Guest

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes, Version 7.0(4)

  • Viewing Options

  • PDF (338.9 KB)
  • Feedback
Cisco PIX Security Appliance Release Notes Version 7.0(4)

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 7.0(4)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Release

New Features

Auto Update Over a VPN Tunnel

Crashinfo Enhancement

Modular Policy Framework Enhancement

Support GTP Load Balancing Across GSNs

Downloadable Access Control Lists Enhancements

Converting Wildcards to Network Mask in Downloadable ACL

IPSec VPN: Add support for Cascading ACLs

Failover Key Command

Rate limiting of Syslog messages

Important Notes

Important Notes in Release 7.0

Maximum Security Contexts and VLANs Supported

IKE Delete-with-Reason

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported in Version 7.0

MIB Supported

Downgrade to Previous Version

Caveats

Open Caveats - Release 7.0(4)

Resolved Caveats - Release 7.0(4)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation and Submitting a Service Request


Cisco PIX Security Appliance Release Notes Version 7.0(4)


October 2005

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Obtaining Documentation and Submitting a Service Request

Introduction


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.


The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.

For more information on all the new features, see New Features

Additionally, the security appliance software supports ASDM. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a security appliance.


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.


Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.0.

Table 1 Flash Memory Requirements 

security appliance Model
Flash Memory Required in Version 7.0

PIX 515/515E

16 MB

PIX 525

16 MB

PIX 535

16 MB


For more information on minimum memory requirements, see "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.0(4) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.0 is PIX Version 6.2. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website:

http://www.cisco.com/public/sw-center/index.shtml

2. For information on specific licenses supported on each model of the security appliance, go to the following websites: https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See the "Upgrading to a New Software Release" for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.0(4). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.0(4). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 7.0(4) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 7.0(4) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 7.0(4) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN Remote v6.3

Version 7.0(4) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote v3.x/4x

Version 7.0(4) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 7.0(4) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance.

Upgrading to a New Software Release

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/index.shtml

New Features

This section describes the new features in this release. This section includes the following topics:

Auto Update Over a VPN Tunnel

Crashinfo Enhancement

Modular Policy Framework Enhancement

Support GTP Load Balancing Across GSNs

Downloadable Access Control Lists Enhancements

Converting Wildcards to Network Mask in Downloadable ACL

IPSec VPN: Add support for Cascading ACLs

Rate limiting of Syslog messages

Auto Update Over a VPN Tunnel

With this release, the auto-update server command has a new source interface argument that lets you specify an interface, such as a VPN tunnel used for management access and specified by the management-access command:

auto-update server url [source interface] [verify-certificate]

no auto-update server url [source interface] [verify-certificate]

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Crashinfo Enhancement

Output from the crashinfo command might contain sensitive information that is inppropriate for viewing by all users connected to the security appliance. The new crashinfo console disable command lets you suppress the output from displaying on the console.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Modular Policy Framework Enhancement

The new set connection timeout command lets you configure the timeout period, after which an idle TCP connection is disconnected.

For more information, see the "Using Modular Policy Framework" section in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Support GTP Load Balancing Across GSNs

If the security appliance performs GTP inspection, by default the security appliance drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load-balancing among a pool of GSNs to provide efficiency and scalability of GPRS. You can enable support for GSN pooling by using the permit response command. This command configures the security appliance to allow responses from any of a designated set of GSNs, regardless of the GSN to which a GTP request was sent.

For more information, see the "Enabling and Configuring GTP Inspection" section in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Downloadable Access Control Lists Enhancements

This feature adds a means of ensuring that downloadable ACL requests sent to a RADIUS server come from a valid source through the Message-Authenticator attribute.

Upon receipt of a RADIUS authentication request that has a username attribute containing the name of a downloadable ACL, Cisco Secure ACS authenticates the request by checking the Message-Authenticator attribute. The presence of the Message-Authenticator attribute prevents malicious use of a downloadable ACL name to gain unauthorized network access. The Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org.

For more information, see the "Configuring Any RADIUS Server for Downloadable ACLs" section in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Converting Wildcards to Network Mask in Downloadable ACL

Some Cisco products, for example the VPN 3000 concentrator and Cisco IOS routers, require that dowloadable ACLs be configured with wildcards instead of network masks. The adaptive security appliance, on the other hand, requires that downloadable ACLs be configured with network masks. This new feature allows the security appliance to internally convert a wildcard to a netmask. Translation of wildcard netmask expressions means that downloadable ACLs written for Cisco VPN 3000 series concentrators can be used by the security appliance without altering the configuration of the downloadable ACLs on the RADIUS server.

You can configure ACL netmask conversion on a per-server basis, using the acl-netmask-convert command, available in the AAA-server configuration mode. For more information about configuring a RADIUS server, see the "Identifying AAA Server Groups and Servers" section in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

IPSec VPN: Add support for Cascading ACLs

Cascading ACLs involves the insertion of deny ACEs to bypass evaluation against an ACL and resume evaluation against a subsequent ACL in the crypto map set. Because you can associate each crypto map with different IPSec settings, you can use deny ACEs to exclude special traffic from further evaluation in the corresponding crypto map, and match the special traffic to permit statements in another crypto map to provide or require different security. The sequence number assigned to the crypto ACL determines its position in the evaluation sequence within the crypto map set.

For more information, see the "Defining Crypto Maps" section in the Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Failover Key Command

The failover key command was modified to include the hex key keyword and argument. hex key specifies a hexadecimal value for the encryption key. The key must be 32 hexadecimal characters.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Rate limiting of Syslog messages

The logging rate limit enables you to limit the rate at which system log messages are generated. You can limit the number of system messages that are generated during a specified time interval.

You can limit the message generation rate for all messages, a single message ID, a range of message IDs, or all messages with a particular severity level. To limit the rate at which system log messages are generated, use the logging rate-limit command.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Important Notes

Important Notes in Release 7.0

This section lists important notes related to Version 7.0(4).

Maximum Security Contexts and VLANs Supported

The maximum security contexts supported in release 7.0(4) for the PIX 535 are 50 tiers. The maximum number of VLANs supported are 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide

IKE Delete-with-Reason

IKE syslogs for Delete-with-Reason will not contain the reason text unless the clients support this feature. Currently the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.


Note The PIX 501security appliance is not supported in software Version 7.0.


User Upgrade Guide

Before upgrading to Version 7.0(4), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in the Cisco PIX Software Version7.0. For a list of deprecated features, and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html


Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.0(4) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.0(4) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:

ACE insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.

Outbound ACLs and Time-based ACLs - Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling/Disabling of ACL Entries - Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.

Features not Supported in Version 7.0

The following features are not supported in Version 7.0(4) release:

PPPoE

L2TP over IPSec

PPTP

MIB Supported

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.


Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for the 7.0(4) release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 7.0(4)

Table 2 Open Caveats 

ID Number
Software Release 7.0(4)
Corrected
Caveat Title

CSCeg57001

No

Packet does not come to inspect after no inspect and inspect

CSCeh15557

No

Assertion in tmatch_compile_proc, all memory is not freed.

CSCeh18115

No

Authentication not triggered sometimes when URL filtering enabled.

CSCeh32087

No

PIM sends Register with untranslated IP when NAT pool exhausted.

CSCeh43554

No

Device may reload if showing and removing config at the same time

CSCeh46345

No

Dynamic L2L could pass clear text traffic when tunnel terminates

CSCeh60845

No

Logginig queue incorrectly registers 8192 256-byte blocks

CSCeh84006

No

Wrong http version number should not be allowed

CSCeh90617

No

Recompiling ACLs can cause packet drops on low-end platforms

CSCeh93834

No

RSA SecurID replica list is lost after reboot

CSCei02273

No

1st log message is not sent by mail in transparent firewall

CSCei43588

No

traceback when trying to match a packet to acl with deny

CSCej04099

No

static xlate breaks management-access inside

CSCsb28708

No

Console traceback using show route command

CSCsb40188

No

SCEP fails if RA cert has 4096 bit key

CSCsb41742

No

P2P/IM/tunneling traffic is only dropped if strict-http action is drop

CSCsb51038

No

Traceback: _snp_sp_create_flow+1937 with outbound ACL and Policy Statics

CSCsb80170

No

Address-pools needed in group-policy - missing functionality from VPN3K

CSCsb81593

No

removing sunrpc-server cli doesnt stop sunrpc traffic from getting thru

CSCsb90046

No

GTP context creation might fail w/ Tunnel Limit xxx exceeded error

CSCsb99385

No

strict-http: with a space before http ver should generate a tcp reset

CSCsc00176

No

clear xlate take 4.5+ mins to clear 60K PAT xlat

CSCsc02485

No

Session Cmd: sendind \036x\r to exit session to ssm causes Traceback

CSCsc07421

No

Traceback in Dispatch Unit - decoding h323 ras message

CSCsc07614

No

Minimum unit poll time causes trouble for failover with 4GE card

CSCsc10617

No

GTP: memory leakage after <clear config all> at gtp_init

CSCsc11724

No

Logging: Wrong behaivor if syslog is sent to a nonfunctioning tcp server

CSCsc12094

No

AAA fallback authentication does not work with reactivation-mode timed

CSCsc14591

No

xlate and xlate perfmon print graph are all zeros

CSCsc15378

No

Telnet to pix outside interface through IPSEC connection fails

CSCsc15434

No

Assertion violation w/icmp traffic and icmp inspection

CSCsc16041

No

'clear local host' results in memory leak

CSCsc16503

No

Transparent firewall ASR UDP out traffic got errors and inbound failed

CSCsc16607

No

fixup pptp fails with static pat server configuration

CSCsc17051

No

VPNFO: VPN Failover fails to parse P2 SA when IPCOMP is used

CSCsc17428

No

Tracebacks with ci/console with 'clear config all'

CSCsc18324

No

PIX 7.0.2 traceback in Dispatch Unit (Old pc 0x001dbdc6 ebp 0x01212404)

CSCsc18444

No

Tunnel-group for specific peer not created upgrading to 7.0 w/ certs

CSCsc18911

No

PIX does not remove OSPF route for global PAT entry after deleting


Resolved Caveats - Release 7.0(4)

Table 3 Resolved Caveats 

ID Number
Software Release 7.0(4)
Corrected
Caveat Title

CSCeh81062

Yes

wrong ip addr on outgoing packets when PAT and static port are used

CSCeh90309

Yes

Checkheaps process crashes while dumping corrupted memory blocks

CSCeh90617

Yes

Recompiling ACLs can cause packet drops on low-end platforms

CSCeh97228

Yes

cTCP: cTCP connection are dropped sporadically when connected F1 Bet

CSCei00497

Yes

PIX 7.0 doesnt encrypt packets if next hop is PIX interface.

CSCei20466

Yes

Increase in CPU utilization when OSPF is enabled

CSCei20682

Yes

FWSM uptime stops at 49 days 17 hours

CSCei23290

Yes

DHCP Relay fails when static specified

CSCei24062

Yes

Some hosts in the network connects to inside intf cannot be reached

CSCei29277

Yes

Performance of Skinny calls through PIX is poor

CSCei31310

Yes

PIX 7.0 sends NAT-T keepalives with wrong UDP pkt length value

CSCei33166

Yes

Crash while pinging through a L2L tunnel w/ 10,000 byte pings

CSCei33782

Yes

Simultaneous TFTP connections are not closed properly

CSCei38012

Yes

DHCP Server should check for correct network upon REQUEST for rebind

CSCei38640

Yes

AAA: radius /w expiry does not work when using funk radius server

CSCei38644

Yes

VPN3000 does not properly handle State Attribute

CSCei38647

Yes

IKE SA stuck in MM_DONE state

CSCei38651

Yes

NT auth for VPN clients do not work with domainuser or user@domain

CSCei38657

Yes

P1 rekey may fail when P1/P2 rekeying and retransmit required

CSCei38667

Yes

Can't differentiate between root CA certs that have been re-keyed

CSCei38669

Yes

IPSec rekey causes tunnel to drop

CSCei41326

Yes

AAA: fallback to LOCAL authentication does not work for SSH

CSCei43065

Yes

Traceback - 0x004a21b0 ojb-f1/c_crypto_map:_crypto_map_remove_np+80

CSCei43133

Yes

traceback eip 0x006026a4 obj-f1/snp_ha_db in ci/console af cleconfal

CSCei43459

Yes

Cannot pass generic SSH command arguments via SCP in PIX 7.0.1

CSCei44143

Yes

Crash in malloc.c if removing ACE from ACL

CSCei50190

Yes

PIX not accepting 2 ISAKMP policies with different AES types

CSCei50691

Yes

traceback with ASR enabled for session with 2ndary conn in TFW mode

CSCei51783

Yes

Group enumeration possible on Benetton platform

CSCei51867

Yes

Usability - crypto config should be grouped together in CLI output

CSCei52413

Yes

PIX fails to import cert if CA issuer has 4096 bits cert

CSCei52906

Yes

Routes assoc. w/ net ext tunnels fail to get removed after tun drop

CSCei54438

Yes

Inspects that use TCP proxy must enable dual TCP normalizer mode

CSCei56278

Yes

All access-lists removed when removing one

CSCei57279

Yes

Cascading ACL: Deny rules not working after tunnel established

CSCei57980

Yes

c2950/3550/3750 connected to PIX causes RX errors after pix reload

CSCei62347

Yes

acl interval default value not show when inactive parameter used

CSCei64608

Yes

GTP: box reloads when Create Response has 3rd party GSN addr

CSCei65780

Yes

standby PIX may reload during the command replication

CSCei67952

Yes

GTP: PDP Context expires even when data is present in the tunnel

CSCei68679

Yes

Traceback on telnet TACACS+ authentication through the firewall.

CSCei68679

Yes

Traceback on telnet TACACS+ authentication through the firewall.

CSCei69450

Yes

RSH connection done by a cronjob fails through PIX 7.0

CSCei70172

Yes

TCP dynamic proxy doesnt fast retransmit lost packet

CSCei70785

Yes

TCP proxy must send data from retransmit queue when ACK is received

CSCei71868

Yes

Deny message for inbound traffic with no access-list changed

CSCei75013

Yes

confg doesnt get copied to admin ctx when changing mode SRM->MRM

CSCei78667

Yes

URL filtering: misc issues related to request exhaustion and cleanup

CSCei81803

Yes

Assert in validate_chunk() during startup

CSCei83304

Yes

clear conf sec doesnt clear igmp and ospf param in ifx submode

CSCei83942

Yes

PPTP connection throug PIX dropped after 2 min of inactivity

CSCei84925

Yes

traceback obj-f1/snp_tfw:_snpi_tfw_update_l2_entry+75 af apply conf

CSCei87390

Yes

Removing failover group causes traceback with 4GE installed

CSCei87785

Yes

MGCP: Call cannot be placed with IP phone using BTS CA & version 1.0

CSCei92828

Yes

Authentication failing for virtual telnet/http in transperent mode

CSCei93112

Yes

Existing connections not replicated to standby after failover

CSCei93790

Yes

Clear configure all in single transparent mode causes traceback

CSCej08898

Yes

tcpintercept caused trcback.embconn=0,maxconn!=0,eip:0x00c32dbc

CSCej12123

Yes

OSPF external routes preferred over internal with multiple processes

CSCej24446

Yes

error in processing IKE

CSCsb32565

Yes

Device reboots unexpectedly with traceback

CSCsb36441

Yes

Traceback eip _snp_fp_inspect_ip_options with IP Frag and 10 KB ping

CSCsb36525

Yes

DACL fails intermittently in PIX 7.0 code with ACL can't be found

CSCsb37531

Yes

Traceback after failover if TCP Intercept is triggered.

CSCsb38475

Yes

Port values byte reversed in %PIX-3-620002: Drop CTIQBE syslog message

CSCsb40331

Yes

PIX 7.0(1)2 Assertion Violation w/Multiple Context & VOIP Configuration

CSCsb45373

Yes

Traceback tcp_slow after vpn system test script strtd snd cfg setupUUT

CSCsb45584

Yes

Traceback eip _snp_ids_cleanup_cb with ips promiscuous and 100 byte ping

CSCsb46603

Yes

GTP: Responses that reject Create Requests are dropped

CSCsb46862

Yes

Assertion in ctm_sw_rng_x931.c:update_key

CSCsb47027

Yes

PIX crashed eip 0x00b8773c (image 7.0.2.1)

CSCsb47825

Yes

F1 fails to establish TCP remote access sessions with 3002 HW client

CSCsb49125

Yes

F1 crashes at <show debug> command

CSCsb50946

Yes

High cpu due to shun command

CSCsb52950

Yes

With banner exec command and # as delimiter replication not correct

CSCsb53407

Yes

MFIB: tracebacks when bouncing multicast-routing

CSCsb54545

Yes

Traceback eip _keyword_option_flex_action with show ip local pool

CSCsb55104

Yes

Syslog message 710003 is overloaded; behaves different than in PIX 6.3

CSCsb55282

Yes

sh inventory does not show 4GE module

CSCsb55550

Yes

traceback in pki_ctm:_pki_ctm_verify_signature+164 - 8192 bit certs conn

CSCsb56247

Yes

traceback in crypto_pki:_crypto_pki_poll_crl+52 - with crl opt PKI

CSCsb58364

Yes

VPNFO: tunnels get dropped when fover occurs

CSCsb58364

Yes

VPNFO: tunnels get dropped when fover occurs

CSCsb61027

Yes

mcast: secondary crashes shortly after sync'd with primary

CSCsb61462

Yes

PIX closes XDMCP/X display connections after some random time

CSCsb61644

Yes

PIX crashes when acessing ASDM over IPSec/TCP-10000 tunnel

CSCsb61832

Yes

HTTP-Proxy functionality (Port Forwarding) not working on Windows ME.

CSCsb62617

Yes

VPN: assertion 0 failed: file malloc.c, line 4570 RA dial/hang test

CSCsb62908

Yes

Closing the Port Forwarding Applet removes existing Proxy configuration

CSCsb63920

Yes

CLI: no ssl trust-point cmmd causes traceback, ssl_chain:_ssl_trustpoint

CSCsb64159

Yes

VPNLB: need ability to assign a trustpoint to the vcpip address

CSCsb64985

Yes

4ge module interface stops passing traffic after using QoS and L2L tunn

CSCsb67119

Yes

Inspect ESMTP incorrectly rewrites smtp reply containing 220 in text

CSCsb67166

Yes

Time based ACLs not working properly if object groups are used

CSCsb70268

Yes

'hw-module module 1 reload reloads 4GE module

CSCsb71198

Yes

incorrectly formatted DL ACL causes traceback in IKE daemon

CSCsb72604

Yes

crash in snmp thread after nmap UDP scan of port 161

CSCsb72665

Yes

IX 7 may drop valid TCP segments that carry data in final segment

CSCsb72803

Yes

rash triggered when system is out of memory

CSCsb74050

Yes

F1 crashed when sweep-ping (G-PDU) thru GTP tunnel v0

CSCsb75857

Yes

F1 hit memory corrution crash @ clear conf gtp then clear conf all

CSCsb76268

Yes

Immediately after upgrade to 7.0(1) - interfaces stuck in waitingstate

CSCsb76426

Yes

DACL fails intermittently in PIX 7.0 code with ACL can't be found

CSCsb76995

Yes

%PIX-3-113001: Unable to open AAA session. Session limit [32] reached

CSCsb77332

Yes

traceback in fover_parse on standby unit if config contains webtype acl

CSCsb77397

Yes

Traceback: eip 0x00c3426c strcpy:_strcpy+12, using deb menu ike commands

CSCsb78230

Yes

hw-module module 1 shut and reset do not bring up the 4ge module

CSCsb79742

Yes

incorrectly formatted downloadable acl causes traceback in emweb/https

CSCsb80196

Yes

DHCP ID String is limited to 50 characters, should be 128

CSCsb81575

Yes

key gen causes an assert if PIX has DES only license

CSCsb82583

Yes

PIX515E with VAC+ fails FIPS validation test and reboots

CSCsb82663

Yes

Out of order TCP packets degrade HTTP inspection performance

CSCsb83962

Yes

F1 OSPF regression scripts hang with removal of router config

CSCsb85239

Yes

PIX running 7.0.(1.5) crash with assert in TCP proxy 'tcp_slow'

CSCsb85767

Yes

URL Filtering with long URLs could cause memory corruption

CSCsb85780

Yes

Malformed HTTP GET request causes URL filtering module to cause a crash.

CSCsb88557

Yes

Traceback at snap:_snap_mini_dump+26 with acl Logging: thread-arp_timer

CSCsb89147

Yes

certificate-to-username mapping broken for some DN attributes

CSCsb91835

Yes

PIX reload in smtp/esmtp inspection {insp_process_smtp_data}

CSCsb91837

Yes

vpn-filter incorrectly blocking traffic with echo, echo-response keyword

CSCsb93659

Yes

Local IP doesn't get translated with NAT Exemption

CSCsb94651

Yes

Overlapping static statements should be allowed

CSCsb94689

Yes

4GE card firmware accessing incorrect PHY address

CSCsb95027

Yes

Stadby Betabox rebooted while upgrading to 7.0.3.19

CSCsb95259

Yes

No hits shown on access-list associated to a group-policy vpn-filter

CSCsb97680

Yes

traceback in radpact:_RADPBldHWClientReauth+260 during 3002 New Pin Mode

CSCsb98667

Yes

sunrpc inspection causes memory allocation error on pix 7.0.2

CSCsb99192

Yes

Show access-list | inc xxx causes traffic through device to be delayed

CSCsb99360

Yes

Logging queue 0 is wrongly shown as being unlimited queue

CSCsb99760

Yes

pix 7.0.2 extended split acl reverse of 6.3 format

CSCsb99792

Yes

PATed ICMP conn stops PIX from responding to ICMP Echo-Requests

CSCsc00709

Yes

PIX enable authentication issue

CSCsc02230

Yes

nat entry with outside keyword : ERROR: unable to download policy

CSCsc02485

Yes

Session Cmd: sendind 036xr to exit session to ssm causes Traceback

CSCsc02574

Yes

pki: ID cert signature validation failure allows successful connection

CSCsc05446

Yes

PIX sends ARP for RP address which is few hops away

CSCsc06282

Yes

fover: ip local pool fails to replicate after issuing from grp submode

CSCsc06477

Yes

unable to manage running config with err msg: configuration in progress

CSCsc06702

Yes

VPN: Interface counters are incorrectly incremented on decrypted packets

CSCsc08684

Yes

PIX 7.0.2 built connection number shows up as negative on syslog

CSCsc08843

Yes

DHCP-Relay drops packets when source address is non-zero

CSCsc09527

Yes

VPNFO: cannot establish a vpn tunnel "session limit reached" sa cnt -1

CSCsc09932

Yes

Assertion in file "vf_api.c", line 264, traceback in strdup:_int3+4

CSCsc14837

Yes

ARP fails on the 4GE interfaces in routed firewall mode


Related Documentation

Use this document in conjunction with the PIX Firewall and Cisco VPN client Version 3.x documentation at the following websites:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.