Table Of Contents
Cisco PIX Security Appliance Release Notes Version 7.0(5)
Contents
Introduction
System Requirements
Memory Requirements
Software Requirements
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Determining the Software Version
Upgrading to a New Software Release
New Features
Command to Control DNS Guard
Enhanced IPSEC Inspection
Command to Disable RST for Denied TCP Packets
Password Increased in Local Database
Enhanced show interface and show traffic Commands
Important Notes
Important Notes in Release 7.0
Maximum Security Contexts and VLANs Supported
IKE Delete-with-Reason
User Upgrade Guide
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
Features not Supported in Version 7.0
MIB Supported
Downgrade to Previous Version
Caveats
Open Caveats - Release 7.0(5)
Resolved Caveats - Release 7.0(5)
Related Documentation
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Documentation and Submitting a Service Request
Cisco PIX Security Appliance Release Notes Version 7.0(5)
April 2006
Contents
This document includes the following sections:
•
Introduction
•System Requirements
•New Features
•Important Notes
•Caveats
•Obtaining Documentation and Submitting a Service Request
Introduction
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.
For more information on all the new features, see New Features
Additionally, the security appliance software supports ASDM. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.
System Requirements
The sections that follow list the system requirements for operating a security appliance.
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade the system memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.0.
Table 1 Flash Memory Requirements
Security Appliance Model
|
Flash Memory Required in Version 7.0
|
PIX 515/515E
|
16 MB
|
PIX 525
|
16 MB
|
PIX 535
|
16 MB
|
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Software Requirements
Version 7.0(5) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.0 is PIX Version 6.2. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website:
http://www.cisco.com/public/sw-center/index.shtml
2. For information on specific licenses supported on each model of the security appliance, go to the following website:
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See the "Upgrading to a New Software Release" for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.0(5). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.0(5). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as the write terminal and show running-config commands
•Failover (the configuration synchronization time)
•During a system reload
Cisco VPN Software Interoperability
Cisco VPN Series
|
Interoperability Comments
|
Cisco IOS routers
|
Version 7.0(5) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.
|
Cisco VPN 3000 concentrators
|
Version 7.0(5) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.
|
Cisco VPN Client Interoperability
Cisco VPN Client
|
Interoperability Comments
|
Cisco VPN client v3.x/4x
(Unified VPN client framework)
|
Version 7.0(5) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.
|
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Remote
|
Interoperability Comments
|
Cisco PIX Security Appliance Easy VPN Remote v6.3
|
Version 7.0(5) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
|
VPN 3000 Easy VPN remote v3.x/4x
|
Version 7.0(5) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.
|
Cisco IOS Easy VPN remote Release 12.2(16.4)T
|
Version 7.0(5) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.
|
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance.
Upgrading to a New Software Release
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/public/sw-center/index.shtml
New Features
Command to Control DNS Guard
Version 7.0(5) introduces a new global configuration command, dns guard to control the DNS guard function. In releases prior to 7.0(5), the DNS guard functions were always enabled regardless of the configuration of DNS inspection:
•Stateful tracking of the DNS response with DNS request to match the ID
•Tearing down the DNS connection when all pending requests are responded
This command is effective only on interfaces with inspect dns disabled. When DNS inspection is enabled, the DNS guard function is always performed. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Enhanced IPSEC Inspection
The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.
A new policy-map command inspect ipsec-pass-thru is added to enable this feature.
Command to Disable RST for Denied TCP Packets
When a TCP packet is denied, the security appliance always sends a reset when the packet is going from a high security to a low security interface. The service resetinbound command is used to enable or disable sending resets when TCP packet is denied when going from a low security to a high security interface. The service resetinbound command is introduced to control sending RESETs when a packet is denied when goingthrough from a high security to a low security interface. The existing service resetinbound command is enhanced to take an additional interface option.
[no] service resetoutbound [interface <ifc name>]
[no] service resetinbound [interface <ifc name>]
For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Password Increased in Local Database
Username and enable password length limits increased from 16 to 32 in the LOCAL database, in the security appliance.
Enhanced show interface and show traffic Commands
The traffic statistics displayed in both the show interface and show traffic commands now support 1 minute rate and 5 minute rate for input, output and drop. The rate is calculated as the delta between the last two sampling points. For the 1 minute rate and 5 minute rate, a 1 minute timer and a 5 minute timer are run constantly for the rates respectively. An example of the new display follows:
1 minute input rate 128 pkts/sec, 15600 bytes/sec
1 minute output rate 118 pkts/sec, 13646 bytes/sec
1 minute drop rate 12 pkts/sec
5 minute input rate 112 pkts/sec, 13504 bytes/sec
5 minute output rate 101 pkts/sec, 12104 bytes/sec
5 minute drop rate 4 pkts/sec
Important Notes
Important Notes in Release 7.0
This section lists important notes related to Version 7.0(5).
Maximum Security Contexts and VLANs Supported
The maximum security contexts supported in release Version 7.0(5) for the PIX 535 are 50 tiers. The maximum number of VLANs supported are 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide.
IKE Delete-with-Reason
IKE system log messages for Delete-with-Reason do not contain the reason text unless the clients support this feature. Currently the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.
Note The PIX 501security appliance is not supported in software Version 7.0.
User Upgrade Guide
Before upgrading to Version 7.0(5), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in the Cisco PIX Software Version7.0. For a list of deprecated features, and user upgrade information, go to the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.0(5) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.0(5) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:
•ACE insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
•Outbound ACLs and Time-based ACLs - Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
•Enabling/Disabling of ACL Entries - Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.
Features not Supported in Version 7.0
The following features are not supported in Version 7.0(5) release:
•PPPoE
•L2TP over IPSec
•PPTP
MIB Supported
For information on MIB Support, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the
downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
Caveats
The following sections describe the caveats for Version 7.0(5).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 7.0(5)
Table 2 Open Caveats
ID Number
|
Software Release 7.0(5)
|
Corrected
|
Caveat Title
|
CSCei47678
|
No
|
SNMP packet size standards in RFC3417 not fully supported.
|
CSCek21836
|
No
|
SIP: BYE embryonic connection timestamp not updated.
|
CSCsc36891
|
No
|
Higher CPU utilization for url filtering in recent releases.
|
CSCsc37965
|
No
|
IP-directed broadcasts no longer allowed through device.
|
CSCsc68575
|
No
|
CPU usage is higher for given traffic throughput in recent releases.
|
CSCsc97602
|
No
|
Traceback is sometimes observed in tmatch compile thread.
|
CSCsd00086
|
No
|
ASDM connection may cause packet loss
|
CSCsd08170
|
No
|
UDP 500 not removed from pat port pool when crypto map is applied
|
CSCsd59936
|
No
|
Registering to the RP for PIM fails if fragmented in more then 12 packs
|
CSCsd69625
|
No
|
EZVPN:IOS C876 Client can't connect to ASA using digi certs and noXauth
|
CSCsd75865
|
No
|
VPN address pool overlap may cause packet drop.
|
CSCsd78428
|
No
|
Traceback may occur in Checkheaps on standby unit
|
CSCsd79596
|
No
|
H245 connection going idle although traffic on RTP stream and H225.
|
CSCsd82355
|
No
|
Malformed syslog packets may be generated.
|
CSCsd82714
|
No
|
RTSP fails with Windows media player
|
CSCsd84394
|
No
|
IPSec: Invalid block submitted to outbound packet processing
|
CSCsd85345
|
No
|
Traceback may occur in fover_parse on 7.0.4
|
CSCsd89503
|
No
|
Traceback during failover in routing module
|
CSCsd93207
|
No
|
Show failover indicates different uptimes on devices in failover pair
|
CSCsd93380
|
No
|
Packets for VPN-l2l peer get dropped instead of encrypted
|
Resolved Caveats - Release 7.0(5)
Table 3 Resolved Caveats
ID Number
|
Software Release 7.0(5)
|
Corrected
|
Caveat Title
|
CSCeh46345
|
Yes
|
Dynamic L2L could pass clear text traffic when tunnel terminates
|
CSCeh60845
|
Yes
|
Logging queue incorrectly registers 8192 256-byte blocks
|
CSCeh70043
|
Yes
|
DOC: sh asp drop needs further clarification in doc
|
CSCeh90617
|
Yes
|
Recompiling ACLs can cause packet drops on low-end platforms
|
CSCei43588
|
Yes
|
traceback when trying to match a packet to acl with deny
|
CSCek21835
|
Yes
|
Higher metric OSPF external route is selected
|
CSCek21836
|
Yes
|
SIP: PIX does not update BYE embryonic's timestamp.
|
CSCek21837
|
Yes
|
PDM with Command Authorization requires the write command for Read-Only
|
CSCek21838
|
Yes
|
SIP: fail to open a conn for Record route in NOTIFY
|
CSCek21843
|
Yes
|
SIP: Not translate c= address if first m= has port 0 in SDP body
|
CSCek21846
|
Yes
|
SIP: PIX does not parse the expire value in Register
|
CSCek21849
|
Yes
|
Backspace sent in cut-through proxy authentication
|
CSCek26572
|
Yes
|
tftp fixup does not allow error message from client
|
CSCek27919
|
Yes
|
PIX reload with Thread Name: tcp_slow
|
CSCsb98925
|
Yes
|
PIX-3-210007: LU allocate xlate failed is logged on the standby PIX
|
CSCsc02485
|
Yes
|
Session Cmd: sendind 036xr to exit session to ssm causes Traceback
|
CSCsc03061
|
Yes
|
CLI should generate Warning if kerberos-relm is not in all uppercase
|
CSCsc07614
|
Yes
|
Minimum unit poll time causes trouble for failover with 4GE card
|
CSCsc08188
|
Yes
|
5540 crash during 1000+ tunnel, multi-encapsulation system testing
|
CSCsc12094
|
Yes
|
AAA fallback authentication does not work with reactivation-mode timed
|
CSCsc15378
|
Yes
|
Telnet to PIX outside interface through IPSEC connection fails
|
CSCsc15434
|
Yes
|
Assertion violation w/icmp traffic and icmp inspection
|
CSCsc16014
|
Yes
|
PIX 7.0 Spoofed TCP SYN packets can block legitimate TCP connections
|
CSCsc16041
|
Yes
|
'clear local host' results in memory leak
|
CSCsc16507
|
Yes
|
url-server: cannot remove despite having removed url-block cmd
|
CSCsc18324
|
Yes
|
PIX 7.0.2 crashes in Dispatch Unit (Old pc 0x001dbdc6 ebp 0x01212404)
|
CSCsc18444
|
Yes
|
Tunnel-group for specific peer not created upgrading to 7.0 w/ certs
|
CSCsc18911
|
Yes
|
PIX does not remove OSPF route for global PAT entry after deleting
|
CSCsc20032
|
Yes
|
PIX may reload in IPsec message handler when clearing IPSec SAs
|
CSCsc20102
|
Yes
|
webfo: traceback during bulk sync in vpnfol_thread_sync
|
CSCsc23718
|
Yes
|
ERROR: Command requires failover license - seen in PIX upgrade to 7.0
|
CSCsc26331
|
Yes
|
PKI: CR should not be used to terminate certificate console input
|
CSCsc27972
|
Yes
|
Traceback when changing crypto maps when Answer-Only in lower sequence
|
CSCsc28889
|
Yes
|
Upgrade PIX 6.3.5 to 7.0.4 with PFS does not maintain ipsec group
|
CSCsc29264
|
Yes
|
TACACS+ command authorization uses service=PIXshell
|
CSCsc31195
|
Yes
|
PIX crash Thread Name: uauth (Old pc 0x009edcc1 ebp 0x0147281c)
|
CSCsc31762
|
Yes
|
Fixup RTSP does not re-write the SET Parameter to the NATed IP address
|
CSCsc31788
|
Yes
|
Failover Primary access-list delete problem crashes secondary
|
CSCsc33385
|
Yes
|
GTP - pdp context creation failed - GSN tunnel limit exceeded
|
CSCsc34022
|
Yes
|
PIX requires improved failover testing method
|
CSCsc36332
|
Yes
|
Crash with show running-config all when priority class configured
|
CSCsc36898
|
Yes
|
FIPS: POST Bypass test failure
|
CSCsc37492
|
Yes
|
PIX: snmp-server host is not working in some circumstances
|
CSCsc39334
|
Yes
|
Crash due to check-retransmission from the tcp-map
|
CSCsc39559
|
Yes
|
APPFW:Obfuscated characters causing alert with firefox browser
|
CSCsc42204
|
Yes
|
Syslog ID 111005 no longer being logged when user exits config mode
|
CSCsc44566
|
Yes
|
Traceback in Dispatch Unit - pm_rcv_cb_ids
|
CSCsc44591
|
Yes
|
Traceback in ARP Thread - arp_sendbp in multi context mode
|
CSCsc46976
|
Yes
|
SIP: crash when failed to pre-allocate early rtp
|
CSCsc48330
|
Yes
|
OpenSSL Security Advisory: Potential SSL 2.0 Rollback
|
CSCsc49830
|
Yes
|
IKE daemon crashes after upgrading
|
CSCsc49873
|
Yes
|
VPN-filter not applied without for remote VPN clients without xauth
|
CSCsc51939
|
Yes
|
Performance throughput problems through the PIX w/ http inspect enabled
|
CSCsc56552
|
Yes
|
Adding user context causes traceback on Standby unit
|
CSCsc57901
|
Yes
|
Memory leak when the standby unit fails to parse IKE messages
|
CSCsc59298
|
Yes
|
VPN: IPSec errors are reported when trying to fragment compressed pkts
|
CSCsc60506
|
Yes
|
Large banner from RADIUS is causing traceback
|
CSCsc67347
|
Yes
|
VPN locks up under throughput stress
|
CSCsc68126
|
Yes
|
PIX may run out of free TCP Sockets
|
CSCsc68575
|
Yes
|
PIX 535 7.0.2 show cpu usage at 75% for traffic throughput of 140 Mbs
|
CSCsc73580
|
Yes
|
traceback in logger_save after clear config logging
|
CSCsc73942
|
Yes
|
TCP RST is dropped when there is outstanding data that is not acked
|
CSCsc77884
|
Yes
|
GTP: should check spare bits in header
|
CSCsc78010
|
Yes
|
PIX 7.0.4 Crash in Thread Name: Checkheaps
|
CSCsc78900
|
Yes
|
Reload with Thread Name: Dispatch Unit at tcp_check_packet
|
CSCsc81236
|
Yes
|
PIX may reload unexpectedly when processing ICMP Error packets
|
CSCsc81668
|
Yes
|
https://<ip>/config does not have the same privilege level as 'write'
|
CSCsc84291
|
Yes
|
When using SSL the warning message is not returned back
|
CSCsc86217
|
Yes
|
Voice Proxy Function does not preserve DSCP bits
|
CSCsc90826
|
Yes
|
PIX 7.0 getting the error %PIX-1-106021 when ip verify command enable
|
CSCsc90944
|
Yes
|
PIX sends malformed https proxy authentication page.
|
CSCsc91450
|
Yes
|
PIX 7.0 ftp control channel timing out although data channel is active
|
CSCsc92575
|
Yes
|
Upgrade Activation Key reduces permitted interfaces
|
CSCsc93061
|
Yes
|
PIX crashes after activation of vpn-filter
|
CSCsc97846
|
Yes
|
CPU utilization increase when adding more logging hosts
|
CSCsc97905
|
Yes
|
traceback when running codenomicon snmp suite. eip 0x00ebf294
|
CSCsc97999
|
Yes
|
Syslog Message ID PIX-4-313003 is Overloaded
|
CSCsc98336
|
Yes
|
Large group-policy names cause crash if used with IPSec
|
CSCsc98339
|
Yes
|
Failovered secondary PIX crash when primary unit turned off
|
CSCsc99263
|
Yes
|
GTPv1: Subsequent Create Req to modify PDP context IEs are not processed
|
CSCsc99339
|
Yes
|
traceback when running ospf codenomicon suite.eip 0x00ef5f7c
|
CSCsc99364
|
Yes
|
SSL Certs from Verisign Managed PKI do not install
|
CSCsd00051
|
Yes
|
SNMP polling may cause packet loss
|
CSCsd01096
|
Yes
|
Primary active crash and both primary and secondary are non-active
|
CSCsd01722
|
Yes
|
PIX 7.0 logging message 419001 always sent in message lists
|
CSCsd02938
|
Yes
|
PIX doesn't reconnect if websense server goes down
|
CSCsd03391
|
Yes
|
TCP Intercept doesn't negate CPU impact when SYN flood from adjacent net
|
CSCsd04700
|
Yes
|
match port option for setting connection time-outs does not work
|
CSCsd08060
|
Yes
|
Memory corruption caused by session DB when events are out of sync
|
CSCsd10138
|
Yes
|
Crash in Checkheaps thread when enabling LAN2LAN vpn
|
CSCsd11179
|
Yes
|
SNMP polling of resource MIBS may cause packet loss
|
CSCsd11511
|
Yes
|
Crash due to memory corruption in sanity check of the Checkheaps thread
|
CSCsd11908
|
Yes
|
Traceback in logger_save thread
|
CSCsd13938
|
Yes
|
Traceback and Assertion in "fover_dev.c", line 513
|
CSCsd16751
|
Yes
|
GTP: wrong service-policy used when connection is re-used
|
CSCsd22910
|
Yes
|
users with passwords longer than 11 chars can no longer authenticate
|
CSCsd31068
|
Yes
|
platform image read as ascii if uploaded by asdm to flash:
|
CSCsd34070
|
Yes
|
H.245 inspection skipped when malformed GKRCS packet
|
CSCsd36030
|
Yes
|
in multiple policy-maps, packets should match the first map, not the last
|
CSCsd37075
|
Yes
|
DSH API should check for 0 handle
|
CSCsd38929
|
Yes
|
SSL Verisign imported certificate fails when establishing SSL session
|
CSCsd39029
|
Yes
|
Traceback with Thread Name: Dispatch Unit
|
CSCsd44349
|
Yes
|
PIM codenomicon suite crashes box - eip 0x010811f3
|
CSCsd45099
|
Yes
|
logging debug-trace should not prevent debugs from printing to console
|
CSCsd46111
|
Yes
|
Traceback when using sh xlate via telnet over VPN tunnel
|
CSCsd46922
|
Yes
|
High CPU usage when configuring/compiling ACL's
|
CSCsd48512
|
Yes
|
Duplicate ASP crypto table entry causes firewall to not encrypt traffic
|
CSCsd51884
|
Yes
|
Restore debug icmp trace functionality - showing nat translation
|
CSCsd58400
|
Yes
|
PIX fails to send Embryonic Limit Exceeded message
|
CSCsd58620
|
Yes
|
H.323: Memory Leak Under Load
|
CSCsd58848
|
Yes
|
Memory allocated for connections not freed
|
CSCsd64394
|
Yes
|
Deny syslog not generated for denied URLs traffic
|
CSCsd64912
|
Yes
|
url-server: tcp connections fail when tcp stack users are exhausted
|
CSCsd64920
|
Yes
|
url-server: url lookup requests are not retried when using tcp
|
CSCsd65209
|
Yes
|
url-block block: http response buffering feature does not work
|
CSCsd65215
|
Yes
|
Capture access-list shows only 1 hit count for outbound traffic
|
CSCsd67647
|
Yes
|
Traceback in obj-f1/tcp:_q_copydata+26 on copying image to ftp server
|
CSCsd70242
|
Yes
|
Some syslogs are incorrectly logged to an event list, when not specified
|
CSCsd70812
|
Yes
|
HA: Traffic Stall after config syncing running Act/Act fover
|
CSCsd71386
|
Yes
|
RTSP traffic led the PIX to crash
|
CSCsd72617
|
Yes
|
Dispatch Unit Crash when HTTP inspect enabled...PIX 7.1.2, 7.0.4-11
|
CSCsd72951
|
Yes
|
Traceback: Thread Name: IKE Daemon (Old pc 0x00507433 ebp 0x03bdc498)
|
CSCsd73852
|
Yes
|
PIX H.323 Inspect not opening media stream
|
CSCsd74964
|
Yes
|
SNP Inspect Http drops messages other than GET
|
CSCsd75794
|
Yes
|
MFW:R applfw crash on codenomicon http suite, test 39614 or 39615
|
CSCsd76384
|
Yes
|
dhcpc fails when management-access is configured
|
CSCsd77018
|
Yes
|
Traceback in obj-f1/snp_fp_main:_snp_fp_fragment+260
|
CSCsd77155
|
Yes
|
All out of order packets dropped by tcp normalizer
|
CSCsd78595
|
Yes
|
Global buffer drop output under show service-policy
|
CSCsd81496
|
Yes
|
crash when websense service is restarted while requests are pending
|
CSCsd82047
|
Yes
|
PIX 7.0(4) FO : bad LU from Act causes LU allocate xlate failed on Std
|
CSCsd82114
|
Yes
|
Change of log options on the ACE doesn't take immediate effect
|
CSCsd83007
|
Yes
|
Need ability to disable dns guard in 7.0
|
CSCsd83863
|
Yes
|
Reload with Thread Name: Dispatch Unit
|
CSCsd85451
|
Yes
|
SAs not created when crypto map group and isakmp policy group are differ
|
CSCsd86841
|
Yes
|
F1 crash immediately after sending ping traffic thru GTP tunnel
|
CSCsd87779
|
Yes
|
fips self test power on never completes
|
Related Documentation
Use this document in conjunction with the PIX Firewall and Cisco VPN client Version 3.x documentation at the following websites:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
.
Feedback
