Release Notes for Cisco Security Manager 4.5


Originally Published: November 15, 2013
Last Updated: July 15, 2014

These release notes are for use with Cisco Security Manager 4.5.

Security Manager 4.5 is now available. Registered SMARTnet users can obtain release 4.5 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software under Support.

Introduction


Note: Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.


This document contains release note information for the following:

  • Cisco Security Manager 4.5 —Cisco Security Manager enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, Catalyst 6500 and 7600 Series ASA Services Modules (ASA-SM), and several other services modules for Catalyst switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.

  • Auto Update Server 4.5 —The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.

Note: Before using Cisco Security Manager 4.5, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.5 before installing Cisco Security Manager 4.5.


This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.

Supported Component Versions and Related Software

The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.5.


Note: For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.

Table 1 Supported Versions for Components and Related Applications

Application                                                        Support Releases

Component Applications
Cisco Security Manager                                             4.5
Auto Update Server                                                 4.5
CiscoWorks Common Services                                         4.2.2

Related Applications
Cisco Security Monitoring, Analysis and Response System (CS-MARS)  6.0.7, 6.1.1
Cisco Secure Access Control Server (ACS) for Windows               4.1(3, 4), 4.2(0)
Cisco Configuration Engine                                         3.5, 3.5(1)

Notes for Cisco Secure Access Control Server (ACS) for Windows:

  • Cisco Secure ACS Solution Engine 4.1(4) is also supported.
  • You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.

What’s New

In addition to resolved caveats, this release includes the following new features and enhancements:

IPS 7.1(8) and 7.2(1)

ASA 8.4(6)

ASA 9.1(2) and 9.1(3) (both standalone ASA and ASA-SM)

ISR 4451 with IOS-XE 3.9 image

  • Security Manager now supports the Cisco TrustSec feature on ISR devices running IOS 15.2(2)T and later and ASR devices running IOS-XE 3.5.x(15.2(1)S) and later. Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform.
  • The Security Manager client has a new launch point--a configurable dashboard. The dashboard contains gadgets that you select to help you quickly and conveniently see device health, top ten IPS and firewall reports, IPS sensors out of date, and several other measures of security on your network.
  • CSM Mobile allows you to access device health summary information from mobile devices. The information available to you in this way is the same as that available in the Device Health Summary widget in the Dashboard: current high or medium severity active alerts generated by HPM. Alerts can be grouped by Alert-Description, Predefined-Category, Device, or Alert Technology. The principal users of CSM Mobile are expected to be those who use an Apple iPad, an Apple iPhone, the Google Chrome browser, or the Apple Safari browser.
  • You can now use the Prime Security Manager page of the Security Manager Administration window to enable and configure a “single sign-on” (SSO) shared key, which is then used for cross-launching Cisco Prime Security Manager. Cisco Prime Security Manager is used to manage all ASA CX modules in the Security Manager inventory.

    If you enable and configure SSO cross-launch, Security Manager users can access Cisco Prime Security Manager without logging into Cisco Prime Security Manager separately. However, note that SSO must also be configured in Cisco Prime Security Manager using the shared key you generate in Security Manager.
  • The Policy Object export feature used for sharing data between Security Manager and Cisco Prime Security Manager has been enhanced to include the object type in the exported data and to allow flattening of Port List objects when exporting Services objects.
  • When installing IPS license files, you can now choose to work in client-side file systems in addition to server-side file systems. This means that while in previous versions of Security Manager you could store the IPS license file on a local drive on the Security Manager server, beginning with Version 4.5 you have the additional choice of storing it on a local drive on a client.
  • Security Manager users can now choose to receive by e-mail a report of those IPS devices whose license is due to expire within a specified number of days.
  • Security Manager now allows you to export the IPS licenses as PDF files in addition to CSV files.
  • Security Manager now has an Eventing Notification Settings page for sending email notifications when it receives critical events for ASA and IPS devices or when a signature fires on the IPS sensors that it manages.
  • The Event Table in the Event Viewer client application (Launch > Event Viewer) has a new right-click menu item for individual events. This new right-click menu item is “Tune Signature.” It opens the IPS Signature Quick Tune dialog box where you can enable or disable the signature associated with the selected event, and modify the Base Risk Rating of the signature that is assigned to the device or shared policy.
  • The IPS Signatures Page now has a Notes column for each signature; this feature enables you to add a note so that you can revisit particular signatures later to see what you or other users have added for a signature or an event. This feature is helpful for network administrators in monitoring noisy signatures or signatures that need particular attention.
  • Security Manager now has several pre-defined Risk Rating policy objects for use with the IPS Event Action Overrides policy.
  • Security Manager now allows you to navigate to the Event Action Filters policy for a device from the right-click menu of an event associated with that device.
  • Report Manager now allows you to drill down into the report data for the following reports:

    – Firewall Reports: Top Destinations, Top Services, and Top Sources
    – IPS Reports: Top Attackers, Top Signatures, and Top Victims

  • The Device Details view in Health and Performance Monitor has been redesigned to provide a more concise and easier to use view of information for the device. In addition, a device-specific view of alert data is available on the Alerts tab when viewing details for a specific device. With a few exceptions, you can perform many of the same functions from the device-specific alert view as you can from the primary Alerts display.
  • From the Device Details and VPN Details views in Health and Performance Monitor, you can now cross launch to the Event Viewer to see the events for the selected device or VPN.
  • From the Access Rules and Translation Rules policies in Security Manager, you can now select a rule and view related event information for that rule in Event Viewer. You can view real-time or historical events matching the rule. You can view events for ASA (including ASA-SM) and FWSM devices.
  • Security Manager now allows you to forward syslogs received by the Event Viewer to one additional local collector and two remote collectors. You can define which syslogs should be sent to each collector. You can also configure settings to control the CPU load used by the syslog relay service.
  • Security Manager now provides IP Intelligence tools (Reverse DNS/FQDN, GeoIP, and Whois) that allow you to find out information about specific IP addresses. The IP Intelligence feature is accessed in Configuration Manager from the Tools menu. The feature is also accessible from the right-click menu for IP addresses in Event Viewer and for certain policies in Configuration Manager.

Installation Notes

Please refer to the Installation Guide for Cisco Security Manager 4.5 for specific installation instructions and for important information about client and server requirements. Before installing Cisco Security Manager 4.5, it is critical that you read the notes listed in this section and the Important Notes.

  • Upgrading from Security Manager 4.5 beta images to the final Security Manager 4.5 FCS image is not supported.
  • The “Licensing” chapter in the installation guide enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation. It is available at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.5/installation/guide/licensing.html .
  • Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with the following:

    – Logging in to the web server
    – Logging in to the client
    – Performing successful backups of all databases

  • The Installation Guide for Cisco Security Manager 4.5 provides important information regarding server requirements, server configuration, and post-installation tasks.
  • The Installation Guide for Cisco Security Manager 4.5 also provides important information regarding operating system and browser support. For example, Windows XP is no longer supported for clients. As another example, VMware ESXi 5.1 Update 1 is now supported.
  • You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
  • Before you can successfully upgrade to Security Manager 4.5 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release of the product contains complete instructions on the steps required for preparing the database for upgrade.
  • We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
  • Be aware of the following important points before you upgrade:

Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.


Note: It has come to Cisco’s attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.


  • If you log in to a Security Manager server that is running a higher version than your client, a notification will be displayed and you will have the option of downloading the matching client version.
  • Beginning with Security Manager 4.4, AUS and the Security Manager client are installed in parallel to improve installation time.
  • CiscoWorks Common Services 4.2.2 is installed automatically when you install Security Manager or AUS.
  • If a database migration error occurs, an error message pops up; this happens at a point where the installation can continue without stopping.
  • We recommend defragmenting the disk for every 50 GB increase in disk size for optimal performance.

Caution: Frequent defragmentation will also contribute to bad sectors, eventually leading to disk failure.

  • Beginning with Version 4.4, Security Manager includes a Windows Firewall configuration script in the server installer. This script automates the process of opening and closing the ports necessary for Windows Firewall to work correctly and securely; its purpose is to harden your Security Manager server.

OpenSSL Heartbeat Extension Vulnerability

Cisco Security Manager 4.5 includes a version of OpenSSL that is affected by the OpenSSL Heartbeat Extension Vulnerability (also known as Heartbleed). For more information, see http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed.

If you are using Cisco Security Manager 4.5, you should upgrade to Cisco Security Manager 4.6 or apply the Cisco Security Manager 4.5 SP0 CP3 patch as soon as possible.

To download Cisco Security Manager 4.5 SP0 CP3, follow these steps:


Step 1 Go to http://www.cisco.com/go/csmanager , and then click Download Software for this Product under the Support heading on the right side of the screen.

Step 2 Enter your user name and password to log in to Cisco.com.

Step 3 Click Security Manager (CSM) Software, expand the 4.5 folder under All Releases, and then click 4.5.

Step 4 Download the file CSM450_SP0_PP3_installer.exe.

Step 5 Refer to the Readme_for_CSM450_SP0_PP3_Installer.txt file for instructions on installing the patch.

Important Notes

The following notes apply to the Security Manager 4.5 release:

  • You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
  • If you upgrade an ASA managed by Security Manager to release 8.3(x) or higher from 8.2(x) or lower, you must rediscover the NAT policies using the NAT Rediscovery option (right-click on the device, select Discover Policies on Device(s), and then select NAT Policies as the only policy type to discover). This option will update the Security Manager configuration so that it matches the device configuration while preserving any existing shared policies, inheritance, flex-configs, and so on.

When upgrading an ASA device from 8.4.x to 9.0.1, the device policies will be converted to the unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you can convert the existing NAT policies to unified NAT policies with the help of the rule converter in Security Manager. For more information, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.5/user/guide/porules.html#wp485878 or the “Converting IPv4 Rules to Unified Rules” topic in the online help.

You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.

  • ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
  • The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
  • If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
  • Device and Credential Repository (DCR) functionality within Common Services is not supported in Security Manager 4.5.
  • A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
  • Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
  • Do not run SQL queries against the database.
  • If an online help page displays blank in your browser view, refresh the browser.
  • Security Manager 4.5 only supports Cisco Secure ACS 5.x for authentication. ACS 4.1(3), 4.1(4), or 4.2(0) is required for authentication and authorization.
  • If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
  • The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
  • The “License Management” link on the CiscoWorks Common Services home page has been removed.
  • CsmReportServer and CsmHPMServer are now supported with 64-bit JRE.
  • The “rsh” service has been changed to manual start mode. You can start it manually if you need it.

Caveats

This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats using the Cisco Bug Search Tool (BST), the caveat titles listed in this section are drawn directly from the Bug Search Tool database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

  • Product names and acronyms may be standardized.
  • Spelling errors and typos may be corrected.

Note: If you are a registered cisco.com user, you can access the Cisco Bug Search Tool on cisco.com at https://tools.cisco.com/bugsearch. For more information about the Bug Search Tool, visit the help page at http://www.cisco.com/web/applicat/cbsshelp/help.html.

To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do


Open Caveats—Release 4.5

The following caveats affect this release and are part of Security Manager 4.5.


Note: In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.

Table 2 Cisco IOS Router Devices Caveats

Reference Number  Description
CSCth95357        XE: Deploy Fails when Memory Critical Notifications are Changed
CSCti15944        CLI: “dot1x pae authenticator” generated after deployment of 802.1x
CSCtq12795        Generic Router : AAA rules getting negated.

Table 3 Cisco IPS and IOS IPS Devices Caveats

Reference Number  Description
CSCtk36259        MU-IPS Licensing page taking too long for Refresh / CCO Update operation
CSCug68487        CSM isn't closing all the HTTPS session as part of config deployment

Table 4 Client and Server Install Caveats

Reference Number  Description
CSCtq99125        Installation: Evaluation and Licensing options get enabled simultaneous
CSCtr71792        ETSGJ-CH:CSM Launch Icons Missing on XP JOS Client
CSCtr72248        ETSGJ-CH:Not able to proceed with install if going back to previous page
CSCuj65553        CSM 4.5 Installation Command Buttons appear garbled
CSCuj65593        CSM 4.5 Installation Button Appears Garbled
CSCuj65797        CSM 4.5 Security Tools page UI launching Issues on Win 7 32 bit client

Table 5 Device Management, Discovery, and Deployment Caveats

Reference Number  Description
CSCub81927        Scal Testing: DB error during deployment
CSCuc13848        Getting error while submitting a ticket for Validation.

Table 6 Event Viewer Caveats

Reference Number  Description
CSCtg54222        Eventing Restore: Restore failing or partially succeeding in some cases
CSCtg57676        Internal error thrown when portlist is used in service object filter.
CSCtg57745        Filtering does not work when only protocol name is used in service obj.
CSCtg57839        Results not correct when network obj with non-contiguous mask is used.
CSCtl73195        BB names having underscore in name can’t be shown in the event viewer
CSCua81392        CSM 4.2 - Eventing directory does not get deleted
CSCuh16940        IPS subscription is not getting closed when unmonitoring the device
CSCuh38244        P2E: Events are not filtered properly if ACE has muliple services
CSCui01213        Changing “Time field” by highlighting the value is not inserting properly

Table 7 Firewall Services Caveats

Reference Number  Description
CSCtf32208        Deployment fails with ACE edit in ACL BB
CSCtg80500        Manual-NAT: need validation for “neq” operator in static NAT
CSCti08077        system context Config file discovery fails with ASA 5580 platform
CSCtl10613        Int: ASA 5580/85 should support max 1034 int allocation to context
CSCto67515        ASA/ASASM Failover commands not negated
CSCto80002        UID: Deployment fails when domain is used in ACL and is deleted
CSCtq04794        NAT: Deployment is failing for object NAT for Translate DNS rule
CSCtq20157        Delta is empty after unassigning Inspection settings.
CSCtq20876        Generic Router: Deployment fails after unassigning web filter settings
CSCtq20997        NAT:Subnet Can not be used as mapped Source in Dynamic NAT policy
CSCtq24069        UID: repeated ACL delta with ACL match protocol inspection
CSCtq36739        NAT: Same Mapped address cannot be used to perform both NAT and PAT
CSCtq63721        UID: order of AAA server negation/appending _1 on discovery should modify
CSCtq82588        Discovery fails for device with scan safe AAA in CSM 4.1
CSCtq82698        NAT: Unable to Edit Static Object NAT
CSCtr12016        ETSGJ-CH:Japanese User not displayed in Identity UserGroup UI
CSCtr12155        ETSGJ-CH:Japanese User Group shows Name as Square blocks in JOS Client
CSCtr17688        NAT: No validation for FQDN in pre ASA 8.3 NAT
CSCtr25092        ETSGJ-CH:Pop-up for wrong bind in Identity needs to be revisited
CSCtr25195        ETSGJ-CH:Domain name with special characters are permitted
CSCtr30676        Deployment fails when http accounting banner from file is configured
CSCtr71998        ETSGJ-CH:Incremental pop-up for a wrong MAC in Cat6k ASA-SM Failover
CSCts15802        Scan Safe-Deployment fails when enabling Encryption IOS
CSCts25221        Edit ACL in Identity Policy-CSM generates incorrect order of cli
CSCtw48451        Override BB are not mapping with BBs used in import rules
CSCtx47521        Extended pat table option should be disabled
CSCtx51882        ACD: Navigation from conflict details fails to rule in rule section
CSCty77037        Remove unreferenced Object-Group option can cause deployment error
CSCtz78135        ASR: ZBF Disabled & Enabled Rule found similar in GUI
CSCtz92786        RBAC: Privileges for NAT policies on ASA 8.3 not working
CSCud37752        ASA Image Downgrade From 9.0 to 8.4.4 Contain Xlate Rules in Preview
CSCuj99884        Global search does not display default inspection rule present in device

Table 8 Health and Performance Monitor Caveats

Reference Number  Description
CSCtt95667        FW: Certificates should be displayed as part of Non VPN Views
CSCtx48130        VPN: SitetoSite VPN tunnel details not proper with dynamic cryptomap 8.4
CSCud53546        “Master” changes needs to be reflected in Cluster row
CSCue50284        Tunnel Alerts: Traps Not Processed if the Remote Subnet is a Host

Table 9 Image Manager Caveats

Reference Number  Description
CSCue30032        Multicontext devices are not shown in IM in ACS setup

Table 10 Miscellaneous Caveats

Reference Number  Description
CSCtq99617        CSM UI unresponsive for a long period in MU testing
CSCuh86712        Device state is not changed as rediscovering the changes
CSCui32627        Adding IP to cluster pool is not getting updated in logrelay filter
CSCui78433        Flickering issue : IP Intel and View Statistics refresh/other flows
CSCuj25254        Not able to crosslaunch frm CSM-PRSM if username starts with bold letter
CSCuj50087        Image is removing from the list after viewing the config file
CSCuj60513        Logrelay:Warning can be given when one user changes impacting other user

Table 11 Policy Management Caveats

Reference Number  Description
CSCud86519        CSM deployment error with an Object
CSCuh40492        Configuration differences in OOB detection not shown exactly
CSCui64215        IPS deployment fails for BB having colon (introduced by CSCuc48237)

Table 12 VPN Device and Configuration Support Caveats

Reference Number  Description
CSCth43310        GRE H&S-Default route is not discovered for Informer device
CSCtl82579        IKEv2 connection is down for default connection-type of CSM
CSCtq06818        Group Encryp Policy-unassigned from policyview not restoring default val
CSCtq15281        Config wizard-Auto-update client is not deployed properly
CSCtq29212        SSL-CSM is not generates proper URL when configuring bookmark
CSCtq67354        preview fails,rule name(SSLVPN->othersett->content rewrite) having space
CSCtq86149        deployment fails:existing Virtual Template int with type serial - Ezvpn
CSCtr06681        preview fails : if SSO name is given with spaces
CSCtr28222        IPSec Proposal is not discovered, if DVTI/VRF is configured in ISR
CSCtr64655        VPN discovery fails:using tunnel_3des as Ikev1 TS in ASA-ISR combination
CSCts30832        Preview failed due to FQDN acl BB used in group policy.
CSCtz47183        IPS 43xx: Standalone Transparent Mode Device Deployment Fails
CSCub28608        VPN policy discovery clears the existing crypto map ACL
CSCub82270        CSM deletes the existing ACL when changing protected nw/Spk2Spk connecti
CSCub89125        PKI node under Remote Access VPN to be enabled
CSCuc48221        CSD policy editor:- Secure vault checkbox is missing in prelogin policy
CSCud61707        PKI deployment failed with trustpoint not enrolled error for ASA 9.0

Resolved Caveats—Release 4.5

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number
Description

CSCtq85580

Object NAT: Unable to create rule due to device locking issue

CSCtr00850

CSM should read the OSPF configuration correctly

CSCtr40704

Double Quotes generation in Client Access rule in Group Policy

CSCtr90006

Generic Router:Inspection policy message from device should be handled

CSCtt97627

Flexconfigs modified/deleted not removed from preview and got deployed

CSCtz70420

Unable to configure flow-export service policy via CSM GUI

CSCub97337

Deploy fails with large # devices in one job w/ ACL BB/VPN config

CSCuc08659

With anyconnect 3.1, not able to launch web security profile

CSCuc18629

CSM 4.3 Section lost after copying config

CSCuc60042

CSM wrongly generates the crypto ACL for specific Building blocks(BB)

CSCuc72706

CSM fails to purge old partition

CSCuc80471

CSM 4.3 Keys not getting synchronized across KS

CSCuc85344

Incorrect filtering for All-IPv6-Address and All-IPv4-Address BB

CSCud15187

CSM: AUS changes do not replicate to standby firewall

CSCud62338

CSM Object Override Screens May Not Work After Upgrade

CSCud80090

CSM requires CSD package when creating DAP

CSCud80123

OS operator in CSM is not present

CSCud83531

CSM 4.3 add-rule lost focus when adding the rule

CSCud91572

CSM 4.2: Missing option to modify “hide internal password”

CSCud98874

CSM Issues with AAA Accounting between PIX 6.x and PIX/ASA 7.x+

CSCue21624

Some or All Devices are Missing in Device View

CSCue22968

CSM DOC: IPS Auto update for shared policies only for vs0

CSCue25304

“Error Validating Data” pop up during device credential change

CSCue46254

CSM 4.3 SP1 deployment fails due to attempt to remove referenced object

CSCue51858

CSM doesn’t support DHCP Relay per interface

CSCue53645

CSM 4.3 SP1 crl configure - policy value always set to both

CSCue53955

CSM 4.3 SP1 Adding “anyconnect ask none default webvpn” command

CSCue54248

CSM 4.3 SP1 Should support group-lock for ssl vpn group policies

CSCue54256

CSM 4.3 SP1 Adds “fqdn none” under trustpoint

CSCue72718

CSD 3.4.0373 is no longer Bundled with CSM installer - User Guide Defect

CSCui96058

CSM 4.4 SP1 - error when selected network object doesn't include IP adds

Resolved Caveats—Releases Prior to 4.5

For the list of caveats resolved in releases prior to this one, see the following documents:

Where to Go Next

If you want to:
Do this:

Install Security Manager server or client software.

See Installation Guide for Cisco Security Manager 4.5.

Understand the basics.

See the interactive JumpStart guide that opens automatically when you start Security Manager.

Get up and running with the product quickly.

See “Getting Started with Security Manager” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.5.

Complete the product configuration.

See “Completing the Initial Security Manager Configuration” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.5.

Manage user authentication and authorization.

See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.5.

  • Setting Up User Permissions
  • Integrating Security Manager with Cisco Secure ACS

Bootstrap your devices.

See “Preparing Devices for Management” in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.5.

Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

  • Guide to User Documentation for Cisco Security Manager

http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html

Lists the document set that supports the Security Manager release and summarizes the contents of each document.

  • For general product information, see:

http://www.cisco.com/go/csmanager

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the “Product Documentation” section.