Cisco Security Manager

Release Notes for Cisco Security Manager 4.1

  • Viewing Options

  • PDF (539.7 KB)
  • Feedback
Release Notes for Cisco Security Manager 4.1

Table Of Contents

Release Notes for Cisco Security Manager 4.1


Supported Component Versions and Related Software

What's New

Installation Notes

Service Pack 2 Download and Installation Instructions

Important Notes


Open Caveats—Release 4.1

Resolved Caveats—Release 4.1 Service Pack 2

Resolved Caveats—Release 4.1 Service Pack 1

Resolved Caveats—Release 4.1

Resolved Caveats—Releases Prior to 4.1

Where to Go Next

Product Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco Security Manager 4.1

First Published: March 15, 2011
Last Revised: April 2, 2012

These release notes are for use with Cisco Security Manager 4.1.

Cisco Security Manager 4.1 is now available. Registered SMARTnet users can obtain release 4.1 from the Cisco support website by going to and clicking Download Software in the Support box.

This chapter contains the following topics:


Supported Component Versions and Related Software

What's New

Installation Notes

Service Pack 2 Download and Installation Instructions

Important Notes


Where to Go Next

Product Documentation

Obtaining Documentation and Submitting a Service Request


Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.

This document contains release note information for the following:

Cisco Security Manager 4.1 (including Service Packs 1 and 2)—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.

Auto Update Server 4.1—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.

Performance Monitor 4.1—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.

Note Before using Cisco Security Manager 4.1, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.1 before installing or upgrading to Cisco Security Manager 4.1.

This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.

Supported Component Versions and Related Software

The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.1.

Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on

Table 1 Supported Versions for Components and Related Applications 

Support Releases
Component Applications

Cisco Security Manager


Auto Update Server


Performance Monitor


CiscoWorks Common Services


Resource Manager Essentials (RME)


Related Applications

Cisco Security Monitoring, Analysis and Response System (CS-MARS)

6.0.7, 6.1.1

Cisco Secure Access Control Server (ACS) for Windows


Cisco Secure ACS Solution Engine 4.1(4) is also supported.

You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.

4.1(3, 4), 4.2(0)

Cisco Configuration Engine

3.5, 3.5(1)

What's New

Cisco Security Manager 4.1 Service Pack 1 and 2

Security Manager 4.1 Service Packs 1 and 2 provide fixes for various problems. The service packs are cumulative, so applying a service pack will include all updates from earlier services packs. For more information about the problems fixed in each service pack, see the following:

Resolved Caveats—Release 4.1 Service Pack 2.

Resolved Caveats—Release 4.1 Service Pack 1.

Cisco Security Manager 4.1

In addition to resolved caveats, this release includes the following new features and enhancements:

Enterprise-class integrated Firewall, IPS, and VPN reporting functionality for improved visibility into security devices. Custom reports can be created using advanced filters, and reports can be viewed on-demand and scheduled for email delivery.

Support for IPv6 addressing in some policies and features for ASA devices in router mode (release 7.0+) and transparent mode (8.2+) and FWSM in router mode (3.1+). Note that you must configure an IPv4 management address for devices that use IPv6 addressing; Security Manager uses IPv4 for all communications with managed devices. The following configuration and features support IPv6 addressing:

Policy Objects—A new IPv6 network/host object for IPv6 addresses, and support for ICMP6 services in the services object.

Firewall Services—New policies for IPv6 access rules and IPv6 access control settings. The hit count and find and replace tools also work with the IPv6 access rules policy. There are new FlexConfig system variables to identify the IPv6 ACLs configured on a device.

ASA/FWSM platform policies—The interfaces policy lets you configure IPv6 addresses for interfaces. New bridging policies are IPv6 Neighbor Cache and Management Address (IPv6).

Event Viewer—IPv6 events are now fully parsed, and IPv6 addresses can appear in the Source, Destination, and IPLog Address columns. The following columns are deprecated: Source (IPv6), Destination (IPv6), IPLog Address (IPv6)

Advanced troubleshooting of operational issues using Packet Capture, ping, traceroute, and other tools, in addition to Event-to-Policy linkages and Cisco Packet Tracer tools.

A simplified method for defining an Extranet that is a point-to-point regular IPsec VPN to a device outside your management scope (such as one in the service provider's network, to a non-Cisco device, or to a device in a part of your network that you do not manage) has been added to the Site to Site VPN Manager.

There are new import and export features that are available from the File menu:

You can now export shared policies, including the policy objects used in the policies, and import them into another Security Manager server. This can help you maintain a consistent set of policies when using more than one Security Manager server.

You can now export devices with all policies, policy objects, certificates, Configuration Archive data, and associated VPN topologies, and import them into another Security Manager server. This simplifies the process of splitting a single server into two or more servers without having to rediscover policies. The export includes all shared policies and assignments, so the imported devices maintain shared-policy relationships.

Note that the existing device export feature (export to CSV file) has been moved to File > Export. In previous releases, the command was Tools > Export Inventory. The Export to CSV feature has not been changed; you can still export to CSV and add the devices through the New Device wizard.

Support for latest ASA 8.4 feature set, including the following features:

You can configure Kerberos Constrained Delegation to allow users to gain access to Kerberos-protected resources after they use non-Kerberos methods to log into a remote access VPN.

You can configure IKE version 2 (IKEv2) for regular IPsec site-to-site VPNs and remote access IPSec VPNs. When using IKEv2 in a remote access IPSec VPN, you must use the AnyConnect 3.0 VPN client. The configuration for IKEv2 is in many cases significantly different from the configuration of IKEv1. For example, when configuring a remote access IPSec VPN for IKEv2, you must also configure several policies that used to be specific to SSL VPNs, such as the SSL VPN Access policy. Review the documentation carefully before implementing IKEv2.

You can define up to 48 logical EtherChannel interfaces, each of which consists of between zero and eight active Fast Ethernet, Gigabit Ethernet, or Ten-Gigabit Ethernet ports. Also called a "port-channel" interface, this provides increased bandwidth and fault tolerance over the individual links. An EtherChannel interface is configured and used in the same manner as a physical interface.

A number of additional Simple Network Management Protocol (SNMP) traps are available for these ASAs. Specific traps include Fan Failure, CPU Temperature, Power-Supply Failure, NAT Packet Discard, and Memory Threshold.

Operating system support as follows:

Strongly Recommended: Windows 2008 R2 Enterprise Server—64-bit.

Alternate operating system that also is supported: Windows 2008 Enterprise Server (Service Pack 2)—64-bit only.

Beginning with the ASA 8.4.1 and FWSM 3.1, operating in transparent mode, you can increase the number of interfaces available to a device or context through use of bridge groups. You can configure up to eight bridge groups—on an FWSM each group can contain two interfaces; on an ASA each group can contain four interfaces.

Maximum number of virtual contexts supported on ASA 5550 and 5580 devices increased from 50 to 100 on the 5550, and from 50 to 250 on the 5580. Note that from a licensing standpoint, each context is considered to be a separate device; be sure you have enough licenses to support the intended number of contexts.

Increasing the number of virtual contexts supported requires also increasing the number of VLANs supported. Thus, the maximum number of VLANs supported increased from 256 to 400 on the 5550, and from 256 to 1024 on the 5580.

Support for Configuration Engine 3.5 and 3.5(1).

Support for Cisco 1900 Series Integrated Services Routers models 1905 and 1921.

Support for Cisco IOS XE Software release 3.1.x on ASRs. This release is mapped to 15.0(1)S in Security Manager.

The following enhancements are available in the Event Viewer application in addition to IPv6 support:

Supports for the following new syslog messages: Etherchannel 426001-426003; SNMP NAT MIB 202010; additional SNMP traps 321005-321006; IKEv1 713001-713259, 714001-714011, 715001-715080; IKEv2 743001-743009, 744001-744016, 745001-745016.

You can now use Event Viewer with FWSM running software releases 3.1.17+, 3.2.17+, 4.0.10+, and 4.1.1+.

You can configure an extended event storage area on directly-attached storage, such as SAN storage connected through fiber channel. Event Viewer automatically copies data to extended storage and retrieves it whenever an event query includes events that are in extended storage.

The status bar now shows the current events per second (EPS) rate and a color-coded icon that indicates the health of the system. Clicking the icon provides statistics for the past five minutes and system alerts concerning packet drops or other critical situations that require your attention.

There are new ACS privileges to control access to Event Viewer and for selecting or deselecting devices for monitoring.

You can now view host object names instead of IP addresses as the source and destination of events.

You can now view IP logs for IPS Alert events using an external packet analyzer tool.

Activity or Configuration Session Change reports now include changes to VPN topologies and remote access VPN policies.

During remote access VPN policy discovery, Security Manager now discovers the default tunnel groups (connection profiles) for IPSec and SSL connections, including the default group policy: DefaultRAGroup, DefaultWEBVPNGroup, and DfltGrpPolicy. You can now manage these default objects through Security Manager.

You can now use Smart Tunnel Auto Sign-on lists when configuring Clientless SSL VPN on ASA 5500 devices running software version 7.1(1) and later.

You can now upload Hostscan packages to an ASA device.

You can now manage IPS certificates using Security Manager. You can ensure that Security Manager has the correct certificates to communicate using HTTPS (SSL) and regenerate certificates before or after they expire. Select Manage > IPS > IPS Certificates in Configuration Manager.

The IPS license management feature has been modified so that license updates are performed without obtaining a lock on the device. Also, automated license update job configuration has been simplified, and you can now configure the job to provide e-mail notifications of pending license expirations and the results of the daily license update job.

Note If you upgrade from 4.0.1 to 4.1, and you have an automatic license update job configured, that job configuration is converted to a daily job at midnight, checking for licenses that expire on the same day. You should reconfigure the job to meet your requirements and to add e-mail addresses for notification purposes.

Improvements in problem resolution, including:

Added details to system messages that instruct you to contact the Cisco Technical Assistance Center (TAC).

The command for generating partial database backups for use by Cisco TAC. These backups are not usable as a normal database backup.

The ability to create deployment and discovery reports that you can send to Cisco TAC for problem analysis.

Some actions that can take a long time to complete now have more informative status dialog boxes to show you the current status of the actions. Affected actions include activity validation, activity submission, activity approval, and preview configuration.

The User Interface has been reorganized in some areas, specifically:

You can now directly open the Configuration Manager, Event Viewer, or Report Manager applications from the Windows start menu. You can also open each of these applications from within any application. In previous versions of Security Manager, there was a single client view; the traditional client is now called Configuration Manager.

There are new toolbar buttons available for selection in Configuration Manager. To add them to the toolbar, select View > Customized Toolbar.

Some commands on the Tools menu have been moved to other menus, including two new menus, Manage and Launch. Some other commands have been renamed. Table 2 shows the old and new commands.

Table 2 Moved or Renamed Commands in Security Manager 4.1 

Old Command
New Command

Tools > Policy Object Manager

Manage > Policy Objects

Tools > Site-to-Site VPN Manager

Manage > Site-to-Site VPNs

Tools > Deployment Manager

Manage > Deployments

Tools > Configuration Archive

Manage > Configuration Archive

Tools > Activity Manager

Manage > Activities

Tools > Policy Discovery Status

Manage > Policy Discovery Status

Tools > Audit Report

Manage > Audit Report

Tools > Change Reports

Manage > Change Reports

Tools > Export Inventory

Device > Export > Devices

Tools > Device Manager

Launch > Device Manager

Tools > Event Viewer

Launch > Event Viewer

Policy > Save Policy As

Policy > Clone Policy

Right-click a shared policy in Policy view, Device view, or Site to Site VPN Manager and select Save Policy As.

Command is now Clone Policy.

In Policy Object Manager, right-click an object and select Create Duplicate.

Command is now Clone Object.

Installation Notes

Customers upgrading from Cisco Security Manager 3.x are required to purchase the appropriate Cisco Security Manager 4.x license. Details about Cisco Security Manager licensing can be found in the datasheet at

Cisco Security Manager 4.0 customers with a valid Cisco Software Application Support (SAS) Service contract for Cisco Security Manager may upgrade to Cisco Security Manager 4.1 at no charge, but must download a new license file using the Product Upgrade Tool at Customers will enter their SAS Contract Number into the tool and will receive a new license file via email.

If no license is provided during installation, the resulting installation will be an evaluation version. If you provide an invalid license during installation, an error message prompts you for a valid license (but installation is not aborted).

Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with your being able to do the following:

Logging in to the web server

Logging in to the client

Performing successful backups of all databases

For the server, Windows Server 2003 is no longer supported, and Windows Server 2008—32-bit is no longer supported. For the server, operating system support is as follows:

Strongly Recommended: Windows 2008 R2 Enterprise Server—64-bit.

Alternate operating system that also is supported: Windows 2008 Enterprise Server (Service Pack 2)—64-bit only.

For the client workstation, Windows Server 2003 is no longer supported, Windows Vista is no longer supported, and Windows Server 2008—32-bit is no longer supported. For the client workstation, operating system support is as follows:

Windows XP (Service Pack 3).

Windows 7 Enterprise Edition—64-bit and 32-bit.

Windows 2008 Enterprise Server (Service Pack 2)—64-bit only.

Windows 2008 R2 Enterprise Server—64-bit.

Internet Explorer 8 is supported, but only in Compatibility View. To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."

On the Cisco Security Manager server, you must deselect (clear) the checkbox "Automatically manage paging file size for all drives" in Windows Server 2008. The navigation path to this checkbox is Computer > Properties > Advanced System Settings > Performance > Settings > Advanced > Virtual Memory > Change.

Memory Reservation Framework (MRF), a new feature, provides Cisco Security Manager administrators the capability to modify heap sizes of key processes; doing so can enhance the performance of the server.

Note Configuring a process heap size is a critical procedure that can affect the performance of Security Manager, so Cisco recommends that it be done only under the guidance of application experts. Also, as a precautionary measure, Cisco recommends that you save your existing memory configurations for processes before changing them; and MRF provides two methods for doing so.

The Security Manager client is installed as an application suite that consists of three applications—Configuration Manager, Event Viewer, and Report Manager. Each can be launched independently in one of the following three ways:

Start > Programs > Cisco Security Manager Client > [choose one of the following] Configuration Manager, Event Viewer, or Report Manager

desktop icon

[after starting one of the applications] Launch > [choose a different one of the applications in the Security Manager client application suite]

You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.

Before you can successfully upgrade to Security Manager 4.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.

We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.

Be aware of the following important points before you upgrade:

Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.

Note It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.

If you upgrade from release 4.0.1 to release 4.1, and you use Cisco Configuration Engine, you must upgrade Configuration Engine to 3.5 or 3.5(1) at the same time. Security Manager 4.1 does not support older versions of Configuration Engine.

If you install RME on the same server as Security Manager, do not apply the file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.

Service Pack 2 Download and Installation Instructions

Service pack 2 is a cumulative update that also includes the updates that were found in service pack 1. You can apply Cisco Security Manager 4.1 Service Pack 2 to a Cisco Security Manager 4.1 installation whether that installation has an earlier service pack installed or not.

To download and install service pack 2, follow these steps:

Step 1 Go to, and then click Download Software under the Support heading on the right side of the screen.

Step 2 Enter your user name and password to log in to

Step 3 Click Security Manager (CSM) Software, expand the 4.1 folder under All Releases, and then click 4.1sp2.

Step 4 Download the file fcs-csm-410-sp2-win-k9.exe.

Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.

Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

Step 7 Run the fcs-csm-410-sp2-win-k9.exe file that you previously downloaded.

Step 8 In the Install Cisco Security Manager 4.1 Service Pack 2 dialog box, click Next and then click Install in the next screen.

Step 9 After the updated files have been installed, click Finish to complete the installation.

Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:

a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

b. Launch the Security Manager client.

You will be prompted to "Download Service Pack".

c. Download the service pack and then launch the downloaded file to apply the service pack.

Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.

Important Notes

The following notes apply to the Security Manager 4.1 release:

You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.

If you upgrade an ASA to release 8.3(x) or higher from 8.2(x) or lower, you must delete the device from the Security Manager inventory and add it back again for the policies to work correctly.

ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.

The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.

If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.

A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.

Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.

Do not run SQL queries against the database.

If an online help page displays blank in your browser view, refresh the browser.

Cisco Secure ACS 5.0 is not supported by Security Manager 4.1.

If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]

The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.


This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered user, view Bug Toolkit on at the following website:
To become a registered user, go to the following website:

This section contains the following topics:

Open Caveats—Release 4.1

Resolved Caveats—Release 4.1 Service Pack 2

Resolved Caveats—Release 4.1 Service Pack 1

Resolved Caveats—Release 4.1

Resolved Caveats—Releases Prior to 4.1

Open Caveats—Release 4.1

The following caveats affect this release and are part of Security Manager 4.1:

ASA, PIX, and FWSM Firewall Devices Caveats

CSM Client and Server Install Caveats

Cisco Catalyst 6000 Device Support Caveats

Cisco IOS Router Devices Caveats

Cisco IPS and IOS IPS Devices Caveats

Device Management, Discovery, and Deployment Caveats

Event Viewer Caveats

Firewall Services Caveats

Miscellaneous Caveats

Policy Management Caveats

VPN Device and Configuration Support Caveats

Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.

Table 3 ASA, PIX, and FWSM Firewall Devices Caveats 

Reference Number


OSPF validations are not adequate


FAILOVER - Active/Active deploys to Standby unit and returns errors


OSPF Discovery: Deployment of incomplete OSPF policy invalid


RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed


Enable DHCPD auto configuration with interface option not discovered


Discovery of a multi-mode ASA added to CSM as a new device fails


Deployment of ips command truncated if containing class map is changed


CSM managing A/A FWSM will not use configured management ip of context


ISC:Can allocate more than 32 data interfaces to transparent ASA context


Target OS for PIX firewall shows unsupported versions.

Table 4 CSM Client and Server Install Caveats 

Reference Number


CSM installer should check for supported SP during install


Not able to launch the CSM client after upgrade (CSM3.3SP1 to CSM4.0)


CSM coexistence problem with Symantec Event Manager startup sequence


CSM: "Login URL access is forbidden" "403 - Forbidden Error"


CSM: input fields for url bookmark show garbage characters


CSM/CSDM Client fails to open imported Cisco Secure Desktop config


A more direct upgrade path from CSM 3.3 to 4.1 would be more convenient

Table 5 Cisco Catalyst 6000 Device Support Caveats 

Reference Number


Deployment fails when allowed VLAN ID is modified on IDSM capture port


Deployment fails if you change access to trunk mode & enable DTP negotiation

Table 6 Cisco IOS Router Devices Caveats 

Reference Number


PPP policy does not support if-needed and local-case keywords for AAA


NetFlow deployment fails on subinterfaces


802.1x-Number of retries command not generated correctly


PPP-No validation for multilink support on device


AAA - source intf disc from global cmd instead of aaa subcommand


QoS policy not discovered when WRED is enabled


Discovery failure with target os 12.3(9) does not exist


Negation is not getting generated for policies using nonexistent ACL


Deployment fails on changing VTY authentication method frm AAA to local.


NTP Authentication key is not negated for 3945 router


RIP-Deployments fails for RIP policy but CLI are pushed into the device


BGP-Unassign bgp pol+Deploy,Deployment fails for 861 Router for 15.0 ima


Deployment fails after unassigning BGP policy


Filters not working in QOS->Control Plane and Interfaces->settings->CEF


no auto-summary in EIGRP discovered as auto-summary for infusion device


ASR: Advanced Interface Settings: MOP needs to be enabled by default


HTTP-Radius Retransmit on Dev-Key Not Disc & Retransmit Removed on Deploy


Static: No Cli Generated when Null0 Interface is selected


RIP: "Chain" is Masked instead of Key Chain Name


XNE: Syslog: Both Standard and XML Syslog Buffers are Allowed on Device


XE:MemoryThreshold Notification can be configure only for Free Processor


XE: Deploy Fails when Memory Critical Notifications are Changed


EIGRP Removed if Network is Changed


ASR - BGP - redistribute static - clns does not appear on device


Dialer Profile - Named Acl is Created During Discovery


PVC - UI Issues


ASR - PVC/OAM - Unsupported Cli


Cannot Rollback from Config Archive nor Deployment Manager


CLI: "dot1x pae authenticator" generated after deployment of 802.1x


Infusion: RAVPN Checkbox should be disabled in Bulk Re-discovery Panel


Deployment fails when regenerate RSA keys on SSH policy


ASR - No validation in CSM when configuring unsupported cli for ASR

Table 7 Cisco IPS and IOS IPS Devices Caveats 

Reference Number


IPS related policies should be listed in device properties page


IPS 6.x pol. should not be listed for 5.x devices in copy & share policy


VLAN groups need to display "unassigned" VLANS


After Abort, progress bar continues to 100% and Status remains = Started


Copy policies between devices with VS as source only shows VS's as destn


Warning message is displayed during blocking policy deployment.


Autoupdate setting value for a device should be same in device tree.


IPS EAO: After editing a row, the ed. row is displayed as the last row


IPS Licensing Date varies between sensor CLI and sensor


On IPS Update page, checkbox for shared sig. policy can be incorrect


Dynamic IP address IOS router imported by CNS cannot be discovered


During deployment, signatures removed from current.xml


Sig update fails when using HTTP if console logging is on


EAF: Show content option in context menu for victim addr is not working


OOB OPACL changes not resynced after successful deploy


Deployment of NTP policy with policy objects sometimes fails


IPS variable names cannot contain special characters.


Policy object overridden at VS level is not deployed correctly


Inventory alone discovery fails for IPS 6.x device for submit operation


Licensing: Repeated clicking of refresh button shows duplicate entries


Deployment Failed error on Event Action Rules


CSM daily autodownload every 2 days should start from the present date


MultiContext not handled in ApplyIPSUpdate wizard upon SigEditParams


Intf Policy copy betn same IPS models but diff interface cards fails


OS Id.'s ->Restrict to these IP address field should not map to pol. obj


Err loading pg if NTP policy from 6.1 dev is copied to 6.0/5.1 dev


Rules and AD profile name changes with multiple vs profile config


Security Manager swaps names of policies while deploying to device


Security Manager Deployment UI shows OOB for unsupported commands


Link for Interface help for SSC is redirected to Product Overview


IOS IPS : Cannot deploy custom signature for "normalizer" engine


IOS IPS: SDEE properties cannot be discovered if SDEE is disabled


Unable to unshare a shared policy for un-supported platform in dev view


Package download fails with error msg Download not enough space on disk


IOS IPS version should be updated with changes in IOS version


Security Manager does not push "category ios_ips basic" command properly


Not able to do signature update on IPS-4260 running 5.1(8)E2.9S342.0


Cannot deploy service module policy in IOS


on applying sig pkg to the device, New sig(s) is not listed on sig page


Signature deploy failed with "category ios_ips default" command


Sensor update fails on applying sensor pkg manually with OOB change


No validation for incorrect speed/duplex setting for 10G Interface


IPS Validation warnings still show up after unassigning shared policies


Delta shown for user profiles(no conf chng)after remote upgrade ( 3.3.1)


Licence Refresh functionality is broken when navigating between tabs ...


CSM discovery fail when Signature ID 50000 or later is modified


Event Action Filter variable problem


Migration log: IPS backward compatible devices are not reported


check for update in IPS should be sorted according to pkg category


reference context copy overrides the non-reference context local tuning


AAA policy managd as backward compatible throws wrong error post upgrade


Validation error when sharing the new engine with older signature device


Certificate page sud show proper error msg when it shows non-retrievable


Email notification should be meaningful if device has no service contrac


Right Click does not work on Vistual Sensor page


MU-IPS Licensing page taking too long for Refresh / CCO Update operation


MU-Anomaly detection page not responsive if more than one user logged in


Multi context issue in shared signature makes import/export funct broken


Packages are not extracted to temp folder if i manually copy it to updat


IPS Sig discovery Failing


CSM: Adding IOS IPS device failing from MARs Seed file.


Error thrown for Sensor/sig update during registratn of IPS pkgs


Null Pointer Exception when deploying a new update for IPS signature.


CSM: IOS IPS "basic" signature category deploys "default' signature set

Table 8 Device Management, Discovery, and Deployment Caveats 

Reference Number


Add field in DM to specify whether device is Admin Context or not


Security Manager deployment may trigger ObjectGroup name warnings.


Security Manager deployment may trigger interface name warnings


Deployment Manager refresh causes selected job focus to be lost


DCS to monitor the Admin context CLI


HitCount -- Internal Failure


[Rollback]Rollback is not working properly with ASA


CSM incorrectly handles '\t' when parsing configuration in the database.


In 3.2.2, database corruption in device_dirty_status table


Missing information in the FQ logic.


Failover: Deployment takes a long time


CSM does not deploy crypto related configuration to AUS


Deployment summary shows successful though deployment not done.


Failover License Checkbox not updated after re-discovery


Scalability: Cannot import IPS devices with specific signature levels


ENH:CSM should re-use csm-generated obj-group name after new discovery


Time discrepancy in deployment schedule


Scalability:Need baseline for max number of devices that can be exported


CSM should warn about AUS during device export if AUS is confgd


CSM thread hangs when firewall device non-responsive


Perf 4.1 - ER04 - QA07 - QA08 -Time to Deployment CPU hocking 100% Conf


CSM May Fail to Archive Configuration

Table 9 Event Viewer Caveats 

Reference Number


Floating view minimized by default.


Real-time event row selection not retaining


Select all in custom filter with filter criteria not correct.


Custom filter does not remember values when some filter is applied.


Event Viewer must provide the ability to filter in a signature ID


"Backplane" & physical" interface fields are always blank for events


Time slider doesnt show correct trend for view with long duration.


Continue showing 'Navigating to.' dialog even if crosslaunch is canceled


Internal error thrown on opening view having BB which is deleted.


Custom filters using BB should have view option to see BB contents.


No warning if event data store size is reduced than actual stored events


Unselecting a sigId should unselect it under all Signature Categories


Floating window goes invisible on clicking Cancel Close


Closing pre-defined view with filter changes should ask for save as.


Custom Filter shows Empty Categories for Syslog and Signature


ASA Eventing: Incorrect event names for some syslogs


Eventing Restore: Restore failing or partially succeeding in some cases


Internal error thrown when portlist is used in service object filter.


Filtering does not work when only protocol name is used in service obj.


Results not correct when network obj with non-contiguous mask is used.


VmsEventServer doesnt come up after CSM DB restore.


Save required after device/BB is deleted and custom view is launched.


Need latest syslog-msg.xml file for Event Details for AC Milan


IP to Object name mapping for Multiple objects not showing properly


BB names having underscore in name can't be shown in the event viewer

Table 10 Firewall Services Caveats 

Reference Number


ACL limitations for Layer 2 interfaces on IOS ISR devices


Activity Report: Issues with access rules table change report


Problems matching interface name when reusing AAA policy objects


Inspect Map: PIX 7.1 gtp-map subcommand order is not preserved


Discovery of PAM Mappings with Inspection Rules is incorrect


Changes to files lost during Security Manager upgrade


MAC Exempt list cannot be ordered


CSM incorrectly marks services like 'tcp/1234' as invalid format


Wrong error message after sorting the Access control by ACL name


Failover: Deployment fails with subinterface as failover Interface


Delta generated for Object-groups


DES: Unmanaged policy-map configs removed after discovery


SNMP Policy: Port field is applicable to only the admin context.


Unassign of translation rules should remove object nat rules also


Auto NAT: Ordering of Auto NAT rules is not correct.


Bottom align single row column headers if other headers are on 2 rows


Deployment fails with ACE edit in ACL BB


Proposed Performance optimization in NAT (translation and simplified)


Generates the duplicate port-map commands with ZBF port-map config


Deployment fails because of duplicate entries in the NAT address pool.


Discovery fails if IOS config contains OGs with name larger than 64 char


Simplified NAT : Additional validation required in Activity Validation


<NAT Rule> select Edit Source, not displaying BB selector Dialog


Edit BB throws Exception, After select OK button,If same name BB present


Add Singleton network object (host/network) takes more time than groups


Section feature supporting in NAT on ASA 8.3 and above


Manual-NAT: need validation for "neq" operator in static NAT


Fail to Removing un-reference object-groups leads to deployment fails


Discovery of asr-group in ASA 8.3.1 on CSM is not displayed


Jamaica: system context Config file discovery fails with ASA 5580 platfo


CSM Modifying existing policies name without any changes after discovery


Intf:failover Interface should not available to context allocation


CSM: Interface ID should not be edited while having sub-interfaces.


Int: ASA 5580/85 should support max 1034 int allocation to context


ZBF: Need validation for un-supported ZBF protocols with ISR 15.1(1)T


default version for spyker should be 8.4.1


ASA version 7.2.5 not listed in Device Addition Wizard


NAT: Policy dynamic NAT UP is not working


policy PAT wizard should validate service instead of throwing error when


Discovery : CSM negating BG if BVI isnt configured


Etherchannel: Portchannel with Sub i/f's should not be editablefw


CSM: Disabling or modifying one inspection may remove all inspections


CSM configuration update incorrectly deplys static NAT config


CSM merging the remarks to next ACE for duplicate ACES after deployment

Table 11 Miscellaneous Caveats 

Reference Number


IEV installation fails on systems without C: drive


Disabled rules not shown as inactive in read-only policy page in MARS


CSM 3.2.2 does not release feature locks on a discarded activity


Last run entry not seen in Deployment Schedule on page refresh.


MCP: Tunnel packet counters not updated for P2P S2S VPN on VSPA.


Security Manager - Server does not start - regdaemon.xml corrupted


Manual NAT : Incomplete display of menu bar


Setting log level to SEVERE for Event management logs debug messages


CSM is not prompting for license again when invalid license is given


Pro- Time Bound license is behaving like pro- permanent license


MCP:Packet In and Out Counters not updated for adevice in DMVPN topology


PCAP:User shud be allowd to selet diff set of match criteria for egress


PCAP:Source,Dest Host/Network fields should also accept "any"


PCAP:Summary of the capture invoked should be available at last page


Security Manager diagnostics generates an invalid compressed archive


PCAP:ASA versions support for ICMP code types uinder match


PCAP:Need to modify the buffer range supported for different Versions


PCAP:Close all the packet capuure wizard window without any service msg


PCAP:Capture should not be run for systemcontext - multicontext mode


PCAP:unable to fetch ACLs/interfcs for FWSM 2.3.5


User cannot log in to two apps if one app is waiting for license upload


Appropriate access privilege required on CSM Client folder


MCP 4.1: Discovery fails for ISR router with IOS 15.1


Workflow mode : editing combobox values in policy view


CSM client goes out of memory with DB having huge config


Scheduled backup not removed on uninstallation of CSM


Change report shows passwords in clear text


Performance monitor 3.3 sends SNMP get request larger than 512 bytes

Table 12 Policy Management Caveats 

Reference Number


Network/Service BB objects should retain the order


KCD:Interface configuration is mandatory for configuring Kerberos server


Edit device overrides dialog takes unduly long to load if many overrides


object panel is not displayed correctly

Table 13 Report Manager Caveats 

Reference Number


Device list filter refresh problem in already opened report


Chart generation when all count values are zero


Pie chart not shown correctly when data variation is large.


User reports charts not correct for high number of users.


Top value selection criteria in case of same event count


Blank report is generated if report is scheduled at hour boundary


Selection of IPS virtual sensor has problem in device selection tree


All values are not marked on the target analysis report scatter chart


Data should not be populated in the custom report if all value not avail


Generating deleted report doesnt show correct error.


Changed default Report Settings are not shown properly to logged in user


ETSGJ-CH:Scheduled Reports not working in a Windows Enterprise Server


Device Filter Does Not Show Selected Devices


Custom report list not refreshed on report deletion.


VPN reports:Device Certificate validation not being done while polling


Setting log level to SEVERE logs debug messages in vmsreportsbe log


Multiple custom report deletion from view menu doesnt work correctly.


VPN Reports: XY/Bar Chart shows Different Values


Clearing of service filter doesnt update Gui correctly.


Service object override support in reports


Changes to service objects are not updated in reports


CSV export doesnt show all reporting ASA device as one entry in botnet.


Report Improper When Print With Yes Option in Settings Changed Dialog

Table 14 VPN Device and Configuration Support Caveats 

Reference Number


Support for IOS version 12.2(33)SRA on 7600 devices


EzVPN - default tunnel-groups are not handled by Security Manager


Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client


Cat6k-SPA GRE+Multicast - unsupported


validation error should be thrown if int ip & pool address are same


IPSEC VPN import failed when crypto ACL contains intf in source/dest


Side-effects due to missing Protected Network's assignmnt usage info.


Remote Access VPN - Activity validation reports error for http-form


VPN policy discovery fails when tunnel source defined with IP address.


Deployment fails in 7600 due to wrong order in CLI negation


CS Mgr discovery fails when NAT IP address is configured with LPIT.


Regular ipsec discovery - Preshared key Aggressive mode not discovered


CS Mgr 3.3 not showing modified DfltGrpPolicy in RA VPN


CSM: ASA VPN creation/discovery failure if interface ip is not static


GRE H&S-Default route is not discovered for Informer device


CSM: Remote Access VPN 'send FQDN to client' checkbox doesn't function


Unable to remove password management from tunnel group


Report for Un-sharing RA policy is not shown in Activity Rport


PIX6.3/PIX7.0/ASA device can not initiate aggressive mode key exchange


CSM does not generate cli when aggressive mode is selected


IKEv1 PKI is discovered when discoverying VPN with IKEv2 config


Options are missing in Device category of DAP Entry


AD groups field is missing in LDAP attributes


Activity change report RAVPN-Dynamic access tab not proper


Additional unnessary fields shown in Activity chage report.


Getting a Invalid URL error when entering the RDP2 bookmark


VPN deployment - wrong CLI set transform-set Translation ERROR


CSM: null values for peer_device_id column in vpn_gre_hack_ip_allocation


Aggressive mode should be enabled if customer use pre-shared key for cli


IKEv2 connection is down for default connection-type of CSM


H&S VPN-wrong AV when discoverying bidirectional key(PKI & PSK) config


Discovery fails if Anyconnect image is present in disk1 of the device


CSM 4.0.1 Deployment fails with internal error exception


CSM : Require a way to disable navigation pane on the webvpn portal

Resolved Caveats—Release 4.1 Service Pack 2

The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.1 Service Pack 2.

Reference Number


CSM thread hangs when firewall device non-responsive


Some VPN features can fail after a restore to a different drive


Deployment report generation failing


ACS Authorization Failure Message - CSM RBAC Setup


UID: Disable option throws NPE in Qos policies


user cannot config DNS,HTTP and AAA after upgrading ips from 6.24 to 7.0.5


CSM: Edit VPN Policy Page takes 15-20 minutes to load


CSM Reporting stops polling the device


Deployment errors at CSM if changes at tunnels were made


Security Issue in Apache :: PSIRT ISSUE


PIX interface names missing from preview config after CSM 4.x.x upgrade


CSM removes ip local pool from the connection profiles


CSM 4.2 AnyConnect profile CLI Not Reconized by the config Parser


CSM: Preview Configuration error "Failed to generate delta config"


CSM allows to configure duplicate nat rules for ASA running 8.3/later


CSM: Longer time validating all tunnels if 1 got newly added/modified


CSM mid deployment crash with no warning due daemon restart


CSM 4.1 not able to validate ASA-multiple context with same interface IP


Upgraded IPS always downloading FlexLM license in CSM


Event Viewer stops displaying events due to hung thread


CSM device reports stopped running


Vpn Performance Improvements


DfltGrpPolicy: Delta seen in preview every time


Using Custom Roles in ACS is blocking the import functionality in CSM


CSM 4.2 Apache and SSL vulnerabilities.

Resolved Caveats—Release 4.1 Service Pack 1

The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.1 Service Pack 1.

Reference Number


CSM 3.2.1 SP 1 unable to use local user password of length 17-31 charact


ZBF: Activity validation does not consider BB override


Network/Service BB objects should retain the order


CSM discovery fail when Signature ID 50000 or later is modified


Avoid destructive operation on CLI's during delta generation


CSM: IPS signature registration fails with out of memory errors


CSM removes existing NAT0 ACL and creates new one per interface


Support special characters in Group Policy, Cert Map, DAP policy name


VPN deployment - wrong CLI set transform-set Translation ERROR


OOB detection during deployment should compare checksum before diffing


Detect/notify if server patch is not matching with client patch after CP


CSM creating multiple deployment job at a same time.


CSM use wrong cmd syntax when disabling "log with interval" option


Change report shows passwords in clear text


While enabling Do not translate vpn traffic delta seen after deployment


CSM : Require a way to disable navigation pane on the webvpn portal


VPN activity validation exception during Acitivity Change Report Gen


NAT Rule: Activity Validation error for Network BB containing


VPN Activity change reports : password fields need to be hidden


LDAP attribute maps not editable after migration to 4.1


Nullpointerexception in RAVPNServicePlugin prevents VPN deployments


Group-Alias command does not support spaces


Duplicate Peer IP validation


VPN activity change report showing Password in clear text


CSM wrong deployment of AAA auth-proxy accounting commands


Activity report for a newly discovered VPN hub device taking ~24 hours


ASA device discovery failing while configuring webacl in any policies


CSM removed some ACLs that resulted in network outage/delay of airlines


CSM Deployment changes ASA Remote Access Preshared Key to masked value


CSM negating On-demand-routing (ODR) while pushing config


CSM 4.1 deletes dap.xml and data.xml files if RA VPN policy not discover


CSM validate a QoS policy incorrectly "Qos Preclassify is not supported"


VPN: Anyconnect profiles are not getting discovered for ASA 8.4(1)


CSM - Arbitrary command execution vulnerability.


Any connect profile is not discovered while used in group policy


CSM does not show L2L VPN with CAT6K Endpoint


After editing IPS sig to default from local, the delta is empty


Enhancement: serial deployment option for ASA


Router with pre-configured parameter-map type global fails discovery


CSM 4.1 Deployment errors due to the order of VPN IP pools


CSM should not try tor remove class-default on ASR1K


Bundle defect for known vulnerabilities in CiscoWorks Common Services.


CSM Stops polling all IPS Events intermittently

Resolved Caveats—Release 4.1

The following customer found or previously release noted caveats have been resolved in this release.

Reference Number


SLA: Interface roles assigned to an SLA Monitor not validated


CSM - Needs a way to remove old IPS metadata


"ip local pool" DDP doesn't translate name assigned to ip addr ranges


AAA server object: no error issued when interface not specified


Modifying ACL used in ZBF generates CLI for policy-map also


Cannot edit device overrides in nested ACL objects


CSM Deploy fails if removing web-type ACL that is applied to mult DAPs


Security Level changes when name of interface changed


Performance Monitor not generating e-mail alerts


MCP - cannot import VPN in HSRP configuration


Need to modify format of "IP Log Id" values under "Displayed Fields" tab


ZBF:No validation message for protocols unsupported with IOS versions


ACL BB renames if remark is used


EPS: On a Win 2k8, 64 bit OS, 8 GB machine EPS doesnt cross 15K-18K


CSM doesn't support platform option in smart-tunnel list


CS patch install fails when CSM is installed on Japanese windows


View creation fails though view with same name not present.


IPv6 syntax is not recognized properly by DDP


Simplified NAT: Edit Source not properly chaning the Source


Fails to apply a license to IPS


CSM 3.3.1 SP1 wrong deployment of ACLs to ISR running 12.4(24)T code


CLI for object generated even when it was not referred


Lan-to-lan cannot be discovered if RA VPN was already discovered


Discovering RA VPN causes discovered Lan-to-Lan config to be removed


BV-NAT: Unable to delete last NAT rule with disable/enable operation


Event Data Store Location change is not working


VPN on ASA cannot be discovered when infinite keyword is used for DPD


Changes to shared credentials policy does not sync with CSM inventory


CSM doesn't allow to deploy to a device that's part of a pending job


Importing ACL rules w/ object-groups in CSM fail


CSM is altering manually deployed ACL/tcp-map names after deployment


One time deployment job shown as recurring in deploy manager


ASA: Error with more then 2 net-flow collector configuration in CSM


Error deleting tenGig sub-interface in system context


CSM deploys dhcpd enable <nameif> if interface was removed in deployment


Object deletion of large number of objects leads to Sybase jConnect err


Diagnostics collector doesn't zip up SP pack install logs


CSM deploys crypto enroll after importing device with existing cert


CSM 4.0 Move Up and Move Down buttons delete FlexConfig lines


CSM 4.0 discovers ASA 8.3 interfaces with uppercase fails deployment


redundant mgmt int config delta sent to ASA in transparent mode


IKE PKI Warning Window pops up if trustpoint is configured for SSL


CSM: Checksum failed when downloading IPS signature S511


CSM - configuration differences not shown properly


CSM - Query window pop-up is not appearing


CSM - selected object does not expand completely


CSM - switching back to access rule is very slow if filter is applied


users are allowed to create duplicate static routes


RAVPN:CSM needs to support CSD 3.5.1077


CSM does not check Vlan ID field for repetitive entries for FWSM


RAVPN: Need support for 'Windows 7' OS version in DAP entry


CSM: IPS signature registration fails with out of memory errors


Number of matched rule in the section is not showing if filter in place


X axis needs to be renamed for IPS Simulation Mode report


CSM allows auto expand of NAT rules for ASA8.3


Support ASA 8.2.3 version for all Models of ASA


CSM pushes incorrect config for DAP Policy for Symantec personal FW


Static NAT and PAT rules are not always added back to the configuration


CSM generates incorrect DAP LUA expressions for Process checks


CSM: 8.3 destination nat displayed incorrectly


VPN config - ASANAT configuration causes deployment error


CSM 4.0 LDAP attribute map customer map value does not support space


CSM 3.3(1) - variables in FlexConfig script not correcty populated


auto update failing for IPS


crypto isakmp tcp-over-ipsec is removed after VPN discovery


CSM: CRC Error When Downloading IPS Signature Updates


CSM dirties system defined service obj when created frm within ruletable


CSM Daemon wont start if Windows 2008 auto VM setting is checked


DAP changes pushed from CSM are not visible in ASDM


CSM ignore the first device in 2,3,.. N jobs of autodownload

Resolved Caveats—Releases Prior to 4.1

For the list of caveats resolved in releases prior to this one, see the following documents:

Where to Go Next

If you want to:
Do this:

Install Security Manager server or client software.

See Installation Guide for Cisco Security Manager 4.1.

Understand the basics.

See the interactive JumpStart guide that opens automatically when you start Security Manager.

Get up and running with the product quickly.

See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.1.

Complete the product configuration.

See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.1.

Manage user authentication and authorization.

See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.1.

Setting Up User Permissions

Integrating Security Manager with Cisco Secure ACS

Bootstrap your devices.

See "Preparing Devices for Management" in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.1.

Install entitlement applications.

Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.1.

Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

Guide to User Documentation for Cisco Security Manager

Lists document set that supports the Security Manager release and summarizes contents of each document.

For general product information, see:

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the "Product Documentation" section.