvExport does not support Secondary Edge Device
VpnInvExport tool does not support Secondary Edge Device.

Workaround: Define the Secondary Edge Device after Importing.

CSCdt44957 - Hub CPE become Spoke during Export-Import
Hub becomes spoke when performing the Export-Import procedure.

Workaround: In the imported Repository, update the Service Request by checking the Is Hub check box before using the Service Request.

CSCdt52477 - API incorrectly allows routing protocol to change to existing IPsec Service Requests in limited cases
You should not be able to change the routing protocol of an existing IPsec Service Request. This is not allowed in the GUI, but can be changed by using one of the following APIs: noRouting; Static; RIPv2.

Workaround: None

CSCdt56862 - Customer object should not be allowed to be removed if VPN/Policy is associated
A Customer object can be deleted even if IPsecVPN objects are associated with it. This causes an error later when the IPsecVPN objects are deleted.

Workaround: Make sure all IPsec VPN objects are deleted first before removing a Customer object.

CSCdt57994 - Import from remote host is not going through
Error when importing an XML file from the remote host.

Workaround: None

CSCdt67365 - Problem occurs when creating an IPsec Service Request in full mesh topology with more than 35 edge devices
This problem only occurs for full mesh topology, when you set up more than 35 edge devices.

Workaround: Contact TAC for the fix.

CSCdt79094 - VsmDeviceCreator:setRole() needs enumerator as input parameter
CiscoVsmFWIPsecCreator::VsmDeviceCreator::setRole() takes strings rather than enumerators as input parameters. The strings that appear are: Cisco Router, Netflow, and Terminal Server, but only Cisco Router is supported.

Workaround: None

CSCdt79107 - VsmDeviceCreator: No support for terminal server
There is currently no API to add a Terminal Server to the target database.

Workaround: None

CSCdt80505 - VsmDeviceCreator:: Need API to set transport and description
In the interface VsmFWIPsecCreator VsmDeviceCreator, the following APIs do not exist:

1) API to set the transport mode
2) API to set the description string

Workaround: Use the GUI to set these fields.

CSCdt91603 - VsmIPsecProposalCreator:ESPEncrytionNone not accepted
CiscoVsmFWIPsecCreator::VsmIPsecProposalCreator::setESPEncryption() does not accept the enumerator CiscoVsmBrowser::VsmESPEncryption::ESPEncryptionNone as input.

An IPsec proposal with ESPEncryptionNone can be created only through the GUI.

Workaround: None

Other

CSCdp06576 - Hardwired path in Repository
Workaround: When changing the location of the Repository, make sure old tasks are deleted. These tasks may still refer to the old Repository location.

CSCdt15912 - IPsec Templating needs $remotehostname[] variable
This is an enhancement request.

CSCdt18993 - IDL compilation error
The module VPIM uses an internal variable with name errno. This may cause conflict with UNIX's system variable with the same name.

Workaround: None

CSCdt28840 - Same Service Request deployed twice; second one finished earlier than first
The scheduler kicks off tasks at minute boundaries. As a result, if you schedule two tasks, there is no guarantee of the order of execution. This is a corner case.

Workaround: If you want to guarantee the order of execution, make sure that the Service Requests are scheduled at least a few minutes apart.

CSCdt32526 - Recovery tool not recovering gsrBlob and endptExt
Workaround: None

CSCdt54342 - Renaming customer, site, vpn
Certain objects like VPN, Customer, Customer Site, and so on cannot be renamed. Also, there are interdependencies between objects. For example, the Customer object cannot be deleted until all Customer Site objects that belong to this Customer are deleted; Customer Site cannot be deleted until all CEs are deleted; and so on.

Workaround: Delete all child objects first before deleting the parent objects.

CSCdt64087 - Collection Repository cleanup functions
When devices are deleted from the Directory repository, collection records and collection devices that reference these deleted devices from the Collection repository become dangling. This enhancement calls for a utility that will clean up the Collection repository by removing those dangling entities.

Workaround: None

CSCdt65013 - Watchdog does not come up in Alaska time zone
When the machine time zone is set to US/Alaska, occasionally watchdog does not come up.

Workaround: Set the machine time zone to AST (Australia, Alaska Daytime saving) or GMT+9 (Japan).

CSCdt65851 - http server results in a JRun error when deleting a task log
When deleting one or more task logs, a JRun error occurs. An OutOfMemory error appears in the http server log and other logs. This occurs on a dual-cpu machine but not on a single-cpu machine.

Workaround: When the JRun error occurs, restart the http server by running the command wdclient restart httpd.

CSCdt70266 - SSH key mismatch, known-hosts file is updated with new key
In SSH mode, if VPNSC receives a public key from a device that does not match the key in the known_hosts file, the known_hosts file is updated with the new key.

Workaround: None
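The difference between the behaviour described in CSCdt70266 and a strict host-key check, as an added example that is not VPNSC code. It assumes OpenSSH-style plain (unhashed) known_hosts lines of the form `hosts keytype base64key`; the host names and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

# Constructed placeholder key blobs (not real SSH keys).
KEY_A = base64.b64encode(b"constructed-public-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-public-key-blob-B").decode()

# Constructed sample known_hosts content.
SAMPLE_KNOWN_HOSTS = f"""\
# constructed sample
pe1.example.net,192.0.2.10 ssh-rsa {KEY_A}
ce7.example.net ssh-rsa {KEY_A}
"""


def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the unpadded form OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Return {(host, keytype): base64key} for plain entries; skip everything else."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Marker lines (@cert-authority, @revoked) and hashed host names (|1|...)
        # are outside the scope of this example.
        if len(fields) < 3 or fields[0].startswith(("@", "|1|")):
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries


def check_host_key(entries, host, keytype, presented_key, replace_on_mismatch=False):
    """Compare the key a device presents with the stored one.

    Returns (decision, alert). decision is one of:
      "match"    - presented key equals the stored key
      "unknown"  - no stored key; needs out-of-band verification before trusting
      "rejected" - key differs and the stored key is kept (strict policy)
      "replaced" - key differs and the stored key is overwritten
                   (the behaviour CSCdt70266 describes)
    """
    stored = entries.get((host, keytype))
    if stored is None:
        return "unknown", None
    if stored == presented_key:
        return "match", None
    alert = (f"host key for {host} changed: "
             f"{fingerprint(stored)} -> {fingerprint(presented_key)}")
    if replace_on_mismatch:
        entries[(host, keytype)] = presented_key
        return "replaced", alert
    return "rejected", alert


if __name__ == "__main__":
    strict = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(check_host_key(strict, "pe1.example.net", "ssh-rsa", KEY_B))

    permissive = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(check_host_key(permissive, "pe1.example.net", "ssh-rsa", KEY_B,
                         replace_on_mismatch=True))
    # After a replacement the changed key is trusted without any further signal.
    print(check_host_key(permissive, "pe1.example.net", "ssh-rsa", KEY_B))
```

With the replace policy, the only trace of a changed device key is the alert string from the single call that replaced it, so that event is the one to log and review.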

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.0

The known problems in Release 2.0 are presented numerically in the following categories:

Installation

Provisioning

Graphical User Interface

Collection

API

Other

Installation

CSCdt78240 - Install not up to date with Solaris Patches for 2.6
The Installer is not up to date with Solaris 2.6 Patch releases. When installing a monolithic patch upgrade, the installer says that there is a patch that is required that is missing. The missing patch is actually included under a different patch number from Sun in the 2.6 Recommended patch. What we are looking for and the latest numbers from Sun do not match.

Workaround: Select yes to advance the installation. Note: You would not know if this was the correct action to take. You might conclude that a required part of the system was not updated when in fact it had been updated by installation of a patch with another number.

Provisioning

CSCdm58306 - SelectIPAddress step in Add VPN service wizard needs more checks
During the Add VPN Service to CE wizard, you may enter specific IP address information. While basic validation is done on the IP address, more sophisticated checks of the address are not done. For example, 0.0.0.0/0, 127.0.0.0/0, and 255.255.255.255/32 are all allowed.

Workaround: Manually check that the addresses being entered are correct.
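The manual check in this workaround can be scripted. The following added example (not part of VPNSC) flags the three inputs named in CSCdm58306 along with related cases; it assumes the value entered is an IPv4 interface address with a prefix length, and the function name and reason codes are hypothetical.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def check_link_address(text):
    """Return a list of reason codes for an 'address/prefix' string; empty means usable.

    Reason codes:
      syntax             - not parseable as IPv4 address/prefix
      prefix-zero        - /0 covers the whole address space
      unspecified        - 0.0.0.0
      loopback           - inside 127.0.0.0/8
      limited-broadcast  - 255.255.255.255
      multicast          - inside 224.0.0.0/4
      network-address    - the all-zeros host of its own subnet
      directed-broadcast - the all-ones host of its own subnet
    """
    if "/" not in text:
        return ["syntax"]  # require an explicit prefix length
    try:
        iface = ipaddress.IPv4Interface(text.strip())
    except ValueError:     # AddressValueError and NetmaskValueError are subclasses
        return ["syntax"]

    problems = []
    ip, net = iface.ip, iface.network

    if net.prefixlen == 0:
        problems.append("prefix-zero")
    if ip.is_unspecified:
        problems.append("unspecified")
    if ip.is_loopback:
        problems.append("loopback")
    if ip == LIMITED_BROADCAST:
        problems.append("limited-broadcast")
    if ip.is_multicast:
        problems.append("multicast")

    # Network and broadcast addresses only exist as special values for
    # prefixes /1 to /30; /31 point-to-point links and /32 hosts use every address.
    if 1 <= net.prefixlen <= 30:
        if ip == net.network_address:
            problems.append("network-address")
        elif ip == net.broadcast_address:
            problems.append("directed-broadcast")

    return problems


if __name__ == "__main__":
    # Constructed inputs: the three from the problem description plus a few link addresses.
    for candidate in ("0.0.0.0/0", "127.0.0.0/0", "255.255.255.255/32",
                      "10.1.1.1/30", "10.1.1.0/30", "10.1.1.3/30", "10.1.1.0/31"):
        print(f"{candidate:20} {check_link_address(candidate) or 'ok'}")
```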

CSCdp82730 - Time not displayed for the first 3001 Service Requests on the Service Request list
When 20,000 Service Requests were created through the API, it is observed that for the first 3001 Service Requests, the 'Created At' and the 'Last State Change' columns do not show the time at which that event took place. Instead, the message 'Not Available' is seen in these two columns. The remainder of the Service Requests are fine.

Workaround: None

CSCdr10527 - Enhancement for the channelized E1 provisioning
This is an enhancement request regarding the provisioning of channelized E1 between the CE/PE and the E1 controller configuration.

Workaround: Available through template provisioning.

CSCdr36264 - Changing router name from the Command Language Interface (CLI) > tftp 2007 error
If the router hostname is changed through the router CLI and the hostname is not changed in VPNSC through the GUI, then a configuration download might fail.

Workaround: Change the hostname in VPNSC through the GUI as well.

CSCdr45541 - BGP/static results in global static route to the CE loopback
When selecting BGP as the protocol between the CE/PE and Static as the redistributed protocol, Customer Protocol List = static in the service request detail report. The loopback0 on the CE is given a static route in the VRF table on the PE. VPNSC also places the same static route outside the VRF table. In effect it creates two static routes to the same loopback, one inside and one outside the VRF.

Workaround: This design is overly complicated; the global static route to the CE loopback should be removed.

CSCdr58372 - Support for pre-address unnumbered links
It is not possible to re-use an existing IPv4 link by VPNSC on the PE, because if the link is IPv4 and unnumbered, then the loopback in question will not have an "ip vrf forwarding <vrf_name>" command configured and the loopback search algorithm on the PE uses the vrf_name and other parameters to determine which loopback to pick.

Workaround: Configure the vrf_name before deploying the Service Request on the loopback interface.

CSCdr89392 - Service Request states broken due to Grey Management CE None found in prefix
Audits using VPN Routing Information will fail, causing Service Requests to go to the Broken state. This affects only those Service Requests for CEs that join the management VPN. The Service Request for the MCE will be unaffected and will move to the "Functional" state. This occurs only when the MPE/MCE routing protocol selected is either Static or BGP, and when "Redistribute Connected" has not been selected. In versions prior to 1.2, "Redistribute Connected" was automatically generated in any configlet that contained the PE routing protocol configuration.

Workaround: To avoid this scenario, select Redistribute Connected when the MPE/MCE routing protocol selected is either Static or BGP.

CSCds01621 - Modifying OSPF process ID on CE should remove network statement
When modifying the OSPF process ID on the CE device, the existing network statement is left intact in the original OSPF process, while the new OSPF process is configured with the original network statement. This is not a valid OSPF configuration.

Workaround: Remove the current Service Request and create a new Service Request with the desired OSPF process ID.

CSCds23470 - DIPMServer internal API can return incorrect return code
When checking for IOS warning, if one is found, the return code is not reset to 0.

Workaround: See if the description is null. This is only for the configlet return code and description, not the overall request return code and description.

CSCds36011 - setCIPMUserPassword utility dumps core
Run the setCIPMUserPassword utility and specify the user name and password. The utility core dumps, though the user id and password are set correctly in the Repository.

Workaround: Use the tool. The user and password are set correctly.

CSCds36473 - Remove Service Request downloads no IP address to CE Ethernet interface
Deploying remove service request results in loss of connectivity if the PE-CE link is used to download the remove service request.

Workaround: Recommend using a different link to the CE to remove a service request on the CE.

CSCds44423 - When remove Service Request with template, the template was appended
Templates that have been added to a service request will be appended to the remove service request.

Workaround: Modify the service request and remove the template and deploy. Then remove the service request.

CSCds50694 - VRF override RD is not correctly generated in configlet
If the attribute VRFRDOverride.unix is true in the csm.properties file, when you enter values for the RD that are within the router's valid limit, VPNSC changes it to a different value in the configlet when deploying the Service Request. A signed long might be used instead of the unsigned long.

Workaround: None

CSCds53994 - IP unnumbered + specified IP address, check is not the management one
Defined a target with the loopback IP address. Then defined management VPN and configured VPN between the MCE and MPE. Chose IP unnumbered for the link and instead of choosing a loopback from the pool, chose the loopback management IP address (the one defined as the target in VPNSC). The loopback IP address moves from the global routing table to the VRF. The ping from VPNSC works fine; the telnet from VPNSC works fine; but the SNMP does not work anymore. SNMP cannot be made to work with an IP address belonging to a VRF. Therefore, the Populate Interface task does not work; the action from NetFlow (get interface) does not work; and the RTR feature does not work. Suggest that in the case of IP unnumbered and a chosen IP address, VPNSC should check that this address is not the management IP address.

Workaround: None

CSCds72015 - Deploy is not failed when the area number is different on the PE and CE
When you enter a different area number on the PE and CE, the Service Request can be submitted through the tool. The configuration file is downloaded to routers successfully. However, the connectivity is not there if the CE and PE are configured in this way.

Workaround: When entering the OSPF Area Number, you must verify that the Area Number on the CE and PE are the same before the Service Request is submitted.

CSCdt01882 - Interface is improperly removed when it is associated with two Service Requests
Two Service Requests have a common interface on the PE. Even though you make the second Service Request go invalid, you cannot stop one Service Request from affecting the other Service Request. The second Service Request should not be created in the first place.

Workaround: Avoid deleting or modifying the Service Request that goes invalid for this reason.

CSCdt12319 - Support same host and cable modem helper address
Failure to audit if the cable helper address is the same for a host and a cable modem.

Workaround: The cable helper address must be different for the host and a cable modem.

CSCdt12835 - Cable secondary address advertises management VPN
VPNSC only advertises the primary IP address of the maintenance interface. This is to provide access to the CE (in this case Cable modem). VPNSC does not currently provide access to any other device other than the CE on the customer site.

Workaround: None

CSCdt12895 - No recognition of the IOS message when IP address overlaps ...
When modifying the Service Request and changing encapsulation from ISL to default on the FastEthernet interface, IOS returns a message and ignores the configuration of the IP address. Although this problem is fixed, it requires a second link to the CE.

Workaround: Instead of modifying the Service Request, remove the Service Request first, and then add the Service Request with correct encapsulation on FastEthernet interface.

CSCdt26370 - VRF/RD override feature not working
The VRF and RD override feature should provide the ability to override the automatic VRF and RD generation feature. It does not work very well when existing CERCs are modified and the VRF name and RD are overridden to the original name. This is true for multiple service requests belonging to a particular VRF on the same PE.

Workaround: None

CSCdt26503 - When CE loopback address overlaps with other CE loopback address
If two Service Requests join grey management and use a common IP address on their loopback interfaces, the connection to one of the CEs is broken.

Workaround: A unique IP address is required on the management link.

CSCdt32750 - Remote TGS does not work using TGS_TFTP mode through terminal server
When the router connection is through a terminal server and TGS_TFTP is used as the download mechanism, intermittently the following problem occurs:

1. The download task fails with error 2007 return code. Unable to configure element. Check TFTP Server connection and TFTP directory write permission.

2. The download task hangs for a long time (~30 minutes) and Multi-Telnet Gateway Server may retry if an alternate remote TGS is available.

The problem seems to appear only when TFTP is used and the connection to the router is through the terminal server.

Workaround: Connect directly to the router rather than through the terminal server when using TFTP. That is, remove association to the terminal server for the router, when the mode is TFTP.

CSCdt38428 - Multi-TGS fail download with 2006 randomly in Download Console
Intermittently, SSH times out with the return code 2006. SSH generates temporary keys and this takes some time to generate.

Workaround: Try setting the mode to Telnet. If the mode must be SSH, then increase the timeout attribute netsys.tgs.opTimeout in the csm.properties file. The default is 1200, so increase this to 2400 to give more time to generate these keys without a timeout.

CSCdt39793 - Download through Terminal Server success/failure not consistent with SSH
This situation occurs when you have a router associated with a terminal server and in the vpnconsole target for the terminal server, you do not enter an IP address. However, this may work even if you do not enter an IP address for the terminal server, if the terminal server has in its running configuration file:

ip host <TERM_SRVR_NAME> <IP_ADDR_OF_TERM_SRVR>

The better way to handle this is not to make any assumption about what is on the terminal server configuration, and resolve this by adding an IP address to the terminal server in the vpnconsole target editor.

An IP address is never required if the router is accessed directly without using a terminal server.

Workaround: None

CSCdt44697 - Lost connectivity to CE when deploying Service Request
Provisioning (adding/modifying/removing) a Service Request does not work properly if a CE can only be accessed through a PE (no second link to the CE).

Workaround: None

CSCdt46660 - Service Request does not go to CLOSE state after auditing
Workaround: Turn on the netsys.close.sr.option.unix attribute in the csm.properties file and force the Service Request to the Close state.

CSCdt46676 - MTGS download failed with CORBA Exception when stop remote TGSs
When multiple remote TGSs are used, if remote TGSs were stopped during massive download, one or two device downloads may fail with the error message, "CORBA General Exception Generated while contacting MTGS/TGS".

Workaround: Do not bring down remote TGSs during download, that is, before the outstanding tasks are completed. If the network or remote servers are so unstable that the remote TGSs can get disconnected often, use single TGS or no more than one remote TGS.

CSCdt50316 - Service Request remains in Deployed state even when the audit for functional fails
When the Service Requests are audited for functional, they remain in the Deployed state. This happens when there is an error reported in the tasklog while collecting for the VPN routes. This should result in changing the state of an SR to 'Broken' rather than retaining it in the 'Deployed' state, when the SR is subsequently audited for VPN routing.

Workaround: None.

CSCdt56843 - Core dump after clicking Next on Select Audit Option
If there are more than 1000 Audit tasks in the repository, the GUI wizard may throw a stack overflow exception and core dump after clicking Next on Select Audit Option when trying to deploy a service request.

Workaround: Remove some of the old audit tasks from the repository to keep fewer than 1000 audit tasks in the repository.

CSCdt61769 - Unpredictable behavior when Export Map and/or Import Map parameters are part of a Service Request
When the Export Map parameter and/or Import Map parameter are added as part of a Service Request, the provisioning engine may have unpredictable results.

Workaround: Modify the Service Request and remove the Export Map and/or Import Map parameters.

CSCdt66274 - Auto-picked CE addresses do not get populated
Auto-picked CE addresses are not stored back in the repository.

Workaround: None

CSCdt90274 - Service Request remains pending due to core in run_ngs
If you make a request to remove an SRVC, SRVC will be in the Remove requested state. After this, deploy this request and enable audit. Running an audit would usually move the SRVC to a remove Closed state. This does not happen; it remains in the Pending state. The run_ngs was invoked by the auditor. A core file was found after or during run_ngs (conn_solver), which caused the state to remain as Pending. This bug was found when using ECHO mode. It is not known under what circumstances this may occur. Currently it is a corner case.

Workaround: None

CSCdt96033 - Syslog recorded as TFTP with any transfer mode
The customer configured VPNSC provisioning with telnet as the transfer mode on IP Manager 2.0; however, the syslog output for this action is recorded as tftp.

Workaround: None

Graphical User Interface

CSCdm19511 - Vpnconsole hangs with fast <return> keystrokes
In some cases in the vpnconsole, typing in quick successive Return keystrokes in text fields causes the vpnconsole to hang.

Workaround: Restart the vpnconsole.

CSCdm47030 - GetDuration, GetStartTime, GetEndTime window, needs validation
While trying to Collect the datasets from the NetFlow collector, GetDuration, GetStartTime, and GetEndTime windows are not validated.

Workaround: None

CSCdm59399 - Vpnconsole windows have bad sizing behavior under X emulators
The vpnconsole has shown bad sizing behavior when used with X emulators, such as XVision on Windows, NCD Xterminals, and Reflection X.

Workaround: Resize the windows manually (if possible) or display to a Solaris workstation's display.

CSCdm59856 - Icons may not be displayed in topology
When using the topology, sometimes the icons may not display immediately.

Workaround: Close the topology and reopen it.

CSCdm65063 - Inconsistent behavior of modal windows in vpnconsole
The vpnconsole window handling is inconsistent. For most modal windows, if an attempt is made to click outside the window, an audible beep indicates that this is not allowed. However, if a nonmodal window is displayed and a modal window is then opened, it is possible to click on the nonmodal window and hear no beep.

Workaround: None

CSCdm80371 - Cursor does not appear in editable fields when using OpenLook Window Manager (olwm)
When using the olwm, the cursor does not appear in text fields in the vpnconsole.

Workaround: Change window manager to CDE.

CSCdm91769 - Click in Traffic Summary Graph displays wrong tag/numbers
The pie charts for the Accounting reports allow clicking on one of the wedges to see more information. In some cases, the numbers in the pie chart correspond to the wrong row in the tabular report.

Workaround: Look into the report for the accurate data.

CSCdm91773 - Axis values in accounting charts incorrect
The axis values in some of the accounting charts may be incorrect.

CSCdp04969 - Default route disappears when modifying a Service Request
A problem occurs when modifying a Service Request that is using Static routing between a PE and CE. The default route specified in the original Service Request is no longer displayed.

Workaround: Re-add the default route (0.0.0.0).

CSCdp14446 - Remove requests (re)scheduled through Task Manager receive fatal error
A Remove VPN Service request that is redeployed through the Task Manager fails with a Task Log error message of "FATAL ERROR". There are no service requests of type "\VIRepGenericSrvcReq::SRObjTypeSRVC\".

Workaround: Use the Provisioning > Deploy Service Request function to redeploy requests instead of rescheduling an existing task from the Task Manager.

CSCdp19379 - Vpnconsole hangs during refresh of Task Manager window
The vpnconsole can hang when using the Task Manager window. If this happens, you can start a new vpnconsole process.

Workaround: To avoid this problem entirely, use the drop-down menus from the menu task bar to start tasks instead of using the Task Manager.

CSCdp25127 - Xclipboard functionality limited
There is currently no way to copy text out of a VPNSC window and paste it into another Xclient window using mouse-based copy and paste. The Sun keyboard Copy and Paste keys appear to work for certain windows but not globally.

Workaround: None

CSCdp33118 - Double-click on chart pops up report
Double-clicking on a chart brings the report forward and covers the chart.

Workaround: None. Does not hurt the operation.

CSCdp54462 - GUI Refresh of VPN Inventory does not re-read the Repository
If the Raima utility initdb is used to clear out a database, then the Refresh functions in the VPN inventory of the vpnconsole will not work.

Workaround: Restart the vpnconsole.

CSCdp62988 - GUI hangs when modifying the Repository during a backup
When a Repository backup is running, the database is write-locked until the backup task completes. Trying to insert a new task into the Repository while the backup was running failed. The vpnconsole hung until the backup completed. Since a Repository backup may take time, the vpnconsole should not hang, but rather inform you that the database is currently write-locked.

Workaround: Do not attempt to modify the Repository while a backup is running.

CSCdp86529 - GUI lists objects twice if refreshed during initial load
Selecting Refresh in the VPN Inventory section in the GUI while it is still getting the object list results in the object tree being listed multiple times.

Workaround: Do not Refresh while the GUI is getting the object list results.

CSCdp86884 - Adding a VPN through the topology and exiting before finishing, causes errors
If a Service Request is created from the topology and is canceled before completion, it shows up in the left pane of the topology.

Workaround: Do not use the topology to create Service Requests. Use the wizard located in the vpnconsole at Provisioning > Add VPN Service to CE.

CSCdp88127 - The Advance Filter option should not be available in all windows
No known impact. This is an enhancement request to disable Advance Filter on some Spreadsheet Data Format (SDF) reports.

Workaround: Do not use the Advance Filter feature if it is not needed.

CSCdr03591 - Java exception occurs when deleting Region
When a PE or Region is deleted by another user while you are moving through the Add VPN Service wizard, the resulting error messages are difficult to read.

Workaround: No known impact.

CSCdr17172 - Task logs not being deleted from tmp directory
Logs are not deleted from the vpn/tmp directory according to schedule.

Workaround: Leave the default configuration in the csm.properties file set to true so that log files are cleaned up.

CSCdr27624 - Delete region does not check for associated PEs
When you delete a region with PEs in it, no error message is displayed. The PEs are also deleted.

Workaround: None

CSCdr33852 - Color coded list of Service Requests
The request is for Service Request status in the Service Request list report to be color-coded.

Workaround: This is an enhancement request. Service Request status is currently visible in text form in the Service Request list (that is, no information is missing). The request is to have better visuals.

CSCdr42538 - Task API: Scheduled task Name is not seen in the GUI
The scheduled task name entered through the CORBA API is not displayed in the Task Manager GUI.

Workaround: None

CSCdr52515 - Deletion of Region does not synchronize with its PEs
When deletion of the region failed, the region remained in the left panel but the PEs under the region were removed.

Workaround: None

CSCdr56337 - If PE selection changes during PE-CE provisioning, the interfaces will not refresh
In an interface selection step of the Service Request wizard, the list of interfaces is not refreshed if the PE selection is changed.

Workaround: Exit the wizard and start a new wizard.

CSCdr63519 - VPNSC hangs when double-click on Edit in the Edit Customer site
A double-click on Edit in the Edit Customer site window caused the application to hang. The only way to continue is to execute a stopwd/startwd and kill the existing jre. The fact that much memory was being used (untarring a large file and decompressing another file at the same time) could have contributed to the problem.

Workaround: None

CSCdr68917 - Tab key does not highlight the target field
On both the General and Passwords panels of the Edit Multiple Targets panel, when you tab to the check boxes in front of each choice, there is no highlighted blue underline box like other click boxes such as OK and Cancel have. It looks like the cursor has disappeared. When you tab to a check box, the box should be highlighted/dimmed/underlined and so on, to show that the cursor is positioned at the box.

Workaround: None

CSCdr76434 - Resizing some router chooser windows becomes unusable
If the target chooser window is resized, the table size becomes too small and in some cases it might become unusable.

Workaround: Resize the target chooser window to a bigger size until the table size is restored to its original size.

CSCdr92734 - PE-CE provision screen accepts different IP network addresses
When creating PE-CE links, the GUI allows the PE and CE IP addresses to be in different networks.

Workaround: None

CSCdr93603 - Delete region creates deadlock when Provider Administrative Domain (PAD) has only one region
A delete action on a region creates a deadlock when the PAD contains only one Region.

Workaround: a) Instead of deleting the Region, modify the existing one; b) Delete the Region from the hierarchical pane (on the left side) without getting any error or deadlock, instead of deleting it from the Edit PAD window.

CSCdr96924 - Cable interface configuration GUI should show the subinterface number
Cable interface PE-CE provisioning screen only has the option of showing a Major interface. When you modify a subinterface, it is difficult to trace the interface being modified. For clarity while modifying the GUI, the interface to which the Service Request is attached should be shown.

Workaround: None

CSCdr97462 - Multiple user feature compounds data report memory leak
A vpnconsole uses large amounts of memory, especially when displaying large reports. There is also a memory leak with some reports. When multiple users concurrently run vpnconsoles from the same machine, this memory problem multiplies.

Workaround: Avoid opening large reports and running multiple vpnconsoles concurrently.

CSCds13047 - Service Request Audit Report window should avoid links to non-existing reports
The Service Request Audit Report window creates links to nonexistent target files for accessing the audit reports.

Workaround: None

CSCds44103 - Display of tree-view becomes corrupted when viewing 3,000 CEs
The hierarchical tree view pane becomes corrupted when viewing thousands of CEs. This is the result of a problem in the Java Runtime environment.

Workaround: No workaround known, but will not seriously impact functionality.

CSCds48679 - Inconsistent range for RT and RD from various GUI panels
From the GUI, there are several places where one can enter RD or RT values. Each place should be tested with in-range values and out-of-range values, as well as acceptable/non-acceptable characters.

Workaround: None

CSCds63329 - CERC selection window does not show if Hub/Spoke or Mesh
When defining a Service Request, the CERC selection window displays the available CERCs by name, but does not indicate whether they are full mesh or hub and spoke.

Workaround: None

CSCds65988 - BGP Autonomous System (AS) for CE cannot be modified after deploying a Service Request
If the CE BGP AS number of a deployed Service Request is modified, the provisioning step during the deployment process fails, claiming that BGP has already been configured in that router using a different BGP AS number. The reason to change the BGP AS number is because the Service Provider is running out of numbers for BGP AS already, and they want to use the feature 'Neighbor AS-override', and change all the Autonomous Systems for all the VPNs.

Because the router only can be included in one Autonomous System, VPNSC stops without provisioning. In this particular case, VPNSC should write the command no router bgp 11 and configure a new process router bgp 12 in the CE.

Workaround: For the moment, the only way to do this is through the Command Language Interface, by disabling the current BGP process in the CE.

CSCds77244 - Special characters are being allowed as the first character
If you enter an invalid character past the first position and then delete characters until the invalid character is the first character, invalid characters can be entered into the first character position for Customer, Site, VPN, and other names.

Workaround: The first character of the name must be alphabetic. Do not enter a nonalphabetic character past the first position and then delete until it is in the first position.

CSCds85924 - GUI accepts nonprintable characters
The GUI allows copy and paste of nonprintable characters, such as newline or carriage return, under some circumstances.

Workaround: None, except taking special care with how text to be imported is created.

CSCdt04666 - Vpnconsole will not restart after Repository is restored
Workaround: Stop watchdog and kill the orbixd process. Restart Orbix, watchdog, and vpnconsole.

CSCdt01073 - Additional information required for RD/VRF override
It is possible to specify the RD alone in the SelectVRFParams window (when the VRF override feature is enabled). This could result in a Service Request that moves to either a Failed Deploy state or Failed Audit state, due to the fact that a RD alone cannot be changed within a VRF configuration in IOS.

Workaround: When using the VRF override feature, make sure that both a VRF name and RD are entered when making modifications to the Service Request.

CSCdt20166 - Vpnconsole core dumps when exiting watchdog first
Stopping the watchdog before exiting VPNSC will cause an exception.

Workaround: Do not close the watchdog before exiting VPNSC.

CSCdt20544 - Unable to read print result in Service Request history report
The text in printouts of the Service Request report is too small.

Workaround: None

CSCdt33880 - Error and Exception while evaluating a port number
Edit fields do not prevent you from entering invalid characters and/or ranges.

Workaround: Enter the proper range/characters.

CSCdt35741 - Inconsistent GUI displays between IPsec and MPLS
Creating a customer from within IPSec causes an exception when running the MPLS portion of VPNSC. Also, deleting a customer and then adding a new customer with the same name causes duplicate customers to be seen in the tree.

Workaround: Use 'refresh' to remove the duplicate customer from the tree.

CSCdt37083 - Upload failed while download succeeded in the task log
If the configuration upload for a deploy task fails for the PE, the CE, or both the PE and the CE, the task logs display a Failed status for the upload. However, the status for provisioning and download are incorrectly displayed as Succeeded. The status for provisioning and download should be skipped if either the PE or the CE configuration upload has failed.

Workaround: None

CSCdt38633 - Spaces being accepted as prefix and suffix for CoS profile
Spaces are being accepted for CoS profile name.

Workaround: Do not enter spaces for any part of the name.

CSCdt39792 - Caught exception after delete customer
When deleting a customer, on rare occasions, an exception is thrown. This exception does not indicate that the customer object was not deleted and no negative side effects were encountered.

Workaround: None

CSCdt44551 - Unique name is not generated for a new data file in a folder
When you create a data file folder for a template, the defaults provided are not unique names.

Workaround: When saving the file, specify a unique name.

CSCdt45432 - Import Templates needs to verify permissions errors
No objects appear in the tree view after the import feature for Template files is utilized.

Workaround: Verify that there is enough disk space available to support a copy command, and verify that the permissions of the files you are importing are set correctly.

CSCdt46034 - Template Console does not refresh after configuration file deletion
After deleting a configuration file from the Template Console, the GUI might appear to be hung.

Workaround: Select another menu item from the tree view; right mouse click; and select open. The GUI refreshes when the selection is opened.

CSCdt46682 - Cannot view audit report
There is no place to view the audit report.

Workaround: Drill down in the Service Request Report to view the Audit Details for a Service Request.

CSCdt48246 - Memory leak in vpnconsole and scheduler
When a large number of VPN Service Requests are created in one session, the GUI can consume large amounts of memory. This has been seen when more than 100 Service Requests are created in the same session.

Workaround: Restart vpnconsole to clean memory.

CSCdt50981 - GUI should disallow changing a CE to Management LAN CE
A problem is found in the following situation:

1. A Management LAN has not been created.

2. A CE is a regular CE and not a part of Management LAN and has been configured in one or more Service Requests.

3. When the CE is made a part of the Management LAN and any one of the Service Requests is deployed, it currently core dumps.

The GUI should not allow a regular CE in a Service Request to be changed to a Management LAN CE in a modification. The GUI and the Repository indicate the CE as a Management LAN CE for both the original and modified Service Requests, thereby causing incorrectness in the flow.

Workaround: None

CSCdt63060 - Cannot set maximum route threshold percentage
In Release 1.2, the maximum route percentage can be set in the csm.properties file:

netsys.watchdog.server.CVPIMServer.maxroutepercent =80

However, in Release 2.0, this parameter is removed from csm.properties. The tool generates a default threshold of 80 when provisioning service requests with maximum routes.

The suggestion is to add a field in the GUI next to the Max Routes field to allow the entry of a threshold percentage.

Workaround: None

CSCdt66303 - Edit Management Interface option in target editor not working
When editing a Management Interface in the IP addresses tab of the Edit Target window, unchecking the Management checkbox does not work. The operation appears to be successful in the GUI, but the update is not stored in the repository.

Workaround: Delete the interface that was selected as the Management Interface and, if required, manually add that same IP address without selecting the Management Interface option. This will allow the selection of another interface or IP address as the Management Interface.

CSCdt66306 - No error message in GUI when creating a duplicate Remove Service Request
If a remove Service Request is created and deployed and then an identical remove Service Request is created, the creation properly fails but without the appropriate error message in the GUI.

Workaround: None

CSCdt69260 - IP addresses not updated after collecting configuration files
Configuration files are parsed for their IP addresses during setup. When collecting from live routers, this parsing process for different IP addresses does not take place.

Workaround: Navigate and execute Monitoring > Configure Traps > Populate Interface Information for Cisco Router Targets or manually add the IP addresses in the target window.

CSCdt69808 - Accounting reports miss NetFlow data in some repositories
Under some conditions, the VPNSC reports are missing data even though the task logs indicate that the data was collected correctly.

Workaround: None

CSCdt74465 - Creation of targets based on configuration file import may fail in part when more than 100 configuration files are imported
Targets are created in the VPNSC Repository without error. However, the error occurs when extracting passwords from configuration files. This problem is of importance only when the configuration file contains clear text or a hidden password (reversible encryption). When using one-way encryption (irreversible encryption), the target editor must be used to manually set the passwords anyway.

Workaround: Use the target editor to manually set the passwords.

CSCdt78841 - Caught exception for Add VPN service to CE
Caught exception for Add VPN service to CE.

Workaround: Do not use the modify function.

CSCdt80545 - VPNSC GUI takes a long time to initialize with a large repository
When you have a large repository, the initialization of the GUI can be extremely slow.

Workaround: None

Collection

CSCdp54370 - No support to bypass the login password field
The collection engine requires the router to be configured with a login password. The collection will fail if the router is configured to bypass login.

Workaround: Configure the router to require a password to log in.

CSCdp66724 - Self-monitoring tool Dataset.Server, causing Java memory leak
Self-monitoring tool does not contain current data or it appears to stop updating.

Workaround: From the terminal window that launched the Watchdog, type: wdclient restart dataset.server.

CSCdp76580 - Problems running a Repository in a time zone different than the time zone in which the data was collected
If a Repository containing accounting data is moved to another system in a different time zone, or the time zone on the system where the data was collected is changed, the reports will be empty or incorrect when viewed.

Workaround: Set the time zone of the system on which you wish to view the accounting reports to be the same as the time zone in which they were collected.

CSCdr86087 - Watchdog event subject is not correct according to the specification
The watchdog event subject name is missing "m1".

Workaround: Look for the subject "cisco.vpnsc.watchdog.XXX" instead of "cisco.vpnsc.watchdog.m1.XXX".

CSCds77876 - EventGateway exception when watchdog started for the second time
Sequence of events: 1) install VPNSC; 2) start orbixd and the watchdog—no problems during this startup; 3) stop the watchdog; 4) start the watchdog again, which is when the EventGateway exception occurs (the watchdog reports that it is unable to register itself); 5) stop the watchdog, then kill orbixd; 6) start orbixd and the watchdog—no problems during this startup, as well as all subsequent ones.

CSCdt16345 - Error occurred when migrating Repository from 1.2 to 2.0
The migration failed the first time.

Workaround: Run the migration tool again without any changes.

CSCdt36291 - No error message is generated when a delete SLA task is run with no such probes existing
If SLA probes have already been deleted, scheduling to delete them again does not give an error message.

CSCdt44821 - Register/Deregister for traps task continues in running state
Register/Deregister for Traps task does not complete, and the status remains running in the Task Logs.

Workaround: Look in the Log itself to check for which devices the task failed and why.

CSCdt44834 - Selective Dataset Purge does not work correctly
You may not be able to delete certain datasets from the Repository with the Selective Dataset Purge tool.

Workaround: None

CSCdt47930 - Deselecting Management Interface deletes IP address of target
Unselecting an interface to no longer be Managed in the Edit Target window causes the IP address to revert to 0.0.0.0.

Workaround: Run Populate MIB Interface task to repopulate interface addresses.

CSCdt57264 - Tasks will not finish because of memory leak
When you schedule multiple tasks to run hourly, the scheduled tasks remain in the running state and never finish.

Workaround: Stop the watchdog and restart.

CSCdt62470 - Time synchronization problem for SA Agent probes and VPNSC data collection
VPNSC needs to have the capability of time synchronizing the SA Agent probes. If a router goes down and comes back up again, the router will not have filled its data bucket by the next time VPNSC comes around and performs a data collection. VPNSC will not pick up the data from the router that reloaded because the bucket was not full. The next time VPNSC does the data collection, and the router bucket is full, the time information will be out of synchronization.

Workaround: None

CSCdt78548 - WDGUI hangs after several minutes on screen and becomes a ghost
WDGUI hangs after several minutes on the screen. It then becomes a ghost process and cannot be closed or killed. This occurs on the console of the machine where VPNSC is installed and on remote clients; both Sun workstations and HP machines running Reflection X.

Workaround: None

API

CSCdm80601 - Module CiscoVPNServiceRequest
When provisioning a CORBA API, the module CiscoVPNServiceRequest is not needed.

Workaround: This module and its references can be safely removed in these circumstances.

CSCdp10956 - VsmSRCreator:setPEPortReservationOnly() does not work
Workaround: The CiscoVsmSRCreator::VsmVPNConnectivityCreator::setPEPortReservationOnly() operation has been removed from the Service Model API.

CSCdp66898 - /etc/init.d/tagvpn stop does not stop Name Server (NS) process
Running multiple instances of Orbix NS will cause corruption in the NS implementation Repository. We start orbixd and it in turn starts NS as part of the initialization. Even if the NS already exists, it goes ahead and starts another NS.

Workaround: To fix this corruption problem, make sure you always kill the NS process before orbixd is restarted. Note: In Orbix 3.x, NS is a Java program and shows as a jre process.

CSCdr24652 - Task Log cannot be viewed if the task name has spaces
If a task is defined with spaces in its name, that task will not appear in the Task Log.

Workaround: Ensure that task names do not contain spaces. For example, you can use underscores to separate or use a capital letter to start each word in a multi-word name.

CSCdr89422 - java.lang.nullpointer.exception caught when create PE, CE
There is a problem with the following APIs: VsmPECreator.setRouterInterfaces() and VsmCECreator.setRouterInterfaces(). When these APIs are called, a "java.lang.nullpointer" exception is thrown. Neither a PE nor a CE can be created.

Workaround: None

CSCdr93908 - VsmPECreator:No error checking for Telnet timeout/retries
The APIs: CiscoVsmFWCreator::VsmPECreator::setTelnetTimeOut (in unsigned long timeOut) and CiscoVsmFWCreator::VsmPECreator::setTelnetRetries (in unsigned short retries) do no range checking for the input parameters timeOut and retries respectively.

Workaround: API users have to do their own checking for the legal range 1 - 60 for both parameters.

CSCdr94129 - Deleting Provider Administrative Domain (PAD) has different behaviors on GUI and API operation
When deleting the specified PAD, the GUI has a different behavior from the API's operation on the following test scenario: Create a PAD and assign some regions to it. For all of these regions, however, neither PEs nor IP address Pools are assigned to any of them. Test result: You are allowed to delete the PAD from the GUI side even though there are still some regions corresponding to it. However for API testing, calling the operation removeProviderAdminDomainFromRep() generates an error message: There are region(s) that depend on this Provider Administrative Domain record! The expectation is that the GUI should behave the same as API.

CSCdr96684 - VpnInvExport should not create Provider Administrative Domain (PAD) without a region
The VpnInvExport tool is creating an entry in the target file for a PAD without a region. This will create a problem while importing the repository.

Workaround: Make sure that no PAD exists without regions before exporting the Repository.

CSCds04218 - First interface name is blank in VpnInvExported file
First interface is blank in the <VsmPE> block.

Workaround: None

CSCds86977 - EventGateway client cored when using C++
Using Orbix specific method of _bind() to get a CORBA object reference causes an exception for the EventGateway server. This happens if the client is written in C++.

Workaround: Use the naming service instead of the Orbix-specific _bind().

CSCdt32753 - VpnInvExport:SNMPv3 parameters are not getting exported
The VpnInvExport tool exports the following details of the devices (only for those associated with a Service Request): General Details, Passwords, and IP Address. It does not export the SNMPv3 Parameters of the devices.

Workaround: After importing a file (either in XML or old format), edit the devices to specify the SNMPv3 parameters.

CSCdt50362 - VpnInvExport: Not exporting the redistribution protocols for OSPF
The VpnInvExport tool does not export the details related to the Redistribute Protocols when the protocol between a PE and a CE is OSPF.

Workaround: After Import, modify the Service Request to include the Redistributed Protocols.

CSCdt57994 - Import from remote host is not going through
An error occurs when importing an XML file from the remote host.

Workaround: None

CSCdt88268 - VsmSRVC/VsmGenericSR: redundant APIs with slightly different names
The following CiscoVsmBrowser::VsmSRVC APIs are redundant:

1) VsmSRVC::getType()

2) VsmSRVC::getState()

3) VsmSRVC::getCreateTime()

4) VsmSRVC::getLastStateChngTime()

The previous APIs are available due to inheritance and map to the following:

1) VsmGenericSR::getSRType()

2) VsmGenericSR::getSRState()

3) VsmGenericSR::getCreationTime()

4) VsmGenericSR::getLastStateChangeTime()

Workaround: None

Other

CSCdp06576 - Hardwired path in Repository
Workaround: When changing the location of the Repository, make sure old tasks are deleted. These tasks may still refer to the old Repository location.

CSCdp62940 - Printing Data Summary report in Post Script takes large amount of resources
Printing the report makes the GUI behave sluggishly or hangs it for a period of time.

Workaround: Do not try to print reports containing large data sets using the PostScript option. Instead, print to a text or HTML file and then open this file in a browser.

CSCdp63081 - Print of Data Summary report using TXT option has poor formatting
Format of printed Data Summary report needs to be enhanced.

CSCds34572 - VpnInvImport - cannot import RT, RD, address pool offset values
The offset values to the RD and RT pools are currently not imported by the import tool.

Workaround: None

CSCds84996 - Some servers do not start if the host name is in capital letters
The host name for the UNIX machine on which VPNSC is run must be in lower case.

Workaround: Be sure the name is in lower case.

CSCdt18993 - IDL compilation error
The module VPIM uses an internal variable with name errno. This may cause conflict with UNIX's system variable with the same name.

Workaround: None

CSCdt54342 - Renaming customer, site, vpn
Certain objects, such as VPN, Customer, and Customer Site, cannot be renamed. Also, there are interdependencies between objects. For example, the Customer object cannot be deleted until all Customer Site objects that belong to this Customer are deleted; a Customer Site cannot be deleted until all CEs are deleted; and so on.

Workaround: Delete all child objects first before deleting the parent objects.

CSCdt64087 - Collection Repository cleanup functions
When devices are deleted from the Directory repository, collection records and collection devices that reference these deleted devices from the Collection repository become dangling. This enhancement calls for a utility that will clean up the Collection repository by removing those dangling entities.

Workaround: None

CSCdt65013 - Watchdog does not come up in Alaska time zone
When the machine time zone is set to US/Alaska, occasionally watchdog does not come up.

Workaround: Set the machine time zone to AST (Australia, Alaska Daytime saving) or GMT+9 (Japan).

CSCdt65851 - http server results in a JRun error when deleting a task log
When deleting one or more task logs, a JRun error occurs. An OutOfMemory error appears in the http server log and other logs. This occurs on a dual-cpu machine but not on a single-cpu machine.

Workaround: When the JRun error occurs, restart the http server by running the command wdclient restart httpd.

CSCdt70266 - SSH key mismatch, known-hosts file is updated with new key
In SSH mode, if VPNSC receives a public key from a device that does not match the key in the known_hosts file, the known_hosts file is updated with the new key.

Workaround: None
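
Because the known_hosts file is updated with the new key, a key change can only be noticed by comparing the live file against a baseline copy saved while the keys were trusted. The Python below is an added example, not part of VPNSC or of these release notes; it assumes OpenSSH-style known_hosts lines (protocol 1 and protocol 2 layouts), and the host names and key values in it are constructed.

```python
"""Report host keys that changed between two copies of a known_hosts file.

Added example (not VPNSC code). Assumes OpenSSH-style known_hosts lines.
"""
import base64
import binascii
import hashlib


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> set of fingerprints for each usable line."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blanks, comments, and @cert-authority / @revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if fields[1].isdigit():
            # SSH protocol 1 layout: hosts bits exponent modulus [comment]
            if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
                continue
            keytype, blob = "rsa1", " ".join(fields[1:4]).encode()
        else:
            # Protocol 2 layout: hosts keytype base64-key [comment]
            keytype = fields[1]
            try:
                blob = base64.b64decode(fields[2], validate=True)
            except (binascii.Error, ValueError):
                continue  # damaged entry; nothing reliable to compare
        # One line may name several hosts. Hashed names (|1|salt|hash) are
        # kept as opaque strings, so a re-salted entry shows up as
        # removed plus added rather than as changed.
        for host in fields[0].split(","):
            entries.setdefault((host, keytype), set()).add(fingerprint(blob))
    return entries


def compare(baseline_text: str, current_text: str) -> dict:
    """Classify every (host, key type) as changed, added, or removed."""
    baseline = parse_known_hosts(baseline_text)
    current = parse_known_hosts(current_text)
    report = {"changed": [], "added": [], "removed": []}
    for ident in sorted(set(baseline) | set(current)):
        old, new = baseline.get(ident), current.get(ident)
        if old is None:
            report["added"].append(ident)
        elif new is None:
            report["removed"].append(ident)
        elif old != new:
            # A silently replaced key lands here: same host, new fingerprint.
            report["changed"].append((ident, sorted(old), sorted(new)))
    return report


def sample_key(label: str) -> str:
    """Constructed stand-in for a key blob; not a real SSH public key."""
    return base64.b64encode(("constructed-key-" + label).encode()).decode()


# Constructed sample data: a trusted baseline and a later copy of the file.
BASELINE = "\n".join([
    "# constructed baseline, saved while the keys were trusted",
    f"pe1.example.net,192.0.2.1 ssh-rsa {sample_key('pe1')} pe1",
    f"ce7.example.net ssh-rsa {sample_key('ce7')}",
    "ce9.example.net 1024 35 1234567890123456789 legacy",
])
CURRENT = "\n".join([
    f"pe1.example.net,192.0.2.1 ssh-rsa {sample_key('pe1')} pe1",
    f"ce7.example.net ssh-rsa {sample_key('ce7-new')}",
    "ce9.example.net 1024 35 9876543210987654321 legacy",
    f"ce8.example.net ssh-rsa {sample_key('ce8')}",
])

if __name__ == "__main__":
    result = compare(BASELINE, CURRENT)
    for (host, keytype), old, new in result["changed"]:
        print(f"CHANGED {host} ({keytype}): {old} -> {new}")
    for host, keytype in result["added"]:
        print(f"ADDED   {host} ({keytype})")
    for host, keytype in result["removed"]:
        print(f"REMOVED {host} ({keytype})")
```

Keep the baseline copy somewhere the VPNSC host cannot write to, and treat every CHANGED line as something to verify against the device out of band.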

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.