Release Notes for
Cisco VPN Solutions Center, Release 2.1.1




Note: All documentation, printed and on CCO, including this Release Notes for Cisco VPN Solutions Center, Release 2.1.1 document and any or all of the parts of the Release 2.1 documentation set, may be upgraded.

The information in the Release Notes for Cisco VPN Solutions Center, Release 2.1.1 document supersedes all information in the Release 2.1 documentation set for Cisco VPN Solutions Center: IPsec Solution (referred to as IPsec VPN Solution) and for Cisco VPN Solutions Center: MPLS Solution (referred to as MPLS VPN Solution).

Note: Please read this document prior to reading any other manual for Cisco VPN Solutions Center: IPsec Solution or Cisco VPN Solutions Center: MPLS Solution.


All VPNSC patches are available at: http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc (where in tablebuild.pl, the last character is the lower-case letter "l").


Note: The VPN Solutions Center software is referred to as VPNSC.

Note: To use SSH as a transport mechanism for upload and download in VPNSC, you must download the SSH version 1.5 client available at: http://www.cisco.com/kobayashi/sw-center/vpn/vpnsc/ and place it at: <vpninstall_directory>/vpn/bin/solaris.

Note: To download and upload configuration files to and from the VPN 3000 concentrator, the only supported mechanism is SSH.

Note: If one or more users are logged in to a VPN 3000 concentrator through a Web interface or through telnet, VPNSC cannot download to the VPN 3000. Prior to deploying a Service Request in VPNSC for a VPN 3000, you need to log out of all active sessions to this VPN 3000.


Contents

The information in this release note is organized into the following sections:

Contents

Introduction

Materials

Documentation Road Map for Cisco VPN Solutions Center: IPsec Solution, Release 2.1.1

Documentation Road Map for Cisco VPN Solutions Center: MPLS Solution, Release 2.1.1

What Is New in Release 2.1.1 of VPNSC

Errata for the 2.1 Documentation

System Recommendations

Problems Fixed in This Release

IPsec Known Problems in Cisco VPN Solutions Center, Release 2.1.1

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.1.1

Obtaining Documentation

Obtaining Technical Assistance

Introduction

Using the architecture of Cisco VPN Solutions Center (hereafter referred to as VPNSC) Release 2.0, VPNSC Release 2.1.1 continues to provide features such as provisioning, auditing, and SLA monitoring for Multiprotocol Label Switching (MPLS) and Internet Protocol security (IPsec) VPNs. VPNSC is a network and service management system for Service Providers. VPNSC allows Service Providers to seamlessly provision and manage intranet and extranet VPNs. VPNSC focuses on provisioning, auditing, and monitoring the links between a customer's edge routers through the Service Provider's network.

In an IPsec network, a Customer Premises Equipment (CPE) router in one site connects to another CPE in a second site, as defined by the IPsec protocol. The IP traffic is encrypted and encapsulated at the CPE's secure interface, and then sent to the destination CPE through the IPsec tunnel, thus providing privacy and security for the data. The VPNSC provisioning engine for IPsec accesses the configuration files on both the CPEs to compute the necessary changes required to set up an IPsec VPN.

Materials

When you order a VPN Solutions Center product, either IPsec Solution, MPLS Solution, or both, you receive the following:

Cisco VPN Solutions Center: IPsec Solution and MPLS Solution product (Part Number: 80-6710).

Documentation CD-ROMs (Part Numbers: 80-5813 and 80-5814).

A minimum of three Right to Use documents with a license key on each (except for the demo version of the product, which requires only one license key).

Note: All documentation, printed and on CCO, may be upgraded.


The printed documentation distributed with the IPsec VPN Solution and MPLS VPN Solution products is also available on http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/index.htm and is as follows:

This document, Release Notes for Cisco VPN Solutions Center, Release 2.1.1, (Part Number: 78-13381)

Cisco VPN Solutions Center Installation Guide, Software Release 2.1 (Part Number: 78-13472)

The rest of the documentation for VPN Solutions Center is available only through http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/index.htm. It is as follows:

Cisco VPN Solutions Center: IPsec Solution Provisioning and Operations Guide, Software Release 2.1 (Part Number: OL-1859)

Cisco VPN Solutions Center: MPLS Solution Provisioning and Operations Guide, Software Release 2.1 (Part Number: OL-1858)

Cisco VPN Solutions Center: IPsec Solution User Reference, Software Release 2.1 (Part Number: OL-1829)

Cisco VPN Solutions Center: MPLS Solution User Reference, Software Release 2.1 (Part Number: OL-1830)

Cisco VPN Solutions Center: IPsec Solution API Programmer Guide, Software Release 2.1 (Part Number: OL-1857)

Cisco VPN Solutions Center: MPLS Solution API Programmer Guide, Software Release 2.1 (Part Number: OL-1856)

Additionally, there is an HTML reference for the Application Programming Interface (API) Interface Definition Language (IDL) files for IPsec and MPLS on the product CD-ROM and on http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc in the file named IDL_Reference.tar. The index to the reference is in the file index.html.

Documentation Road Map for Cisco VPN Solutions Center: IPsec Solution, Release 2.1.1

This section describes documentation resources to help you find information about the Cisco VPN Solutions Center: IPsec Solution, Release 2.1.1. The IPsec VPN Solution Documentation Home is: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/index.htm.


Note: All documentation, printed and on CCO, may be upgraded.


If you are using the IPsec VPN Solution product, we recommend you refer to the documentation in the following order:

1. Release Notes for Cisco VPN Solutions Center, Release 2.1.1 (Part Number: 78-13381). The printed version of this document is shipped with the product. This document is also available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/2_1/relnotes).

The contents of this document are:

Introduction

Materials

Documentation Road Map for VPNSC: IPsec Solution, Release 2.1.1

Documentation Road Map for VPNSC: MPLS Solution, Release 2.1.1

What is New in Release 2.1.1 of VPNSC

Errata for the 2.1 Documentation

System Recommendations

Problems Fixed in This Release

IPsec Known Problems in Cisco VPN Solutions Center, Release 2.1.1

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.1.1

Obtaining Documentation

Obtaining Technical Assistance

2. Cisco VPN Solutions Center Installation Guide, Software Release 2.1 (Part Number: 78-13472). The printed version of this document is shipped with the product. This document can also be ordered separately, Customer Order Number: DOC-7813472=, and is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_1/install).

The contents of this document are:

Installation Requirements

Installing and Starting VPNSC 2.1

Installing and Starting the Telnet Gateway Server Software

Troubleshooting the VPNSC Installation

3. Cisco VPN Solutions Center: IPsec Solution Provisioning and Operations Guide, Software Release 2.1 (Part Number: OL-1859). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_1/prov_gd).

The contents of this document are:

IPsec VPN Technology

Setting Up Devices

Starting and Stopping VPNSC

Defining IPsec Networks and Customers

Defining VPNs and Provisioning IPsec Service Requests

Auditing Service Requests

Provisioning Cisco VPN 3000 Concentrators in VPNSC

Monitoring VPN Performance

Provisioning with Templates

Repository Administration

Troubleshooting Tips

IPsec VPN Command Reference

4. Cisco VPN Solutions Center: IPsec Solution User Reference, Software Release 2.1 (Part Number: OL-1829). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_1/userref).

The contents of this document are:

Getting Started

Watch Dog Commands

VPN Console Menu Commands

Hierarchy Tree

Scheduling

Reports Overview

Topology

Repository Management Utilities

Template Language and Syntax Reference

Property Settings

5. If you are using the API, Cisco VPN Solutions Center: IPsec Solution API Programmer Guide, Software Release 2.1 (Part Number: OL-1857). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/ipsec/2_1/apiguide).

The contents of this document are:

Getting Started with CORBA APIs

Defining an IPsec VPN Using the VPN Service Model

Using Configuration Templates

Defining and Executing Tasks

Tracking VPN Performance

Using the Event Subscription Service

Using the Telnet Gateway Server

6. If you are using the API, there is an HTML reference for the IDL files on the product CD-ROM and on http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc in the file named IDL_Reference.tar. The index to the reference is in the file index.html.

Documentation Road Map for Cisco VPN Solutions Center: MPLS Solution, Release 2.1.1

This section describes documentation resources to help you find information about the Cisco VPN Solutions Center: MPLS Solution, Release 2.1.1. The MPLS VPN Solution Documentation Home is: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/index.htm.


Note: All documentation, printed and on CCO, may be upgraded.


If you are using the MPLS VPN Solution product, we recommend you refer to the documentation in the following order:

1. Release Notes for Cisco VPN Solutions Center, Release 2.1.1 (Part Number: 78-13381). The printed version of this document is shipped with the product. This document is also available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/2_1/relnotes).

The contents of this document are:

Introduction

Materials

Documentation Road Map for VPNSC: IPsec Solution, Release 2.1.1

Documentation Road Map for VPNSC: MPLS Solution, Release 2.1.1

What is New in Release 2.1.1 of VPNSC

Errata for the 2.1 Documentation

System Recommendations

Problems Fixed in This Release

IPsec Known Problems in Cisco VPN Solutions Center, Release 2.1.1

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.1.1

Obtaining Documentation

Obtaining Technical Assistance

2. Cisco VPN Solutions Center Installation Guide, Software Release 2.1 (Part Number: 78-13472). The printed version of this document is shipped with the product. This document can also be ordered separately, Customer Order Number: DOC-7813472=, and is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/2_1/install).

The contents of this document are:

Installation Requirements

Installing and Starting VPNSC 2.1

Installing and Starting the Telnet Gateway Server Software

Troubleshooting the VPNSC Installation

3. Cisco VPN Solutions Center: MPLS Solution Provisioning and Operations Guide, Software Release 2.1 (Part Number: OL-1858). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/2_1/prov_gd).

The contents of this document are:

MPLS VPN Technology

Setting Up Devices in the MPLS Environment

Starting and Stopping VPNSC Software

Building the Network in VPNSC Software

Creating and Provisioning MPLS VPNs

Provisioning MPLS Service Requests

Monitoring MPLS VPN Performance

Administering CEs

Provisioning Cable Services

Provisioning with Templates

Provisioning MPLS VPNs on the Cisco IP DSL Switch

Repository Administration

Troubleshooting Guide

Configuration File Examples

MPLS VPN Command Reference

4. Cisco VPN Solutions Center: MPLS Solution User Reference, Software Release 2.1 (Part Number: OL-1830). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/2_1/userref).

The contents of this document are:

Getting Started

Watch Dog Commands

VPN Console Menu Commands

Hierarchy Tree

Scheduling

Reports Overview

Topology

Repository Management Utilities

Template Language and Syntax Reference

Property Settings

5. If you are using the API, Cisco VPN Solutions Center: MPLS Solution API Programmer Guide, Software Release 2.1 (Part Number: OL-1856). This document is available on the Cisco Documentation CD-ROM, on Cisco Connection Online (CCO), and on the World Wide Web: (http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/2_1/apiguide).

The contents of this document are:

Defining an MPLS VPN Using the VPN Service Model

Using Configuration Templates

Defining and Executing Tasks

Tracking VPN Performance

Using the Event Subscription Service

Using the Telnet Gateway Server

6. If you are using the API, there is an HTML reference for the IDL files on the product CD-ROM and on http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc in the file named IDL_Reference.tar. The index to the reference is in the file index.html.

What Is New in Release 2.1.1 of VPNSC

Release 2.1.1 is a complete replacement for Release 2.1 and is distributed on CD-ROM. Release 2.1.1 includes the following:

All the new features in Release 2.1 (explained in this section)

Bug fixes (the results that affect the Release 2.1 documentation are explained in the "Errata for the 2.1 Documentation" section).

Replacement of JDK 1.3 with JDK 1.4, which results in performance improvements

The major change between Release 2.0 and Release 2.1 is the addition of support for the VPN 3000 concentrator.

Much attention has also been given to fixing problems. Numerous cumulative patch releases have been issued on top of Release 2.0. These problem fixes, along with the problem fixes to Release 2.1, have been rolled into Release 2.1.1.

The following topics (listed alphabetically) are new, or their implementation changed dramatically, from Release 2.0 to Release 2.1 and Release 2.1.1:

APIs

Configure Traps

csm.properties File Rearranged

Deletion Confirmation (Preferences)

Dial-On-Demand (DOD)

Download and Version Console

DSCP ToS Support for SLA

DSLAM as a PE

Ethernet Over MPLS (EoMPLS)

High Availability Support

Inter-AS MPLS VPN

Interface Types—New

IP Address Pool Utilities

Licensing

PIX Firewall Provisioning Through Templates

Provision SLA Definitions and Collect SLA Data

Repository Import and Export Tools

Repository Migration

Template Examples Added

View Verification Report Discontinued

VPN 3000 IPsec Provisioning Support

VPN 5000 IPsec Provisioning—Unsupported Feature

wdperf Command Discontinued

APIs

The following new APIs are available for IPsec for creating and maintaining the new VPN 3000 concentrator:

CiscoVsm3kFWIPsecCreator.idl contains operations used when creating new VPN 3000 objects, including add and set functions.

CiscoVsm3kFWIPsecModifier.idl contains operations used for updating VPN 3000 objects.

CiscoVsm3kFWIPsecRemoteAccessSRCreator.idl contains the operations necessary for creating, modifying, and deleting Remote Access Service Requests for VPN 3000 objects.

The following APIs have been enhanced for IPsec:

CiscoTaskFactory.idl has new tasks for collecting configuration information from VPN 3000 devices.

CiscoVpnServiceModel.idl defines an IDL interface to the VpnInvServer server that implements the VPN Service Model for MPLS and IPsec-based VPNs. There are new operations to the server for IPsec VPN 3000 objects.

CiscoVsmBrowser.idl has been enhanced with many new operations used to browse the VPN 3000 objects.

The following APIs are for both IPsec and MPLS:

CiscoSlaMonitor.idl, the SLA API, has been enhanced to allow the generation of SLA reports based on Differentiated Service Code Point (DSCP) values.

CiscoTaskFactory.idl, the Task Server API, has been enhanced to allow the creation of an SLA on any device, even devices that are not associated with any VPN. It also allows the creation of an SLA with a DSCP ToS value.

CiscoTGS.idl, the Telnet Gateway Server API, has been added to allow access to operations that execute the IOS show commands, upload configuration files, and download lines of configuration to an IOS device.

Configure Traps

The separate Register and Deregister tasks for Config-Change Traps are now combined into one task item Set Config-Change Traps. This new task uses the Generic Transport Library (GTL)/Multi Telnet Gateway Server (MTGS)/Telnet Gateway Server (TGS) instead of its own expect scripts, thus taking advantage of the scalability and failover capability of MTGS and of the Task Logs reporting mechanism.

csm.properties File Rearranged

The csm.properties file has been rearranged to make it easier to locate properties. The categories are now listed alphabetically and the properties within each category are listed alphabetically. Additionally, new properties have been added for this release.

A table of the csm.properties reflects the new arrangement and appears in an appendix of both the Cisco VPN Solutions Center: IPsec Solution User Reference and the Cisco VPN Solutions Center: MPLS Solution User Reference. The indexes for these manuals address these properties by function and by name.

Deletion Confirmation (Preferences)

In both IPsec and MPLS mode, you can now choose to confirm or not confirm deletion of specific VPNSC elements. The specific VPNSC elements are: Customers, Customer Sites, Edge Devices, Policies, VPNs, AAServers, SecurID Servers, and VPN Groups. By default, you are asked to confirm deletion of any of these VPNSC elements.

From the VPN Console, choose File > Preferences and uncheck boxes for specific elements, which then allows deletion without confirmation. If you check the box, "Do Not show this dialog box again," when confirming a deletion, the Preferences file is automatically updated.

Dial-On-Demand (DOD)

IPsec mode now supports edge devices with dial-on-demand (DOD) ISDN interfaces. IPsec Service Requests in Failed Deploy state are automatically redeployed when the ISDN interface of the edge device becomes available.

Download and Version Console

Download Console and Version Console have been combined into one selection item from the menu task bar, Tools > Download and Version Console, for both the IPsec and MPLS modes. This combination simplifies the downloading of a specific version of a configuration file. Now, instead of using the Version Console to choose a version of a configuration file, saving it to disk, and then navigating to the Download Console and downloading the saved file, you can choose a version of a configuration file and download it from the same wizard.

Additionally, you can now choose to Download to startup, which downloads the selected device configuration to the startup configuration, or you can choose Download to download the configuration to the running configuration. These same choices are also available for Template Download operations.

DSCP ToS Support for SLA

You can now choose either the eight Type of Service (ToS) values supported in previous releases when provisioning SLA definitions, now called Precedence TOS Category values, or you can choose the new 64 Differentiated-Service-Code-Point (DSCP) TOS Category values. When using this new DSCP ToS support, you no longer have access to Traffic Profiling by ToS reports.

DSLAM as a PE

VPNSC provisions MPLS VPNs on the Cisco 6000 NI-2 based IP Digital Subscriber Line (DSL) switch, the latest generation of DSL Access Multiplexer (DSLAM). The Cisco IP DSL switch product family includes the Cisco 6015, 6160, and 6260 with the NI-2 controller card.

The current support limitations and restrictions for deploying the VPNSC for the IP DSL switch are as follows:

To provision, VPNSC uses the provisioning engine and templates that are based on the type of encapsulation (RFC-1483 Bridged, Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA), or Point-to-Point Protocol over Ethernet (PPPoE)). RFC-1483 Routed continues to be supported using only the provisioning engine.

VPNSC requires a subinterface to provision the connection between the PE and CE link.

VPNSC supports the IP unnumbered feature only via a loopback interface. As an example, for an unnumbered IP address, VPNSC does not use the Ethernet address of the CE.

When VPNSC supports the IP unnumbered feature, it must manage the loopback interface value and IP address.

VPNSC supports only IP address management between the PE and CE network.

VPNSC does not support RADIUS authentication, IP address assignment, and VRF definition in the Point-to-Point Protocol over ATM or Ethernet (PPPoX) to MPLS VPN environment.

Ethernet Over MPLS (EoMPLS)

VPNSC supports Ethernet Over MPLS (EoMPLS) on the Cisco Optical Switch Router (OSR) 7600 using the Template Manager. A set of sample templates is provided to extend the Ethernet LAN using point-to-point links between VPN sites. EoMPLS creates virtual local-area network (VLAN) connectivity from customer edge router (CE) to CE across the MPLS core network.

VPNSC provisions EoMPLS one PE at a time using the VPNSC Template Manager. The template can create multiple VLAN interfaces per PE to provision multiple EoMPLS endpoints on the PE.

High Availability Support

VPNSC Release 2.1.1 supports Sun™ Cluster Release 3.0 with Update 1 in failover mode, not scalable mode. VPNSC supports a maximum of two nodes in the cluster.


Note: You must be running Solaris 8 for the VPNSC High Availability feature to work.


Sun™ Cluster offers mainframe-class reliability, availability, and scalability. It is designed to deliver high availability through automatic fault detection recovery, ensuring that your mission-critical applications and services are available when you need them. For more information about Sun™ Cluster 3.0 with Update 1, refer to the Sun™ Web site or documentation.


Note: You must be trained to run Sun™ Cluster before using this VPNSC High Availability feature.


After installing VPNSC, you can install High Availability Support by going to CCO (http://www.cisco.com/cgi-bin/tablebuild.pl/vpnsc) and following the instructions in the High Availability readme file.


Note: There is a known incompatibility between the Veritas Volume Manager™ and the Sun Java™ Development Kit (JDK™). For more information about this and a workaround, see either the IPsec Known Problems "Other" section or the MPLS Known Problems "Other" section.


Inter-AS MPLS VPN

The Inter-Autonomous System (Inter-AS) MPLS VPN feature allows you to provision a customer VPN to span more than one BGP Autonomous System (BGP AS). Support is available for various schemes of route target allocation associated with Inter-AS for an MPLS VPN. You can present topology views for Inter-AS. SLA monitoring is also supported across Inter-AS.

Interface Types—New

Release 2.1.1 supports the following new interface types:

GE-WAN, a new LAN interface for MPLS on the 7600 Optical Switch Router (OSR)

STM-1, a new WAN interface for MPLS

IP Address Pool Utilities

Three new utilities that can be activated through the command line are available relative to the IP address pool. These utilities are only available in MPLS mode and are as follows:

addAddrToFreeList adds an IP address back to the free list.

addrPoolReport dumps all available IP addresses in the pool.

resetlpSubnetCnt resets the number of used IP addresses in the pool.

Licensing

To install Release 2.1.1, you must enter a minimum of three authorized license keys. These are all provided on separate Right to Use documents included in your product. The ordering scheme shows that you order the following:

You order IPsec, MPLS, or both.

You order a specified maximum number of VPNs.

You order a specified maximum number of MPLS edge devices and IPsec edge devices and groups.

Each of these ordered entities comes with an authorized license key.

As in Release 2.0, once you approach the limit of the license, you are notified by e-mail. You may then choose to upgrade any of the licensed entities. You will need to enter the authorized license key(s) for each level through which you upgrade.


Note: For evaluation customers, you can access a demo version for IPsec and MPLS with 4 VPNs and 20 edge devices (and groups, for IPsec). Enter: 15041b0217296576797d31271e08.


PIX Firewall Provisioning Through Templates

Private Internet Exchange (PIX) firewall provisioning is supported using templates. Sample provisioning templates for common firewall configurations are provided. Navigate to Tools > Template Console, and then in the hierarchy pane, choose PIX. Using these templates as examples, customers can create their own templates for other configurations.

Provision SLA Definitions and Collect SLA Data

The Service Level Agreement (SLA) is used to monitor the network latency and packet drop.

Two new SLA features are in this release:

IPsec and MPLS mode support Provision SLA Definitions and Collect SLA Data from routers that are not part of the VPN: Monitoring > Provision SLA Definitions and Collect SLA Data > From Any SA Agent Device.

MPLS mode supports Provision SLA Definitions and Collect SLA Data on Provider Edge (PE) routers: Monitoring > Provision SLA Definitions and Collect SLA Data > From Provider Edge Devices.

With the IOS 12.2.1(T) and later images, you can now configure SLAs on PE routers and make the SLAs monitor the VPN route. IOS 12.2.1(T) and later releases support SLA provisioning on a PE. In this release, VPNSC in MPLS mode now supports ICMP, UDP, and Jitter SLAs that can be configured on a PE: Monitoring > Provision SLA Definitions and Collect SLA Data > From Provider Edge Devices. While creating the SLA on a PE, a VPN Routing and Forwarding instance (VRF) name and interface are selected. The VRF name indicates the VPN selection, because the VRF name includes the VPN name.

Repository Import and Export Tools

The Repository Import Tool, VpnInvImport, and the Repository Export Tool, VpnInvExport, have been upgraded to accommodate schema changes and to work with the supported VPN 3000 devices.

For both IPsec and MPLS, the following two new interactive command line utilities are supported for device inventory import and export. The DirRepImport utility provides a way to import Directory Repository information to set up the Device Inventory targets. The DirRepExport utility allows you to export an existing Directory Repository. These utilities should be used in conjunction with the existing command line utilities VpnInvImport and VpnInvExport, respectively. Note that if the DirRepImport is used, it must be run before the VpnInvImport tool is run.

Repository Migration

If you are using Release 1.x or 2.0.x, you must use the Repository Migration Tool to migrate your data from the old schema to the new and extended 2.1.x schema. If you are using the Beta version of Release 2.1, due to a new schema change after Beta, any Repository created with the Beta code cannot be used with this release.

If you are migrating from Release 1.2.x to Release 2.0 or 2.1.1, the password file was moved from <InstallationDirectory>/vpn/etc/passwordFile to <InstallationDirectory>/Repository/users/passwordFile. Therefore, to maintain your user and password information, copy <InstallationDirectory>/vpn/etc/passwordFile to <InstallationDirectory>/Repository/users/passwordFile.

Template Examples Added

In addition to the previous Examples and Interface example templates, this release now includes the following sample templates: Firewall (for IOS), PIX (for PIX Firewall), dslam, VPN 3000, EOverMPLS, and Universal Transport Interface (UTI).

View Verification Report Discontinued

The View Verification Report has been discontinued.

VPN 3000 IPsec Provisioning Support

VPNSC 2.1.1 supports the VPN 3000 models 3005, 3015, 3030, 3060, and 3080 concentrators, which are high capacity non-IOS IPsec devices. These devices serve as IPsec CPEs and also provide remote access to IPsec services. Support is for both LAN-to-LAN and remote access provisioning. VPNSC allows provisioning of LAN-to-LAN IPsec connections between the VPN 3000s and between the VPN 3000 and IOS tunnel peers, and manages remote access to IPsec services.

VPN 3000 configuration files can be imported directly into VPNSC. Additionally, you can create a task to do a live collection of the configuration files from specified devices.

When Remote Access IPsec VPN is provisioned on a VPN 3000 concentrator, a variety of IPsec clients may be used to terminate tunnels on the concentrator, such as:

Cisco VPN client. For more information, see http://www.cisco.com/warp/public/cc/pd/vpnc/vpncl/.

Windows 2000 L2TP over IPsec client. For more information, see http://www.cisco.com/warp/customer/471/Win_client.html.

Movian IPsec VPN client for Palm-based and Windows CE-based devices, for example, the Personal Digital Assistant (PDA), handheld PC, and Pocket PC. For more information, see http://www.certicom.com/products/movian/movianvpn.html.

Note: When you provision a Remote Access Service Request (RASR) using L2TP over IPsec as the tunneling protocol, VPNSC requires that only one digital certificate is installed in the VPN 3000. If multiple certificates are installed in the VPN 3000, VPNSC moves the Service Request to the invalid state.

Note: When testing VPNSC with Windows 2000 L2TP over IPsec client, it became clear that the following settings are mandatory. Without these settings, the Service Request shows as deployed but the client cannot connect to the server.

You must set the Policy's Perfect Forward Secrecy (PFS) to disabled in the Perfect Forward Secrecy block. When you navigate in the hierarchy pane, right-click on Policies, then left-click on New Policy, enter a Policy Name, and then under the Global Parameters tab, do not check the Enabled box.

Additionally, in the Policy's IKE Proposals table, you must select Group 2 for the Diffie-Hellman DH Group ID. When you navigate in the hierarchy pane, right-click on Policies, then left-click on New Policy, enter a Policy Name, and then under the Proposals tab, in the IKE Proposals block, under the column DH Group ID, double-click on the selection and you will get a drop-down menu. Choose Group 2.


VPN 5000 IPsec Provisioning—Unsupported Feature

VPN 5000 IPsec provisioning appears in the Graphical User Interface (GUI) and API, but is an unsupported feature in this release.

wdperf Command Discontinued

The wdperf command and its reports are discontinued. For comparable report information, you may want to look into using the UNIX vmstat (virtual memory statistics) and sar (system administrator's report) commands.

Errata for the 2.1 Documentation

The 2.1.1 product uses the 2.1 documentation set with the exception that this Release Note replaces the Release Notes for Cisco VPN Solutions Center, Release 2.1.

The following information has changed from Release 2.1 to Release 2.1.1:

1. The default for the property netsys.auditing.saveJitCollectedConfigs in the csm.properties file has changed from False to True. This is documented in Appendix C, "Property Settings," in both the Cisco VPN Solutions Center: IPsec Solution User Reference, Software Release 2.1 and Cisco VPN Solutions Center: MPLS Solution User Reference, Software Release 2.1.

2. The properties in Table 1, "Property Information in csm.properties File," are new properties in the csm.properties file. This updates the table provided in Appendix C, "Property Settings," in both the Cisco VPN Solutions Center: IPsec Solution User Reference, Software Release 2.1 and Cisco VPN Solutions Center: MPLS Solution User Reference, Software Release 2.1.

Table 1 Property Information in csm.properties File

Property: netsys.provisioning.ipsec.greKeepAlive
Default Value: No values, which keeps this property disabled to be compatible with old IOS images that don't support GRE keepalives.
Range/Rules: Specify two integers (must have both) to specify the interval between retries in seconds and the number of retries, in that order.
Explanation: Specify the two integers instead of the default of no values to enable GRE keepalives on the tunnel interfaces created by the IPsec Provisioning Engine. This is required for fail-over with static routes. With the default of no GRE keepalive, the tunnel interface remains up even when the tunnel destination is no longer reachable.

Property: netsys.provisioning.downloadTemplateToUnmanagedCE
Default Value: false
Range/Rules: The valid values are true and false.
Explanation: True allows the downloading of a configlet generated by the template to an unmanaged CE. It is basically for CEs that are Cisco switches (not routers) supporting IOS. False does not allow this behavior.

Property: netsys.provisioning.ipsec.generateCryptoLocalAdddr
Default Value: true
Range/Rules: The valid values are true and false.
Explanation: True allows the generation of the crypto local-addr command. False suppresses the generation of the crypto local-addr command.

Property: netsys.provisioning.mpls.reapplyIpAddress
Default Value: false
Range/Rules: The valid values are true and false.
Explanation: True allows you to reapply the address on the numbered PE and CE interfaces (not remove it) when removing a service request. This property has no effect for unnumbered interfaces. False does not allow this behavior.

Property: netsys.provisioning.mpls.removeSubinterface
Default Value: true
Range/Rules: The valid values are true and false.
Explanation: This property is applicable to MPLS only. If you want to keep the subinterface and remove the subcommands under the subinterface (IP address, VRF forwarding, PVC in case of ATM, and so on) when removing a service request, this property is useful. This applies to subinterfaces only. You never remove major interfaces. True means you generate only the no command for the subinterface (that is, you remove the subinterface). False means you do not remove the subinterface and you generate the no commands for the subcommands provisioned by VPNSC under this subinterface.

Property: netsys.watchdog.log.period
Default Value: 86400000
Range/Rules: The range is one hour to one week expressed in milliseconds (3600000 to 604800000).
Explanation: This property specifies the time interval at which a server log file should be rotated. At the specified time, the server log file is time-stamped and archived and a new server log file is opened. The default is one day, 86400000 milliseconds.

Property: netsys.watchdog.log.timeout
Default Value: 604800000
Range/Rules: The range is one hour to one month expressed in milliseconds (3600000 to 2592000000).
Explanation: This property specifies the time after which the server logs are deleted. The cleanup only happens at each time interval given by the property netsys.watchdog.log.period. If the value for netsys.watchdog.log.timeout is less than the value for netsys.watchdog.log.period, the value for netsys.watchdog.log.timeout is reset to 7 days (604800000 milliseconds).

Property: netsys.watchdog.server.CVPIMServer.mplsProvisionDuplicateRT
Default Value: true
Range/Rules: The valid values are true and false.
Explanation: This property is applicable to MPLS only. True allows the RTs with duplicate values to be added to the same CERC membership. False does not add VPNs to the CERC membership if the RT values are the same.
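
The rules in Table 1 can be checked mechanically before a changed csm.properties file is put into service. The following Python checker is an added example, not part of VPNSC. It assumes the file uses key = value lines with # comments and that the two greKeepAlive integers are separated by a space or a comma; these release notes specify neither.

```python
import re

HOUR_MS = 3_600_000
WEEK_MS = 604_800_000        # 7 days
MONTH_MS = 2_592_000_000     # 30 days, the upper bound Table 1 gives

PERIOD = "netsys.watchdog.log.period"
TIMEOUT = "netsys.watchdog.log.timeout"
GRE = "netsys.provisioning.ipsec.greKeepAlive"

# Boolean properties from Table 1 (names copied as printed there).
BOOLEANS = (
    "netsys.provisioning.downloadTemplateToUnmanagedCE",
    "netsys.provisioning.ipsec.generateCryptoLocalAdddr",
    "netsys.provisioning.mpls.reapplyIpAddress",
    "netsys.provisioning.mpls.removeSubinterface",
    "netsys.watchdog.server.CVPIMServer.mplsProvisionDuplicateRT",
)


def parse_properties(text):
    """Parse 'key = value' lines; '#' starts a comment (assumed syntax)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _ms(props, key, default, low, high, findings):
    """Return a millisecond property as int, the default if unset, None if invalid."""
    raw = props.get(key)
    if raw is None:
        return default
    if not raw.isdigit() or not low <= int(raw) <= high:
        findings.append(f"{key}={raw}: outside documented range {low}..{high}")
        return None
    return int(raw)


def check(text):
    """Return (effective_log_timeout_ms, findings) for a csm.properties text."""
    props = parse_properties(text)
    findings = []

    for key in BOOLEANS:
        value = props.get(key)
        if value is not None and value.lower() not in ("true", "false"):
            findings.append(f"{key}={value}: valid values are true and false")

    # An empty value is the documented default (keepalives disabled).
    gre = props.get(GRE, "")
    if gre and not re.fullmatch(r"\d+[\s,]+\d+", gre):
        findings.append(f"{GRE}={gre}: needs both interval (s) and retry count")

    period = _ms(props, PERIOD, 86_400_000, HOUR_MS, WEEK_MS, findings)
    timeout = _ms(props, TIMEOUT, WEEK_MS, HOUR_MS, MONTH_MS, findings)
    # Documented rule: a timeout shorter than the period is reset to 7 days.
    if period is not None and timeout is not None and timeout < period:
        findings.append(f"{TIMEOUT} < {PERIOD}: reset to 7 days ({WEEK_MS} ms)")
        timeout = WEEK_MS
    return timeout, findings


# Constructed sample, not taken from a real installation.
SAMPLE = """\
# constructed csm.properties fragment
netsys.provisioning.ipsec.greKeepAlive = 10
netsys.provisioning.mpls.removeSubinterface = yes
netsys.watchdog.log.period = 172800000
netsys.watchdog.log.timeout = 86400000
"""

if __name__ == "__main__":
    effective, problems = check(SAMPLE)
    print("effective log timeout (ms):", effective)
    for problem in problems:
        print("-", problem)
```

The sample asks for one day of log retention with a two-day rotation period, so the checker reports that the retention VPNSC actually applies is seven days.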


3. In both IPsec and MPLS, when you navigate Monitoring > Collect Configurations From Cisco Routers and are collecting router configuration files for IOS devices, the configuration files are saved in the Collection Repository. Additionally, in Release 2.1.1, the interfaces list in the Directory Repository is now also updated. The interfaces are parsed from the collected configuration files. Interfaces that do not have IP addresses are not added to the Directory Repository. (Reference: The "Description" subsection in the "Collect Configurations From Cisco Routers," section in Chapter 8, "VPN Console Monitoring Menu," in both the Cisco VPN Solutions Center: IPsec Solution User Reference and Cisco VPN Solutions Center: MPLS Solution User Reference manuals.)

4. In MPLS, when you navigate Provisioning > Add VPN Service to CE and select the OSPF protocol, you can now additionally support Redistribute RIP into OSPF. (Reference: Cisco VPN Solutions Center: MPLS Solution User Reference, Chapter 7, Figure 7-11.)

5. In MPLS, when you navigate Provisioning > Add VPN Service to CE and select the RIP protocol, you can now additionally support Redistribute OSPF into RIP and specify the OSPF process identifier. (Reference: Cisco VPN Solutions Center: MPLS Solution User Reference, Chapter 7, Figure 7-17.)

6. In MPLS, when you navigate Provisioning > Add VPN Service to CE and choose a protocol, you then select the PE interface. If you choose the interface cable, VPNSC automatically selects the subinterface number based on the VRF. After the service request is deployed, the subinterface remains and automatically appears when a cable interface is chosen. (Reference: Cisco VPN Solutions Center: MPLS Solution User Reference, Chapter 7, Figure 7-21.) See the section, "Specifying the Cable Interface," in Chapter 9 of the Cisco VPN Solutions Center: MPLS Solution Provisioning and Operations Guide.

7. In MPLS, when you navigate Provisioning > Add VPN Service to CE and choose a protocol, you then select the PE interface. If you choose the encapsulation of None for cable, you were limited to one Modem Helper and one Host Helper. However, now you can choose multiple Modem Helpers, Host Helpers, or Both. (Reference: Cisco VPN Solutions Center: MPLS Solution User Reference, Chapter 7, Figure 7-23.) See the section "Specifying the Cable Maintenance Helper Addresses," in Chapter 9 of the Cisco VPN Solutions Center: MPLS Solution Provisioning and Operations Guide.

8. In IPsec, when the remote access service request state for the VPN 3000 is moved to the Deployed state, VPNSC now merges and purges objects. Because the Deployed state indicates the auditor's verification of all deleted objects, and so on, it is safe to purge the objects from the repository at that time. Without this logic, the provisioning engine sees the objects with an operation code of delete every time and tries to remove the objects from the VPN 3000 every time. Additionally, the auditor would try to verify every time that the objects are removed from the VPN 3000. This new logic already existed for the tunnels of LAN-to-LAN service requests; that is, the repository purges tunnels when the service request state goes to the Deployed state.

9. In IPsec and MPLS, when the user downloads a router OSPF command and the response is: "VRF specified does not match existing router," TGS now correctly flags an error on download. This did not happen previously, because the response was not in the property netsys.tgs.IOSErrorExpression in csm.properties.

System Recommendations

The following are the system recommendations for VPNSC:

For the workstation recommendations, see Table 2. For the workstation recommendations for running VPNSC with High Availability (a new feature explained in High Availability Support), see Table 3.

Table 2 Workstation Recommendations for VPNSC

Number of Edge Devices: Up to 1500
Workstation: UltraSparc 60 or Sun Netra 1120/1125 (1 or 2 CPUs)
RAM: 1 GB
Swap Space: 4 GB
Disk Space: 20+ GB
Number of Operators: 10

Number of Edge Devices: More than 1500
Workstation: Sun Netra 1400/1405 (2-4 CPUs)
RAM: 2-4 GB
Swap Space: 6-10 GB
Disk Space: 30+ GB
Number of Operators: 20

Note The Number of Operators column indicates the Cisco recommendation for the number of concurrent VPNSC operators running instances of the VPN Console. This number is not the maximum number of operators.


Table 3 Workstation Recommendations for VPNSC Running High Availability

Workstations: Minimum of 2 Sun Netra 1400/1405 servers
RAM: 2 GB for each workstation
Disk Space: Two 36 GB 10,000 RPM disk drives for each workstation

Software: You must run Solaris 8 and Sun™ Cluster Release 3.0 with Update 1 (see the Sun™ Web site or documentation) in failover mode, not scalable mode. You must be trained to run Sun™ Cluster before using the VPNSC High Availability feature.


Solaris 8 with recommended patches of at least 108528-14 for the kernel level of the patch cluster and JDK 1.4 patches found at: http://java.sun.com/j2se/1.4/download.html.


Note When you install Solaris 8, be sure to choose either the Developer System Support or the Entire Distribution software groups. Do not choose the End User System software group. The Developer System Support and Entire Distribution software groups contain the software required for a correct operating system installation (such as the SUNWbtool and SUNWsprot packages).


If you choose to run VPNSC through a terminal emulator program, such as Reflection®, on a PC, see Table 4.

Table 4 PC Recommendations for VPNSC when Running through Reflection® on a PC

PC (with Windows NT and Service Pack 5 or Windows 2000 and Service Pack 1): PC processor of a minimum of a Pentium 2, running at 400 MHz
RAM: Minimum of 196 MB
Reflection®: Latest version (currently 8.0.2)
Network Connections Speed: Minimum of 128 Kbps
Display Setting: Maximum of 256 colors


If you choose to run VPNSC through Virtual Network Computing (VNC), refer to http://www.uk.research.att.com/vnc/docs.html for VNC information.

CD-ROM drive.

For IPsec CPEs: Cisco IOS 12.2(1) or later, k8 or k9 images.

For MPLS PEs: Cisco IOS 12.1(5a)T or later.

For MPLS CEs: Cisco IOS 12.0 or later.

For NetFlow traffic profiling data, install NetFlow Collector 3.5 on a workstation that is separate from the MPLS VPN Solution workstation. The minimum recommendation for this workstation is a Sun Netra X1 or Sun Netra T1 AC200/DC200 with 256 MB RAM and 20+ GB disk space.


Note The recommendation is that one NetFlow workstation be located on a LAN connected directly to each PE.


For VPN 300x devices: Release 3.5 (requires the SSH client that supports the SSH protocol version 1.5, available on CCO).

For IP DSL switches: Cisco IOS 12.2(1) DA or later.

A Web Browser path is needed. Netscape 4.7 or later is recommended.


Note The Web Browser is specified during installation and in the csm.properties file.



Caution Make sure that the file descriptor limit is not set in the VPN Solutions Center workstation login shell file (which can be the .login file, the .cshrc file, or the .kshrc file). If the login shell file contains a line with the ulimit -n command (for example, "ulimit -n <number>"), comment out this command line in the file.

VPN Solutions Center cannot override the file descriptor limitation setting in the login shell file. If the value is set incorrectly, VPN Solutions Center may experience operational problems.

Problems Fixed in This Release


Note This release incorporates Release 2.1, problems fixed in the patch release 2.0.0.9, and more.

The patch release 2.0.0.9 is a cumulative patch and includes all the fixes for problems in the patch releases 2.0.0.2 through 2.0.0.9.


IPsec Known Problems in Cisco VPN Solutions Center, Release 2.1.1

The most important known IPsec problems in Release 2.1.1 are presented in the following categories:

Provisioning

Graphical User Interface

Collection

API

Other

Provisioning

CSCdw43116 - Modify service request removes configlets from untouched edge devices
If a service request is a hub-and-spoke IPsec VPN with 25 devices and is subsumed when adding an extra spoke, the user will no longer be able to view the remaining 24 configlets that were generated while deploying this service request.

Workaround: None. The information is in the repository but the GUI does not display it.

CSCdw57964 - Unable to modify or remove templates after migration from 1.2.1
Templates created in VPNSC 1.2.1 that are migrated to VPNSC 2.0 or later cannot be modified or removed from a Service Request. If you modify a migrated Service Request to use a new template, both the old and the new template commands are generated.

Workaround: Remove an old Service Request and create the new 2.0 or later Service Request with new templates.

CSCdx11868 - TGS/GTL remains idle during large download task
When downloading to a large number of devices in a single deployed task, TGS may sit idle for a long time (approximately 30 minutes). This is due to timing problems when TGS encounters various error conditions accessing the devices.

Workaround: Download a smaller number of devices in one task or confirm proper connectivity prior to download.

Graphical User Interface

CSCdw58688 - Template and secondary edge devices are not displayed in the GUI
Template and secondary edge devices are not displayed in the GUI after modifying an existing Service Request.

Workaround: Do not modify a Service Request to add a template or secondary edge device. Have these as part of the initial Service Request.

CSCdw94116 - Exception occurs if user associates to a group with a duplicated name
Exception occurs if a user associates to a group that has the same name as one that already exists in the Repository.

Workaround: Do not associate to a group that has the same name as an existing group.

CSCdw94598 - Exception occurs after creating duplicate AA server names for a customer
Exception occurs after creating duplicate AA server names for a customer.

Workaround: Do not create duplicate AA server names for a customer.

Collection

CSCdp543701 - VPNSC does not support by-passing the login password field
The current VPNSC collection engine requires the router to be configured with a login password. The collection fails if the router is configured to by-pass login.

Workaround: Configure the router to require a login password.

API

CSCdw23948 - Should not allow duplicate group name in repository
A VPN 3000 configuration import allows the creation of groups with the same names as those that have been added using the CiscoVsm3kFWIPsecCreator API. When two groups exist with the same name, the function Vsm3kFWIPsecCreator::find3kGroupByName() may not be dependable, because it always finds the first match. If a group retrieved this way is not associated with a policy, its use in a remote access service request causes a CiscoVsmExceptions::InvalidData exception.

Workaround: Remove the duplicate groups from the VPN 3000 concentrator before a configuration collection.

CSCdw26708 - Cannot remove a VPN 3000 CPE even when there is no RASR bundled to it
You cannot remove a VPN 3000 CPE using the VpnInvMgr.removeEdgeDeviceFromRep() API. The API produces an error message that says this edge device cannot be deleted even when there are no VPN 3000 RASRs depending on the edge device.

Workaround: Use the VPN Console to remove VPN 3000 edge devices from the repository.

CSCdx07810 - setTemplatesForSR() crashes the VpnInvServer during Service Request modification
For IPsec: CiscoVsmIPsecSRCreator::VsmIPsecSRModifier::setTemplatesForSR() crashes the VpnInvServer. For MPLS: CiscoVsmSRCreator::VsmVPNServiceModifier::setTemplatesForSR() throws a CiscoVsmExceptions::InvalidData exception.

Workaround: Use vpnconsole to modify an IPsec or an MPLS Service Request to associate templates.

Other

CSCdw16773 - VPN Console GUI crashes when creating targets from router configuration files stored on a PC
When editing a single target, the target name field is blank. When editing multiple targets, the VPN Console GUI crashes. This can occur when targets are created with router configuration files imported from a PC. The configuration importer cannot properly handle the control characters that are present in a PC text file.

Workaround: Create targets by importing router configuration files from a UNIX-based system.

CSCdx01404 - Config collections silently succeed if IOS hostname mismatches target name
If the target name in the VPNSC Repository does not match the IOS hostname, config collection succeeds without issuing an error message.

Workaround: Verify that the hostname and the target name match.

CSCdx10710 - SNMP operation changes IP address of an interface in a Repository
The machine used to install VPNSC must have the directory /usr/lib/locale/en_US installed. For VPNSC to function correctly on Solaris 8, the following is set in vpnenv.sh or comparably in vpnenv.csh and must remain set:

setenv LANG en_US

setenv LC_CTYPE en_US

If the locale is set to C, for example, the following may occur:

1. Intermittent core dumps may occur.

2. When configuring SLA probes on the routers and when running the interface MIB, IP addresses will change. For example, an IP address of 193.242.92.138 will change to 63.63.92.63 and an IP address of 172.16.0.254 will change to 63.16.0.63.

Workaround: Make sure LANG is en_US and LC_CTYPE is en_US.

Incompatibility between Veritas Volume Manager™ and Sun Java™ Development Kit (JDK™) Patches
If you are using the Veritas Volume Manager™, after installing the required patches, you may find that you no longer have access to its disk groups. Veritas Volume Manager™ has a dependency requiring dynamic libraries from /usr/lib and /etc/vx/slib to be synchronized. Sun Patch 108827 installs a new libnsl.so.1 in /usr/lib, putting these files out of synchronization.

Workaround: Save the original and copy the new file over, as follows:

# mv /etc/vx/slib/libnsl.so.1 /etc/vx/slib/libnsl.so.1.orig

# cp /usr/lib/libnsl.so.1 /etc/vx/slib/libnsl.so.1

Now update the software installation database for the Veritas Volume Manager™ file, as follows:


Note If you are using the Sun Enterprise Volume Manager instead of the Veritas Volume Manager™, substitute SUNWvxvm for VRTSvxvm in the following two commands.


# installf VRTSvxvm /etc/vx/slib/libnsl.so.1 f

# installf -f VRTSvxvm

The changes should take place immediately, but to ensure that the Veritas Volume Manager™ starts correctly, the recommendation is to reboot the machine after implementing this workaround.

MPLS Known Problems in Cisco VPN Solutions Center, Release 2.1.1

The most important known MPLS problems in Release 2.1.1 are presented numerically in the following categories:

Provisioning

Graphical User Interface

Collection

API

Other

Provisioning

CSCds65988 - BGP Autonomous System (AS) for CE can not be modified after deploying a Service Request
If the CE BGP AS number of a deployed Service Request is modified, the provisioning step during the deployment process fails, claiming that BGP has already been configured in that router using a different AS number. VPNSC currently does not issue a no router bgp <AS#> for the original CE BGP configuration when attempting to modify a BGP AS number of a CE. The correct behavior would be for VPNSC to issue a no router bgp <AS#> and configure a new BGP process for the modify Service Request.

Workaround: If the BGP AS number of a CE needs to be changed, the Service Request should be removed and a new Service Request with the required BGP AS number should be provisioned.

CSCdt84585 - No Refresh of the Service Request State for MPLS
When the Provisioning cycle is performed, the provisioning GUI does not update the service request state change. This requires that you continuously press the refresh button until the updated state is obtained.

Workaround: Manually refresh.

CSCdv73951 - VPNSC uses no ip route-cache to remove NetFlow from interface
VPNSC uses no ip route-cache to remove a Service Request with NetFlow enabled, but should use no ip route-cache flow instead. As a consequence, IOS may automatically issue no ip route-cache cef if you create a new Service Request with NetFlow enabled on the same interface.

Workaround: Manually issue ip route-cache cef under interface config.

CSCdw15022 - Unable to remove Allow AS-in option from service request
VPNSC successfully adds BGP Allow AS-in option but cannot remove it when modifying a service request.

Workaround: Remove service request and create new service request without the Allow AS-in option and deploy.

CSCdw16817 - VPNSC is not provisioning Permanent Virtual Circuit (PVC) details for unmanaged CE
If you provision a service request with a PE-CE ATM link and if the CE is unmanaged, VPNSC will not provide a PVC VPI/VCI statement in a CE configlet. If a CE is managed, everything works fine.

Workaround: Create a template that adds a pvc vpi/vci command to the interface configlet or manually configure the CE.

CSCdw57964 - Unable to modify or remove templates after migration from 1.2.1
Templates created in VPNSC 1.2.1 that are migrated to VPNSC 2.0 or later cannot be modified or removed from a Service Request. If you modify a migrated Service Request to use a new template, both the old and the new template commands are generated.

Workaround: Remove an old Service Request and create the new 2.0 or later Service Request with new templates.

CSCdw78252 - Configlet generates bad access list on cable interface
When deploying a Service Request on a Cable interface, a wrong access list is created. The access list that is created contains a permit statement for a specific host rather than a network.

CSCdw91697 - BRI0:0 is not a supported WAN interface type
When creating a Service Request for a CE using BRI0:0 interface, the following error occurs, "Invalid WAN interface type (BRI0:0) for the CE. Please enter a valid WAN interface or select one from the list."

Workaround: None. The BRI0:0 interface type is not supported.

CSCdx11868 - TGS/GTL remains idle during large download task
When downloading to a large number of devices in a single deployed task, TGS may sit idle for a long time (approximately 30 minutes). This is due to timing problems when TGS encounters various error conditions accessing the devices.

Workaround: Download a smaller number of devices in one task or confirm proper connectivity prior to download.

Graphical User Interface

CSCds63329 - CERC selection window does not show if Hub/Spoke or Mesh
When defining a Service Request, the CERC selection window displays the available CERCs by name, but does not indicate whether they are full mesh or hub and spoke.

Workaround: None

CSCdu37215 - Shutdown PE Interface gets enabled when you click outside of area
During provisioning of a CE to PE link, when choosing the interfaces to use, there is a check box labeled Shutdown PE interface. Clicking anywhere on that line, not only on the check box itself, can enable this option.

CSCdu37355 - Changing width of columns in the Service Request window does not stay if the data in the window is refreshed
Refresh under the Service Request window resizes the column width back to default.

CSCdu37372 - CE selection change ignored when moving backward through the wizard
When you change a CE and then move backward through the wizard, your change to your CE is lost.

Workaround: You must re-enter your CE modification.

CSCdu37373 - Invalid characters in the Target name are not checked at creation time
You are not informed of invalid host names until you try to retrieve a target from the Repository.

Workaround: Delete the target from the Repository and re-enter it with a valid name.

CSCdu42873 - ATM subinterface number range checking
Range checking during the wizard called Add VPN Service to CE is insufficient. If you enter a subinterface such as 0.50 in the wizard, the GUI does not object but the service request fails deployment when it tries to create an invalid interface name.

CSCdv14242 - VPNSC GUI accepts a subinterface value (used as VCD) greater than 4096
A subinterface value (used as a VCD) greater than 4096 in the GUI may work for some versions of IOS, but it won't work with the API.

Workaround: Do not assign a VCD value greater than 4096 and both the GUI and API will work the same.

CSCdw58688 - Template and secondary edge devices are not displayed in the GUI
Template and secondary edge devices are not displayed in the GUI after modifying an existing Service Request.

Workaround: Do not modify a Service Request to add a template or secondary edge device. Have these as part of the initial Service Request.

Collection

CSCdp543701 - VPNSC does not support by-passing the login password field
The current VPNSC collection engine requires the router to be configured with a login password. The collection fails if the router is configured to by-pass login.

Workaround: Configure the router to require a login password.

API

CSCdt93691 - getSRState() for VsmSRVC fails
When a server side object is created, it caches the database object that it represents and the accessors and mutators are called on the local cache. This is saved in the repository when you actually send an update request. The local cache might not represent the actual values in the database if the values change after the server side object has been instantiated. To fix this bug we would need to reimplement the caching mechanism that we adopt on the server side. However, reading the values out of the database every time an accessor function is called is not advisable.

Workaround: The workaround is to instantiate another server side object before calling the getSRState().

CSCdw10548 - Severe performance degradation of releaseX() API calls during a VPN export
For large repositories, API calls such as VpnInvMgrMPLS::getAllSRVCs() or getAllCERCMemberships() can degrade the performance of the VpnInvServer, because they cause accumulation of a large number of VpnInventory objects on the server side. VpnInvMgrMPLS::releaseX() calls take a long time to complete when there are a large number of objects on the server side.

Workaround: None

CSCdx07810 - setTemplatesForSR() crashes the VpnInvServer during Service Request modification
For IPsec: CiscoVsmIPsecSRCreator::VsmIPsecSRModifier::setTemplatesForSR() crashes the VpnInvServer. For MPLS: CiscoVsmSRCreator::VsmVPNServiceModifier::setTemplatesForSR() throws a CiscoVsmExceptions::InvalidData exception.

Workaround: Use vpnconsole to modify an IPsec or an MPLS Service Request to associate templates.

Other

CSCds34572 - VpnInvImport cannot import RT and RD address pool offset values
The offset values to the RD and RT pools are currently not imported by the import tool.

Workaround: None.

CSCdw16773 - VPN Console GUI crashes when creating targets from router configuration files stored on a PC
When editing a single target, the target name field is blank. When editing multiple targets, the VPN Console GUI crashes. This can occur when targets are created with router configuration files imported from a PC. The configuration importer cannot properly handle the control characters that are present in a PC text file.

Workaround: Create targets by importing router configuration files from a UNIX-based system.

CSCdx01404 - Config collections silently succeed if IOS hostname mismatches target name
If the target name in the VPNSC Repository does not match the IOS hostname, config collection succeeds without issuing an error message.

Workaround: Verify that the hostname and the target name match.
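
CSCdw16773 and CSCdx01404, listed under both the IPsec and MPLS known problems, can both be caught by inspecting a router configuration file before it is imported or trusted. The following Python check is an added example, not part of VPNSC. It assumes the target name must equal the IOS hostname exactly, and the release notes do not confirm that VPNSC accepts a file once its control characters are stripped.

```python
import re

# IOS 'hostname <name>' command on a line of its own.
HOSTNAME_RE = re.compile(rb"^hostname[ \t]+(\S+)[ \t]*$", re.MULTILINE)
# Control bytes other than tab and newline. This covers the carriage returns
# and Ctrl-Z (0x1a) end-of-file marks that PC text files can carry.
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def normalize(raw):
    """Return the config with CRLF/CR turned into LF and control bytes removed."""
    text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return CONTROL_RE.sub(b"", text)


def lint_config(target_name, raw):
    """Return a list of findings for one config file meant for target_name."""
    findings = []

    controls = CONTROL_RE.findall(raw)
    if controls:
        kinds = sorted({f"0x{b[0]:02x}" for b in controls})
        findings.append(
            f"control-chars: {len(controls)} byte(s) ({', '.join(kinds)})"
        )

    # Search the normalized text: on raw CRLF input the trailing carriage
    # return keeps the hostname line from matching at all.
    match = HOSTNAME_RE.search(normalize(raw))
    if match is None:
        findings.append("no-hostname: no 'hostname' command found")
    else:
        hostname = match.group(1).decode("ascii", "replace")
        if hostname != target_name:
            findings.append(
                f"hostname-mismatch: config says {hostname!r}, "
                f"target is {target_name!r}"
            )
    return findings


# Constructed sample configurations (not from a real device).
UNIX_CFG = (
    b"!\n"
    b"hostname pe-east-1\n"
    b"!\n"
    b"interface Serial0/0\n"
    b" ip address 10.0.0.1 255.255.255.252\n"
    b"!\n"
    b"end\n"
)
# The same file as saved on a PC: CRLF line endings and a trailing Ctrl-Z.
PC_CFG = UNIX_CFG.replace(b"\n", b"\r\n") + b"\x1a"

if __name__ == "__main__":
    for label, target, cfg in (
        ("unix file, right target", "pe-east-1", UNIX_CFG),
        ("pc file, right target", "pe-east-1", PC_CFG),
        ("unix file, wrong target", "pe-west-9", UNIX_CFG),
    ):
        print(label, "->", lint_config(target, cfg) or "clean")
```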

CSCdx10710 - SNMP operation changes IP address of an interface in a Repository
The machine used to install VPNSC must have the directory /usr/lib/locale/en_US installed. For VPNSC to function correctly on Solaris 8, the following is set in vpnenv.sh or comparably in vpnenv.csh and must remain set:

setenv LANG en_US

setenv LC_CTYPE en_US

If the locale is set to C, for example, the following may occur:

1. Intermittent core dumps may occur.

2. When configuring SLA probes on the routers and when running the interface MIB, IP addresses will change. For example, an IP address of 193.242.92.138 will change to 63.63.92.63 and an IP address of 172.16.0.254 will change to 63.16.0.63.

Workaround: Make sure LANG is en_US and LC_CTYPE is en_US.
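
Both address pairs quoted for CSCdx10710 (in the IPsec and MPLS lists alike) fit one rule: every octet above 127 is replaced by 63, the ASCII code for "?". The following Python audit is an added example, not part of VPNSC. It uses that rule, which is inferred from the two examples rather than stated in these release notes, to separate locale damage from other mismatches; the interface names and the last two addresses in the sample are constructed.

```python
import ipaddress

# Settings the workaround requires in vpnenv.sh / vpnenv.csh.
REQUIRED_LOCALE = {"LANG": "en_US", "LC_CTYPE": "en_US"}


def locale_problems(env):
    """Return the variables that are not set the way the workaround requires."""
    return sorted(k for k, v in REQUIRED_LOCALE.items() if env.get(k) != v)


def mangle_octets(address):
    """Apply the inferred rule: octets above 127 become 63 (ASCII '?')."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    return ".".join("63" if int(o) > 127 else o for o in octets)


def classify(configured, stored):
    """Compare the address on the router with the one in the Repository."""
    if stored == configured:
        return "ok"
    if stored == mangle_octets(configured):
        return "locale-mangled"
    return "mismatch"


def audit(configured_by_if, stored_by_if):
    """Return {interface: verdict} for every interface configured on the router."""
    report = {}
    for name, configured in configured_by_if.items():
        stored = stored_by_if.get(name)
        report[name] = "missing" if stored is None else classify(configured, stored)
    return report


# Addresses as configured on the router. The first two are the examples
# from the release note; the rest are constructed.
CONFIGURED = {
    "Serial0/0": "193.242.92.138",
    "Loopback0": "172.16.0.254",
    "Ethernet0": "10.1.2.3",        # no octet above 127, so unaffected
    "Serial0/1": "192.168.5.1",
}
# Addresses as found in the Repository (constructed, apart from the first two).
STORED = {
    "Serial0/0": "63.63.92.63",
    "Loopback0": "63.16.0.63",
    "Ethernet0": "10.1.2.3",
    "Serial0/1": "192.168.50.1",    # an ordinary typo, not locale damage
}

if __name__ == "__main__":
    print("locale problems:", locale_problems({"LANG": "C"}) or "none")
    for name, verdict in audit(CONFIGURED, STORED).items():
        print(f"{name:10} {CONFIGURED[name]:16} -> {STORED.get(name)!s:16} {verdict}")
```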

Incompatibility between Veritas Volume Manager™ and Sun Java™ Development Kit (JDK™) Patches
If you are using the Veritas Volume Manager™, after installing the required patches, you may find that you no longer have access to its disk groups. Veritas Volume Manager™ has a dependency requiring dynamic libraries from /usr/lib and /etc/vx/slib to be synchronized. Sun Patch 108827 installs a new libnsl.so.1 in /usr/lib, putting these files out of synchronization.

Workaround: Save the original and copy the new file over, as follows:

# mv /etc/vx/slib/libnsl.so.1 /etc/vx/slib/libnsl.so.1.orig

# cp /usr/lib/libnsl.so.1 /etc/vx/slib/libnsl.so.1

Now update the software installation database for the Veritas Volume Manager™ file, as follows:


Note If you are using the Sun Enterprise Volume Manager instead of the Veritas Volume Manager™, substitute SUNWvxvm for VRTSvxvm in the following two commands.


# installf VRTSvxvm /etc/vx/slib/libnsl.so.1 f

# installf -f VRTSvxvm

The changes should take place immediately, but to ensure that the Veritas Volume Manager™ starts correctly, the recommendation is to reboot the machine after implementing this workaround.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

http://www.cisco.com

http://www-china.cisco.com

http://www-europe.cisco.com

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.