Release Notes for Cisco Router and Security Device Manager 2.3.4
Revised: December 13, 2006 OL-5009-15
These release notes support Cisco Router and Security Device Manager version 2.3.4. They should be used with the documents listed in the "Related Documentation" section. These release notes are updated as needed.
Cisco Router and Security Device Manager (Cisco SDM) is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Admission Control (NAC), Network Address Translation (NAT), firewalls, Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and other features on the router. Cisco SDM 2.1 and later versions can be installed on a PC, or in router flash, disk, or slot memory. Earlier versions of Cisco SDM cannot be installed on PCs, and can be installed in router flash, disk, or slot memory. If you have a router listed in the "Hardware Supported" section, Cisco SDM is either preinstalled in router memory, or is shipped on a CD with the router.
Cisco SDM Express allows you to give a router a basic LAN, WAN, firewall and NAT configuration. It is installed in router memory.
This document contains the following sections:
This section contains Cisco SDM system requirements.
Table 1 shows how much memory is required to support Cisco SDM files.
2 MB of router memory is required to support Cisco SDM Express files.
The Wireless Management application requires an additional 2 MB.
Cisco SDM installed on a PC requires 5.9 MB of memory.
Table 2 lists the files that are included with Cisco SDM, Cisco SDM Express, and the Wireless Management application.
This section lists the routers that Cisco SDM supports, by series.
Note Cisco SDM does not support Telco/CO router models.
Cisco SB100 series:
Cisco 800 series:
Cisco SDM is supported on the following Cisco 1700 series:
Cisco 1800 series:
Cisco 2600 series:
Cisco 3600 series:
Cisco SDM is supported on the following Cisco 3700 series:
Cisco SDM is supported on the following Cisco 3800 series:
Cisco SDM is supported on the following Cisco 7000 series:
Supported Adapters, Cards and Network Modules
•NM-4A/S (synchronous only)
•NM-8A/S (synchronous only)
Cisco SDM supports only Ethernet configuration on the following network modules:
Cisco SDM supports the following EtherSwitch Service Network Modules:
Cisco SDM supports the following WAN interface cards:
•WIC-2A/S (Frame Relay, PPP, HDLC, no asynchronous)
Cisco SDM supports the following high-speed WAN interface cards (HWICs):
Cisco SDM supports the following advanced integration modules (AIMs):
Cisco SDM supports the following port adapters on Cisco 7000 family routers:
Cisco SDM supports the following service adapters on Cisco 7000 family routers:
Cisco SDM also supports the MOD-1700VPN.
PC System Requirements
Cisco SDM is designed to run on a personal computer that has a Pentium III or faster processor.
This section describes Cisco SDM software requirements.
Cisco IOS Releases
Cisco SDM is compatible with the Cisco IOS releases listed in Table 2.
Note Cisco SDM supports the Cisco IOS Intrusion Prevention System (Cisco IOS IPS). In order to be able to use Cisco SDM to configure the Cisco IOS IPS software, the router must run Release 12.3(8)T4 or a later release. Later Cisco IOS releases support additional Cisco IOS IPS functionality. Table 3 lists the Cisco IOS IPS feature history by Cisco IOS release.
Table 3 shows the Cisco IOS IPS feature history, and lists the Cisco IOS releases that offered each set of features, beginning with the latest release. This information is available in the Cisco IOS IPS Deployment Guide available at the following link.
Determining the Cisco IOS Release
To determine the release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the Cisco IOS release on the second output line:

Router> show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH
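As an added example that is not part of the release notes, the following Python script picks the running release out of show version output and checks it against the 12.3(8)T4 minimum given above for configuring Cisco IOS IPS through Cisco SDM. The comparison rule it uses (numeric release first, then matching train letters and rebuild number) is an assumption that simplifies Cisco's train model, and the sample output is constructed.

```python
import re
from typing import NamedTuple, Optional

# Regex for a Cisco IOS release string such as 12.2(13)ZH, 12.3(8)T4 or 12.4(12):
# major.minor(maintenance) followed by optional train letters and a rebuild number.
IOS_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")


class IosRelease(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str    # "T", "ZH", ... or "" for a mainline release
    rebuild: int  # digits after the train letters, 0 when absent


def parse_release(text: str) -> Optional[IosRelease]:
    """Parse the first IOS release string found in text; None if there is none."""
    m = IOS_RELEASE_RE.search(text)
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return IosRelease(int(major), int(minor), int(maint), train,
                      int(rebuild) if rebuild else 0)


def release_from_show_version(output: str) -> Optional[IosRelease]:
    """Pick the running release out of show version output.

    Only a line naming both IOS and Version is considered, so other version
    strings in the output (for example the bootstrap ROM line) are ignored.
    """
    for line in output.splitlines():
        if "IOS" in line and "Version" in line:
            return parse_release(line)
    return None


def meets_minimum(running: IosRelease, minimum: IosRelease) -> bool:
    """Compare two releases.

    Assumption (a simplification of Cisco's train model): a higher numeric
    release always satisfies the minimum; when the numbers are equal, the
    train letters must match and the rebuild number decides. A mainline
    12.3(8) therefore does not satisfy a 12.3(8)T4 minimum.
    """
    r = (running.major, running.minor, running.maintenance)
    m = (minimum.major, minimum.minor, minimum.maintenance)
    if r != m:
        return r > m
    if running.train != minimum.train:
        return False
    return running.rebuild >= minimum.rebuild


# Minimum release the notes give for configuring Cisco IOS IPS through SDM.
IPS_MINIMUM = IosRelease(12, 3, 8, "T", 4)


def supports_ios_ips(running: IosRelease) -> bool:
    return meets_minimum(running, IPS_MINIMUM)


# Constructed sample, modelled on the show version excerpt in the notes; the
# ROM line is made up to show that it is skipped.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (c1700-k8sv3y7-mz) Version 12.2(13)ZH
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
"""

if __name__ == "__main__":
    rel = release_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, "IPS configurable via SDM:", supports_ios_ips(rel))
```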
Web Browser Versions and Java Runtime Environment Versions
Cisco SDM can be used with the following browsers:
•Firefox 1.0.6 and later versions
•Internet Explorer 5.5 and later versions
•Netscape 7.1 and 7.2
Cisco SDM requires Sun Java Runtime Environment (JRE). The following versions are supported:
Although the Cisco SDM application requires JRE to run, the Cisco SDM Express application included with Cisco SDM can run under the native Java Virtual Machine in the supported browsers, and also JRE.
PC Operating System Versions
Cisco SDM can be run on a PC running any of the following operating systems:
•Microsoft Windows ME
•Microsoft Windows NT 4.0 Workstation with Service Pack 4
•Microsoft Windows XP Professional
•Microsoft Windows 2003 Server (Standard Edition)
•Microsoft Windows 2000 Professional with Service Pack 4
Note Windows 2000 Advanced Server is not supported.
Japanese, Simplified Chinese, French, German, Spanish and Italian language support is available on these operating systems:
•Microsoft Windows XP Professional with Service Pack 2 or later
•Microsoft Windows 2000 Professional with Service Pack 4 or later
New and Changed Information
This section contains information that is new or changed since the previous version.
New Features Supported in Cisco SDM Version 2.3.4
Cisco SDM version 2.3.4 is available in the following language editions:
•Chinese (simplified) edition—available in the file SDM-V234-zh.zip
•English edition—available in the file SDM-V234.zip
•French edition—available in the file SDM-V234-fr.zip
•German edition—available in the file SDM-V234-de.zip
•Italian edition—available in the file SDM-V234-it.zip
•Japanese edition—available in the file SDM-V234-ja.zip
•Spanish edition—available in the file SDM-V234-es.zip
All editions of Cisco SDM are available on Cisco.com by going to the following link:
In order to run a Cisco SDM edition other than English, the PC that you are using must run a supported Microsoft Windows operating system of the same language as the Cisco SDM edition that you want to run, or, if the PC is running an English-language Microsoft Windows operating system, the regional settings on the PC must specify a locale that is compatible with the edition of Cisco SDM that you want to run. The English edition of Cisco SDM version 2.3.4 is able to run on all supported Microsoft Windows operating systems.
For more information on running a non-English edition of Cisco SDM on a PC running an English-language operating system, refer to the document Running Non English Editions of SDM on English-Language Operating Systems available at the same link.
Cisco SDM Files
This section describes the files used in Cisco SDM 2.3.4.
Table 4 describes the files that Cisco SDM and its applications use.
The sizes of the Cisco SDM files are listed by language edition in Table 5.
This section contains important information regarding installation and upgrades to Cisco SDM.
Cisco 1700 Routers Running Cisco ITS/Cisco CallManager Express and Cisco IOS Release 12.2(13)T
If you are installing Cisco SDM on a router that already has the Internet Telephony Service (ITS) or Cisco CallManager Express application installed in flash memory, you may exceed the number of files allowed in flash memory by installing Cisco SDM. Cisco 1700 routers using Cisco IOS Release 12.2(13)T cannot have more than 32 files in flash memory.
Before installing Cisco SDM, you must delete any unneeded files from flash memory. If no files can be deleted, do not install Cisco SDM on the router.
Downloading Cisco SDM from Cisco.com and Installing It on the Router
If Cisco SDM is not currently installed on the router, see Downloading and Installing Cisco Router and Security Device Manager (SDM) to learn how to download Cisco SDM from Cisco.com and install it on the router. To obtain this document, go to the following URL:
Upgrading to a New Cisco SDM Version
If a version of Cisco SDM later than version 1.0 is already installed on the router, use the automatic update feature to install the latest files on the router. Cisco SDM automatically checks Cisco.com for more recent versions of Cisco SDM, downloads them to your PC, removes the old Cisco SDM files from memory, runs the squeeze flash: command if necessary, and copies the latest files to the router. The update feature is available from the Tools menu. Choose Tools > Update SDM > From Cisco.com.
If you are currently using Cisco SDM 1.0, you must download the file SDM-Vnn.zip at the following URL:
See Downloading and Installing Cisco Router and Security Device Manager (SDM) to learn how to install Cisco SDM and all related files on the router at the following URL:
Click Install and Upgrade in the Technical Documentation and Tools box, and then click Install and Upgrade Guides.
Uninstalling Cisco SDM Files
If you want to remove Cisco SDM from flash memory or from a router disk file system, you can do so by logging onto the router and completing the following steps in EXEC mode:
Step 1 Change to the directory in which the Cisco SDM files are located.
If the router has a flash file system, use the following command:

router# cd flash:

If the router has a disk file system, use the following command:

router# cd diskN
Replace N with the actual number of the disk. Use the slot keyword instead of the disk keyword if necessary.
Step 2 Use the delete command to remove the Cisco SDM files. The example below deletes the file sdm.tar:

router# delete sdm.tar
Delete filename [sdm.tar]?
Delete flash:sdm.tar? [confirm]
Press Return to confirm the deletion.
Step 3 Use the delete command to remove the remaining Cisco SDM files. The "Cisco SDM Files" section lists the files used by Cisco SDM.
Step 4 Reclaim memory space by using the squeeze flash: command:

router# squeeze flash:
It is not necessary to use the squeeze flash: command on DOS-based file systems.
Cisco SDM version 2.1 or later can be installed on your PC. To remove Cisco SDM from your PC, complete the following steps:
Step 1 Click Start > Programs > Cisco Systems > Cisco SDM > Uninstall to launch the Uninstall program.
Step 2 When the message "Do you want to remove the selected applications and all of its features?" appears, click Yes.
Step 3 When the Uninstallation Complete screen is displayed, click Finish.
Limitations and Restrictions
This section describes restrictions and limitations that may apply to Cisco SDM.
Cisco SDM Minimum Screen Resolution
Cisco SDM requires a screen resolution of at least 1024 x 768.
Restrictions for Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 Routers
The following restrictions apply to Cisco SDM running on Cisco 7204VXR, Cisco 7206VXR, and Cisco 7301 routers:
•The Cisco SDM Express application is not supported.
•WAN configuration is not supported. Cisco SDM supports configuration of Ethernet and Fast Ethernet interfaces.
•The Cisco SDM Reset feature is not available.
•No Cisco SDM-default configuration file is supplied.
This section contains important information for Cisco SDM. It contains the following sections:
Cisco SDM Does Not Support a Configuration File Larger Than 250 Kilobytes
Cisco SDM does not support router configuration files larger than 250 Kb. If the configuration file on your router is larger than 250 Kb, Cisco SDM stops and displays an error message indicating that the configuration file exceeds the 250 Kb limit.
Cisco SDM Security Dashboard May Display Threats Unrelated to Your Cisco IOS IPS Installation
Some (or all) of the top threats you obtain using the Cisco SDM Security Dashboard may not pertain to your Cisco IOS IPS installation. After you deploy the signatures applicable to the top threats displayed by the Cisco SDM Security Dashboard, the Cisco SDM Security Dashboard may still display some (or all) top threats with a red icon because applicable signatures could not be found. Those remaining top threats are unrelated to your Cisco IOS IPS installation and not a danger to your router running Cisco IOS software.
Cisco SDM May not Launch Using IP Address of WebVPN Gateway
This information provides more information about the caveat CSCek33306. When Cisco SDM attempts to connect to a router with a WebVPN gateway configured using the Cisco IOS CLI, it might not launch from the IP address used by that gateway if the CLI statements necessary for Cisco SDM access are not included.
For example, if you have configured a WebVPN connection on the interface Fe 0/0 with the gateway IP address 10.10.10.1 and the gateway name MyWebVPN, you may not be able to launch Cisco SDM using that IP address.
To be able to launch Cisco SDM using that IP address, add the following Cisco IOS CLI commands:

Router# config t
Router(config)# interface loopback next-available-loopback-number
Router(config-if)# description Do not delete - SDM WebVPN generated interface
Router(config-if)# ip address 192.168.1.1 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443
Router(config)# webvpn gateway MyWebVPN
Router(config-webvpn-gateway)# http-redirect port 80
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip nat outside
Router(config-if)# exit

After adding these commands, you can launch Cisco SDM by entering the following IP address and port in the browser:

https://10.10.10.1:4443
If you remove the WebVPN gateway that was modified for Cisco SDM access, you must remove the loopback interface and NAT rule that you created to allow access in the first place. Enter the commands shown in the description of caveat CSCek38259.
Cisco SDM IPS User Guide Discontinued for Cisco SDM 2.2 and Later
The SDM IPS application has been merged with SDM version 2.2. Instructions for using IPS are included in the Cisco Router and Security Device Manager Version 2.2 User's Guide. No SDM IPS User's Guide has been published for this release.
Cisco SDM May Lose Connection to Network Access Device
This note concerns the NAC feature.
If the PC used to invoke Cisco SDM returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between Cisco SDM and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke Cisco SDM from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
•Ensure that the PC that you use to invoke Cisco SDM attains a posture token which has an associated group policy on the ACS server that is not configured with a redirect URL.
•Alternatively, use Cisco SDM to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke Cisco SDM. Note that the exception list entry created for the PC should be associated to an exception policy which does not have a redirect URL configured in it.
For more information, see the links in the Cisco SDM NAC online help pages.
Cisco SDM on PC May Not Launch under Windows XP with Service Pack 2
When Cisco SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer may display HTML source code when you attempt to launch Cisco SDM. To fix this problem, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch Cisco SDM.
Popup Blockers Disable Cisco SDM Online Help
If you have enabled popup blockers in the browser you use to run Cisco SDM, Cisco SDM online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run Cisco SDM. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.
Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.
If you have not installed and enabled pop-up blockers, go to Tools > Internet Options > Privacy, and uncheck the Block pop-ups checkbox.
Disable Proxy Settings
Cisco SDM will not start when run under Internet Explorer with proxy settings enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.
Routers Shipped with Cisco SDM Do Not Execute the Standard Cisco IOS Startup Sequence
Because a default configuration file is provided on a router shipped with Cisco SDM, the router will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.
To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave Cisco SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using Cisco SDM. Please see the router quick start guide and the Cisco SDM FAQ (available at http://www.cisco.com/go/sdm) for information about the minimum configuration required for using Cisco SDM.
Step 1 Connect the light blue console cable, included with the router, from the blue console port on the router to a serial port on your PC. See the router hardware installation guide for instructions.
Step 2 Connect the power supply to the router, plug the power supply into a power outlet, and turn on the router. See the router quick start guide for instructions.
Step 3 Use a terminal emulation program on your PC, with the terminal emulation settings 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to the router.
Step 4 At the prompt, enter the enable command, and enter the password cisco.

yourname> enable
Password: cisco
yourname#

Step 5 Enter the erase startup-config command.

yourname# erase startup-config
Step 6 Confirm the command by pressing Enter.
Step 7 Enter the reload command.

yourname# reload
Step 8 Confirm the command by pressing Enter.
After the router completes the reload operation, it enters into the standard Cisco IOS startup sequence. You can use the startup sequence to give the router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use Cisco SDM to change an existing configuration, see the instructions on starting Cisco SDM included in the quick start guide for the router.
Unable to Perform "squeeze flash:" Operation
If the router is using a Cisco IOS image earlier than release 12.3T, or release 12.2(13)ZH, it may be necessary to use the squeeze flash: command to reclaim flash memory after repeated use of Cisco SDM. If this becomes necessary, Cisco SDM will inform you that the squeeze flash: command must be used, and will execute the command upon your confirmation.
However, the squeeze flash: command will not work if an erase flash: command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash: command.
Executing the erase flash: command removes Cisco SDM and the Cisco IOS image from the router flash memory, and you will lose your connection to the router. Complete the following steps to save files in flash memory, execute erase flash:, and copy the files back so you can reconnect to Cisco SDM.
Step 1 Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in memory.
Step 2 Prepare a TFTP server to which you can save files and copy them over to the router. You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program.
Step 3 Open up a Telnet session on the router so that you can use the CLI.
Step 4 Save the router's running configuration to the startup configuration by entering the command copy running-config startup-config.
Step 5 Use the copy tftp command to copy the Cisco IOS image, and the Cisco SDM files from flash memory to a TFTP server:
copy flash: filename tftp://tftp-server-address/filename
For example:

Router# copy flash: sdm.tar tftp://10.10.10.3/sdm.tar
Table 4 lists the files Cisco SDM uses.
Tip If you prefer to download a Cisco IOS image, and the SDM-Vnn.zip file, follow these instructions to use an Internet connection to download a Cisco SDM-supported Cisco IOS image, and the SDM-Vnn.zip file.
a. Click the following link to obtain a Cisco IOS image from the Cisco Software Center:
b. Obtain an image that supports the features you want on Cisco IOS Release 12.2(11)T or later. Save the file to the TFTP server that is accessible from the router.
c. Use the following link to obtain the latest SDM-Vnn.zip file.
d. Extract the Cisco SDM files from SDM-Vnn.zip.
e. Click the setup.exe file to start the Cisco SDM installation wizard.
Step 6 From the PC, log in to the router using Telnet, and enter Enable mode.

Router> enable
Password:
Router#
Step 7 Enter the command erase flash:, and confirm. The router's IOS image, configuration file, and the Cisco SDM files are removed from flash memory.
Step 8 Use the copy tftp command to copy the IOS image and the Cisco SDM files from the TFTP server to the router:
copy tftp://tftp-server-address/filename flash:
Example:

Router# copy tftp://10.10.10.3/SDM.tar flash:
Note Copy the Cisco IOS image first, followed by the Cisco SDM files.
Step 9 Start your web browser, and reconnect to Cisco SDM, using the same IP address you used when you started the Cisco SDM session.
Now that an erase flash: operation has been performed on the router, you will be able to execute the squeeze flash: command when necessary.
Security Alert Dialog May Remain After Cisco SDM Launches
When Cisco SDM is launched using HTTPS, a security alert dialog box that informs you of possible security problems and asks you if you want to proceed with program launch may appear. This can happen if the router does not have the following global configuration command in the running configuration:

ip http timeout-policy idle 600 life 86400 requests 10000
Caveats describe unexpected behavior in Cisco SDM. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Open Caveats—Release 2.3.4
This section lists caveats that are open in release 2.3.4.
If you use the SDM install wizard to install SDM on a router that is running Cisco IOS 12.4(12), or if the file management feature is used to place a .tar file on the router running Cisco IOS 12.4(12), the operation may fail.
The workaround for both problems is to manually copy the files from the PC to the router using TFTP or FTP.
If the router is configured to allow Cisco SDM access through a WebVPN gateway that listens on the standard port 443, and that gateway is modified to listen on another custom port, the commands that were added for Cisco SDM access are not automatically removed, and must be removed using the Cisco IOS CLI. The WebVPN gateway may have been configured using the Cisco SDM WebVPN wizard, or it may have been configured manually and then modified to allow Cisco SDM access by adding the commands described in Cisco SDM May not Launch Using IP Address of WebVPN Gateway.
To safely edit the WebVPN gateway to listen on a port other than 443, do the following:
a. Go to Configure > VPN > WebVPN > Edit WebVPN, select the gateway and click Edit.
b. If the Enable secure SDM access through IP address checkbox is checked, uncheck it, and click OK to deliver the configuration change to the router.
c. Click Edit again and enter the port number that you want the WebVPN gateway to use.
d. Remove the loopback interface that was created for Cisco SDM access by clicking Configure > Interfaces and Connections > Edit Interfaces/Connections and removing the loopback interface.
e. To remove the NAT rule, click Configure > NAT > Edit NAT Configuration, and remove the NAT rule that was added. Do not remove the NAT rule if it is being used by other parts of the configuration.
Cisco SDM can now be invoked using the standard HTTPS port 443.
If you prefer to use the Cisco IOS CLI, enter the following commands to remove the loopback interface and NAT rule that were added to allow Cisco SDM access. In these steps, Loopback 0 with an IP address of 192.168.1.1, and FastEthernet 0/0 with an IP address of 10.20.30.40 are used as examples.

Router# config t
Router(config)# no interface Loopback0
Router(config)# interface FastEthernet0/0
Router(config-if)# no ip nat outside
Router(config-if)# exit
Router(config)# no ip nat inside source static tcp 192.168.1.1 443 10.20.30.40 4443
Router(config)# exit
Note Do not enter the no ip nat inside command if other NAT translation rules are using it. If no other rules use this command, remove it.
Due to a Cisco IOS problem, no more than 5 actions can be assigned to a signature. This problem has no workaround.
When you import signatures from a large Signature Definition File (SDF) more than 4 or 5 times during the same session, Cisco SDM may close. This problem has not been observed consistently. This problem has no workaround.
Cisco SDM may not launch from an interface with a CLI-configured WebVPN if the CLI commands necessary for Cisco SDM access have not been added. This includes WebVPNs configured with the command webvpn enable WebVPNname IP-address SSLVPN.
For more information about this caveat, see the "Cisco SDM May not Launch Using IP Address of WebVPN Gateway" section.
Cisco SDM Express browser windows do not close if the Secure Device Provisioning application is launched from Cisco SDM Express. If you choose Secure Device Provision in the Cisco SDM Express Router Provisioning screen, the SDP application is launched after you complete the Cisco SDM Express wizard and deliver the commands to the router. After the commands are delivered, Cisco SDM Express closes, but the two browser windows associated with Cisco SDM Express do not close automatically. This behavior has been observed in all browsers.
Close these windows manually. However, note that closing these windows manually also closes the SDP application. Therefore, do not close these windows until you have completed configuring the router using the SDP application.
If you edit the IPS rule for incoming traffic or outgoing traffic or edit both rules on the interface that Cisco SDM is using to communicate with the router, the no form of the existing rule is delivered first. For all other interfaces the no form of the rule is delivered last.
No workaround is available. However, this behavior does not cause a loss of functionality.
When signatures are reloaded using the option available in IPS > Edit IPS > Global Settings > Reload Signatures, and an IPS rule is applied on the interface on which Cisco SDM communicates with the router, the reload does not succeed because the commands from this interface are generated last.
This problem will occur only when an IPS rule is applied on the interface on which Cisco SDM communicates with the router.
Do the following:
a. Disable IPS on the connected interface
b. Reload the signatures by clicking IPS > Edit IPS > Global Settings > Reload Signatures
c. Enable IPS on the connected interface
When Cisco SDM is run on the PC, the Load File from PC function available from the File Management window may not work properly.
Workaround: With a TFTP server application on the PC, copy files to the router using the copy tftp flash command.
The SDM_HIGH security policy may not block Instant Messaging (IM) applications. The application security feature blocks IM applications using the server deny name command. New servers may become available, and if they do, IM applications may connect to them.
Workaround: Complete the following steps:
a. Turn on firewall logging for IM applications. The names of the servers that the IM applications connect to will be revealed in the log.
b. Use the CLI to block the new servers. The following example uses the server newserver.yahoo.com:

router# config t
router(config)# appfw policy-name SDM_HIGH
router(cfg-appfw-policy)# application im yahoo
router(cfg-appfw-policy-ymsgr)# server deny name newserver.yahoo.com
router(cfg-appfw-policy-ymsgr)# end
router#

Note •IM applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco SDM configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports.
•Some IM applications, such as MSN Messenger 7.0, use HTTP ports by default. To permit these applications, configure the IM application to use its native port.
When the application security policy blocks some Peer-to-Peer (P2P) applications, but permits others, blocked applications may be able to download files.
Workaround: Instead of permitting some P2P applications and blocking others, exclude the applications that you want to permit from the application security policy by unchecking the box next to the application name.
Because of a problem with the Cisco IOS NBAR feature, some Peer-to-Peer applications are able to download files even when application security is configured to block them. When the Cisco IOS NBAR feature is used to block Peer-to-Peer applications, only those applications and protocols supported by the NBAR feature will be successfully blocked.
Because of a problem with Cisco IOS (CSCin92327), a connection between an Easy VPN Remote client and an Easy VPN Server may timeout before the user has time to enter the credentials.
Due to a JVM bug (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4110094) Cisco SDM IPS may crash when large Signature Definition Files (SDF) are imported. When Cisco SDM is used to import large SDFs such as virtualsensor.xml or IOS-S178.zip, Cisco SDM crashes when dismissing the Import Signature dialog. This problem does not always occur.
Workaround: Set the Java heap size to -Xmx256m and try to import the file again. If you need to use Cisco SDM to perform a critical operation, complete that operation before reattempting to import the file.
VPN status in the Monitor window does not show IPsec security association (SA) parameters for DMVPN when CLI status commands report that the crypto tunnels are up and traffic is passing through. The DMVPN tunnel is shown as established in the IKE SA tab.
Workaround: Use the CLI to view DMVPN status.
If multiple instances of Cisco SDM are run under Netscape version 7.1 using the Java Virtual Machine (JVM) or the Java plug-in, and the user shuts down one instance of Cisco SDM, then all other open instances of Cisco SDM on that PC are shut down.
This problem occurs because Netscape version 7.1 uses only one instance of the JVM or the Java plug-in, even when multiple instances of Netscape are launched. As a result, when one instance of Cisco SDM is shut down, Netscape shuts down the JVM or the Java plug-in, and all other instances of Cisco SDM are also shut down.
Workaround: If Cisco SDM is run under Netscape version 7.1, open only one instance of Cisco SDM. Using Internet Explorer is advised when multiple instances of Cisco SDM must be opened, such as when the user must configure multiple routers at the same time.
When the crypto identity ca command is used, the Loopback0 interface is shown as having no configured IP address in the Edit Interfaces and Connections window, even though an IP address has been configured.
Workaround: Disregard the IP address information in the Interfaces and Connections window. If you need to view the IP address, choose the interface and click the Edit button.
When an Easy VPN Server is configured using Digital Certificates for authentication, and an Easy VPN Remote connection is configured on another router, the client statistics for the Easy VPN server are all shown as 0 in the VPN Status window.
Workaround: To view client statistics, choose Tools > Telnet. Log in to the router, and issue the show crypto session command.
When adding a new signature to the ATOMIC.ICMP engine, you may see the error message "[Enum(xxx)-StorageKey-ATOMIC.ICMP] the value AaBb is not a valid value."
Workaround: In the Add Signature window, go to the StorageKey parameter and click the green square to enable editing for this parameter. The green square icon changes to a red diamond icon. Choosing any value from the drop-down box fixes this problem.
If an Easy VPN Remote configuration has connections to more than one Easy VPN server configured, VPN troubleshooting may report results for only one VPN server or give incorrect recommendations. This issue is seen only in some Cisco IOS images.
Invoking Cisco SDM with a user associated with SDM_Monitor view adds a PKI trust point and an Easy VPN profile. This behavior does not affect the running configuration.
Workaround: Invoke Cisco SDM with a user associated with a different CLI view, or with a user of privilege level 15.
Cisco SDM filenames are case sensitive. If the Cisco SDM files are copied from the PC hard disk to a flash card, File Explorer changes the names to uppercase. When this happens, Cisco SDM cannot be invoked from this flash card.
Workaround: Before removing the flash card from the PC, restore the filenames to lowercase.
When the router is running a Cisco IOS image that does not support the show pppoe session command, WAN troubleshooting may not report any reasons for failure or recommended actions for PPPoE connections that are found to be down.
If a firewall is configured for an interface which already has a Management Access policy associated with it, choosing Replace in the Merge/Replace dialog box might prevent access to certain networks.
This occurs because choosing Replace causes the policy access control entries (ACEs) to be disassociated from the interface but not from the vty or HTTP line.
Workaround: When running the Firewall wizard on an interface configured with a Management Access policy, choose the Merge option instead of Replace and proceed.
VPN troubleshooting may report a possible Maximum Transmission Unit (MTU) problem in the passthrough network when the tunnel is up. If the VPN interface is a dialer interface configured on an asynchronous interface, this problem may not always exist, and the displayed recommended action will have no effect.
Workaround: Ignore this message and the corresponding recommendation.
Due to a problem with Cisco IOS, if a custom protocol is mapped to a port, the same custom protocol is specified for matching under a class map, and the custom protocol mapping is then deleted from the configuration, Cisco IOS gives no warning that the match protocol custom-01 commands that use the custom protocol mapping should be deleted first.
Workaround: Do the following:
–Configure the custom protocol again.
–Remove all the match protocol statements that reference the custom protocol that you configured.
–Remove the custom protocol from the configuration.
This problem is caused by Cisco IOS caveat CSCef52919. A user with privilege level 1 who is associated with a view may be able to log in to Cisco SDM with a privilege level of 15. This occurs when authentication, authorization, and accounting (AAA) is enabled, and a vty line is configured with a privilege level of 2 through 15.
Workaround: Do not configure users with privilege level 1. The problem does not occur when users with higher privilege levels are configured.
When you update Cisco SDM, if any of the uploaded SDM files shows a size of zero bytes when show flash is invoked, no operations such as copy or delete can be performed on flash memory. This problem rarely occurs.
Workaround: Restart the router to be able to perform operations on flash memory. If files of zero bytes are shown in a show flash display, restart the router before starting SDM.
The router does not reload with the default configuration when a user executes a Reset To Factory Defaults operation in Cisco SDM.
If the router is running Cisco IOS Release 12.2(11)T6, and the last 4 bits of the config-register value are set to 0, for example 0x2100 or 0x1100, the router does not reload when the user performs a Reset To Factory Defaults. Cisco SDM indicates that it has sent a reload command to the router and shuts down, and the default configuration is copied to the startup-config, but the reload command has not executed, and the router is still using the running configuration that was present before the Reset To Factory Defaults operation.
Workaround: Use the CLI config-register command to ensure that the last 4 bits of the config register are not set to 0 (zero).
If you delete a WAN connection that you created, an ip nat inside command may still remain in a LAN interface configuration.
Workaround: To delete the ip nat inside command from the LAN interface configuration, go to Edit Interfaces and Connections, choose the LAN interface, click Edit, and delete the association in the Association tab.
Enabling AES encryption or IP compression in the Add/Edit IKE Policy or Add/Edit Transform Set windows might not work even though the Cisco IOS image running on the router supports AES encryption or IP Compression. This may happen in the following circumstances:
–Hardware encryption is enabled.
–The router has a VPN module that does not support AES encryption or IP compression.
Workaround: Do one of the following:
–Disable hardware encryption by adding the no crypto engine accelerator command to the configuration file using the CLI interface. This command tells the router to use Cisco IOS software for encryption instead of using the encryption provided by the VPN module.
–Upgrade your hardware VPN module to one that supports AES or IP compression.
For more information on VPN modules, see the VPN data sheet.
When configuring static routing, if a virtual-template interface is configured as the next hop interface in a static route, Cisco SDM generates corresponding CLI commands. Delivering such commands to the router may fail on some platforms.
Workaround: Do not configure a virtual-template interface as a next hop interface if it is not supported on the router.
When Cisco SDM runs with a Cisco IOS image of a release earlier than 12.3T, or earlier than Release 12.2(13)ZH, the HTTP server appends unnecessary characters to names of files it displays. As a result, when Cisco SDM is started, the web browser displays the warning "Content does not match the signature."
Workaround: Disregard the warning and click Yes to continue.
When an Easy VPN tunnel is active, using Cisco SDM to apply a NAT configuration to the Easy VPN inside and outside interfaces will deliver ip nat inside and ip nat outside commands to the router, but the running configuration will not be changed. Cisco SDM displays no error message when this is attempted.
Workaround: To apply a NAT configuration to interfaces that have been designated as Easy VPN inside or outside interfaces, complete the following steps in Cisco SDM:
–Choose the Easy VPN tunnel in the VPN Connections window and click Disconnect. If the Connect/Disconnect button is disabled, choose the interface in the Interfaces and Connections window, open the Association tab for that connection and change the Easy VPN association to None.
–Open the NAT window, click Designate NAT Interfaces, and designate NAT inside and NAT outside interfaces.
–Select the Easy VPN tunnel, and click Connect. If you had to disassociate the Easy VPN tunnel from the connection, return to the Association tab, and choose the Easy VPN connection name again.
Cisco SDM will not start on a Cisco 831 router with 32 MB of memory if run from Netscape. An exception will be displayed in the Java console window, and in the router console window indicating a memory allocation failure.
Workaround: Run Cisco SDM using Internet Explorer version 5.5 or later. Or, if you want to continue to use Netscape, log in to the router CLI and enter the following memory-size command in global configuration mode:
Router# memory-size iomem 10
XAuth authentication intermittently fails, and Easy VPN tunnels cannot be established using Cisco SDM on routers running Cisco IOS Release 12.3(4)T. When the user attempts to do an XAuth authentication in Cisco SDM, the following error message is displayed:
Unable to establish a session with the router to process XAUTH request from the Easy VPN server. Easy VPN tunnel cannot be successfully brought up.
This message is followed by another indicating that the connect command was delivered to the router, but that the tunnel was not established.
Workaround: In the VPN Connections window, choose the Easy VPN tunnel configuration and click the Reset Tunnel button to clear the tunnel and reconnect it. If this does not bring up the tunnel, use the Login button, more than once if necessary, to bring up the tunnel.
When Cisco SDM Express runs with Cisco IOS image of Release 12.2(15)T, it fails to download the configuration file from the CNS server through the Cisco SDM Express wizard. See CSCin65539 for more details. This issue occurs only with Cisco IOS Release 12.2(15)T.
Workaround: Upgrade to Cisco IOS Release 12.3(4)T or later.
On Cisco 7x00 routers, the Cisco SDM Update feature is supported if the current Cisco SDM files were loaded onto the router flash disk or Compact Flash disk. However, the Cisco SDM Update feature fails to upload new Cisco SDM files to the router if the current Cisco SDM files were installed in flash memory. The Cisco SDM Update feature uses the RCP protocol to upload the new Cisco SDM files to the router, but the RCP server misinterprets the "flag" sent by the RCP client for the above-mentioned file systems.
Workaround: If the current Cisco SDM files were loaded into flash memory, update to the new Cisco SDM version by manually copying the new Cisco SDM files to the file system of the router using a TFTP server. To make use of the automatic Cisco SDM Update feature, always install Cisco SDM files on the flash disk or Compact Flash disks (disk0, disk1, disk2).
Cisco SDM should not be invoked from boot images, such as kboot images on 72xx routers. Such boot images are a subset of the Cisco IOS software and do not support all router functions.
Workaround: Boot the router with a Cisco SDM-supported Cisco IOS image, and then invoke Cisco SDM. See Table 2 for the Cisco IOS releases that Cisco SDM supports.
On 72xx platforms, encryption is not supported on PA-4T port adapters. Because the CLI does not support crypto maps for these types of interfaces, Cisco SDM will fail to assign crypto maps to these interfaces. The PA-4T port adapter will not support future compression and encryption features.
Workaround: Upgrade your 72xx router hardware to the PA-4T+ port adapter.
Whenever any unconfigured interface contains the description $FW_INSIDE$, on a router configured with a firewall, adding a new NTP server will not modify the firewall ACLs to allow NTP passthrough traffic. Instead, when the user edits the firewall's outside interface in the Interfaces and Connections window, Cisco SDM prompts the user to add the NTP passthrough traffic.
Workaround: Use the CLI to manually remove the description $FW_INSIDE$ from the unconfigured interface.
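Several of the caveats above describe conditions that are visible in the running configuration itself: the match protocol custom-01 references that must be removed before the custom protocol mapping (the three-step workaround above), the CSCef52919 combination of AAA, a privilege-1 user bound to a view and a vty line at privilege 2 through 15, the ip nat inside command left on a LAN interface after a WAN connection is deleted, and the $FW_INSIDE$ description left on an unconfigured interface. The following script is an added example, not Cisco or Cisco SDM code, that audits a saved copy of show running-config for all four. The sample configuration it reads is constructed for the example, and the exact form of the username/view line in it is assumed from the release-note text rather than copied from a router.

```python
"""Audit a saved Cisco IOS running configuration for four caveat conditions
from these release notes. Added example, not Cisco or Cisco SDM code; the
sample configuration is constructed and its command forms are assumed."""
import re
from typing import Dict, List

# Constructed sample: user name, view name and addresses are made up.
SAMPLE_CONFIG = """\
aaa new-model
username helpdesk privilege 1 view SDM_Monitor secret 5 $1$placeholder
!
class-map match-any app-traffic
 match protocol custom-01
!
interface FastEthernet0
 description $FW_INSIDE$
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
line vty 0 4
 privilege level 15
!
end
"""

def parse_sections(config: str) -> Dict[str, List[str]]:
    """Key "" holds every top-level line; each block header (interface,
    class-map, line ...) maps to its indented body lines, stripped."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections

def blocks(sections, prefix):
    """(header, body) pairs for blocks whose header starts with prefix."""
    return [(h, b) for h, b in sections.items() if h.startswith(prefix)]

def check_view_privilege(sections) -> List[str]:
    """CSCef52919 precondition: AAA enabled, a privilege-1 user bound to a
    CLI view, and a vty line granting privilege level 2 through 15."""
    if "aaa new-model" not in sections[""]:
        return []
    users = [m.group(1) for line in sections[""]
             if (m := re.match(r"username (\S+) privilege 1 view ", line))]
    vtys = [h for h, body in blocks(sections, "line vty") for line in body
            if (m := re.match(r"privilege level (\d+)$", line))
            and 2 <= int(m.group(1)) <= 15]
    return [f"CSCef52919: user {u} (privilege 1, view) with {v} at privilege 2-15"
            for u in users for v in vtys]

def check_custom_protocol_refs(sections) -> List[str]:
    """'match protocol custom-NN' under a class-map with no 'ip nbar custom'
    definition left for it: the state the deletion order above avoids."""
    defined = {m.group(1) for line in sections[""]
               if (m := re.match(r"ip nbar custom (\S+)", line))}
    return [f"{h}: {line} references an undefined custom protocol"
            for h, body in blocks(sections, "class-map") for line in body
            if (m := re.match(r"match protocol (custom-\d+)", line))
            and m.group(1) not in defined]

def check_nat_remnants(sections) -> List[str]:
    """'ip nat inside' left on an interface when no interface is 'ip nat
    outside': the remnant described after a WAN connection is deleted."""
    inside = [h for h, b in blocks(sections, "interface") if "ip nat inside" in b]
    outside = [h for h, b in blocks(sections, "interface") if "ip nat outside" in b]
    if inside and not outside:
        return [f"{h}: ip nat inside with no ip nat outside interface" for h in inside]
    return []

def check_fw_inside_on_unconfigured(sections) -> List[str]:
    """An unconfigured (no IP address, shut down) interface still carrying the
    $FW_INSIDE$ description, which blocks NTP passthrough ACL updates."""
    return [f"{h}: unconfigured interface tagged $FW_INSIDE$"
            for h, b in blocks(sections, "interface")
            if "description $FW_INSIDE$" in b and "no ip address" in b and "shutdown" in b]

def audit(config: str) -> List[str]:
    """Run every check and return the findings in a fixed order."""
    sections = parse_sections(config)
    return [f for check in (check_view_privilege, check_custom_protocol_refs,
                            check_nat_remnants, check_fw_inside_on_unconfigured)
            for f in check(sections)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports one finding per check. The NAT check is a heuristic: a router with ip nat inside and no ip nat outside interface is treated as carrying a remnant, which is the situation the caveat describes but may not hold on every design.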
If the interface used for the primary backup connection is configured for PPPoE encapsulation, the backup connection will not function properly if the next hop address is specified during configuration. A Cisco IOS caveat (CSCin64336) has been filed for this problem. If the interface used for the primary backup connection is an Ethernet interface configured without encapsulation, the backup connection will not function properly if the next hop address is not specified during configuration.
Workaround: Do one of the following:
–For PPPoE connections: Do not provide the next hop IP address when you configure the primary backup connection.
–For Ethernet connections without encapsulation: Do provide the next hop IP address when you configure the primary backup connection.
If the WAN wizard is used to configure an analog modem connection as a primary backup connection, and the analog modem connection is deleted, Cisco SDM may report that the interface contains unsupported configuration parameters.
Workaround: Click Refresh on the Cisco SDM toolbar, and delete the connection.
The Interfaces and Connections window may display the Backup option in disabled state for asynchronous interfaces on Cisco 831 and Cisco 837 routers. This will occur when the following operations have been performed:
–The interface used for the primary backup connection is configured with a Cisco SDM-supported IP address type.
–The asynchronous interface is configured as the backup for a primary interface.
–The IP address of the primary interface is changed.
When the IP address of the primary interface is changed, Cisco SDM displays a Yes or No warning popup asking if you want to remove the backup configuration. If you choose Yes, Cisco SDM removes the backup configuration, but the Interfaces and Connections window still shows the backup option as disabled, preventing you from choosing the asynchronous interface as a backup interface.
Workaround: Delete the asynchronous interface configuration using the Interfaces and Connections window.
When the router is configured to use PPPoE, users may not be able to download a file using FTP or display web pages from Internet hosts that they are able to ping or access using telnet. This can happen if Cisco SDM is being used on a router with interfaces that Cisco SDM does not support, such as Token Ring or VLAN interfaces. Cisco SDM does not deliver the command ip tcp adjust-mss 1452 to unsupported interfaces.
Workaround: Use the CLI to add the ip tcp adjust-mss 1452 command to the VLAN or Token Ring interface configuration. Use Telnet to access the router and enter the following command in VLAN or Token Ring interface configuration mode:
Router# ip tcp adjust-mss 1452
The Cisco SDM Express wizard may not deliver the configuration to a Cisco 2691 router running Cisco IOS images of Release 12.2(15)T or 12.2(15)ZJ when SSH is used to communicate between Cisco SDM Express and the router. When Cisco SDM Express is invoked using the string https://router-IP-address, it uses SSH.
Workaround: When launching Cisco SDM Express, click Cancel in the SSH credentials window. Cisco SDM Express will use the Telnet protocol to communicate with the router. Enter the login ID and password in the Telnet credentials window.
When launching the Dynamic Multipoint Virtual Private Network (DMVPN) Hub and Spoke wizard, Cisco SDM may take up to 12 seconds to display the first wizard window. This latency may occur if a JRE plug-in of any version is running in the browser, or if Cisco SDM is using the SSH or Telnet communications module.
Cisco SDM may take several seconds to display screens in the DMVPN wizard. This latency may occur if a Java plug-in is running in the browser.
Using an IP unnumbered interface as a DMVPN tunnel source may cause Cisco IOS to crash. An interface configured as IP unnumbered uses the IP address of another interface on the router. This Cisco IOS problem does not always occur.
Workaround: Instead of using an IP unnumbered interface as the DMVPN tunnel source, use the interface that is referenced in the ip unnumbered command. If you are configuring a hub, the interface must have a static IP address.
The router reloads when an NHRP tunnel interface is removed. This is a Cisco IOS caveat that you may encounter when deleting a DMVPN tunnel. This caveat duplicates CSCed41641.
Workaround: There is no workaround for this problem.
If an Analog Modem or ISDN connection is deleted using Cisco SDM, the dialer interface may not be deleted from the configuration and the router may reload. This is due to a Cisco IOS caveat, CSCin69090. This occurs on routers using Cisco IOS images of Release 12.3(4)XG or later, or Cisco IOS Release 12.3(7)T.
Workaround: There is no workaround for this problem.
On routers running Cisco IOS Release 12.3(6), Cisco IOS may reload if Cisco SDM is started using HTTPS.
Workaround: Start Cisco SDM by entering http://ip-address. Do not use https://ip-address.
The Cisco SDM Express wizard may fail if the router is running Cisco IOS Release 12.3(9) and there is not sufficient space in NVRAM to save the startup configuration. This problem should not occur with new routers.
Workaround: If this problem occurs, use the CLI to remove unneeded files from NVRAM.
Cisco SDM does not issue the ntp update-calendar Cisco IOS command on Cisco 7200 routers if there are no new settings to enter, the Network Time Protocol (NTP) server was configured using the CLI, only one NTP server IP address was provided, and no ntp update-calendar command was present in the running configuration.
Workaround: Use Cisco SDM to delete the NTP server configuration entry, click Refresh, and then re-create the entry, or make changes to the existing NTP server entry.
Because of a Cisco IOS issue (CSCee63313), if Cisco SDM is used to enable IPS on an interface, and then used to disable IPS on that interface, the router crashes.
Due to a Cisco IOS issue (see CSCee58000), Cisco SDM is unable to configure a virtual auxiliary port on Cisco 831, 836, or 837 routers running Cisco IOS Release 12.3(7)XR1.
Workaround: Load the rebuilt Cisco IOS Release 12.3(7)XR2 image on the router when it becomes available, and then use Cisco SDM to configure a virtual auxiliary port.
When Cisco SDM is installed on a PC, it cannot be launched if run from Netscape 7.1 or 7.2 and popup blockers have been enabled.
Workaround: In Netscape, go to Edit > Preferences > Privacy and Security > Popup Windows. In the Popup Windows section, uncheck Block unrequested popup windows, and then click Apply. Relaunch Cisco SDM.
A download exception message may appear in the Java console when Cisco SDM is launched on a PC running Japanese Windows 2000, or Japanese Windows XP. This problem does not prevent Cisco SDM from starting or from being used.
The Cisco SDM installation program does not use HTTPS to back up files from the router.
Workaround: No workaround exists.
When Cisco SDM is invoked from Cisco SDM Express, and Cisco SDM Express has been started under a nondefault browser, you must reenter router username and password before Cisco SDM will start.
Workaround: Use the default browser when launching Cisco SDM Express.
When Cisco SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer will display a message bar at the top of the browser window stating: "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..." Clicking Allow blocked content does not enable Cisco SDM to launch.
Workaround: In Internet Explorer, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch Cisco SDM.
When Cisco SDM is run with certain Cisco IOS images, the number of Open Shortest Path First (OSPF) processes created can be greater than the number of interfaces in the administratively UP state. However, the running configuration does not display the value of the area configured for these additional networks. Thus, Cisco SDM is unable to display the networks for these additional OSPF processes. This problem has been reported with the following Cisco IOS images:
Workaround: No workaround exists.
If signatures are imported using Cisco SDM IPS on a router running Cisco IOS Release 12.3(11)T3, the SystemVariables parameters are ignored by Cisco IOS.
Workaround: Upgrade to a Cisco IOS image that supports SystemVariables.
The Cisco SDM Update from PC feature will not operate when the SDM-Vnn.zip file is placed in a shared folder with read-only access.
Workaround: Do not place the SDM-Vnn.zip file in a folder with read-only access.
Because of a problem with Cisco IOS (CSCeg63077), VPN troubleshooting does not detect an IKE mismatch in a site-to-site VPN configuration. Instead, it gives a generic recommendation to apply the mirror configuration generated by Cisco SDM, which resolves the problem.
Workaround: Follow the recommendation displayed in the VPN troubleshooting window to apply the mirror configuration on both devices.
This section lists other documents with information on Cisco SDM.
See the quick start guide for the router, available on http://www.cisco.com, to learn how to set up the router hardware connections.
These documents are available on http://www.cisco.com/go/sdm.
•Cisco Router and Security Device Manager Q&A. Click Product Literature, and then click Q&A.
•Downloading and Installing Cisco Router and Security Device Manager (SDM). Click Install and Upgrade in the Technical Documentation and Tools box, and then click Install and Upgrade Guides.
•Switching from Cisco Router Web Setup Tool (CRWS) to Cisco SDM on Cisco 83X Series Routers. Click Install and Upgrade in the Technical Documentation and Tools box, and then click Install and Upgrade Guides.
•Running Non English Editions of SDM on English-Language Operating Systems. Click Maintain and Operate in the Technical Documentation and Tools box, and then click End User Guides.
•A number of application notes are available by clicking Reference Guides in the Technical Documentation and Tools box, and then clicking Technical References.
Note For information on obtaining documentation and technical assistance, product security, and additional information, see What's New, which also lists new and revised documents each month.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2003-2007 Cisco Systems, Inc. All rights reserved.