Release Note for the Cisco Traffic Anomaly Detector Appliance


July 16, 2007


Note The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to software versions 6.0(10) and 6.0(5) for the Cisco Traffic Anomaly Detector appliance (Detector). This release note contains the following sections:

New Features in Software Version 6.0(5)

Upgrading to Software Version 6.0(x)

Operating Consideration

MultiDevice Manager Commands Omitted from the Configuration Guide

Software Version 6.0(10) Open Caveats and Resolved Caveats

Software Version 6.0(5) Open Caveats and Resolved Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

New Features in Software Version 6.0(5)

The following new features are available in software version 6.0(5):

Support for the 2007 daylight saving time (DST) change.

Ability to set the TACACS+ server port.

Ability to set the TACACS+ encryption key.

Upgrading to Software Version 6.0(x)

In software version 4.x, the Detector allowed you to configure illegal subnet masks (masks whose 1 bits are not contiguous, such as 255.255.0.255). Starting with software version 5.1(4), the Detector checks that every subnet mask is legal. When you upgrade from a software version earlier than 5.1(4) to version 6.0(x), the Detector corrupts every zone configuration that contains an illegal subnet mask. To prevent this, replace each illegal subnet mask with a legal one by performing the following steps on every affected zone before you upgrade the software:


Step 1 Use the no ip address command to delete the zone IP address that carries the illegal subnet mask.

Step 2 Use the ip address command to configure the zone IP address again with a legal subnet mask.


For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Traffic Anomaly Detector Configuration Guide.

Software upgrade instructions are located in the "Upgrading the Detector Software Version" section in the Cisco Traffic Anomaly Detector Configuration Guide.
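The following Python script, an added example rather than anything shipped with the Detector, audits an exported zone configuration for illegal (non-contiguous) subnet masks before the upgrade and prints the two-step fix for each one. It assumes the configuration text lists each zone as a zone <name> line followed by indented ip address <address> <mask> lines, that the no ip address form takes the same address and mask arguments, and the sample configuration is constructed for the illustration; the replacement mask it prints is a placeholder that you must set to the mask the zone actually needs.

```python
"""Pre-upgrade audit for illegal zone subnet masks.

Added example, not Cisco code. The zone / ip address layout below is an
assumption about the exported configuration, and SAMPLE_CONFIG is constructed.
"""
import re

# Constructed sample: three zones, one of them ("dns") with a non-contiguous mask.
SAMPLE_CONFIG = """\
zone web-farm
 ip address 192.0.2.0 255.255.255.0
 ip address 192.0.2.128 255.255.255.128
zone dns
 ip address 198.51.100.0 255.255.0.255
zone mail
 ip address 203.0.113.10 255.255.255.255
"""

ZONE_RE = re.compile(r"^zone\s+(\S+)\s*$")
IPADDR_RE = re.compile(
    r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def mask_to_int(mask):
    """Convert a dotted-quad mask to a 32-bit integer; reject malformed octets."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("malformed mask %r" % mask)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_legal_mask(mask):
    """A legal mask is a run of 1 bits followed by a run of 0 bits.

    In the 32-bit binary string that means the substring "01" never occurs.
    Anything that does not even parse as a dotted quad is treated as illegal.
    """
    try:
        bits = format(mask_to_int(mask), "032b")
    except ValueError:
        return False
    return "01" not in bits


def find_illegal_masks(config_text):
    """Return (zone, address, mask) for every ip address line with an illegal mask."""
    findings = []
    zone = None
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and zone is not None:
            addr, mask = m.groups()
            if not is_legal_mask(mask):
                findings.append((zone, addr, mask))
    return findings


def remediation_commands(findings, replacement_mask):
    """Emit the release note's two-step fix for each finding.

    replacement_mask is a placeholder supplied by the operator; the script
    cannot know which legal mask a zone really needs. The argument form of
    'no ip address' is an assumption (see the lead-in).
    """
    cmds = []
    for zone, addr, mask in findings:
        cmds.append("zone %s" % zone)
        cmds.append(" no ip address %s %s" % (addr, mask))
        cmds.append(" ip address %s %s" % (addr, replacement_mask))
    return cmds


if __name__ == "__main__":
    found = find_illegal_masks(SAMPLE_CONFIG)
    for zone, addr, mask in found:
        print("illegal mask in zone %s: %s %s" % (zone, addr, mask))
    print("\n".join(remediation_commands(found, "255.255.255.0")))
```

Run it against the real exported configuration rather than the embedded sample, and review every emitted ip address line by hand before applying it: the script only proves a mask is non-contiguous, it cannot tell you what the zone range was meant to be.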

Operating Consideration

The copy ftp command supports active-mode FTP only. In active mode the FTP server opens the data connection back to the Detector, so a stateful firewall or NAT device between the Detector and the FTP server must permit that inbound connection or the transfer fails.

MultiDevice Manager Commands Omitted from the Configuration Guide

Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Detector were introduced in software version 5.1(5), but were omitted from the Cisco Traffic Anomaly Detector Configuration Guide. The following sections describe these commands:

mdm logging trap Command

mdm restore Command

show mdm Command

mdm logging trap Command

To set the severity level of the MDM messages that the Detector sends to syslog, use the mdm logging trap command in global configuration mode. To disable MDM trap logging, use the no form of this command.

The syntax for this command is as follows:

mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

The following table describes the keywords for the mdm logging trap command. Severity values follow the syslog convention, 0 being the most severe.

Keyword          Description
alerts           Immediate action needed (severity=1).
critical         Critical conditions (severity=2).
debugging        Debugging messages (severity=7).
emergencies      System is unusable (severity=0). This is the default.
errors           Error conditions (severity=3).
informational    Informational messages (severity=6).
notifications    Normal but significant conditions (severity=5).
warnings         Warning conditions (severity=4).


For example, to log informational messages, use the mdm logging trap informational command in global configuration mode. In the usual syslog threshold semantics this level also includes every more severe message (severity 0 through 6) and leaves out only debugging messages.

user@DETECTOR# configure 
user@DETECTOR-conf# mdm logging trap informational

mdm restore Command

When you enable the MDM service on the Detector so that the Cisco DDoS MultiDevice Manager (MDM) can manage the device, the MDM automatically upgrades the Remote Agent (RA) on the device when it establishes a communication link with the device. While the MDM is upgrading the device RA, the MDM displays the device operating state as Initializing. The state changes to Connected when the RA upgrade is complete.

A device that stays in the Initializing state indefinitely usually indicates that the MDM is attempting to upgrade the device RA but cannot complete the upgrade.

To resolve problems with upgrading and connecting the device RA, use the mdm restore command in global configuration mode. The command returns the device RA to the stub version and forces the MDM to reinstall the latest RA version.

The syntax for this command is as follows:

mdm restore

For example:

user@DETECTOR# configure 
user@DETECTOR-conf# mdm restore

show mdm Command

To check the status of MDM connections and settings, use the show mdm command in EXEC mode.

The syntax for this command is as follows:

show mdm

For example:

user@DETECTOR# show mdm 

The following table describes the fields in the show mdm display.

Field                 Description
MDM service state     Operating state of the MDM service: enabled or disabled.
MDM servers           List of the MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each server: key exchange is complete or key exchange is required.
Connected managers    The MDM server currently connected to and managing the device.
MDM syslog level      Syslog logging level set with the mdm logging trap command: alerts, critical, debugging, emergencies, errors, informational, notifications, or warnings.


Software Version 6.0(10) Open Caveats and Resolved Caveats

The following sections contain the open and resolved caveats in software version 6.0(10):

Software Version 6.0(10) Open Caveats

Software Version 6.0(10) Resolved Caveats

Software Version 6.0(10) Open Caveats

The following caveats are open in software version 6.0(10):

CSCsb05557—Remote activation and synchronization from a Detector appliance to a Guard appliance do not function when the Detector is located behind a device that performs Network Address Translation (NAT). Workaround: Change the network configuration so that the Detector is not behind NAT.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb29083—You cannot use the same name for packet dumps in different zones. Workaround: Assign a unique name to each manual packet dump.

CSCsc05116—The Detector may stop functioning or start logging errors after anomaly detection engine memory utilization reaches 100%. Workaround: Use the show resources command in global mode to view how much anomaly detection engine memory the Detector is currently using. Reducing the number of active zones may free memory.

CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Detector issues and logs an error message and attempts two additional loads.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may be unable to connect to the Detector. Workaround: Remove the login banner.

CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Detector.

CSCsd39569—After several hundred consecutive reloads, the Detector may reboot automatically. Workaround: None.

CSCsd71002—Under certain conditions, the Detector does not create and activate all of the child zones that are under attack. This occurs when the zone is defined on the Detector with the dst-ip-by-name activation method and the attack targets several IP addresses in the zone range. If only the global policies are active (that is, the dst_ip policies are not active), only the first IP address recognized is protected. Workaround: Ensure that the dst_ip policies are active on the zone.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.

CSCse27876—If you press Ctrl-C during the import of a new software version or configuration, the import is interrupted and the CLI session may be disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration that contains ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.

CSCsg42338—The Detector CPU usage may reach 100%. Workaround: Reboot the Detector.

CSCsi07283—The WBM does not reflect changes to the TimeZone definition until the Detector is rebooted. Workaround: Reboot the Detector.

CSCsi21984—When you use the WBM, browsing to a zone page is very slow after the zone has been active for a long time and its logs have become very long. Workaround: Export the zone logs to an external server and then clear the log files from the Detector database.

CSCsi50185—When synchronizing time with an NTP server, the Detector intermittently detects a major clock change (16 seconds or more) and issues a log message. Workaround: None.

CSCsj27292—The Detector does not count bypass filters correctly, which may cause the watchdog to reload the Detector. Workaround: Remove all unnecessary bypass filters.

Software Version 6.0(10) Resolved Caveats

The following caveats were resolved in software version 6.0(10):

CSCsh92933—After entering the tacacs authorization exec tacacs+ command, the show running-config command does not display the tacacs authorization exec tacacs command in the configuration output.

CSCsi2905, CSCsi17169—When you accept the thresholds produced by the learning process, the Detector intermittently reports an error for some of them.

CSCsi23637—When using the Web-Based Manager (WBM), TACACS+ login authentication falls back to local authentication even if the TACACS+ server rejects the authentication.

CSCsi65071—A flex-content filter with a single byte tcpdump expression may not detect the byte in the zone traffic.

CSCsi67008—A flex-content filter tcpdump expression does not look at the last byte of a packet.

CSCsi70650—The watchdog process intermittently becomes stuck on one of the child processes.

CSCsi78741—The internal watchdog constantly reloads the Detector and the accelerator card is unresponsive. The log contains many "cannot read counters" errors.

CSCsi86968—The MultiDevice Manager (MDM) fails to activate anomaly detection on a zone that is configured on two Detectors.
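Caveat CSCsi23637 is a fail-open authentication defect: an explicit reject from the TACACS+ server was treated the same way as a server that could not be reached, and the WBM then consulted the local user database. The TACACS+ authentication reply distinguishes these outcomes (PASS, FAIL and ERROR status values), and the login decision has to as well. The following Python model, added here and not taken from the Detector software, puts the fail-open decision the caveat describes beside the fail-closed one; the stub server, the two user databases and the function names are constructed for the illustration.

```python
"""Model of the login decision behind caveat CSCsi23637.

Added example, not the Detector's code. tacacs_authenticate() is a constructed
stand-in for a TACACS+ server; the user databases are constructed as well.
"""
from enum import Enum


class TacacsResult(Enum):
    PASS = "pass"            # server authenticated the user
    FAIL = "fail"            # server explicitly rejected the credentials
    UNREACHABLE = "error"    # timeout or no server answered


# Constructed stand-ins: what the TACACS+ server knows, and the device's local
# database with a stale password for "alice" and a local-only "admin" account.
TACACS_USERS = {"alice": "correct-horse"}
LOCAL_USERS = {"alice": "old-local-pw", "admin": "admin-local-pw"}


def tacacs_authenticate(user, password, server_up=True):
    """Stub TACACS+ exchange: UNREACHABLE when the server is down, else PASS/FAIL."""
    if not server_up:
        return TacacsResult.UNREACHABLE
    if TACACS_USERS.get(user) == password:
        return TacacsResult.PASS
    return TacacsResult.FAIL


def local_authenticate(user, password):
    return LOCAL_USERS.get(user) == password


def login_fail_open(user, password, server_up=True):
    """The behaviour the caveat describes: anything other than PASS, including an
    explicit FAIL from the server, drops through to the local database."""
    if tacacs_authenticate(user, password, server_up) is TacacsResult.PASS:
        return True
    return local_authenticate(user, password)


def login_fail_closed(user, password, server_up=True):
    """Corrected decision: a FAIL is final; local fallback only when no server answered."""
    result = tacacs_authenticate(user, password, server_up)
    if result is TacacsResult.PASS:
        return True
    if result is TacacsResult.FAIL:
        return False
    return local_authenticate(user, password)


def bypass_cases(local_users, server_up=True):
    """List the (user, password) pairs the fail-open logic accepts but the
    fail-closed logic rejects, i.e. the local credentials that bypass TACACS+."""
    return [
        (u, p)
        for u, p in local_users.items()
        if login_fail_open(u, p, server_up) and not login_fail_closed(u, p, server_up)
    ]


if __name__ == "__main__":
    for user, pw in bypass_cases(LOCAL_USERS):
        print("bypass: %s with local password %r" % (user, pw))
```

After upgrading to 6.0(10), the check is to log in to the WBM with an account whose password the TACACS+ server rejects: the login must fail even when a local account with that password exists. Stale local accounts with reused passwords are what turn this kind of fallback into a bypass of the central authentication policy, so prune them regardless of the software version.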

Software Version 6.0(5) Open Caveats and Resolved Caveats

The following sections contain the open and resolved caveats in software version 6.0(5):

Software Version 6.0(5) Open Caveats

Software Version 6.0(5) Resolved Caveats

Software Version 6.0(5) Open Caveats

The following caveats are open in software version 6.0(5):

CSCsb05557—Remote activation and synchronization from a Detector appliance to a Guard appliance do not function when the Detector is located behind a device that performs Network Address Translation (NAT). Workaround: Change the network configuration so that the Detector is not behind NAT.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb29083—You cannot use the same name for packet dumps in different zones. Workaround: Assign a unique name to each manual packet dump.

CSCsc05116—The Detector may stop functioning or start logging errors after anomaly detection engine memory utilization reaches 100%. Workaround: Use the show resources command in global mode to view how much anomaly detection engine memory the Detector is currently using. Reducing the number of active zones may free memory.

CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Detector issues and logs an error message and attempts two additional loads.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may be unable to connect to the Detector. Workaround: Remove the login banner.

CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Detector.

CSCsd39569—After several hundred consecutive reloads, the Detector may reboot automatically. Workaround: None.

CSCsd71002—Under certain conditions, the Detector does not create and activate all of the child zones that are under attack. This occurs when the zone is defined on the Detector with the dst-ip-by-name activation method and the attack targets several IP addresses in the zone range. If only the global policies are active (that is, the dst_ip policies are not active), only the first IP address recognized is protected. Workaround: Ensure that the dst_ip policies are active on the zone.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.

CSCse27876—If you press Ctrl-C during the import of a new software version or configuration, the import is interrupted and the CLI session may be disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration that contains ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.

Software Version 6.0(5) Resolved Caveats

The following caveats were resolved in software version 6.0(5):

CSCsb33259—The graphs for show counters history, show rates history, and the WBM traffic rates show only current rates and do not show logs for the zone. This occurs when the zone is active but carries no traffic.

CSCsc85020—The graph interpolates the end of an attack curve with current time instead of the real end of attack time.

CSCse64988—When you use the WBM to add a service to a zone, service thresholds are set to zero and are not tuned.

CSCsf02506—When you use the WBM to show zone general information, the error message "Unexpected error" may appear on the first try.

CSCsg22709—When you add a service in a WBM comparison screen, the service is not added to the zone. This occurs when you compare a zone with a snapshot.

CSCsg53101—When you use the WBM excessively, the RAM disk becomes filled with logs before the logrotate policy removes old logs. This situation may cause the Detector to become unstable and inaccessible.

Related Documentation

The following Detector documents are available:

Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note

Cisco Traffic Anomaly Detector Configuration Guide

Cisco Traffic Anomaly Detector Web-Based Manager Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html