Cisco Security Manager

Release Notes for Cisco Security Manager 4.6



Originally Published: April 10, 2014
Last Updated: April 14, 2015

These release notes are for use with Cisco Security Manager 4.6.

Security Manager 4.6 is now available. Registered SMARTnet users can obtain release 4.6 from the Cisco support website by going to and clicking Download Software under Support.

This document contains the following topics:


Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.

This document contains release note information for the following:

  • Cisco Security Manager 4.6 —Cisco Security Manager enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, Catalyst 6500 and 7600 Series ASA Services Modules (ASA-SM), and several other services modules for Catalyst switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.

  • Auto Update Server 4.6 —The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.

Note Before using Cisco Security Manager 4.6, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.6 before installing Cisco Security Manager 4.6.

This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from, you can click any ID number, which takes you to the appropriate release note enclosure in the Cisco Bug Search Tool (BST). The release note enclosure contains symptoms, conditions, and workaround information.

Supported Component Versions and Related Software

The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.6.

Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on


Table 1 Supported Versions for Components and Related Applications

Application: Support Releases

Component Applications

  • Cisco Security Manager
  • Auto Update Server
  • CiscoWorks Common Services

Related Applications

  • Cisco Security Monitoring, Analysis and Response System (CS-MARS): 6.0.7, 6.1.1
  • Cisco Secure Access Control Server (ACS) for Windows: 4.1(3, 4), 4.2(0)
      • Cisco Secure ACS Solution Engine 4.1(4) is also supported.
      • You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
  • Cisco Configuration Engine: 3.5, 3.5(1)

What’s New

Cisco Security Manager 4.6 Service Pack 1

Security Manager 4.6 Service Pack 1 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.6 Service Pack 1.

This service pack also provides support for Cisco IPS 7.3(2)E4 on the following platforms:

  • IPS 4345
  • IPS 4360
  • IPS 4510
  • IPS 4520
  • IPS 4520-XL
  • ASA 5512-X IPS SSP
  • ASA 5515-X IPS SSP
  • ASA 5525-X IPS SSP
  • ASA 5545-X IPS SSP
  • ASA 5555-X IPS SSP
  • ASA 5585-X IPS SSP-10
  • ASA 5585-X IPS SSP-20
  • ASA 5585-X IPS SSP-40
  • ASA 5585-X IPS SSP-60

Cisco Security Manager 4.6

In addition to resolved caveats, this release includes the following new features and enhancements:

IPS 7.2(2) and 7.3(1). However, IPS 7.3(1) is not supported on all platforms; for a list of supported platforms, refer to Supported Devices and Software Versions for Cisco Security Manager 4.6.

ASA 9.1(4)

  • Security Manager now enables you to apply a signature threat profile to one or more signature policies, starting from IPS device version 7.3(1) on IPS platforms (4345/4360/4510/4520). A signature threat profile is a predefined signature template that includes customized tunings. These tunings adjust the signature coverage and response actions to enable the sensor to make better choices in various deployment and threat scenarios.
  • Security Manager now enables you to configure SNMPv3 settings on the IPS devices it manages. You must add SNMPv3 users to configure SNMPv3 settings on the managed IPS devices. Note that SNMPv3 is supported in IPS version 7.2.2 and later, but not in IPS version 7.3.1. Therefore, you cannot directly upgrade from IPS 7.2.2 to IPS 7.3.1 if SNMP policies are configured. Unassign the SNMP policy on the device and deploy it to continue with the upgrade to 7.3.1.
  • You can configure SSHv2 server host keys (outgoing SSHv2 connections from an IPS sensor to an SSH server) on IPS sensors running 7.1(8) and later versions of Cisco IPS. Also, SSHv1 fallback is available on IPS sensors running 7.1(8) and later versions of Cisco IPS.
  • Security Manager now supports SNMP Version 3 on ASA devices running 8.2(1) or later and on ASA-SM devices running 8.5(1) or later. SNMP Version 3 allows you to configure authentication characteristics by using the User-based Security Model (USM).
  • Clustering is now supported on ASA 5512-X, 5515-X, 5525-X, 5545-X and 5555-X devices running 9.1(4) or later.
  • For ASA devices running 9.1(4) or later, Security Manager now supports configuration of a default connection profile to use for Citrix clients when no specific tunnel group is identified during tunnel negotiation.
  • Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored.
  • OpenSSL has been upgraded to 1.0.1g, which contains a fix for the OpenSSL Heartbeat Extension Vulnerability (commonly known as the Heartbleed bug).
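
The following added example (not part of the Cisco release notes and not Cisco code) checks OpenSSL version banners against the releases affected by Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f and 1.0.2-beta1, with 1.0.1g as the first fixed 1.0.1 release. The host names and banner strings are constructed samples, and the function names are hypothetical.

```python
import re

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.2-beta1 24 Feb 2014" and "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)

FIRST_FIXED_LETTER = "g"  # 1.0.1g is the first 1.0.1 release with the fix


def parse_banner(banner):
    """Return ((major, minor, patch), letter_suffix, beta_tag) or None."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, patch, letters, beta = m.groups()
    return (int(major), int(minor), int(patch)), letters.lower(), (beta or "").lower()


def heartbleed_status(banner):
    """Classify a banner as 'affected', 'not_affected' or 'unparsed'.

    The result is based on the version string only. Distribution builds that
    backport the fix keep the old letter (for example a patched 1.0.1e), so an
    'affected' result on such a build must be confirmed against the vendor's
    package changelog.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed"
    base, letters, beta = parsed
    if base == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g'; 'g' and later are fixed.
        return "affected" if letters < FIRST_FIXED_LETTER else "not_affected"
    if base == (1, 0, 2) and beta == "beta1":
        return "affected"
    # The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
    return "not_affected"


def audit(inventory):
    """Map host -> status and list the hosts that still need attention."""
    statuses = {host: heartbleed_status(b) for host, b in inventory.items()}
    todo = sorted(h for h, s in statuses.items() if s != "not_affected")
    return statuses, todo


# Constructed inventory: host name -> output of "openssl version".
SAMPLE_INVENTORY = {
    "csm-server-a": "OpenSSL 1.0.1g 7 Apr 2014",
    "csm-server-b": "OpenSSL 1.0.1e 11 Feb 2013",
    "lab-host": "OpenSSL 0.9.8y 5 Feb 2013",
    "test-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "unknown": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    statuses, todo = audit(SAMPLE_INVENTORY)
    for host in sorted(statuses):
        print(f"{host:14} {statuses[host]}")
    print("needs attention:", ", ".join(todo))
```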

Installation Notes

Please refer to the Installation Guide for Cisco Security Manager 4.6 for specific installation instructions and for important information about client and server requirements. Before installing Cisco Security Manager 4.6, it is critical that you read the notes listed in this section and the Important Notes.

  • The “Licensing” chapter in the installation guide enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation. It is available at
  • The STD-TO-PRO upgrade converts an ST25 license to a PRO50 license and will result in support for 50 devices. If additional devices need to be supported, you need to buy the necessary incremental licenses.
  • Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can cause problems with the following:
      • Logging in to the web server
      • Logging in to the client
      • Performing successful backups of all databases

  • The Installation Guide for Cisco Security Manager 4.6 provides important information regarding server requirements, server configuration, and post-installation tasks.
  • The Installation Guide for Cisco Security Manager 4.6 also provides important information regarding operating system and browser support. For example, Windows XP is no longer supported for clients. As another example, VMware ESXi versions up to ESXi 5.5 are now supported.
  • You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
  • Before you can successfully upgrade to Security Manager 4.6 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release of the product contains complete instructions on the steps required for preparing the database for upgrade.
  • We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
  • Be aware of the following important points before you upgrade:

Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.

Note It has come to Cisco’s attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.

  • If you log in to a Security Manager server that is running a higher version than your client, a notification will be displayed and you will have the option of downloading the matching client version.
  • Beginning with Security Manager 4.4, AUS and the Security Manager client are installed in parallel to improve installation time.
  • CiscoWorks Common Services 4.2.2 is installed automatically when you install Security Manager or AUS.
  • If a database migration error occurs, an error message is displayed; this happens at a point where the installation can continue without stopping.
  • We recommend that you defragment the disk for every 50 GB increase in disk size for optimal performance.

Caution Frequent defragmentation will also contribute to bad sectors, eventually leading to disk failure.

  • Beginning with Version 4.4, Security Manager includes a Windows Firewall configuration script in the server installer. This script automates the process of opening and closing the ports necessary for Windows Firewall to work correctly and securely; its purpose is to harden your Security Manager server.
  • Important changes have been made in Cisco licensing. Refer to the “Licensing” chapter of Installation Guide for Cisco Security Manager and to the following page:

Service Pack 1 Download and Installation Instructions

To download and install service pack 1, follow these steps:

Note You must install the Cisco Security Manager 4.6 FCS build on your server before you can apply this service pack.

Caution Before installing this service pack, please back up the following files:


If you have previously modified these files, you will need to reconfigure them after installing the service pack.

Step 1 Go to, and then click Download Software for this Product under the Support heading on the right side of the screen.

Step 2 Enter your user name and password to log in to

Step 3 Click Security Manager (CSM) Software, expand the 4.6 folder under All Releases, and then click 4.6sp1.

Step 4 Download the file fcs-csm-460-sp1-win-k9.exe.

Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.

Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

Step 7 Run the fcs-csm-460-sp1-win-k9.exe file that you previously downloaded.

Step 8 In the Install Cisco Security Manager 4.6 Service Pack 1 dialog box, click Next and then click Install in the next screen.

Step 9 After the updated files have been installed, click Finish to complete the installation.

Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:

a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.

b. Launch the Security Manager client.

You will be prompted to “Download Service Pack”.

c. Download the service pack and then launch the downloaded file to apply the service pack.

Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.

Step 12 (Optional) Configure SSL certificates or self-signed certificates for OpenSSL:

a. Stop the CSM Daemon service [net stop crmdmgtd]

b. If you have your own SSL certificates configured, you can reconfigure the certificates as per the steps outlined in the link below:

c. For self-signed certificates, from the command prompt navigate to the <CSCOpx>\MDC\Apache directory, and then execute the gencert.bat file.
(where <CSCOpx> is your installation directory)

d. Start the CSM Daemon service [net start crmdmgtd]


Important Notes

The following notes apply to the Security Manager 4.6 release:

  • Security Manager does not support Internet Control Message Protocol (ICMP) for IPv6 addresses. It supports ICMP for IPv4 addresses only.
  • Security Manager sends only the delta configuration to the Configuration Engine, where the particular device retrieves it. The full configuration is not pushed to the device. Therefore, the following behaviors are encountered for OSPF, VLAN, and failover for devices.

OSPF for IOS routers—Security Manager supports OSPF policy for routers running the IOS Software version 12.2 and later. However, Security Manager does not support OSPF policy for Catalyst devices. Therefore when you configure the OSPF policy in a Catalyst device and perform the discovery in Security Manager, the latter removes the ‘no passive-interface <interface number>’ command from the full configuration. Therefore you will see a difference in the Security Manager-generated configuration and the configuration on the device.

VLAN—Security Manager supports discovery of VLAN command in IOS devices but does not support dynamic behavior of the VLAN command. If there are user driven changes in VLAN policy, Security Manager generates the command in delta and full configuration. In other words, in normal preview or deployment, Security Manager does not generate VLAN command in full configuration. Therefore you will see a difference in the Security Manager-generated configuration and the configuration on the device.

Failover policy for firewall devices, such as ASA and FWSM, and IOS devices—Security Manager does not support dynamic behavior of failover devices. That is, the primary unit in HA has ‘failover lan unit primary’ command and secondary unit has ‘failover lan unit secondary’ command. When there is a switchover, Security Manager tries to compare with the ‘failover lan unit primary’ and generates the delta configuration. This leads to a failure in deployment.

Note Security Manager does not support ‘dynamic’ CLI commands. If the syntax of a CLI command is modified (for example, the ‘primary’ keyword is changed to ‘secondary’), it will not be supported by Security Manager.

  • For ASA devices in cluster mode, Security Manager treats the entire cluster as a single node and manages the cluster using the main cluster IP address. The main cluster IP address is a fixed address for the cluster that always belongs to the current master unit. If the master node changes, the SNMP engine ID for the cluster also changes. In such a case, Security Manager will regenerate the CLI for all SNMP Server Users that are configured with a Clear Text password. Security Manager will not regenerate the CLI for users that are configured using an Encrypted password.

You can use the Get SNMP Engine ID button on the SNMP page to retrieve the engine ID from the device currently functioning as the cluster master unit.

  • You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
  • If you upgrade an ASA managed by Security Manager to release 8.3(x) or higher from 8.2(x) or lower, you must rediscover the NAT policies using the NAT Rediscovery option (right-click on the device, select Discover Policies on Device(s), and then select NAT Policies as the only policy type to discover). This option will update the Security Manager configuration so that it matches the device configuration while preserving any existing shared policies, inheritance, flex-configs, and so on.

When upgrading an ASA device from 8.4.x to 9.0.1, the device policies will be converted to the unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you can convert the existing NAT policies to unified NAT policies with the help of the rule converter in Security Manager. For more information, see or the “Converting IPv4 Rules to Unified Rules” topic in the online help.

You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.

  • ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
  • The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
  • If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
  • Device and Credential Repository (DCR) functionality within Common Services is not supported in Security Manager 4.6.
  • LACP configuration is not supported for the IPS 4500 device series.
  • A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
  • Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
  • Do not run SQL queries against the database.
  • If an online help page displays blank in your browser view, refresh the browser.
  • Security Manager 4.6 only supports Cisco Secure ACS 5.x for authentication. ACS 4.1(3), 4.1(4), or 4.2(0) is required for authentication and authorization.
  • If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
  • The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
  • The “License Management” link on the CiscoWorks Common Services home page has been removed.
  • CsmReportServer and CsmHPMServer are now supported with 64-bit JRE.
  • The “rsh” service has been changed to manual start mode. You can start it manually if you need it.
  • There are no changes with respect to the API in Security Manager 4.5 or Security Manager 4.6. You can use the Cisco Security Manager 4.4 API Specification (Version 1.1).
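
Why a changed SNMP engine ID invalidates stored SNMPv3 credentials, as described in the ASA cluster note above, shown as an added example that is not Cisco code: RFC 3414 derives a user key from the password and then localizes it to the engine ID, so a key held only in localized form cannot be recomputed for a new engine ID. The example assumes that the "Encrypted" password form is such a localized key, which the release notes do not state; the function names, user records and second engine ID are constructed for illustration.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: the password is expanded to this many octets


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2 password-to-key: hash 1,048,576 octets of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind the user key Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def rekey_for_new_master(users, new_engine_id: bytes):
    """Model the note: keys can be regenerated only where the cleartext is known.

    Returns (regenerated, stale): a dict of user -> new localized key (hex) and
    a list of users whose stored key is tied to the previous engine ID.
    """
    regenerated, stale = {}, []
    for user in users:
        if user.get("password") is not None:
            ku = password_to_key(user["password"], user["algo"])
            regenerated[user["name"]] = localize_key(ku, new_engine_id, user["algo"]).hex()
        else:
            # Only H(Ku || old_engine_id || Ku) is stored; the hash cannot be
            # inverted to recover Ku, so no key for the new engine can be derived.
            stale.append(user["name"])
    return regenerated, stale


# Engine ID and password from the RFC 3414 Appendix A.3 sample results.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed engine ID standing in for the unit that becomes master.
NEW_ENGINE_ID = bytes.fromhex("80000009fe0123456789abcdef")

# Constructed user records: one stored with a cleartext password, one stored
# only as a key localized to RFC_ENGINE_ID.
SAMPLE_USERS = [
    {"name": "noc-monitor", "algo": "sha1", "password": b"maplesyrup"},
    {"name": "backup-poller", "algo": "sha1", "password": None,
     "localized_key": "6695febc9288e36282235fc7151f128497b38f3f"},
]

if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup", "sha1")
    print("key for old engine ID:", localize_key(ku, RFC_ENGINE_ID, "sha1").hex())
    regenerated, stale = rekey_for_new_master(SAMPLE_USERS, NEW_ENGINE_ID)
    for name, key in regenerated.items():
        print(f"regenerated {name}: {key}")
    print("must be re-entered by an administrator:", ", ".join(stale))
```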


This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats using the Cisco Bug Search Tool (BST), the caveat titles listed in this section are drawn directly from the Bug Search Tool database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

  • Product names and acronyms may be standardized.
  • Spelling errors and typos may be corrected.

Note If you are a registered user, you can access the Cisco Bug Search Tool on at For more information about the Bug Search Tool, visit the help page at

To become a registered user, go to the following website:

This section contains the following topics:

Open Caveats—Release 4.6

The following caveats affect this release and are part of Security Manager 4.6.

Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.


Table 2 Cisco IOS Router Devices Caveats

Reference Number


XE: Deploy Fails when Memory Critical Notifications are Changed


CLI: “dot1x pae authenticator” generated after deployment of 802.1x


Generic Router : AAA rules getting negated.


Table 3 Cisco IPS and IOS IPS Devices Caveats

Reference Number


MU-IPS Licensing page taking too long for Refresh / CCO Update operation


CSM isn't closing all the HTTPS session as part of config deployment


TP tunings are not applied when sig is tuned other than status fields


Table 4 Client and Server Install Caveats

Reference Number


Installation: Evaluation and Licensing options get enabled simultaneous


ETSGJ-CH:CSM Launch Icons Missing on XP JOS Client


ETSGJ-CH:Not able to proceed with install if going back to previous page


CSM 4.5 Installation Command Buttons appear garbled


CSM 4.5 Installation Button Appears Garbled


CSM 4.5 Security Tools page UI launching Issues on Win 7 32 bit client


Table 5 Device Management, Discovery, and Deployment Caveats

Reference Number


Scal Testing: DB error during deployment


Getting error while submitting a ticket for Validation.


CSM 4.4 deploys IOS NTP configuration in wrong command order


Table 6 Event Viewer Caveats

Reference Number


Eventing Restore: Restore failing or partially succeeding in some cases


Internal error thrown when portlist is used in service object filter.


Filtering does not work when only protocol name is used in service obj.


Results not correct when network obj with non-contiguous mask is used.


CSM 4.2 - Eventing directory does not get deleted


IPS subscription is not getting closed when unmonitoring the device


P2E: Events are not filtered properly if ACE has muliple services


Changing “Time field” by highlighting the value is not inserting properly


Table 7 Firewall Services Caveats

Reference Number


Deployment fails with ACE edit in ACL BB


Manual-NAT: need validation for “neq” operator in static NAT


system context Config file discovery fails with ASA 5580 platform


Int: ASA 5580/85 should support max 1034 int allocation to context


ASA/ASASM Failover commands not negated


UID: Deployment fails when domain is used in ACL and is deleted


NAT: Deployment is failing for object NAT for Translate DNS rule


NAT:Subnet Can not be used as mapped Source in Dynamic NAT policy


UID: repeated ACL delta with ACL match protocol inspection


NAT: Same Mapped address cannot be used to perform both NAT and PAT


UID: order of AAA server negation/appending _1 on discovery should modify


Discovery fails for device with scan safe AAA in CSM 4.1


ETSGJ-CH:Japanese User not displayed in Identity UserGroup UI


ETSGJ-CH:Japanese User Group shows Name as Square blocks in JOS Client


ETSGJ-CH:Pop-up for wrong bind in Identity needs to be revisited


ETSGJ-CH:Domain name with special characters are permitted


Deployment fails when http accounting banner from file is configured


ETSGJ-CH:Incremental pop-up for a wrong MAC in Cat6k ASA-SM Failover


Edit ACL in Identity Policy-CSM generates incorrect order of cli


Override BB are not mapping with BBs used in import rules


Remove unreferenced Object-Group option can cause deployment error


ASA Image Downgrade From 9.0 to 8.4.4 Contain Xlate Rules in Preview


Global search does not display default inspection rule present in device


OSPFv3: Add Range and Virtual Link Table Empty on GUI


CSM 4.5 - Warnings related to IOSMethodType when deploying on ASA


Table 8 Health and Performance Monitor Caveats

Reference Number


FW: Certificates should be displayed as part of Non VPN Views


VPN: SitetoSite VPN tunnel details not proper with dynamic cryptomap 8.4


Tunnel Alerts: Traps Not Processed if the Remote Subnet is a Host


Perf : HPM Client Lag Issue after leaving it idle for long time


Table 9 Miscellaneous Caveats

Reference Number


CSM UI unresponsive for a long period in MU testing


Device state is not changed as rediscovering the changes


Adding IP to cluster pool is not getting updated in logrelay filter


Flickering issue : IP Intel and View Statistics refresh/other flows


Not able to crosslaunch frm CSM-PRSM if username starts with bold letter


Image is removing from the list after viewing the config file


Logrelay:Warning can be given when one user changes impacting other user


Device Status view is not getting autorefreshed when in undock view


Device filter is not working in OOB detection window


Discrepancy in displaying Geoip Schedule download timings


Table 10 Policy Management Caveats

Reference Number


CSM deployment error with an Object


Configuration differences in OOB detection not shown exactly


Mutual usage of PB in multiuser scenario showing exceptions in message


Table 11 VPN Device and Configuration Support Caveats

Reference Number


preview fails,rule name(SSLVPN->othersett->content rewrite) having space


deployment fails:existing Virtual Template int with type serial - Ezvpn


preview fails : if SSO name is given with spaces


IPSec Proposal is not discovered, if DVTI/VRF is configured in ISR


Preview failed due to FQDN acl BB used in group policy.


CSM deletes the existing ACL when changing protected nw/Spk2Spk connecti


PKI node under Remote Access VPN to be enabled


PKI deployment failed with trustpoint not enrolled error for ASA 9.0


CSM does not properly disable isakmp keepalives


Discovery issue for IKEv2 Auth policy when changed from PSK to PKI


IOS SSL VPN:negation of ssl trustpoint cli


existing IPsec proposals are deleted when anew tungrp is created via wiz

Resolved Caveats—Release 4.6 Service Pack 1

The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.6 Service Pack 1.

Reference Number


CSM 4.3 w/ASA 8.3+ - No error when interface IP's have overlapped subnet


CSM: Deployment Validation Fails if ASA nameif Contains "(" or ")" Chars


CSM should handle NPE in


CSM reports hitcounts not for all ACE in FWSM


CSM trying to negate unmanaged VPN config


CSM 4.5: Raw ACE table content does not match with the selected ACL


CSM does not deploy changed Network object name in Shared policy


CSM remove prefix-lists used in the route-map

Note Security Manager will not remove the prefix-list while removing the ospf filter configuration on the device.


Refresh hitcount shows wrongly after rule add in middle and deploy


Renaming A BB with Overriddes and changing data in a single Session


CSM 4.5 Wrong src/dst address ACEs show up in "Show HitCount Details"


CSM Negates NAT Policies on ASA device after CSV file discovery


CSM4.6 fails to parse interface-specific dhcprelay config on ASASM


FWSM : hitcount fails with internal error for sepecific configuration


Cisco Security Manager wrongly negates 'mac-address auto' command on ASA


"Originate-Only" setting is missing in CSM UI VPN management


CSM approving activity cause Server Busy or Unavailable


IPS 7.3.2 Support


CSM 4.6 incorrectly requires cluster IP pool for spanned-etherchannel


4.7 ER03 Perf:VPN Deployment Degrade-HnS, RA VPN Connection and Extranet


CSM 4.6 Deploys management-only under none management interface


TP:- ips 731 device for sig update is grayed out when client is remote


DOC-CSM Run CSM client with "run as administrator" when UAC is enabled


CSM usage of DM_INLINE_NETWORK_ objects


CSM - Multiple Vulnerabilities in OpenSSL - June 2014


CSM: CsmReportServer Process Maximum Heap Size Info Incorrect in Doc


Applicable device grayed out during 7.3.2 sensor upgrade


Any applied Threat profile changes to NONE after submit in share policy

Resolved Caveats—Release 4.6

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number


IKEv2 connection is down for default connection-type of CSM


Group Encryp Policy-unassigned from policyview not restoring default val


Config wizard-Auto-update client is not deployed properly


SSL-CSM is not generates proper URL when configuring bookmark


RBAC: Privileges for NAT policies on ASA 8.3 not working


VPN policy discovery clears the existing crypto map ACL


CSD policy editor:- Secure vault checkbox is missing in prelogin policy


“Master” changes needs to be reflected in Cluster row


StdtoPro upgrade license increase the device count to 75


Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed


Unable to install 3rd party Base64 encoded X.509 certificate on CSM 4.5

Resolved Caveats—Releases Prior to 4.6

For the list of caveats resolved in releases prior to this one, see the following documents:

Where to Go Next

If you want to: Install Security Manager server or client software.
Do this: See Installation Guide for Cisco Security Manager 4.6.

If you want to: Understand the basics.
Do this: See the interactive JumpStart guide that opens automatically when you start Security Manager.

If you want to: Get up and running with the product quickly.
Do this: See “Getting Started with Security Manager” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.6.

If you want to: Complete the product configuration.
Do this: See “Completing the Initial Security Manager Configuration” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.6.

If you want to: Manage user authentication and authorization.
Do this: See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.6.

  • Setting Up User Permissions
  • Integrating Security Manager with Cisco Secure ACS

If you want to: Bootstrap your devices.
Do this: See “Preparing Devices for Management” in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.6.

Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

  • Guide to User Documentation for Cisco Security Manager

Lists document set that supports the Security Manager release and summarizes contents of each document.

  • For general product information, see:

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at:

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the “Product Documentation” section.