Cisco PIX Security Appliance Release Notes Version 7.0(5)



April 2006

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Obtaining Documentation and Submitting a Service Request

Introduction


Note: The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.


The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.

For more information on all the new features, see New Features.

Additionally, the security appliance software supports ASDM. ASDM is a browser-based Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a security appliance.


Note: The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.


Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade the system memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.0.

Table 1 Flash Memory Requirements

Security Appliance Model | Flash Memory Required in Version 7.0
PIX 515/515E | 16 MB
PIX 525 | 16 MB
PIX 535 | 16 MB


For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.0(5) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.0 is PIX Version 6.2. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website:

http://www.cisco.com/public/sw-center/index.shtml

2. For information on specific licenses supported on each model of the security appliance, go to the following website:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See the "Upgrading to a New Software Release" section for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.0(5). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.0(5). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series | Interoperability Comments
Cisco IOS routers | Version 7.0(5) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.
Cisco VPN 3000 concentrators | Version 7.0(5) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client | Interoperability Comments
Cisco VPN client v3.x/4x (Unified VPN client framework) | Version 7.0(5) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote | Interoperability Comments
Cisco PIX Security Appliance Easy VPN Remote v6.3 | Version 7.0(5) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
VPN 3000 Easy VPN remote v3.x/4x | Version 7.0(5) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.
Cisco IOS Easy VPN remote Release 12.2(16.4)T | Version 7.0(5) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance.

Upgrading to a New Software Release

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/index.shtml

New Features

Command to Control DNS Guard

Version 7.0(5) introduces a new global configuration command, dns guard, to control the DNS guard function. In releases prior to 7.0(5), the following DNS guard functions were always enabled regardless of the configuration of DNS inspection:

Stateful tracking of the DNS response with the DNS request to match the ID

Tearing down the DNS connection when all pending requests have been answered

This command is effective only on interfaces with inspect dns disabled. When DNS inspection is enabled, the DNS guard function is always performed. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
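The two DNS guard functions listed above, modeled in Python as an added example (this is not Cisco's implementation and not code from the release notes). The class name DnsGuardFlow, the verdict strings, and the sample packets are constructed for illustration; the model tracks one client-to-server UDP DNS connection.

```python
import struct

QR_BIT = 0x8000  # set in the flags word of every DNS response


def dns_header(packet: bytes):
    """Return (transaction_id, is_response) from a raw DNS message."""
    if len(packet) < 12:  # a DNS header is always 12 bytes
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & QR_BIT)


class DnsGuardFlow:
    """Toy model of one UDP DNS connection with DNS guard applied."""

    def __init__(self):
        self.pending = set()  # IDs of requests still waiting for a response
        self.open = False     # True while the connection entry exists

    def from_client(self, packet: bytes) -> str:
        try:
            txid, is_response = dns_header(packet)
        except ValueError:
            return "drop-malformed"
        if is_response:
            return "drop-not-a-request"
        self.pending.add(txid)  # function 1: remember the request ID
        self.open = True
        return "forward"

    def from_server(self, packet: bytes) -> str:
        if not self.open:
            return "drop-no-connection"
        try:
            txid, is_response = dns_header(packet)
        except ValueError:
            return "drop-malformed"
        if not is_response or txid not in self.pending:
            return "drop-id-mismatch"  # response ID matches no pending request
        self.pending.discard(txid)
        if not self.pending:
            self.open = False  # function 2: tear down once all are answered
        return "forward"


def make_dns(txid: int, response: bool = False) -> bytes:
    """Build a constructed DNS message (one question, example.com A IN)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    return header + question


def demo():
    """Replay a constructed exchange and return the verdict for each packet."""
    flow = DnsGuardFlow()
    steps = [
        ("client", make_dns(0x1A2B)),
        ("client", make_dns(0x1A2C)),
        ("server", make_dns(0x9999, response=True)),  # ID never requested
        ("server", make_dns(0x1A2B, response=True)),
        ("server", make_dns(0x1A2B, response=True)),  # duplicate answer
        ("server", make_dns(0x1A2C, response=True)),  # last pending request
        ("server", make_dns(0x1A2C, response=True)),  # arrives after teardown
    ]
    return [
        flow.from_client(pkt) if side == "client" else flow.from_server(pkt)
        for side, pkt in steps
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
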

Enhanced IPSEC Inspection

The enhanced IPSec inspect feature provides the ability to open specific pinholes for ESP flows based on the existence of an IKE flow. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on the number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

Command to Disable RST for Denied TCP Packets

When a TCP packet is denied, the security appliance always sends a reset when the packet is going from a high security to a low security interface. The service resetinbound command is used to enable or disable sending resets when a TCP packet is denied going from a low security to a high security interface. The service resetoutbound command is introduced to control sending resets when a packet is denied going from a high security to a low security interface. The existing service resetinbound command is enhanced to take an additional interface option.

[no] service resetoutbound [interface <ifc name>]

[no] service resetinbound [interface <ifc name>]

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Password Increased in Local Database

The username and enable password length limits in the LOCAL database on the security appliance are increased from 16 to 32.

Enhanced show interface and show traffic Commands

The traffic statistics displayed in both the show interface and show traffic commands now support 1 minute rate and 5 minute rate for input, output and drop. The rate is calculated as the delta between the last two sampling points. For the 1 minute rate and 5 minute rate, a 1 minute timer and a 5 minute timer are run constantly for the rates respectively. An example of the new display follows:

1 minute input rate 128 pkts/sec, 15600 bytes/sec

1 minute output rate 118 pkts/sec, 13646 bytes/sec

1 minute drop rate 12 pkts/sec

5 minute input rate 112 pkts/sec, 13504 bytes/sec

5 minute output rate 101 pkts/sec, 12104 bytes/sec

5 minute drop rate 4 pkts/sec
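A parser for the rate lines shown above, with the delta-between-two-samples calculation the text describes, as an added Python example (not Cisco code). The function names, the integer rounding, the counter-reset handling, and the alerting factor of 2 are assumptions made for illustration; SAMPLE_DISPLAY is the display copied from this section.

```python
import re

# The display from the release notes, used as sample input.
SAMPLE_DISPLAY = """\
1 minute input rate 128 pkts/sec, 15600 bytes/sec
1 minute output rate 118 pkts/sec, 13646 bytes/sec
1 minute drop rate 12 pkts/sec
5 minute input rate 112 pkts/sec, 13504 bytes/sec
5 minute output rate 101 pkts/sec, 12104 bytes/sec
5 minute drop rate 4 pkts/sec
"""

RATE_LINE = re.compile(
    r"^\s*(?P<window>\d+) minute (?P<kind>input|output|drop) rate "
    r"(?P<pkts>\d+) pkts/sec(?:,\s*(?P<bytes>\d+) bytes/sec)?\s*$"
)


def parse_rates(text):
    """Map (window_minutes, kind) to the rates found on each matching line."""
    rates = {}
    for line in text.splitlines():
        match = RATE_LINE.match(line)
        if match is None:
            continue  # skip every other line of show interface / show traffic
        entry = {"pkts_per_sec": int(match["pkts"])}
        if match["bytes"] is not None:  # drop lines carry no byte rate
            entry["bytes_per_sec"] = int(match["bytes"])
        rates[(int(match["window"]), match["kind"])] = entry
    return rates


def rate_from_samples(prev_count, curr_count, interval_sec):
    """Rate as the delta between the last two sampling points.

    Returns None when the counter went backwards (assumed here to mean the
    counters were cleared or the unit reloaded between the two samples).
    """
    if interval_sec <= 0:
        raise ValueError("interval must be positive")
    if curr_count < prev_count:
        return None
    return (curr_count - prev_count) // interval_sec  # rounding is assumed


def drop_rate_rising(rates, factor=2.0):
    """True when the 1 minute drop rate exceeds factor x the 5 minute rate."""
    short = rates[(1, "drop")]["pkts_per_sec"]
    long_term = rates[(5, "drop")]["pkts_per_sec"]
    return short > factor * long_term


if __name__ == "__main__":
    parsed = parse_rates(SAMPLE_DISPLAY)
    for key in sorted(parsed):
        print(key, parsed[key])
    print("drop rate rising:", drop_rate_rising(parsed))
```

Because each rate is recomputed only when its timer fires, a burst shorter than the window shows up in one sample and then disappears; comparing the 1 minute and 5 minute drop rates is one way to notice it.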

Important Notes

Important Notes in Release 7.0

This section lists important notes related to Version 7.0(5).

Maximum Security Contexts and VLANs Supported

The maximum security contexts supported in Version 7.0(5) for the PIX 535 are 50 tiers. The maximum number of VLANs supported is 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide.

IKE Delete-with-Reason

IKE system log messages for Delete-with-Reason do not contain the reason text unless the clients support this feature. Currently the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.


Note: The PIX 501 security appliance is not supported in software Version 7.0.


User Upgrade Guide

Before upgrading to Version 7.0(5), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in Cisco PIX Software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html


Caution: If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.0(5) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.0(5) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:

ACE insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.

Outbound ACLs and Time-based ACLs - Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling/Disabling of ACL Entries - Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.

Features not Supported in Version 7.0

The following features are not supported in Version 7.0(5) release:

PPPoE

L2TP over IPSec

PPTP

MIB Supported

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.


Caution: Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for Version 7.0(5).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 7.0(5)

Table 2 Open Caveats

ID Number | Software Release 7.0(5) Corrected | Caveat Title
CSCei47678 | No | SNMP packet size standards in RFC3417 not fully supported.
CSCek21836 | No | SIP: BYE embryonic connection timestamp not updated.
CSCsc36891 | No | Higher CPU utilization for url filtering in recent releases.
CSCsc37965 | No | IP-directed broadcasts no longer allowed through device.
CSCsc68575 | No | CPU usage is higher for given traffic throughput in recent releases.
CSCsc97602 | No | Traceback is sometimes observed in tmatch compile thread.
CSCsd00086 | No | ASDM connection may cause packet loss
CSCsd08170 | No | UDP 500 not removed from pat port pool when crypto map is applied
CSCsd59936 | No | Registering to the RP for PIM fails if fragmented in more then 12 packs
CSCsd69625 | No | EZVPN:IOS C876 Client can't connect to ASA using digi certs and noXauth
CSCsd75865 | No | VPN address pool overlap may cause packet drop.
CSCsd78428 | No | Traceback may occur in Checkheaps on standby unit
CSCsd79596 | No | H245 connection going idle although traffic on RTP stream and H225.
CSCsd82355 | No | Malformed syslog packets may be generated.
CSCsd82714 | No | RTSP fails with Windows media player
CSCsd84394 | No | IPSec: Invalid block submitted to outbound packet processing
CSCsd85345 | No | Traceback may occur in fover_parse on 7.0.4
CSCsd89503 | No | Traceback during failover in routing module
CSCsd93207 | No | Show failover indicates different uptimes on devices in failover pair
CSCsd93380 | No | Packets for VPN-l2l peer get dropped instead of encrypted


Resolved Caveats - Release 7.0(5)

Table 3 Resolved Caveats

ID Number | Software Release 7.0(5) Corrected | Caveat Title
CSCeh46345 | Yes | Dynamic L2L could pass clear text traffic when tunnel terminates
CSCeh60845 | Yes | Logging queue incorrectly registers 8192 256-byte blocks
CSCeh70043 | Yes | DOC: sh asp drop needs further clarification in doc
CSCeh90617 | Yes | Recompiling ACLs can cause packet drops on low-end platforms
CSCei43588 | Yes | traceback when trying to match a packet to acl with deny
CSCek21835 | Yes | Higher metric OSPF external route is selected
CSCek21836 | Yes | SIP: PIX does not update BYE embryonic's timestamp.
CSCek21837 | Yes | PDM with Command Authorization requires the write command for Read-Only
CSCek21838 | Yes | SIP: fail to open a conn for Record route in NOTIFY
CSCek21843 | Yes | SIP: Not translate c= address if first m= has port 0 in SDP body
CSCek21846 | Yes | SIP: PIX does not parse the expire value in Register
CSCek21849 | Yes | Backspace sent in cut-through proxy authentication
CSCek26572 | Yes | tftp fixup does not allow error message from client
CSCek27919 | Yes | PIX reload with Thread Name: tcp_slow
CSCsb98925 | Yes | PIX-3-210007: LU allocate xlate failed is logged on the standby PIX
CSCsc02485 | Yes | Session Cmd: sendind 036xr to exit session to ssm causes Traceback
CSCsc03061 | Yes | CLI should generate Warning if kerberos-relm is not in all uppercase
CSCsc07614 | Yes | Minimum unit poll time causes trouble for failover with 4GE card
CSCsc08188 | Yes | 5540 crash during 1000+ tunnel, multi-encapsulation system testing
CSCsc12094 | Yes | AAA fallback authentication does not work with reactivation-mode timed
CSCsc15378 | Yes | Telnet to PIX outside interface through IPSEC connection fails
CSCsc15434 | Yes | Assertion violation w/icmp traffic and icmp inspection
CSCsc16014 | Yes | PIX 7.0 Spoofed TCP SYN packets can block legitimate TCP connections
CSCsc16041 | Yes | 'clear local host' results in memory leak
CSCsc16507 | Yes | url-server: cannot remove despite having removed url-block cmd
CSCsc18324 | Yes | PIX 7.0.2 crashes in Dispatch Unit (Old pc 0x001dbdc6 ebp 0x01212404)
CSCsc18444 | Yes | Tunnel-group for specific peer not created upgrading to 7.0 w/ certs
CSCsc18911 | Yes | PIX does not remove OSPF route for global PAT entry after deleting
CSCsc20032 | Yes | PIX may reload in IPsec message handler when clearing IPSec SAs
CSCsc20102 | Yes | webfo: traceback during bulk sync in vpnfol_thread_sync
CSCsc23718 | Yes | ERROR: Command requires failover license - seen in PIX upgrade to 7.0
CSCsc26331 | Yes | PKI: CR should not be used to terminate certificate console input
CSCsc27972 | Yes | Traceback when changing crypto maps when Answer-Only in lower sequence
CSCsc28889 | Yes | Upgrade PIX 6.3.5 to 7.0.4 with PFS does not maintain ipsec group
CSCsc29264 | Yes | TACACS+ command authorization uses service=PIXshell
CSCsc31195 | Yes | PIX crash Thread Name: uauth (Old pc 0x009edcc1 ebp 0x0147281c)
CSCsc31762 | Yes | Fixup RTSP does not re-write the SET Parameter to the NATed IP address
CSCsc31788 | Yes | Failover Primary access-list delete problem crashes secondary
CSCsc33385 | Yes | GTP - pdp context creation failed - GSN tunnel limit exceeded
CSCsc34022 | Yes | PIX requires improved failover testing method
CSCsc36332 | Yes | Crash with show running-config all when priority class configured
CSCsc36898 | Yes | FIPS: POST Bypass test failure
CSCsc37492 | Yes | PIX: snmp-server host is not working in some circumstances
CSCsc39334 | Yes | Crash due to check-retransmission from the tcp-map
CSCsc39559 | Yes | APPFW:Obfuscated characters causing alert with firefox browser
CSCsc42204 | Yes | Syslog ID 111005 no longer being logged when user exits config mode
CSCsc44566 | Yes | Traceback in Dispatch Unit - pm_rcv_cb_ids
CSCsc44591 | Yes | Traceback in ARP Thread - arp_sendbp in multi context mode
CSCsc46976 | Yes | SIP: crash when failed to pre-allocate early rtp
CSCsc48330 | Yes | OpenSSL Security Advisory: Potential SSL 2.0 Rollback
CSCsc49830 | Yes | IKE daemon crashes after upgrading
CSCsc49873 | Yes | VPN-filter not applied without for remote VPN clients without xauth
CSCsc51939 | Yes | Performance throughput problems through the PIX w/ http inspect enabled
CSCsc56552 | Yes | Adding user context causes traceback on Standby unit
CSCsc57901 | Yes | Memory leak when the standby unit fails to parse IKE messages
CSCsc59298 | Yes | VPN: IPSec errors are reported when trying to fragment compressed pkts
CSCsc60506 | Yes | Large banner from RADIUS is causing traceback
CSCsc67347 | Yes | VPN locks up under throughput stress
CSCsc68126 | Yes | PIX may run out of free TCP Sockets
CSCsc68575 | Yes | PIX 535 7.0.2 show cpu usage at 75% for traffic throughput of 140 Mbs
CSCsc73580 | Yes | traceback in logger_save after clear config logging
CSCsc73942 | Yes | TCP RST is dropped when there is outstanding data that is not acked
CSCsc77884 | Yes | GTP: should check spare bits in header
CSCsc78010 | Yes | PIX 7.0.4 Crash in Thread Name: Checkheaps
CSCsc78900 | Yes | Reload with Thread Name: Dispatch Unit at tcp_check_packet
CSCsc81236 | Yes | PIX may reload unexpectedly when processing ICMP Error packets
CSCsc81668 | Yes | https://<ip>/config does not have the same privilege level as 'write'
CSCsc84291 | Yes | When using SSL the warning message is not returned back
CSCsc86217 | Yes | Voice Proxy Function does not preserve DSCP bits
CSCsc90826 | Yes | PIX 7.0 getting the error %PIX-1-106021 when ip verify command enable
CSCsc90944 | Yes | PIX sends malformed https proxy authentication page.
CSCsc91450 | Yes | PIX 7.0 ftp control channel timing out although data channel is active
CSCsc92575 | Yes | Upgrade Activation Key reduces permitted interfaces
CSCsc93061 | Yes | PIX crashes after activation of vpn-filter
CSCsc97846 | Yes | CPU utilization increase when adding more logging hosts
CSCsc97905 | Yes | traceback when running codenomicon snmp suite. eip 0x00ebf294
CSCsc97999 | Yes | Syslog Message ID PIX-4-313003 is Overloaded
CSCsc98336 | Yes | Large group-policy names cause crash if used with IPSec
CSCsc98339 | Yes | Failovered secondary PIX crash when primary unit turned off
CSCsc99263 | Yes | GTPv1: Subsequent Create Req to modify PDP context IEs are not processed
CSCsc99339 | Yes | traceback when running ospf codenomicon suite.eip 0x00ef5f7c
CSCsc99364 | Yes | SSL Certs from Verisign Managed PKI do not install
CSCsd00051 | Yes | SNMP polling may cause packet loss
CSCsd01096 | Yes | Primary active crash and both primary and secondary are non-active
CSCsd01722 | Yes | PIX 7.0 logging message 419001 always sent in message lists
CSCsd02938 | Yes | PIX doesn't reconnect if websense server goes down
CSCsd03391 | Yes | TCP Intercept doesn't negate CPU impact when SYN flood from adjacent net
CSCsd04700 | Yes | match port option for setting connection time-outs does not work
CSCsd08060 | Yes | Memory corruption caused by session DB when events are out of sync
CSCsd10138 | Yes | Crash in Checkheaps thread when enabling LAN2LAN vpn
CSCsd11179 | Yes | SNMP polling of resource MIBS may cause packet loss
CSCsd11511 | Yes | Crash due to memory corruption in sanity check of the Checkheaps thread
CSCsd11908 | Yes | Traceback in logger_save thread
CSCsd13938 | Yes | Traceback and Assertion in "fover_dev.c", line 513
CSCsd16751 | Yes | GTP: wrong service-policy used when connection is re-used
CSCsd22910 | Yes | users with passwords longer than 11 chars can no longer authenticate
CSCsd31068 | Yes | platform image read as ascii if uploaded by asdm to flash:
CSCsd34070 | Yes | H.245 inspection skipped when malformed GKRCS packet
CSCsd36030 | Yes | in multiple policy-maps, packets should match the first map, not the last
CSCsd37075 | Yes | DSH API should check for 0 handle
CSCsd38929 | Yes | SSL Verisign imported certificate fails when establishing SSL session
CSCsd39029 | Yes | Traceback with Thread Name: Dispatch Unit
CSCsd44349 | Yes | PIM codenomicon suite crashes box - eip 0x010811f3
CSCsd45099 | Yes | logging debug-trace should not prevent debugs from printing to console
CSCsd46111 | Yes | Traceback when using sh xlate via telnet over VPN tunnel
CSCsd46922 | Yes | High CPU usage when configuring/compiling ACL's
CSCsd48512 | Yes | Duplicate ASP crypto table entry causes firewall to not encrypt traffic
CSCsd51884 | Yes | Restore debug icmp trace functionality - showing nat translation
CSCsd58400 | Yes | PIX fails to send Embryonic Limit Exceeded message
CSCsd58620 | Yes | H.323: Memory Leak Under Load
CSCsd58848 | Yes | Memory allocated for connections not freed
CSCsd64394 | Yes | Deny syslog not generated for denied URLs traffic
CSCsd64912 | Yes | url-server: tcp connections fail when tcp stack users are exhausted
CSCsd64920 | Yes | url-server: url lookup requests are not retried when using tcp
CSCsd65209 | Yes | url-block block: http response buffering feature does not work
CSCsd65215 | Yes | Capture access-list shows only 1 hit count for outbound traffic
CSCsd67647 | Yes | Traceback in obj-f1/tcp:_q_copydata+26 on copying image to ftp server
CSCsd70242 | Yes | Some syslogs are incorrectly logged to an event list, when not specified
CSCsd70812 | Yes | HA: Traffic Stall after config syncing running Act/Act fover
CSCsd71386 | Yes | RTSP traffic led the PIX to crash
CSCsd72617 | Yes | Dispatch Unit Crash when HTTP inspect enabled...PIX 7.1.2, 7.0.4-11
CSCsd72951 | Yes | Traceback: Thread Name: IKE Daemon (Old pc 0x00507433 ebp 0x03bdc498)
CSCsd73852 | Yes | PIX H.323 Inspect not opening media stream
CSCsd74964 | Yes | SNP Inspect Http drops messages other than GET
CSCsd75794 | Yes | MFW:R applfw crash on codenomicon http suite, test 39614 or 39615
CSCsd76384 | Yes | dhcpc fails when management-access is configured
CSCsd77018 | Yes | Traceback in obj-f1/snp_fp_main:_snp_fp_fragment+260
CSCsd77155 | Yes | All out of order packets dropped by tcp normalizer
CSCsd78595 | Yes | Global buffer drop output under show service-policy
CSCsd81496 | Yes | crash when websense service is restarted while requests are pending
CSCsd82047 | Yes | PIX 7.0(4) FO : bad LU from Act causes LU allocate xlate failed on Std
CSCsd82114 | Yes | Change of log options on the ACE doesn't take immediate effect
CSCsd83007 | Yes | Need ability to disable dns guard in 7.0
CSCsd83863 | Yes | Reload with Thread Name: Dispatch Unit
CSCsd85451 | Yes | SAs not created when crypto map group and isakmp policy group are differ
CSCsd86841 | Yes | F1 crash immediately after sending ping traffic thru GTP tunnel
CSCsd87779 | Yes | fips self test power on never completes


Related Documentation

Use this document in conjunction with the PIX Firewall and Cisco VPN client Version 3.x documentation at the following websites:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
