Release Notes for Cisco Security Manager 3.3.1

Updated: October 18, 2011

These release notes are for use with the Cisco Security Manager (Security Manager), Release 3.3.1.

Release 3.3.1 is now available. Registered SMARTnet users can obtain release 3.3.1 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.

This chapter contains the following topics:

Introduction

Supported Component Versions and Related Software

What's New

Installation Notes

Service Pack 4 Download and Installation Instructions

Important Notes

Caveats

Where to Go Next

Product Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Note Do not use this version of Security Manager to manage ASA 8.3 devices. This version of Security Manager configures ASA 8.3 devices in downward-compatibility mode, meaning that the device configuration does not use the new features introduced in version 8.3. Because of the extensive changes introduced with version 8.3, it is not downwardly-compatible with older ASA releases. If you want to manage ASA 8.3 devices with Security Manager, you must upgrade to Security Manager 4.0 or later.


Introduction


Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.


This document contains release note information for the following:

Cisco Security Manager 3.3.1 (including Service Packs 1, 2, 3, and 4)—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.

Auto Update Server 3.3.1—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.

Performance Monitor 3.3.1—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.


Note Before using Cisco Security Manager 3.3.1, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes section, the "Upgrade Notes" section, and the Installation Guide for Cisco Security Manager 3.3.1 before installing or upgrading to Cisco Security Manager 3.3.1.


This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.

Supported Component Versions and Related Software

The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 3.3.1.


Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.


Table 1 Supported Versions for Components and Related Applications 

Application                                                        Support Releases

Component Applications
Cisco Security Manager                                             3.3.1
Auto Update Server                                                 3.3.1
Performance Monitor                                                3.3.1
CiscoWorks Common Services                                         3.2
Resource Manager Essentials (RME)                                  4.2
Cisco Security Agent                                               5.2

Related Applications
Cisco Security Monitoring, Analysis and Response System (CS-MARS)  6.0.1, 6.0.5
Cisco Secure Access Control Server (ACS) for Windows               4.1(3, 4), 4.2(0)
  Note Cisco Secure ACS Solution Engine 4.1(4) is also supported.
Cisco Configuration Engine                                         3.0


What's New

Cisco Security Manager 3.3.1 Service Packs 1, 2, 3, and 4

Security Manager 3.3.1 Service Packs 1, 2, 3, and 4 provide fixes for various problems. The service packs are cumulative, so applying a service pack will include all updates from earlier service packs. For more information about the problems fixed in each service pack, see the following:

Resolved Caveats—Release 3.3.1 Service Pack 4.

Resolved Caveats—Release 3.3.1 Service Pack 3.

Resolved Caveats—Release 3.3.1 Service Pack 2.

Resolved Caveats—Release 3.3.1 Service Pack 1.

Security Manager 3.3.1 Service Packs 2, 3, and 4 also add support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.

As part of Cisco Security Manager 3.3.1 Service Pack 1, 2, 3, or 4 installation, Apache will be upgraded from version 1.3.41 to 2.2.10.


Warning There are several CiscoWorks Common Services 3.2 patches available that address problems with Apache 1.3.41. These patches are NOT compatible with Security Manager 3.3.1 with Service Pack 1, 2, 3, or 4 installed.

Note Several patches for CiscoWorks Common Services 3.2 are currently available. We recommend that you install these updates on the Security Manager server after applying Security Manager 3.3.1 Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4. To download the CiscoWorks Common Services 3.2 patches:

1. Go to http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_eol_series_home.html.

2. Click Download Software > CiscoWorks Common Services Software 3.2 > Windows > 3.2.0.

3. Download and install the following patches:

cwcs32-win-CSCsy14799.zip

cwcs32-win-CSCtc38080.zip


Warning Do not install cwcs32-win-CSCtd01597-K9.zip and cwcs32-win-CSCtb70407-K9.zip as these patches are for Apache 1.3.41 and are not compatible with Security Manager 3.3.1 with Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4 installed.

Cisco Security Manager 3.3.1

In addition to resolved caveats, this release includes the following new features and enhancements:

There is a new administrative setting for deploying ACLs generated from firewall access rules. You can elect to share ACLs. If you assign the same ACL to multiple interfaces, Security Manager can now create a single ACL and share it among the interfaces, rather than create a duplicate ACL for each interface. Sharing can occur only if you do not specify ACL names or require that Security Manager preserve existing names; your naming requirements are a higher priority than ACL sharing. The new property is on the Tools > Security Manager Administration > Deployment page.

The following FWSM releases are supported in downward compatibility mode: 3.1(15-17), 3.2(5-16), 4.0(2-10). For more information, see Supported Devices and Software Versions for Cisco Security Manager 3.3.1.

Cisco IOS Software release 15.0(1)M is supported.

The following new integrated services router series are supported: 19xx, 29xx, 39xx. You can configure these devices in Security Manager and monitor them using Performance Monitor.

The following new integrated services routers are supported: 866, 886SRST, 887M, 887Vdsl2.

The Cisco IAD880 Series Integrated Access Devices are supported.

If you use AUS to deploy configurations, Security Manager now includes the HTTP user name and password as well as the enable password when adding the device to AUS. This allows you to perform immediate auto update (Update Now) actions on these devices when you are using local or TACACS+ authentication on your devices.

If you use ACS to control access to Security Manager, users are now notified if authorization fails because all ACS servers are unavailable. An e-mail message is also sent to the Security Manager server administrator indicating that all ACS servers are unavailable and that users cannot log into the Security Manager server.

Cisco IPS 7.0.2 is supported.

The User Accounts page and related interface elements give you the capability of user management for IPS devices. Specifically, you can discover local users from the IPS device, create users, modify user credentials or privileges, delete user accounts, and perform other user management tasks.

TCP State Bypass is now available on FWSM 3.2+ and ASA 8.2+ devices. TCP packets that match existing connections in the fast path can pass through the appliance without every aspect of the security policy being rechecked. This feature maximizes performance.

Multiple IP addresses now can be specified in static route destinations, and in IGMP multicast group networks.

Installation Notes

You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.

Before you can successfully upgrade to Security Manager 3.3.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.

For the Installation Guide for Cisco Security Manager 3.3.1, go to the list of Cisco Security Manager installation and upgrade guides on Cisco.com.

Be aware of the following important points before you upgrade:

If you upgrade from a release earlier than 3.3 to Security Manager 3.3 or higher, and you use Cisco Configuration Engine, you must upgrade Configuration Engine to 3.0 at the same time. Security Manager 3.3 and higher do not work with older versions of Configuration Engine.

If you install RME on the same server as Security Manager 3.3.1, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.

Service Pack 4 Download and Installation Instructions

Service pack 4 is a cumulative update that also includes the updates that were found in service packs 1, 2, and 3. You can apply Cisco Security Manager 3.3.1 Service Pack 4 to a Cisco Security Manager 3.3.1 installation whether that installation has an earlier service pack installed or not.


Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software under the Support heading on the right side of the screen.

Step 2 Enter your user name and password to log in to Cisco.com.

Step 3 Click Security Manager (CSM) Software, expand the 3.3 folder under All Releases, and then click 3.3.1sp4.

Step 4 Download the file fcs-csm-331-sp4-win-k9.exe.

Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.

Step 6 Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

Step 7 Run the fcs-csm-331-sp4-win-k9.exe file that you previously downloaded.

Step 8 In the Install Cisco Security Manager 3.3.1 Service Pack 4 dialog box, click Next and then click Install in the next screen.


Note If you have not already installed Security Manager 3.3.1 Service Pack 1, 2, or 3, Apache will be upgraded from version 1.3.41 to 2.2.10 as part of the Service Pack 4 installation.



Warning There are several CiscoWorks Common Services 3.2 patches available that address problems with Apache 1.3.41. These patches are NOT compatible with Security Manager 3.3.1 with Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4 installed.

Step 9 After the updated files have been installed, click Finish to complete the installation.

Step 10 If you have not already installed Service Pack 3, and you are using Cisco Security Manager 3.3.1 in a high availability (HA) or disaster recovery (DR) configuration with clustering, copy the perl script from <NMSROOT>\MDC\athena\ha\agent\online.pl to <VCS_HOME>\bin\CSManager\online.pl after installing Service Pack 4.

Step 11 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:

a. Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

b. Launch the Security Manager client.

You will be prompted to "Download Service Pack".

c. Download the service pack and then launch the downloaded file to apply the service pack.

Step 12 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.


Important Notes

The following notes apply to the Security Manager 3.3.1 release:

You can use IPv4 addresses only in Security Manager. Although some of the device software Security Manager supports allows you to use IPv6 addresses on commands, Security Manager does not support IPv6 addresses directly. If you want to configure IPv6 features using Security Manager, you can use FlexConfig policies.

If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.

A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.

Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.

Do not run SQL queries against the database.

If an online help page displays blank in your browser view, refresh the browser.

With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Signature updates on sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack's release.


Caution If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.

Caveats

This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do


This section contains the following topics:

Open Caveats—Release 3.3.1

Resolved Caveats—Release 3.3.1 Service Pack 4

Resolved Caveats—Release 3.3.1 Service Pack 3

Resolved Caveats—Release 3.3.1 Service Pack 2

Resolved Caveats—Release 3.3.1 Service Pack 1

Resolved Caveats—Release 3.3.1

Resolved Caveats—Releases Prior to 3.3.1

Open Caveats—Release 3.3.1

The following caveats affect this release and are part of Security Manager 3.3.1:

ASA and PIX Firewall Devices Caveats

Security Manager Client and Server Install Caveats

Cisco Catalyst 6000 Device Support Caveats

Cisco IOS Router Devices Caveats

Cisco IPS and IOS IPS Devices Caveats

Device Management, Discovery, and Deployment Caveats

Firewall Services Caveats

Miscellaneous Caveats

Policy Management Caveats

VPN Device and Configuration Support Caveats


Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the "Device Management, Discovery, and Deployment Caveats" table or the "ASA and PIX Firewall Devices Caveats" table.


Table 2 ASA and PIX Firewall Devices Caveats 

Reference Number  Description
CSCse51450        OSPF validations are not adequate
CSCsh20731        FAILOVER - Active/Active deploys to Standby unit and returns errors
CSCsi24397        SLA: Interface roles assigned to an SLA Monitor not validated
CSCsi34972        OSPF Discovery: Deployment of incomplete OSPF policy invalid
CSCsi42889        Swapping interface names causes deployment failure
CSCsi44546        RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed
CSCsl51451        Enable DHCPD auto configuration with interface option not discovered
CSCsm82107        Discovery of a multi-mode ASA added to CSM as a new device fails
CSCsr17662        Deployment of ips command truncated if containing class map is changed
CSCtb43369        Deployment fails when deleting redundant interface assigned to ACL


Table 3 Security Manager Client and Server Install Caveats 

Reference Number  Description
CSCtb69375        Uninstalling CSM 3.3 except CSM client popup mentioning "Cannot uninstal
CSCtc55570        Upgrade of CSM HA setup does not check proper perl file replacement
CSCtc79621        CSM client installation "Could not create the Java virtual machine."
CSCtc93470        CSM install should exit if cu is installing CSM on non En/Ja Local


Table 4 Cisco Catalyst 6000 Device Support Caveats 

Reference Number  Description
CSCsi17608        Deployment fails when allowed VLAN ID is modified on IDSM capture port
CSCsi24091        Deploy fails if you change access to trunk mode & enable DTP negotiation
CSCsz85341        CSM deletes shared vlan group between svclc and firewall


Table 5 Cisco IOS Router Devices Caveats 

Reference Number  Description
CSCsf09088        PPP policy does not support if-needed and local-case keywords for AAA
CSCsh18926        NetFlow deployment fails on subinterfaces
CSCsi20458        802.1x-Number of retries command not generated correctly
CSCsi25845        PPP-No validation for multilink support on device
CSCsi45142        AAA - source intf disc from global cmd instead of aaa subcommand
CSCsi45204        QoS policy not discovered when WRED is enabled
CSCsr14267        Discovery failure with target os 12.3(9) does not exist
CSCsr45265        Negation is not getting generated for policies using nonexistent ACL
CSCsz55274        Deployment to an ASR Fails when Configuring an Interface IP Address
CSCsz79334        Deployment fails on changing VTY authentication method frm AAA to local.
CSCta73192        NTP Authentication key is not negated for Xformer router of type 3945
CSCta84886        RIP-Deployments fails for RIP policy but CLI are pushed into the device
CSCta84894        BGP-Unassign bgp pol+Deploy,Deployment fails for 861 Router for 15.0 ima
CSCta84907        Xformer:Dep BGP+Change AS no. & Dep+Unassign BGP,Deployment fails
CSCta92949        QoS-Queue limit option supported by router(15.0) dosn't match with CSM
CSCtb04099        Deployment fails when configuring numbered ACL for QOS policy
CSCtb77960        Qos : Cannot save changes for default class for an ASR
CSCtc17882        Activity Validation causes MOP error on interface


Table 6 Cisco IPS and IOS IPS Devices Caveats 

Reference Number  Description
CSCse95933        IPS related policies should be listed in device properties page
CSCsg25899        IPS 6.x pol. should not be listed for 5.x devices in copy & share policy
CSCsg38052        VLAN groups need to display "unassigned" VLANS
CSCsg51052        After Abort, progress bar continues to 100% and Status remains = Started
CSCsg78129        Copy policies betn devices with VS as src only shows VS's as destn
CSCsg80289        Warning message is displayed during blocking policy deployment.
CSCsh02407        Autoupdate setting value for a device should be same in device tree.
CSCsh36604        IPS EAO: After editing a row, the ed. row is displayed as the last row
CSCsh52484        IPS Licensing Date varies between sensor CLI and sensor
CSCsh53265        On IPS Update page, checkbox for shared sig. policy can be incorrect
CSCsh67506        Dynamic IP address IOS router imported by CNS cannot be discovered
CSCsh77105        During deployment, signatures removed from current.xml
CSCsh86189        Sig update fails when using HTTP if console logging is on
CSCsi01650        EAF: Show content option in context menu for victim addr is not working
CSCsi26525        OOB OPACL changes not resynced after successful deploy
CSCsi33159        Greenfield device is showing 5.1(4)E1 should be 5.1(5)E1
CSCsi39380        Deployment of NTP policy with policy objects sometimes fails
CSCsi44605        IPS variable names cannot contain special characters.
CSCsi47289        Policy object overridden at VS level is not deployed correctly
CSCsj60530        Inventory alone discovery fails for IPS 6.x device for submit operation
CSCsm72033        Deployment Failed error on Event Action Rules
CSCsm93970        Green field device Preview config does not show IPS pull down option
CSCsm94535        COPY POLICY:Engine parameter not copied to IOS-IPS GreenField device.
CSCso11145        CSM daily autodownload every 2 days should start from the present date
CSCso11482        MultiContext not handled in ApplyIPSUpdate wizard upon SigEditParams
CSCso17575        Intf Policy copy betn same IPS models but diff interface cards fails
CSCsr19163        OS Id.'s ->Restrict to these IP address field should not map to pol. obj
CSCsr31140        Err loading pg if NTP policy from 6.1 dev is copied to 6.0/5.1 dev
CSCsr46030        Copy Interface & VS policy from a 6.1(1)E2 to 6.1(1)E2 fails
CSCsv44809        Rules and AD profile name changes with multiple vs profile config
CSCsv57621        IPS Incorrect Interfaces discovery (removed from VS or disabled)
CSCsv59057        Sigupdate failed to an IOS device with NME module
CSCsv85664        Security Manager swaps names of policies while deploying to device
CSCsv91055        Security Manager Deployment UI shows OOB for unsupported commands
CSCsx20448        IPS 6.2 unsupported devices should not be shown for Update
CSCsx33551        Rollback on IOS IPS Device Fails If SSH Is Not Enabled
CSCsx52318        IPS Editing service ports for signatures throws error
CSCsx72883        Link for Interface help for SSC is redirected to Product Overview
CSCsx98868        IOS IPS : Cannot deploy custom signature for "normalizer" engine
CSCsy03168        IOS IPS: SDEE properties canot be discovered if SDEE is disabled
CSCsy47123        Unable to unshared a shared policy for un-supported platform in dev view
CSCsy47398        Rediscovery of Platform Settings Only Removes Virtual Sensors
CSCsy51377        Package download fails with error msg Download not enough space on disk
CSCsy56978        IOS IPS version should be updated with changes in IOS version
CSCsy60393        Security Manager does not push "category ios_ips basic" command properly
CSCsy89865        Not able to do signature update on IPS-4260 running 5.1(8)E2.9S342.0
CSCsz33707        Licenses are not shown in IPS tab post ACS Integration without refresh
CSCsz35545        Pre-ACS integrated devices are shown in IPS updates page
CSCta90115        Cannot deploy service module policy in IOS
CSCta93482        Deployment fails- shared sig policy with new custom sig to older version
CSCtb16577        on applying sig pkg to the device, New sig(s) is not listed on sig page
CSCtb25669        Edit Signature Parameter of New E4 engines gives strange errors
CSCtb34158        Global correlation policies show up blank after major ver sensor update
CSCtb40828        Signature deploy failed with "category ios_ips default" command
CSCtb40971        Caching issue : Sig update of 407 LWE failing for ISRs with IOS 12.4
CSCtb55176        Sensor update fails on applying sensor pkg manually with OOB change
CSCtb70183        Not able to Launch Activity Report After modification
CSCtb72766        sig update fails with "invalid typedefs" error but sig upd is successful
CSCtb81058        User Accounts managed in csm gets locked after deploy to IPS appliance
CSCtb81245        No Entry in Config Archive when deploy includes User Accounts Policy ...
CSCtb81691        Deploy/discovery of IPS Appliances fail with "can't identify user" error
CSCtc01735        IpsSensorUpdate policy locks device; device cannot be deleted
CSCtc29327        In 3.3, Sensors with Policy or Assignment Locked
CSCtc51619        Deployment failed for ISR G2 with IOS 15.0 FCS build
CSCtc57010        No validation for incorrect speed/duplux setting for 10G Interface
CSCtc61925        Global Correlation policies are not population upon dbrestoreorig.pl
CSCtc66970        Two stage upgrade and restore : Auto update settings disabled
CSCtc85407        CSM generates unnecessary delta with ip reordered for network object
CSCtc85738        CSManager IPS Auto Update Attempts to Update Unsupported Images
CSCtc85877        CSManager IPS Auto Updates - Doesn't Update Sig if Image Update Fails
CSCtc90943        CSM Can no associate more than 91 subinterface on an IPS Virtual Sensor


Table 7 Device Management, Discovery, and Deployment Caveats 

Reference Number  Description
CSCsg70526        EzVPN - default tunnel-groups are not handled by Security Manager
CSCsh63248        Add field in DM to specify whether device is Admin Context or not
CSCsi09814        Configuration updates fail for CNS-managed PIX Firewall devices
CSCsi18673        Security Manager deployment may trigger ObjectGroup name warnings.
CSCsi18678        Security Manager deployment may trigger interface name warnings
CSCsk59843        DCS to monitor the Admin context CLI
CSCsq32343        HitCount -- Internal Failure
CSCsu98320        In 3.2.2, MU durability, user3 failed, ILLEGAL_STATE_TRANSITION
CSCsy98103        Config-diff shows diff between two configs though they are exactly same.
CSCsz81607        Last run entry not seen in Deployment Schedule on page refresh.
CSCta98850        Config Rollback fails for PIX security context
CSCtb10579        Multiline AuthProxy Banners lead to Deployment Failures
CSCtb31451        In 3.2.2, database corruption in device_dirty_status table
CSCtc43031        preview configuration failing network object non-contiguous mask
CSCtf32208        Deployment fails with ACE edit in ACL BB


Table 8 Firewall Services Caveats 

Reference Number  Description
CSCsc22934        ACL limitations for Layer 2 interfaces on IOS ISR devices
CSCsh68101        Activity Report: Issues with access rules table change report
CSCsh94210        Problems matching interface name when reusing AAA policy objects
CSCsi18871        Inspect Map: PIX 7.1 gtp-map subcommand order is not preserved
CSCsk33350        Discovery of PAM Mappings with Inspection Rules is incorrect
CSCsk46057        Changes to csm.properties files lost during Security Manager upgrade
CSCsq75974        Static Rules ACL with source interface are not discovered
CSCsr25786        AAA server object: no error issued when interface not specified
CSCsz53354        MAC Exempt list cannot be ordered
CSCta76862        Deployment fails when an access rule is added, edited or deleted
CSCtb00116        Wrong error message after sorting the Access control by ACL name
CSCtb03821        Failover: Deployment fails with subinterface as failover Interface
CSCtb59163        Import: Discovery of ASA 8.2 maps to 8.1(2)
CSCtc35113        Space in notification e-mail causes deployment error
CSCtc43845        Failover: ASA license-related deployment failure
CSCtc49458        IOS Inspection rule with port number >6000 generated incorrectly
CSCtc54330        Cannot duplicate Service object that has override values
CSCtc56379        Shared Logging Setup Policies not seen under Policy View
CSCtc56731        Cannot edit device overrides in nested ACL objects
CSCtc84865        CSM ACL generation issue with nested service object-groups


Table 9 Miscellaneous Caveats

Reference Number  Description
CSCse47834        MCP:Not able to Uninstall completely if MCP is installed
CSCsi08390        IEV installation fails on systems without C: drive
CSCsk11268        A User Can Open Multiple Sessions in Non-Workflow Mode
CSCsk78778        Error not shown for unavailable ACE during MARS events lookup
CSCsk94278        Read-only policy page in MARS is blank after starting Security Manager
CSCsm50836        MARS credentials retained in cache after changing authentication option
CSCsm68564        Disabled rules not shown as inactive in read-only policy page in MARS
CSCsz38530        Multiuser: device can be deleted while deploying changes
CSCsz74628        Performance Monitor: Packet counters not updated in RA-VPN device page.
CSCsz74737        Performance Monitor: Site-to-site VPN charts updated with RA-VPN data.
CSCta17924        MCP: Tunnel packet counters not updated for P2P S2S VPN on VSPA.
CSCta33520        long job names causing MDCSupport.exe to fail
CSCtb42436        Changes made within Security Mgr cannot be saved or applied to device
CSCtb55368        MCP: Device int details are not displaying properly with Ez-VPN
CSCtb81848        Security Manager - Server does not start - regdaemon.xml corrupted
CSCtb97623        FWSM contexts not shown correctly in MCP
CSCtb97789        View tab in "managing devices" in MCP not working
CSCtc36711        CSM 3.x - Intermittent activity report PDF creation failure
CSCtc59058        MCP does not retain changes for multi-context FWSM contexts overnight
CSCtc59526        Security Manager client performance upgrade
CSCtc81467        Client unresponsive when move back and next in add new device window


Table 10 Policy Management Caveats 

Reference Number
Description

CSCtc49550

Stack overflow error with network BB override option- Router


Table 11 VPN Device and Configuration Support Caveats 

Reference Number
Description

CSCse94752

Support for IOS version 12.2(33)SRA on 7600 devices

CSCsh14709

Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client

CSCsh79282

Cat6k-SPA GRE+Multicast - unsupported

CSCso63006

IPSEC VPN import failed when crypto ACL contains intf in source/dest

CSCsq66815

Side-effects due to missing Protected Network's assignmnt usage info.

CSCsq87565

certificate-to-connection-profile map policy does not support map name

CSCsr23893

Remote Access VPN - Activity validation reports error for http-form

CSCsv31933

Onscrn kbd, internal pwd features set to default after migration

CSCsy83931

VPN policy discovery fails when tunnel source defined with IP address.

CSCsz60736

CS Mgr not generating a workable configuration with unique tunnel source

CSCsz72524

DMVPN does not work even though spoke connectivity is selected.

CSCsz79453

CS Mgr discovery fails when NAT IP address is configured with LPIT.

CSCta86315

DMVPN-Discovery+deploy - NHRP auth value changed

CSCta92510

Regular ipsec discovery - Preshared key Aggressive mode not discovered

CSCtb61976

SSLVPN - DAP changes not getting saved properly

CSCtc18700

CS Mgr 3.3 not showing modified DfltGrpPolicy in RA VPN

CSCtc43399

Ability to add RDP2 plugin to ASA not supported

CSCtc53906

crl configure - policy value always set to both

CSCtc53977

Banner is added two times to the full config during discovery

CSCtc76822

SSL VPN discovery fails because of CSD package size


Resolved Caveats—Release 3.3.1 Service Pack 4

The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 3.3.1 Service Pack 4.

Reference Number
Description

CSCte77128

UE: Deployment Devices Dialog - provide option to expand nodes.

CSCtq63992

CSM - Arbitrary command execution vulnerability.

CSCtr79564

Bundle defect for known vulnerabilities in CiscoWorks Common Services.


Resolved Caveats—Release 3.3.1 Service Pack 3

The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 3.3.1 Service Pack 3.

Reference Number
Description

CSCsr23976

"ip local pool" DDP doesn't translate name assigned to ip addr ranges.

CSCtc84865

CSM ACL generation issue with nested service object-groups.

CSCtd44879

CSM Deploy fails if removing web-type ACL that is applied to mult DAPs.

CSCte12616

CSM - ASA QOS - wrong cli generated.

CSCte83219

CSM - preview gives error in set trustpoint after VPN creation.

CSCtf08622

CSM will not recognize new AAA syntax from IOS 12.4(22)T.

CSCtf09901

CSM generates wrong CLI for Hub-Spoke VPN on ASA.

CSCtg60036

CSM: EDS & dependent processes not coming up in HA/DR failover scenario.

Note: If you are using Cisco Security Manager in an HA/DR configuration with clustering, then as part of the fix for CSCtg60036 you must copy the Perl script from <NMSROOT>\MDC\athena\ha\agent\online.pl to <VCS_HOME>\bin\CSManager\online.pl after installing Cisco Security Manager 3.3.1 Service Pack 3.

CSCti17452

Object deletion of large number of objects leads to Sybase jConnect err.

CSCti37498

CSM deploys crypto enroll after importing device with existing cert.

CSCti64353

CSM re-orders rules wrongly, and it causes rules deleted wrongly.

CSCti70386

CSM: Dynamic policy nat or static 1-1 nat may fail at random times.

CSCtj07173

Users are allowed to create duplicate static routes.

CSCtj21414

IPS Event Viewer cross launch doesn't work.

CSCtj25820

CSM: IPS signature registration fails with out of memory errors.

CSCtj68043

Static NAT and PAT rules are not always added back to the configuration.

CSCtj81252

CSM 3.3(1) - variables in FlexConfig script not correctly populated.

CSCtj86328

Auto update failing for IPS.

CSCtk54563

Support for 10 AAA servers in AAA accounting policies in IOS 12.4(22)T.

CSCtk54667

"Enable broadcast to multiple server" not generate commands IOS12.4(22)T.

CSCtk58951

CSM dirties system defined service obj when created frm within ruletable.

CSCtk64596

IPS download : Unnecessary URL conn made before checking MD5 and closed.

CSCtk66798

CSM removes existing NAT0 ACL and creates new one per interface.

CSCtl53112

Detect/notify if server patch is not matching with client patch after CP.

CSCtl58341

CSM ignore the first device in 2,3,.. N jobs of autodownload.

CSCtl82415

CSM creating multiple deployment job at a same time.

CSCtl84930

CSM throws parser error when we configure servicebb in aclbb in botnet.


Resolved Caveats—Release 3.3.1 Service Pack 2

The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 3.3.1 Service Pack 2.

Reference Number
Description

CSCtg98419

Discovering RA VPN causes discovered Lan-to-Lan config to be removed.

CSCtg98391

Lan-to-lan cannot be discovered if RA VPN was already discovered.

CSCtg80784

Shared signature policies are not visible after signature update.

CSCtg06207

SSLVPN: Full customization feature is not working.

CSCtg02063

Deployment fails after assigning shared policy to "Allowed Hosts".

CSCtf89506

Tacacs+ fallback authentication failure in Security Mgr in non-ACS mode.

CSCtf88750

CS admin "logged in users" page shows only one logged in user account.

CSCtf70104

SSL VPN Customization file size grows with every deployment.

CSCtd75710

Proposed full config does not include NAT commands.

CSCtd39876

Error loading page in Details tab of RA VPN > Global Settings policy.

CSCtc66901

Upgrade to 7.0.2(E3) fails in deployment.


Resolved Caveats—Release 3.3.1 Service Pack 1

The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 3.3.1 Service Pack 1.

Reference Number
Description

CSCsv98168

Static routing option on DMVPN generates incorrect routes on hub

CSCsw44997

ZBFW: ActRpt - Create Map, Override - not shown correctly

CSCta87566

Activity Report shows hostnames truncated

CSCtb10469

NAT: Negation of CLI is not generated for "nat-control"

CSCtb34238

Bookmark is displayed empty during discovery for group policy.

CSCtb75312

Hit Count - Hit Count Internal Failure error

CSCtc16631

Read only message is not displayed in all policies for helpdesk user.

CSCtc29610

After policies copied to an ASA 5580, validation takes more than 3.5 hrs

CSCtc30623

Global Settings - Save button does not work

CSCtc63141

Security Manager: fail to launch packet capture tool

CSCtc70513

Deployment failing with unmanaged plug-ins

CSCtc78040

Wrong Default value is populated for Primary DN field

CSCtc81240

CSM negates IP Pool if its associated to ISAKMP Pol

CSCtd07260

Deployment fails citing error userAccount policy after upgrade to 3.3.1

CSCtd34189

CSM3.3.1: VACLPlugin throws exception/failure during config deployment

CSCtd46152

CSM inserting "inspect dns maximum-length 0" for default value on FWSM

CSCtd68888

CSM - HitCount - java exception if "hitcount=*"

CSCtd74630

CentralInterfaceController prevents enabling Tomcat security

CSCtd74661

log4j.properties in thea-shared.jar prevents enabling of Tomcat security

CSCte26400

Distribute-list removed during preview display

CSCte47079

CSM 3.3.1 and ASA Static NAT Rules

CSCte81211

CSM: Network Object Import Does Not Correctly Handle Network Range

CSCte83575

CSM: Network Object Import Does Not Correctly Import Nested Objects

CSCte83612

CCO account lock : IPS license update fails / IPS sig download works

CSCtf00371

Split tunnel ACL generated with missing "standard" keyword

CSCtf02795

CSM deployment & preview gets stuck in DDP GPLDiff infinite loop

CSCtf15421

Apache crashes with ap_ctx_get()+9 byte(s). Frequently with multi-user

CSCtf19972

CSM adds unnecessary static route for GRE-IPSEC config

CSCtf21033

CSM: Use of space in src network causes ACL deletion

CSCtf23981

partial fix for CSCtd17954 and other enhancements

CSCtf24082

Licensing : Response XML from CCO should be logged

CSCtf59438

Performance optimization in various activity validation handlers

CSCtf86159

IP address is getting negated after discovery in Cat3k Switch

CSCtf91071

Patch for JPMC on CSM 3.2.2 for Apache crash problem


Resolved Caveats—Release 3.3.1

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number
Description

CSCsi19584

Removing an interface used in access rules can cause deployment to fail

CSCsj38020

CSM3.1 Request for optimization of shared access-list generation

CSCsv10362

Config archive is not automatically purged

CSCsx16443

Apache Security issue with all versions of CSM

CSCsy61195

Deployment Fails when Changing BGP AS Number on ASR Device

CSCsz37841

CSM can't upgrade signature with "could not get device version" message

CSCsz46172

CSM Client stuck in Initializing

CSCsz58009

Validation fails with stack overflow on discovery of more IPS sig tuning

CSCsz58064

FWSM : Deployment should handle "Device can send Configuration in progre

CSCsz58766

After enabling VACL, CSM sends unsupported command to 6500 Sup1

CSCsz59552

CSM fail to validate the content of Network object.

CSCsz72119

AU: Sig update applied to dev with invalid lic when SP is also selected

CSCsz72156

AU does not apply minor update if the dev is at lower Engine/Sig level

CSCsz74432

Assignment of shared VPN policies not working from Policy view.

CSCsz75152

special char "\" in the ACL remarks causing discovery failure in 3.2.2

CSCsz82813

MCP does not retain changes for multi-context FWSM contexts

CSCsz87296

Deployment on IPS/IOS-IPS deletes tunings for retired\enabled sometime

CSCsz89897

ipsec-pass-thru not recognised by CSM for ASA version 7.1.2

CSCsz92007

CSM: Should allow semicolon delimiter in PKI certificate subject name.

CSCsz93753

virtual signature signature levels mismatched

CSCta00907

DMVPN: distribute-list ACL overwritten when spoke participates in 2 topo

CSCta03206

CSM deploys IOS FW "ip inspect max-incomplete low/high" in wrong order

CSCta08701

Cannot select FILE deployment Method for selected devices

CSCta18060

CSM installed Sybase DB is carrying sample DB of sports clothing

CSCta23518

Scheduled email to report vpn usage is failing.

CSCta53076

CSM uses incorrect syntax to push DCD config to ASA

CSCta53304

Error in Rediscover Peers removes the Hub and corrupts VPN

CSCta57896

Act Report shows modified but no change in column for ip reorder

CSCta61812

CSM - Summertime config overwritten during deployment

CSCta62887

CSM 3.3 cannot deploy "logging facility" on older PIX versions

CSCta62903

CSM incorrectly marks services like 'tcp/1234' as invalid format

CSCta64654

OK button is outside of screen in deployment dialog

CSCta69399

CSM incorrectly handles '\t' when parsing configuration in the database.

CSCta71926

"Error loading page" in IPS device view when user has no write privs

CSCta76629

Deployment to FWSM 3.1(4)6 hang

CSCta77790

CSM - Enabling DCD with default setting is not deployed

CSCta79659

MCP-CSM ill-timed P1 alerts send due to tcp-window 0 advertised

CSCta83590

CSM 3.3 'no monitor-interface' ASA base license deployment failure

CSCta87190

CSM allows to configure and deploy duplicate static translation rules

CSCta91066

Unchecking Inventory in Discover Policy causes Assignment to be deleted.

CSCtb08031

Inline upgrade csm3.2 > CSM 3.3 not deploying bkup changes in 1 scenario

CSCtb11258

CSM - Warning is needed during the discovery of a Cat6k in VSS mode

CSCtb16822

CSM: Database corruption due to deleted policy references

CSCtb20714

"File> View Changes" does not work correctly

CSCtb21172

ACL used by non-supported IOS policy is deleted

CSCtb24786

CSM 3.2.2 - Backup shows successful irrespective of vms.tmpl missing

CSCtb25271

Changing VPN credentials override marks all devices using policy dirty

CSCtb44365

CSM cannot define speed nonegotiate on fiber gigabit ports on ASA-5580

CSCtb51855

NullPointerException when discovering VPN policies

CSCtb54928

CSM 3.3 Can't deploy "failover polltime interface without holdtime

CSCtb62827

CSM3.3: InspectMapsPlugin fail to generate raw configlets on deploy

CSCtb68566

CSM deploys incomplete VPN configuration for ASA site-to-site VPN

CSCtb72572

CSM 3.3 - cannot add PIX 6.3 anymore as a spoke in Ezvpn topology

CSCtb73211

Protected network discovery for L2L should be done with ACL on 3.3.0

CSCtb79468

Devices are treated as dirty after succeeded deployment

CSCtb80489

CSM is not able to add from network C7300 routers.

CSCtb81733

CSM discovery of EzVPN with certificates chooses wrong tunnel-group

CSCtb82114

"no monitor-interface" is automatically added on CSM

CSCtb82527

CSM tries to deploy pre-shared key for certificate based EzVPN topology

CSCtb84188

CSM - crypto map is missing when deploying to AUS

CSCtc16352

ADMIN cannot change config after READ ONLY user's unprivileged access

CSCtc38660

CSM IPS Updates Download - Unable to communicate with locator service

CSCtc53926

CSM - deploys "authorization-dn-attributes UID" in the tunnel group

CSCtc53954

CSM - certificate map - config might not be discovered in some cases

CSCtc56419

CSM - Policy view- logging setup returns an error

CSCtc82027

CSM: Doc bug in User Guide, does not provide steps to restore database


Resolved Caveats—Releases Prior to 3.3.1

For the list of caveats resolved in releases prior to this one, see the following documents:

http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html

Where to Go Next

If you want to:
Do this:

Install Security Manager server or client software.

See Installation Guide for Cisco Security Manager 3.3.1.

Understand the basics.

See the interactive JumpStart guide that opens automatically when you start Security Manager.

Get up and running with the product quickly.

See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.3.1.

Complete the product configuration.

See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.3.1.

Manage user authentication and authorization.

See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.3.1.

Setting Up User Permissions

Integrating Security Manager with Cisco Secure ACS

Bootstrap your devices.

See "Preparing Devices for Management" in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 3.3.1.

Install entitlement applications.

Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 3.3.1.


Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

Guide to User Documentation for Cisco Security Manager

http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html

Lists the document set that supports the Security Manager release and summarizes the contents of each document.

For general product information, see:

http://www.cisco.com/go/csmanager

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.


This document is to be used in conjunction with the documents listed in the "Product Documentation" section.