Table Of Contents
Cisco PIX Security Appliance Release Notes Version 7.1(1)
Contents
Introduction
System Requirements
Memory Requirements
Software Requirements
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Determining the Software Version
Upgrading to a New Software Release
New Features
Important Notes
Important Notes in Release 7.1
Maximum Security Contexts and VLANs Supported
IKE Delete-with-Reason
User Upgrade Guide
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
Features not Supported in Version 7.1
MIB Supported
Downgrade to Previous Version
Caveats
Open Caveats - Release 7.1(1)
Resolved Caveats - Release 7.1(1)
Related Documentation
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Documentation and Submitting a Service Request
Cisco PIX Security Appliance Release Notes Version 7.1(1)
February 2006
Contents
This document includes the following sections:
•
Introduction
•System Requirements
•New Features
•Important Notes
•Caveats
•Obtaining Documentation and Submitting a Service Request
Introduction
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.1.
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.
For more information on all the new features, see New Features.
Additionally, the security appliance software supports ASDM. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.
System Requirements
The sections that follow list the system requirements for operating a security appliance.
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.1.
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2 or 6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.1.
Table 1 Flash Memory Requirements
Security Appliance Model
|
Flash Memory Required in Version 7.1
|
PIX 515/515E
|
16 MB
|
PIX 525
|
16 MB
|
PIX 535
|
16 MB
|
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Software Requirements
Version 7.1(1) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.1 is PIX Version 7.0. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website:
http://www.cisco.com/public/sw-center/index.shtml
2. For information on specific licenses supported on each model of the security appliance, go to the following website:
http://www.cisco.com/go/license/index.html
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. For new installation requirements, see the following website:
http://www.cisco.com/public/sw-center/index.shtml
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.1(1). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.1(1). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as the write terminal and show running-config commands
•Failover (the configuration synchronization time)
•During a system reload
Cisco VPN Software Interoperability
Cisco VPN Series
|
Interoperability Comments
|
Cisco IOS routers
|
Version 7.1(1) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.
|
Cisco VPN 3000 concentrators
|
Version 7.1(1) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.
|
Cisco VPN Client Interoperability
Cisco VPN Client
|
Interoperability Comments
|
Cisco VPN client v3.x/4x
(Unified VPN client framework)
|
Version 7.1(1) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.
|
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Remote
|
Interoperability Comments
|
Cisco PIX Security Appliance Easy VPN Remote v6.3
|
Version 7.1(1) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
|
VPN 3000 Easy VPN remote v3.x/4x
|
Version 7.1(1) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.
|
Cisco IOS Easy VPN remote Release 12.2(16.4)T
|
Version 7.1(1) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.
|
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance.
Upgrading to a New Software Release
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/public/sw-center/index.shtml
If you want to upgrade or downgrade from Version 7.0.(x) to 7.1(1) and vice versa You must follow the steps below because older versions of the security appliance images does not recognize new ASDM images, new security appliance images does not recognize old ASDM images.
To upgrade from Version 7.0.(x) to 7.1(1), you must perform the following steps:
Step 1 Load the new Version 7.1(1) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will start using the Version 7.1(1) image.
Step 3 Copy the new ASDM Version 5.1(1) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
To downgrade from Version 7.1(1) to 7.0.(x), you must perform the following steps:
Step 1 Load the new Version 7.1(1) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will be use the Version 7.0(x) image.
Step 3 Copy the ASDM Version 5.0(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
New Features
Version 7.1(1) is a maintenance release which includes several caveat resolutions.
Important Notes
Important Notes in Release 7.1
This section lists important notes related to Version 7.1(1).
Maximum Security Contexts and VLANs Supported
The maximum security contexts supported in release 7.1(1) for the PIX 535 are 50 tiers. The maximum number of VLANs supported are 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide
IKE Delete-with-Reason
IKE syslogs for Delete-with-Reason will not contain the reason text unless the clients support this feature. Currently the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.
Note The PIX 501security appliance is not supported in software Version 7.1.
User Upgrade Guide
Before upgrading to Version 7.1(1), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in the Cisco PIX Software Version7.0. For a list of deprecated features, and user upgrade information, go to the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.1(1) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.1(1) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:
•ACE insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
•Outbound ACLs and Time-based ACLs - Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
•Enabling/Disabling of ACL Entries - Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.
Features not Supported in Version 7.1
The following features are not supported in Version7.1(1) release:
•PPPoE
•L2TP over IPSec
•PPTP
MIB Supported
For information on MIB Support, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. Loading a software image from monitor mode, on a PIX security appliance that has a PIX Version 7.0 file system, results in unpredictable behavior and is not supported. We strongly recommend that you use the
downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
Caveats
The following sections describe the caveats for the 7.1(1) release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 7.1(1)
Table 2 Open Caveats
ID Number
|
Software Release 7.1(1)
|
Corrected
|
Caveat Title
|
CSCsd11908
|
No
|
Traceback in logger_save thread
|
CSCsc15434
|
No
|
Assertion violation w/icmp traffic and icmp inspection
|
CSCsd21821
|
No
|
Traceback eip:sessmgrmain:_CheckSubRecConnectTime+23 after appl. act-key
|
CSCsd05080
|
No
|
inspect ftp cli creating unexpected error
|
CSCej04099
|
No
|
static xlate breaks management-access inside
|
CSCsc83495
|
No
|
dhcpc: client doesn't issue DISCOVER after server loses it's bindings
|
CSCsd17794
|
No
|
If FTP-Inspection is disabled in the ASA CLI the FTP-data is not scanned
|
CSCsd18563
|
No
|
Must ignore SPI field in Notify messages
|
CSCsd20882
|
No
|
Repeated Error messages on console
|
CSCsd21066
|
No
|
Static bypass in multicontext mode seems not working
|
CSCsd22425
|
No
|
multi-transparent mode ftp redirect is not working in my configuration
|
CSCsd23946
|
No
|
In Active-active failover, WCCP does not perform redirect correctly
|
CSCsb92848
|
No
|
ASA drops pkts with nat/global from third to outside
|
Resolved Caveats - Release 7.1(1)
Table 3 Resolved Caveats
ID Number
|
Software Release 7.1(1)
|
Corrected
|
Caveat Title
|
CSCsc53448
|
Yes
|
Traceback while adding an Admin context
|
CSCei68679
|
Yes
|
Traceback on telnet TACACS+ authentication through the firewall.
|
CSCsb53407
|
Yes
|
MFIB: tracebacks when bouncing multicast-routing
|
CSCsb55550
|
Yes
|
traceback in pki_ctm:_pki_ctm_verify_signature+164 - 8192 bit certs conn
|
CSCsc25780
|
Yes
|
Traceback Thread Name: pix_flash_config_thread (Old pc 0x00723a09 ebp 0x
|
CSCsc73580
|
Yes
|
traceback in logger_save after clear config logging
|
CSCsc02574
|
Yes
|
pki: ID cert signature validation failure allows successful connection
|
CSCsc56552
|
Yes
|
Adding user context causes traceback on Standby unit
|
CSCsc09932
|
Yes
|
Assertion in file vf_api.c, line 264, traceback in strdup:_int3+4
|
CSCeh97228
|
Yes
|
cTCP: cTCP connection are dropped sporadically when connected F1 Bet
|
CSCsc36187
|
Yes
|
traceback after OWA 2003 log on to email.cisco.com while page is opening
|
CSCsb76426
|
Yes
|
DACL fails intermittently in PIX 7.0 code with ACL can't be found
|
CSCsb76995
|
Yes
|
%PIX-3-113001: Unable to open AAA session. Session limit [32] reached
|
CSCei29277
|
Yes
|
Performance of Skinny calls through PIX is poor
|
CSCei33166
|
Yes
|
Crash while pinging through a L2L tunnel w/ 10,000 byte pings
|
CSCsb77397
|
Yes
|
Traceback: eip 0x00c3426c strcpy:_strcpy+12, using deb menu ike commands
|
CSCei52906
|
Yes
|
Routes assoc. w/ net ext tunnels fail to get removed after tun drop
|
CSCsc50830
|
Yes
|
Memory corruption and traceback in strdup with inspect sqlnet config
|
CSCsc50177
|
Yes
|
rsh not working with fixup and nat0 acl configured
|
CSCei57279
|
Yes
|
Cascading ACL: Deny rules not working after tunnel established
|
CSCei64608
|
Yes
|
GTP: box reloads when Create Response has 3rd party GSN addr
|
CSCei71868
|
Yes
|
Deny message for inbound traffic with no access-list changed
|
CSCsb79950
|
Yes
|
FTP put hangs and timesout on put both active and passive
|
CSCei83304
|
Yes
|
clear conf sec doesnt clear igmp and ospf param in ifx submode
|
CSCsb81575
|
Yes
|
key gen causes an assert if ASA/PIX has DES only license
|
CSCei92828
|
Yes
|
Authentication failing for virtual telnet/http in transperent mode
|
CSCei93790
|
Yes
|
Clear configure all in single transparent mode causes traceback
|
CSCsb97680
|
Yes
|
traceback in radpact:_RADPBldHWClientReauth+260 during 3002 New Pin Mode
|
CSCsb82583
|
Yes
|
PIX515E with VAC+ fails FIPS validation test and reboots
|
CSCej08898
|
Yes
|
tcpintercept caused trcback.embconn=0,maxconn!=0,eip:0x00c32dbc
|
CSCsc06282
|
Yes
|
fover: ip local pool fails to replicate after issuing from grp submode
|
CSCsb45373
|
Yes
|
Traceback tcp_slow after vpn system test script strtd snd cfg setupUUT
|
CSCsb46603
|
Yes
|
GTP: Responses that reject Create Requests are dropped
|
CSCsb47825
|
Yes
|
F1 fails to establish TCP remote access sessions with 3002 HW client
|
CSCsb49125
|
Yes
|
F1 crashes at <show debug> command
|
CSCsb56247
|
Yes
|
traceback in crypto_pki:_crypto_pki_poll_crl+52 - with crl opt PKI
|
CSCsb58364
|
Yes
|
VPNFO: tunnels get dropped when fover occurs
|
CSCsb61027
|
Yes
|
mcast: secondary crashes shortly after sync'd with primary
|
CSCsb62617
|
Yes
|
VPN: assertion 0 failed: file malloc.c, line 4570 RA dial/hang test
|
CSCsb63920
|
Yes
|
CLI: no ssl trust-point cmmd causes traceback, ssl_chain:_ssl_trustpoint
|
CSCsc09527
|
Yes
|
VPNFO: cannot establish a vpn tunnel session limit reached sa cnt -1
|
CSCsb71198
|
Yes
|
incorrectly formatted DL ACL causes traceback in IKE daemon
|
CSCsc24671
|
Yes
|
DHCP address set does not trigger reg_invoke_ip_address_change()
|
CSCsb72803
|
Yes
|
Crash triggered when system is out of memory
|
CSCsc88348
|
Yes
|
traceback eip 0x006c80d9 obj-f1/snp_asdp_dev:_snp_asdp_pkt_rx+821
|
CSCsc88444
|
Yes
|
Traceback seen: obj-f1/snap:_snap_mini_dump+26
|
CSCsc89279
|
Yes
|
Standby Traceback, eip 0x006be09e obj-f1/snp_sp_main:_snp_sp_action_conn
|
CSCsd00427
|
Yes
|
eip: ctm_ipsec:_ctm_ipsec_create_sa+2266 when 750-3.6 client con to 5520
|
CSCsd01134
|
Yes
|
assertion addr->ip_version == IP_VERSION_6 failed: file printf.c
|
CSCei85052
|
Yes
|
IPv6:Copy TFTP fails, acknowledgement is sent to different port
|
CSCei89095
|
Yes
|
SAs not coming up when initiator has multiple transform sets
|
CSCei90839
|
Yes
|
1550 block leak after active switch to standby under load
|
CSCei92225
|
Yes
|
show interface will show negative number in input error under load
|
CSCei93593
|
Yes
|
IPv6: If MTU set less than 1500, bigger size pckt doesnt go thru
|
CSCej02689
|
Yes
|
traceback - ssh_init thread - eip 0x00a30b8a.ssh protocol test.
|
CSCej04201
|
Yes
|
IPv6:Bigger size pckts > mtu size dont go thru without inspect icmp
|
CSCej12122
|
Yes
|
no routing interface <if_name> does not reset youngest md5 key
|
CSCej12123
|
Yes
|
OSPF external routes preferred over internal with multiple processes
|
CSCej12600
|
Yes
|
After upgrade from 7.0.1, not-monitored inf became monitored
|
CSCsb50946
|
Yes
|
High cpu due to shun command
|
CSCsb51869
|
Yes
|
PKI: subject-name help should give a DN syntax example
|
CSCsb52950
|
Yes
|
With banner exec command and # as delimiter replication not correct
|
CSCsb53288
|
Yes
|
max conn limit not applied for multicast
|
CSCsb55104
|
Yes
|
Syslog message 710003 is overloaded; behaves different than in PIX 6.3
|
CSCsb56772
|
Yes
|
Skinny: conn torndown because TCP proxy sends more data than peer window
|
CSCsb57307
|
Yes
|
Scopy hangs when copying a file from f1 when using ssh version 2
|
CSCsb58444
|
Yes
|
downloadable ACL not removed on vpn termination
|
CSCsb58749
|
Yes
|
auto-detect not working for downloadable acl wildcard mask
|
CSCsb59776
|
Yes
|
Traceback in radius_snd when using - test aaa-server to Radius/SDI
|
CSCsb61644
|
Yes
|
PIX crashes when acessing ASDM over IPSec/TCP-10000 tunnel
|
CSCsb61990
|
Yes
|
Traceback in IKE Daemon (eip 0x00c2af18 memcpy:_memcpy+216) RadiusExpiry
|
CSCsb63002
|
Yes
|
snmp traceback with GetNext-Bulks with arbitrary OIDS--rem-access mib
|
CSCsb63781
|
Yes
|
VPN L2L Phase2 negotiation fails when using NAT-T and rekey on data
|
CSCsb65869
|
Yes
|
clear configure secondary does not clear global configurations
|
CSCsb66250
|
Yes
|
VPNFO: error bad vPifNum when write standby on vpnlb master
|
CSCsb67119
|
Yes
|
Inspect ESMTP incorrectly rewrites smtp reply containing 220 in text
|
CSCsb67664
|
Yes
|
Failover command needs to support input of hex keys
|
CSCsb68910
|
Yes
|
TCP MSS exceeded syslog number changed in 7.0.3.x
|
CSCsb71010
|
Yes
|
show vpn-sessiondb detail l2l displays 0 for rekey info for IKE sa
|
CSCsb72665
|
Yes
|
PIX may drop valid TCP segments that carry data in final segment
|
CSCsb74946
|
Yes
|
AAA authorization command accepts access-list with remark only
|
CSCsb76280
|
Yes
|
Traceback on replication attempt, on secondary with active-active config
|
CSCsb76955
|
Yes
|
MSIE Proxy Method in Default Policy Group is not initialized properly
|
CSCsb77249
|
Yes
|
doing no firewall trans, gives Failed to clear stats for . message
|
CSCsb77693
|
Yes
|
VPN-Session detail missing subnet masks for 501 management tunnels
|
CSCsb79023
|
Yes
|
Failover help message needs update for failover hex key
|
CSCsb79135
|
Yes
|
Failover hex key lost after reload
|
CSCsb79160
|
Yes
|
terminal width is not sync from the primary while failover config sync
|
CSCsb79387
|
Yes
|
Media-type unknown when install 1GE card to PIX-535 and PIX-525
|
CSCsb79601
|
Yes
|
Downloadable user ACL for IPSec clients not getting deleted
|
CSCsb80196
|
Yes
|
DHCP ID String is limited to 50 characters, should be 128
|
CSCsb82618
|
Yes
|
VPN: an abundance of removing peer from peer table failed events
|
CSCsb82663
|
Yes
|
Out of order TCP packets degrade HTTP inspection performance
|
CSCsb82686
|
Yes
|
AUS: after replace update, no pager still gives more prompt
|
CSCsb85087
|
Yes
|
Support timeouts for channel connections
|
CSCsb85124
|
Yes
|
VPNFO: certificate removal commands are not replicated properly
|
CSCsb86351
|
Yes
|
config missing on secondary for failover
|
CSCsb88991
|
Yes
|
Traceback: Thread Name: IKE Daemon (Old pc 0x00195bfd ebp 0x031bf44c)
|
CSCsb89147
|
Yes
|
certificate-to-username mapping broken for some DN attributes
|
CSCsb89384
|
Yes
|
VPN Failover: Timer processing stops after failover...
|
CSCsb93634
|
Yes
|
Can't assign host mask (255.255.255.255) to ip pools
|
CSCsb94618
|
Yes
|
copy command is broken - cannot copy files beginning with the letter c
|
CSCsb94651
|
Yes
|
Overlapping static statements should be allowed
|
CSCsb95044
|
Yes
|
VPNLB: default should not be a VPN Load Balancing submode command...
|
CSCsb95152
|
Yes
|
FIPS: Test Vector changes to support external algorithm testing
|
CSCsb95259
|
Yes
|
No hits shown on access-list associated to a group-policy vpn-filter
|
CSCsb96197
|
Yes
|
FIPS: pairwise key test not executed upon asdm connection
|
CSCsb98407
|
Yes
|
VOIP: outside NAT configuration fails for SIP/SKINNY Scripts
|
CSCsb98925
|
Yes
|
PIX-3-210007: LU allocate xlate failed is logged on the standby PIX
|
CSCsb99192
|
Yes
|
Show access-list | inc xxx causes traffic through device to be delayed
|
CSCsb99360
|
Yes
|
Logging queue 0 is wrongly shown as being unlimited queue
|
CSCsb99760
|
Yes
|
pix 7.0.2 extended split acl reverse of 6.3 format
|
CSCsb99778
|
Yes
|
Logging:logging class cmds using external host shouldnt exist in sys ctx
|
CSCsb99792
|
Yes
|
PATed ICMP conn stops PIX from responding to ICMP Echo-Requests
|
CSCsb99907
|
Yes
|
Long deny-message values do not get displayed via the show command
|
CSCsc01105
|
Yes
|
ASDM needs to return multiple lines - CRL retrieval error being reported
|
CSCsc02230
|
Yes
|
nat entry with outside keyword : ERROR: unable to download policy
|
CSCsc03061
|
Yes
|
CLI should generate Warning if kerberos-realm is not in all uppercase
|
CSCsc06273
|
Yes
|
LU allocate xlate failed for ftp data flow when PAT is configured
|
CSCsc06619
|
Yes
|
memory malloc error during import of certificate or pkcs12
|
CSCsc06702
|
Yes
|
VPN: Interface counters are incorrectly incremented on decrypted packets
|
CSCsc06839
|
Yes
|
GTP: F1 hit crash after <clear config all> + create + delete PDP req.
|
CSCsc07532
|
Yes
|
When changing password on radius server user gets logged off
|
CSCsc08684
|
Yes
|
PIX 7.0.2 built connection number shows up as negative on syslog
|
CSCsc09472
|
Yes
|
CTCP: max CTCP connections limit to 5 when CTCP port is TELNET/SSH port
|
CSCsc10182
|
Yes
|
telnet connections to the appliance are refused on active state change
|
CSCsc11493
|
Yes
|
Implement Syslog to ACL Rule Correlation
|
CSCsc14591
|
Yes
|
xlate and xlate perfmon print graph are all zeros
|
CSCsc14600
|
Yes
|
Traceback in _snp_nat_api_iface_portlist_cleanup+19 on clear conf all
|
CSCsc15015
|
Yes
|
Memory corruption in route_list_erase
|
CSCsc15378
|
Yes
|
Telnet to pix outside interface through IPSEC connection fails
|
CSCsc15737
|
Yes
|
VPNFO: vpnlb cmds produce error on standby after a no participate cmd
|
CSCsc16014
|
Yes
|
PIX 7.0 Spoofed TCP SYN packets can block legitimate TCP connections
|
CSCsc16503
|
Yes
|
Transparent firewall ASR UDP out traffic got errors and inbound failed
|
CSCsc22130
|
Yes
|
capture command does not accept smaller buffer sizes
|
CSCsc25161
|
Yes
|
In reboot loop after auto-update loaded image
|
CSCsc26331
|
Yes
|
PKI: CR should not be used to terminate certificate console input
|
CSCsc26445
|
Yes
|
some esmtp commands not supported in server responses
|
CSCsc27972
|
Yes
|
Traceback when changing crypto maps when Answer-Only in lower sequence
|
CSCsc28889
|
Yes
|
Upgrade pix 6.3.5 to 7.0.4 with PFS does not maintain ipsec group
|
CSCsc31195
|
Yes
|
PIX traceback in thread name: uauth (Old pc 0x009edcc1 ebp 0x0147281c)
|
CSCsc31564
|
Yes
|
memory corruption when copying image from a https server on PIX
|
CSCsc32430
|
Yes
|
vPif_isVpifNumValid:.. strings displayed when exiting telnet session
|
CSCsc32795
|
Yes
|
ERROR % displayed for Cryptochecksum after reboot
|
CSCsc34059
|
Yes
|
PIX denies FTP authorization for a user authorized for all IP traffic
|
CSCsc35308
|
Yes
|
VPNFO: P1 SA reference count should not be a stack variable...
|
CSCsc35952
|
Yes
|
Failover units lost synchronization
|
CSCsc36129
|
Yes
|
FTP passive mode does not work with dynamic NAT
|
CSCsc38604
|
Yes
|
In sh-acl output, display unique-id printed in syslog when that line hit
|
CSCsc41241
|
Yes
|
Port fix of CSCsc41236 from 3k to F1
|
CSCsc42204
|
Yes
|
Syslog ID 111005 no longer being logged when user exits config mode
|
CSCsc49830
|
Yes
|
PIX repeatedly rebooting after upgrading and using VPN
|
CSCsc49873
|
Yes
|
VPN-filter not applied for remote VPN clients without xauth enabled
|
CSCsc50543
|
Yes
|
ping traffic authorized when user configured to permit telnet only
|
CSCsc50781
|
Yes
|
active ftp fails with nat-exemption
|
CSCsc51711
|
Yes
|
MGCP not working with nat 0 acl
|
CSCsc57901
|
Yes
|
Memory leak when the standby unit fails to parse IKE messages
|
CSCsc57935
|
Yes
|
Failover should give warning when there is OS version difference
|
CSCsc58031
|
Yes
|
VPNLB: cluster encryption remains enabled even after a clear config all
|
CSCsc58416
|
Yes
|
PIX traceback in Dispatch Unit thread
|
CSCsc59298
|
Yes
|
VPN: IPSec errors are reported when trying to fragment compressed pkts
|
CSCsc60506
|
Yes
|
Large banner from RADIUS is causing traceback
|
CSCsc61078
|
Yes
|
rand() should not depend upon dbgtrace()
|
CSCsc65309
|
Yes
|
FO: lan failure doesn't invoke failover if config lacks standby IP addre
|
CSCsc65328
|
Yes
|
CTM ERROR: Failed to issue a command to the hardware messages on console
|
CSCsc65532
|
Yes
|
ASDM login page doesn't paint logo after clicked on Applet mode launch.
|
CSCsc67347
|
Yes
|
VPN locks up under throughput stress
|
CSCsc68126
|
Yes
|
PIX may run out of free TCP Sockets
|
CSCsc68390
|
Yes
|
sa_noise tool persuades users to log themselves out
|
CSCsc70975
|
Yes
|
Port numbers to be used while calculating ACE hash
|
CSCsc71588
|
Yes
|
VPNLB: vpn load-balancing will not work after issuing a clear config all
|
CSCeg80301
|
Yes
|
sh cpu cont all doesnt show load from ctxs when conns not inspected
|
CSCsc74542
|
Yes
|
Potential crash in ifs_image_destroy
|
CSCeh81062
|
Yes
|
wrong ip addr on outgoing packets when PAT and static port are used
|
CSCeh81351
|
Yes
|
GTP:Cannot create PDP Context when u clear config all and re-apply
|
CSCeh90617
|
Yes
|
Recompiling ACLs can cause packet drops on low-end platforms
|
CSCei00497
|
Yes
|
PIX/ASA 7.0 doesnt encrypt packets if next hop is PIX interface.
|
CSCsc77884
|
Yes
|
GTP: should check spare bits in header
|
CSCei02273
|
Yes
|
1st log message is not sent by mail in transparent firewall
|
CSCei15147
|
Yes
|
Cannot make more than 12 url-server persistent TCP connections
|
CSCei20466
|
Yes
|
Increase in CPU utilization when OSPF is enabled
|
CSCei24458
|
Yes
|
show ip local pool broken - doing show run ...
|
CSCei24685
|
Yes
|
priority-queue submode prompt does not start with config-
|
CSCei28659
|
Yes
|
Static Analysis doesnt run after make native
|
CSCei33696
|
Yes
|
reload after attempting to authenticate a ca after first try fails.
|
CSCsc81031
|
Yes
|
Missing RADIUS accounting information
|
CSCsc81236
|
Yes
|
PIX may reload unexpectedly when processing ICMP Error packets
|
CSCsc81302
|
Yes
|
RSA/SDI New Pin Mode doesn't work with RSA ACE Server 6.0
|
CSCei38636
|
Yes
|
VPN3K Port: Change to confidence interval
|
CSCei38646
|
Yes
|
VPN3K Port: IKE ID check
|
CSCei41326
|
Yes
|
AAA: fallback to LOCAL authentication does not work for SSH
|
CSCei51867
|
Yes
|
Usability - crypto config should be grouped together in CLI output
|
CSCei60811
|
Yes
|
Running config for specific banner cannot be displayed.
|
CSCei61532
|
Yes
|
VPNFO: Cant create IPSec SA on standby box with downloadable ACLs
|
CSCei62347
|
Yes
|
acl interval default value not shown when inactive parameter used
|
CSCei65306
|
Yes
|
IPv6-icmp build connection syslog does not get generated
|
CSCsc90254
|
Yes
|
TCP intercept not triggered with TCP module
|
CSCsc90434
|
Yes
|
Internal TCP echo server and client can be enabled with nat command
|
CSCsc91618
|
Yes
|
object-group is not included in calculation for syslog-to-ace hash
|
CSCei67562
|
Yes
|
TCP tunnel doesnt come up in some cases
|
CSCei69065
|
Yes
|
bad vPifNum error msg seen when config ssl trust-point
|
CSCei74588
|
Yes
|
Add support for showing/clearing NAT policies
|
CSCei74698
|
Yes
|
IPv6 Fragmented does not work for more than 24 fragments
|
CSCei77763
|
Yes
|
Tcp conn limit exceeded syslog not generated on telnet sess limit
|
CSCei83234
|
Yes
|
F1 err w show os <pid> <area> if area is in dotted IP format
|
CSCsd00536
|
Yes
|
OWA 5.5 error unable to get inbox and no authentication page
|
CSCsd00557
|
Yes
|
Login to CiscoWorks fails with 'Cookies Disabled';Refresh allows login
|
CSCsd00621
|
Yes
|
D/L access-lists do not get removed under certain conditions - svc fails
|
CSCsd00695
|
Yes
|
Block in http redirect should be freed using freeb(), not free()..
|
CSCsd00771
|
Yes
|
Distinguish SSL and IPSec in Load Balancing
|
CSCei83942
|
Yes
|
PPTP connection throug PIX dropped after 2 min of inactivity
|
CSCsd01166
|
Yes
|
show service policy set conn detail shows non-existent connection
|
Related Documentation
Use this document in conjunction with the PIX Firewall and Cisco VPN client Version 3.x documentation at the following websites:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/tsd_products_support_series_home.html
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/tsd_products_support_series_home.html
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/en/US/partner/support/tsd_most_requested_tools.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Feedback
