Cisco Security Manager

Release Notes for Cisco Security Manager 3.1.1

Table Of Contents

Release Notes for Cisco Security Manager 3.1.1

Contents

Introduction

What's New in Security Manager 3.1.1

Installation Notes

Cisco Security Manager 3.1.1 Download and Installation Instructions

Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions

Important Notes

IPS and IOS IPS Notes

Resolved Problems

Known Problems

Catalyst 6500/7600 Configuration

Client Software

Deployment

Device Management

Diagnostics, Monitoring, and Troubleshooting Tools

Discovery

Firewall Services

Installation and Upgrade

IPS and IOS IPS

Miscellaneous Issues

PIX/ASA/FWSM Configuration

Policy Objects

Router Configuration

Site-to-Site/Remote Access/SSL VPN Configuration

Tools

User Interface

Auto Update Server (AUS) 3.1.1

AUS Known Problems

Documentation Updates

IPS Event Viewer

New Features in Security Manager 3.1

Discovering Remote Access VPN Policies

Device OS Version Interoperability with Device Managers Started from Security Manager

Where To Go Next

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for Cisco Security Manager 3.1.1


Revised: April 14, 2008
CDC Date: April 14, 2008

Introduction

This document contains release note information for the following:

Cisco Security Manager 3.1.1 (including Service Packs 1, 2, and 3)

Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM, VPNSM, VPN SPA, and ISDM-2). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.

Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices through to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.

Security Manager supports multiple configuration views optimized around different task flows and use cases.

Auto Update Server 3.1

The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.

Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.


Note Before using Cisco Security Manager 3.1.1, we recommend that you read this entire document. However, it is critical that you read the "Important Notes" section, the "Installation and Upgrade" section, and the Installation Guide for Cisco Security Manager 3.1 before installing or upgrading to Cisco Security Manager 3.1.1.


This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.

What's New in Security Manager 3.1.1

Upgrade from Security Manager 3.0.2 and 3.1.

Ability to cross-launch ASDM 5.0(7) from Security Manager for ASA 7.0(1) through ASA 7.0(7) and PIX 7.0(1) through PIX 7.0(6). For more information, see Device OS Version Interoperability with Device Managers Started from Security Manager.

Ability to cross-launch the following most recently released device managers from Security Manager for the OS versions running on a device (Reference CSCsj51974).

ASDM 5.2(3) support for ASA and PIX 7.2.

PDM 4.1(5) support for FWSM 2.x.

ASDM 5.2(2)F support for FWSM 3.x.

SDM 2.4.1 support for the most recent and previous releases of Cisco IOS software running on your Cisco router.

Cisco Security Manager 3.1.1 Service Pack 1 problem resolutions (Table 3) and additional device support:

Cisco IPS 4270 Sensor - http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html

Cisco Security Manager 3.1.1 Service Pack 2 problem resolutions (Table 2).

Support for Windows 2003 Server SP2.

The ability to start the device manager from Security Manager for security appliances even if the HTTPS port number on the device is changed to any port number other than the default value of 443. In Security Manager 3.1, you could start the device manager from Security Manager only if the HTTPS port number on the device was retained at the default value.

If you started the device manager for a device with a different HTTPS port number than the currently configured value, the changed port number does not take effect for the first instance of device manager launch. This failure occurs because Security Manager attempts to establish a connection with a device with the cached port number, based on the connection timeout and retry count values specified in the Device Communication page. However, subsequent attempts to start the device manager are successful because Security Manager connects to the device using the changed port number.

A new export utility, which runs from the command line, that you can use to generate and export a device inventory report in csv format.

The option to control whether devices are automatically preselected for deployment.

Improvements to activity approval notifications. Only users who are viewing data that has been updated by another user are prompted to refresh their view of the data.

Installation Notes

You can install Security Manager 3.1.1 server software directly, or you can upgrade the software on a server where either Security Manager 3.1 or Security Manager 3.0.2 is installed. In addition to reading the following installation notes, we strongly recommend that you refer to the Installation Guide for Cisco Security Manager 3.1 for important information regarding server requirements, server configuration, and post-installation tasks.

Upgrading to Security Manager 3.1.1 from version 3.0.2 or 3.1: Before you can successfully upgrade to Security Manager 3.1.1 from a prior version of Security Manager (versions 3.0.2 or 3.1 only), you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. For instructions, see "Upgrading Server Applications" in the Installation Guide for Cisco Security Manager 3.1.

Upgrading to Security Manager 3.1.1 from version 3.0.2: Before you can successfully upgrade to Security Manager 3.1.1 from Security Manager 3.0.2, you need to uninstall Cisco Security Agent (CSA) then reboot your system for the upgrade to be successful. After you manually uninstall the old CSA and reboot, you need to invoke the 3.1.1 upgrade script to execute the actual upgrade.

Service Packs: Service packs cannot be installed by themselves. They are intended for installation on an existing installation of Cisco Security Manager 3.1.1. Service Pack 3 is a superset of Service Pack 2 (and Service Pack 2 is a superset of Service Pack 1), so you can install Service Pack 3 with or without installing Service Pack 2 first. For more information, see Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions.

Restoring Databases: If you have installed any service packs on your server and you restore a database that was backed up prior to installing those service packs, you must reapply the service packs after restoring the database.

Cisco Security Manager 3.1.1 Download and Installation Instructions

To download and install Cisco Security Manager 3.1.1:


Step 1 Log in to Cisco.com.

Step 2 Go to http://www.cisco.com/go/csmanager, then click Download Software.


Note RME is not included in the downloadable version of the installation utility. For information on installing Resource Manager Essentials, please refer to the Installation Guide for Cisco Security Manager 3.1.


Step 3 Download fcs-csm-311-w2k-k9.exe.


Note Save the installation utility on a disk that is local to your server. Installation cannot succeed over a network connection to a remote volume, even if installation seems to succeed.


Step 4 Run the file that you downloaded.

The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.


Note For detailed installation instructions, refer to the Installation Guide for Cisco Security Manager 3.1.



Tip If an error message says the file contents cannot be unpacked, we recommend that you empty the Temp directory, scan for viruses, delete the C:\Program Files\Common Files\InstallShield directory, then reboot and retry.



Cisco Security Manager 3.1.1 Service Pack 3 Download and Installation Instructions


Note The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2.0 from 3.1.1 SP3, you will lose the added functionality that was provided in SP3.


To download and install Cisco Security Manager 3.1.1 Service Pack 3:


Step 1 Log in to Cisco.com.

Step 2 Navigate to http://www.cisco.com/pcgi-bin/tablebuild.pl/csm-app.

Step 3 Download the file fcs-csm-311-sp3-w2k-k9.exe.

Step 4 To install the service pack, close all open applications, including the Cisco Security Manager Client.

Step 5 Manually stop the Cisco Security Agent (CSA) from Start > Settings > Control Panel > Administrative Tools > Services.

Step 6 Install the Security Manager 3.1.1 FCS build (with or without Service Pack 1) on your server if you have not already done so.

Step 7 Run the fcs-csm-311-sp3-w2k-k9.exe file that you previously downloaded.

Step 8 In the Install Cisco Security Manager 3.1.1 Service Pack 3 dialog box, click Next and then Install in the next screen.

Step 9 After the updated files have been installed, click Finish to complete the installation.


Note The Daemon Manager is automatically stopped and restarted during the installation process.


Step 10 After the patch has been applied, navigate to the client installation directory and clear the cache file, for example, <Client Install Directory>/cache.


Important Notes

When you perform a policy query in Security Manager, interface names are not case sensitive. However, when you perform a policy query in a Cisco Security Monitoring, Analysis, and Response System Appliance (MARS appliance), interface names are case sensitive. For example, outside and Outside are considered exclusive by a MARS appliance, while they are equivalent in Security Manager. As a result, a name logged in the syslog event might not match the name in Security Manager. Syslog messages use lowercase for all interface names. To work around this problem, use lowercase for all interface names and in the definition of interface roles in Security Manager.
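The note above describes a mismatch that is easy to introduce and hard to notice: Security Manager compares interface names case-insensitively, a MARS appliance compares them exactly, and syslog always emits lowercase. The following Python script is an added example (not Cisco's code) that checks a set of interface names, as they would be defined in Security Manager interface roles, against constructed ASA syslog lines both ways, and lists the names that would need renaming to lowercase for the workaround. The interface names, syslog lines and the `%ASA` message formats used as input are constructed sample data.

```python
import re

# Constructed sample: interface names as defined in Security Manager
# interface roles (hypothetical data, not taken from the release notes).
SECURITY_MANAGER_INTERFACES = ["Outside", "inside", "DMZ", "management"]

# Constructed sample ASA syslog lines. The interface name precedes the
# colon in the src/dst fields and is lowercase, as the note above states.
SYSLOG_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:10.0.0.8/22 by access-group "outside_in"',
    "%ASA-6-302013: Built inbound TCP connection 1234 for dmz:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.9/51000 (10.0.0.9/51000)",
    '%ASA-4-106023: Deny udp src management:10.1.1.1/5000 dst inside:10.0.0.8/53 by access-group "mgmt_in"',
]

# "<interface>:<ipv4>/<port>" as it appears in ASA connection/deny messages.
IFACE_RE = re.compile(r"\b([A-Za-z][\w.-]*):\d{1,3}(?:\.\d{1,3}){3}/\d+")


def interfaces_in_syslog(line):
    """Return the set of interface names referenced by one syslog line."""
    return set(IFACE_RE.findall(line))


def classify(sm_names, syslog_lines):
    """Match syslog interface names against the Security Manager definitions
    two ways: exactly (what a MARS appliance does) and case-insensitively
    (what Security Manager does). Names that match only case-insensitively
    are the ones whose MARS policy queries will not line up with syslog."""
    exact = set(sm_names)
    folded = {n.lower(): n for n in sm_names}
    result = {"matched": set(), "case_only": {}, "unknown": set()}
    for line in syslog_lines:
        for name in interfaces_in_syslog(line):
            if name in exact:
                result["matched"].add(name)
            elif name.lower() in folded:
                result["case_only"][name] = folded[name.lower()]
            else:
                result["unknown"].add(name)
    return result


def names_to_rename(sm_names):
    """Security Manager interface names that are not already lowercase and so
    need renaming for the workaround described above."""
    return sorted(n for n in sm_names if n != n.lower())


if __name__ == "__main__":
    report = classify(SECURITY_MANAGER_INTERFACES, SYSLOG_LINES)
    for syslog_name, defined_name in sorted(report["case_only"].items()):
        print(f"syslog '{syslog_name}' matches '{defined_name}' only case-insensitively")
    print("rename to lowercase:", names_to_rename(SECURITY_MANAGER_INTERFACES))
```

Run against real data, the `case_only` entries are the interface roles to rename before correlating Security Manager policy queries with MARS events; `unknown` entries point at interfaces that are not modelled in Security Manager at all.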

When you back up the Security Manager 3.1.1 database that does not contain Resource Manager Essentials (RME) data from one server, and restore it to a different server running RME, a licensing error occurs. This problem occurs if you installed Security Manager 3.1.1 using the free evaluation license. To work around this error, reinstall RME on the server where you want to restore the Security Manager database.

In IOS 12.3(14)T, many of the predefined inspection protocols were introduced; however, certain commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.

You might receive a persistent error message such as "Internal Error, please save the logs and contact TAC." If this should occur, please select Tools > Security Manager Diagnostics and send the resulting CSMDiagnostics.zip file to the Technical Assistance Center.

If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to Security Manager 3.1.1. If you deploy back to the device, these commands are removed from the device because the commands are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in the Security Manager GUI so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.

If you upgrade to Security Manager 3.1.1 from Security Manager 3.0.2, the ordering of BGP CLI "neighbor distribute-list acl" may be shown incorrectly in preview full configuration due to Security Manager 3.0.2 bugs CSCsk55138 and CSCsk55140. To correct this, please rediscover this device.

For the Cisco Security Monitoring, Analysis, and Response System Appliance (MARS) cross-launch panel to appear on the Cisco Security Manager Suite home page, you need to manually register the MARS appliance on the Common Services application registration page. To do this, perform the following:

1. From the Cisco Security Manager Suite home page, click the Server Administration link. The Common Services Admin page appears.

2. Select HomePage Admin > Application Registration. The Application Registrations Status page appears.

3. Click Register. The Choose Location for Registrations page appears.

4. Select Register From Templates, then click Next.

5. Select Monitoring, Analysis and Response System, then click Next.

6. Enter the server name, server display name, and port and protocol information for the MARS appliance, then click Next.

7. Verify registration information, then click Finish. The MARS launch point will now appear from the Cisco Security Manager Suite homepage.


Note If you choose to add the cross-launch to MARS later, simply launch your web browser and enter http://SecManServer:1741, where SecManServer is the name of the computer where Cisco Security Manager Suite is installed. If you are using SSL, the default URL is https://SecManServer:443.


IPS and IOS IPS Notes

A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.

Avoid connecting to the database directly, because doing so can cause performance reductions and unexpected system behavior.

Do not run SQL queries against the database.

If an online help page displays blank in your browser view, refresh the browser.

With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack's release.
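Because the minimum required version moves with each service pack, it is worth checking a sensor inventory against it before pushing a signature update rather than discovering the failures afterwards. The following Python snippet is an added example, not Cisco's code: it parses Cisco IPS version strings of the form `major.minor(sp)` into comparable tuples and reports the 5.x sensors that fall below the 5.0(6) floor stated above. The sensor names and versions are constructed sample data, and restricting the check to major version 5 is an assumption of the example.

```python
import re

# Cisco IPS version strings look like "5.0(6)": major.minor(service pack).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")

# Minimum version for 5.x signature updates since the S227 update, as stated above.
MIN_5X_SIG_UPDATE_VERSION = "5.0(6)"


def parse_ips_version(text):
    """Parse 'major.minor(sp)' into an integer tuple that compares numerically,
    so that 5.0(10) correctly sorts after 5.0(6) (a string compare would not)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def sensors_needing_upgrade(inventory, minimum=MIN_5X_SIG_UPDATE_VERSION):
    """Return the names of 5.x sensors whose software is below the minimum
    required for signature updates. Sensors on other major versions are not
    covered by the 5.x rule and are left alone (an assumption of this example)."""
    floor = parse_ips_version(minimum)
    stale = []
    for name, version in inventory.items():
        v = parse_ips_version(version)
        if v[0] == 5 and v < floor:
            stale.append(name)
    return sorted(stale)


# Constructed sample inventory (hypothetical sensor names and versions).
SENSOR_INVENTORY = {
    "ips-hq-1": "5.0(5)",
    "ips-dc-1": "5.0(6)",
    "ips-dc-2": "5.0(10)",
    "ips-branch-3": "5.1(1)",
    "ips-legacy": "4.1(4)",
}

if __name__ == "__main__":
    print("sensors that will fail signature updates:",
          sensors_needing_upgrade(SENSOR_INVENTORY))
```

The `minimum` parameter exists because the floor is expected to move to the latest service pack 30 to 45 days after its release, so the value should be treated as configuration rather than a constant.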


Caution If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.

Resolved Problems

Service Pack 3 is a superset of Service Pack 2 and Service Pack 1, so it contains all problem resolutions included in Service Pack 2 and Service Pack 1, as well as those in Service Pack 3.

Table 1 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 3).

Table 2 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 2).

Table 3 identifies the problems resolved by Security Manager 3.1.1 (Service Pack 1).

Table 4 identifies the problems that were documented in the Security Manager 3.1 release notes as known problems and that have since been resolved. For information on resolved problems that were resolved in earlier releases, please refer to the release note document for each previous release.


Note The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2.0 from 3.1.1 SP3, you will lose the added functionality that was provided in SP3.


Table 1 Resolved Problems in Service Pack 3 

CSCsl13680—Cannot load rule table when policies have duplicated order_id

Description: Under a rare condition, the Access Rules table cannot be loaded after you add or delete rules in the table.

CSCsl13733—Two policies in the same policy group have same order_id

Description: A duplicate order_id in the same policy group might occur when multiple firewall policy groups are modified with an insertion.

CSCsm15485—xDM:IPS Device Manager relaunch always prompts about previous instance

Description: When you start IPS Device Manager (IDM) from a Security Manager client, you are prompted with a message stating that an instance is already open even if no previous instance of device manager is running.

CSCsm72772—Firewalls unable to access AUS; apache reports access violation error

Description: Firewall devices (PIX/ASA running 6.x, 7.x) are not able to access the AUS server. Apache generates "Access Violations."

CSCsm79337—Performance tuning on platform validations

Description: While submitting changes to the device, Security Manager hangs for a long time at the validating screen.

CSCso00786—FWSM discovery completed before the policy discovery of VCs

Description: All policies are deleted on the Security Contexts when you deploy to a device or when you do a preview config.

CSCso04982—Should undo device target type change for IOS/IPS

Description: After an IOS device is added to Security Manager, the device target type cannot be changed unless it is deleted, then added again.

CSCso20860—"access-list mode auto-commit" sent to standby unit fails discovery

Description: Security Manager 3.1.1 discovering an FWSM 3.1(x) blade in multi-context mode with active/active failover configured fails.

CSCso23669—Invalid VPN hard validation error for non-support for TACACS+

Description: TACACS+ should be supported for authentication for remote access purposes.

CSCso46954—Remove log error entry in Device Access Utility to avoid false alarm

Description: Each time a PIX or ASA device is accessed in Security Manager, unwanted error log entries are printed in vmsbesvcs.log.

CSCso52320—Deployment to PIX 6.3 devices fails with error in transcript

Description: When you deploy large configuration changes to PIX 6.2 devices, deployment fails with the "Error: 24112 : IO error during SSL communication" message recorded in the transcript.

CSCso52353—Wrong error message during 3.1.1 SP3 installation

Description: When you install Security Manager 3.1.1 SP3 on top of 3.1.1 that is already running on a server, an error message is displayed at the end of the installation, even though the operation is successful.


Table 2 Resolved Problems in Service Pack 2 (Also included in Service Pack 3) 

CSCsl45826—Static NAT does not allow networks with non-host addresses

Description: When adding a Static NAT to a PIX/ASA/FWSM device, the original address and translated address fields report an error if a network object that contains a non-host address is selected.

CSCsl62051—Deploy url-mempool up to 10240 should be allowed on single context FWSM

Description: For FWSMs in multiple context mode, Security Manager allows url-mempool to be set to a value from 2 to 512 and fails to deploy configurations with a value greater than 512. For FWSMs in single context mode, Security Manager should allow the deployment of configurations with a url-mempool value from 2 to 10240.

CSCsl70798—IOS-NAT: Incorrect editing of ACL used in dynamic NAT policy

Description: When a dynamic NAT rule on IOS is referring to an ACL policy object, and the ACL policy object is modified in Security Manager, after deployment, the ACEs (contents) of the ACL on the device might be in a different order than the order of the ACEs in Security Manager.

CSCsj59435—ASA 8.0 new URL

Description: Unable to import ASA 8.0 if SSL VPN/WEBVPN is enabled on the device.

CSCsk77124—Not all entries logged to CSV are available in ACS when switching to ACS

Description: Not all Cisco Security Manager activity is being logged to the ACS server.

CSCsl50379—ACL policy object conflict detection is performance inefficient

Description: In the case of ACL policy objects, each ACL can refer to multiple ACE policy objects. Each ACE policy object could in turn refer to multiple Network policy objects. This kind of nested references makes conflict detection a performance intensive task. Each additional ACE object in the system makes a perceivable difference in the performance of discovery.

CSCsl77673—IOSIPS:Device target type change is not allowed after device is added

Description: When an IOS router device is added to Cisco Security Manager without IPS capability, later if the user reimages the ISR with an IOS image which supports IPS, rediscovering the ISR will not discover IPS policies.

CSCsl30739—Security Manager - IPS License Sort by Expires: Alphabetical Instead of Chronological

Description: When sorting the IPS licenses by "Expires On", the licenses become sorted in alphabetical order rather than chronological expiration order.

CSCsl52675—Security Manager does not allow 32 bit subnet mask for PPPoE interface

Description: Security Manager does not allow 255.255.255.255 subnet mask to be configured for interfaces. This check should be removed for PPPoE interfaces with setroute enabled.

CSCsm01861—Security Manager might hang and not respond while discovering large number of devices

Description: Security Manager might hang and not respond while discovering a large number of devices.


Table 3 Resolved Problems in Service Pack 1 (Also included in Service Pack 2) 

CSCsi82908—Need to easily add subcommands to policy map using flexconfig

Description: Security Manager's flexconfig does not contain a system variable for the dynamic "policy-map" and "class-map" names that are generated on PIX/ASA/FWSM devices. To apply an advanced inspection map that is not supported by Security Manager, you must use the flexconfig; however, since the names are dynamic, you must preview the configuration and manually change the flexconfig every time a change is made in order to match the dynamic name. This enhancement uses system variables that allow you to reference policy-map or class-map names in the flexconfig for ASA/PIX/FWSM devices.

CSCsj39745—Removing filter resets position of the selection bar

Description: If you create a filter in the access rules table, then select an entry within the table some table-pages down, if you click Clear, the access rules browser jumps to the beginning of the table and the rule is no longer selected.

CSCsj82904—Ignore CE reply saying device already on CE after CSM add device to CE

Description: This is an enhancement. CNS CE reply states the device already exists in CE when Security Manager creates a device via CE API call. CE might return misinformation in some cases.

CSCsj83293—Restarting server then launching SDP servlet causes exception

Description: When you restart the Security Manager server without launching the Security Manager client, initiating flexconfig through the SDP servlet causes a class not found exception.

CSCsj97405—AAA include/exclude command modeled incorrectly

Description: The AAA include/exclude commands can each have multiple instances, but the current rule file models them as a single instance command and, therefore, leaves only one instance after processing.

CSCsj97990—Printing from VMS diff dialog has incomplete lines

Description: Printing from a diff dialog (e.g. Tools -> Preview Configuration, Tools -> Configuration Archive -> View diff) might produce an incomplete document. "Incompleteness" includes: the document might be missing its last several rows; some rows might be cropped along the right-hand side; and page breaks might occur in the middle of row text.

CSCsj99578—Error when copying policy to device regarding NTP settings

Description: When you add a new Device to Security Manager 3.1, then copy a shared policy, the following error message results: "Both NTP and Clock are configured on same Device".

CSCsk01014—Unreferenced Object Groups are created by Security Manager

Description: When you make a simple change to the access rule table, you might see several unreferenced object groups deployed to a device.

CSCsk15141—User Group Address Pool client validation fails for singleton IP address

Description: IOS User Group validation fails in the GUI when the IP Address Pool is configured with a singleton address. IP address ranges can be configured fine in the IOS User Group Address Pool.

CSCsk28731—Discovery of protocol object is not displayed properly

Description: A protocol object-group containing TCP and UDP protocols that is used in an access-list (access-rule) is not discovered correctly.

CSCsk35151—Failed to generate delta config - #provF1ExtendedAce($aclname $access $p

Description: When you deploy multiple devices in the same job, you might encounter a deployment failure.

CSCsk41945—Restart "stopped" CNS job if device in the job is in Queue state

Description: After the CNS server has been rebooted, it sets all CNS jobs to the 'stopping' state, which is the failed CNS job status. The Security Manager monitor will then treat this state as a failure, mark the Security Manager job as 'failed' and clear the CNS job.

CSCsk43245—FAILOVER Active/Active discovery action message misleading

Description: If a PIX/ASA or FWSM firewall is configured for Active/Active Failover, a 'Management IP Address' added within the respective Security Context's Device Properties > General section is removed after the initial deployment if it is not replicated within the System Execution Space's (System Context) Security Context policy page.

CSCsk45589—QoS needs to support 'set ip precedence' for discovery and provision

Description: The following QoS commands cannot be discovered into Security Manager:

match ip precedence x

match ip dscp x

set ip precedence x

set ip dscp x

CSCsk46053—Multiple remarks generated from a single NAT command

Description: There are two symptoms: 1) When you add multiple NAT-0 rules that have the same interface and direction, the remarks for these rules are generated multiple times. 2) When the "Do not translate VPN traffic" checkbox is enabled, the NAT-0 rules are not generated.

CSCsk49274—Deployment Manager refresh causes selected job focus to be lost

Description: A selected row in the deployment job table is no longer visible/selected on screen.

CSCsk50690—CSM may redeploy the ACL used in router SNMP with reordered entries

Description: Security Manager deploys the standard ACL used in the router SNMP configuration. Under certain conditions, in a subsequent deployment, even if no changes are made to the ACL, Security Manager might remove the standard ACL that was previously deployed and redeploy a new ACL with the entries (ACEs) re-ordered.

CSCsk51104—Dirtiness calculation is returning more devices than it should

Description: VPN operations keep getting slower and slower with time. In some cases, even if you modify one spoke policy, all spokes show up in the "Modified Device List" during deployment.

CSCsk56996—CSM allows multiple deployment jobs to be created for the same device

Description: Security Manager allows multiple deployment jobs to be created for the same device, which might cause deployment to fail.

CSCsk59006—Add VPN API to getNodesForDevices

Description: Added new API to VpnToolAPI for getting the Vpn Nodes given to the devices.

CSCsk60352—Incorrect out-of-band (OOB) check-in for failover configuration

Description: Incorrect OOB message might be reported in a failover configuration. If a failover occurs after you deploy to the active unit, a subsequent deployment might report the following out-of-band change:

!<
!failover lan unit primary
!>
!failover lan unit secondary
!>>>> End of differences.
!Out of Band (OOB) change detected on device: <device-name>. Stop !provisioning.

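The difference above is a false positive: after a failover the surviving unit reports itself as `secondary`, which is a property of the failover pair rather than an out-of-band change to the policy. The following Python example (added here, not Cisco's code or the actual Security Manager check) shows one way to compare a deployed configuration with the running configuration while ignoring lines whose value legitimately differs between the two members of a pair. The two configurations and the `fw-edge` host are constructed sample data; treating only `failover lan unit` as a role line is an assumption of the example.

```python
import difflib

# Constructed: the configuration last deployed to the active unit, and the
# running configuration read back after a failover has occurred.
DEPLOYED = """\
hostname fw-edge
failover
failover lan unit primary
failover lan interface failover Vlan2
failover link failover Vlan2
access-list outside_in extended permit tcp any host 10.0.0.8 eq 22
"""

RUNNING = """\
hostname fw-edge
failover
failover lan unit secondary
failover lan interface failover Vlan2
failover link failover Vlan2
access-list outside_in extended permit tcp any host 10.0.0.8 eq 22
"""

# Lines whose value legitimately differs between the members of a failover
# pair; a difference on them is not evidence of an out-of-band change.
ROLE_PREFIXES = ("failover lan unit ",)


def normalize(config, ignore_role_lines=True):
    """Split a configuration into comparable lines: drop blanks and comments,
    strip whitespace, and optionally drop the failover role lines."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if ignore_role_lines and line.startswith(ROLE_PREFIXES):
            continue
        lines.append(line)
    return lines


def oob_changes(deployed, running, ignore_role_lines=True):
    """Return only the added/removed lines between the two configurations.
    An empty list means nothing out of band was found and provisioning can
    continue; anything else is a real difference to investigate."""
    a = normalize(deployed, ignore_role_lines)
    b = normalize(running, ignore_role_lines)
    diff = difflib.unified_diff(a, b, "deployed", "running", lineterm="")
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("---", "+++"))]


if __name__ == "__main__":
    print("raw diff:     ", oob_changes(DEPLOYED, RUNNING, ignore_role_lines=False))
    print("filtered diff:", oob_changes(DEPLOYED, RUNNING))
```

With the role lines included the comparison reproduces the spurious primary/secondary difference shown above; with them filtered it reports nothing, while a genuinely added access-list entry still shows up as a `+` line.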
CSCsk60919—Out Of Memory error during deployment, job loading, or creation

Description: When several devices exist in the system and there are several deployment jobs, sometimes when the Deployment Manager GUI is invoked, the GUI hangs and an Out Of Memory error is observed in the server log.

CSCsk66500—Need IP address support in ASA transparent mode with OS 7.2 and later

Description: The IP address is negated for Management0/0 interface.

CSCsk71303—Recreate CNS job after CNS reload

Description: When the CNS server reboots, all pending CNS jobs are put in the STOP state, but they are actually in the INVALID state. This means that restarting the jobs will not put them back in a valid pending state. When the CNS server reboots, Security Manager must delete these CNS jobs, recreate new ones, and then map the new CNS jobs to the existing Security Manager jobs.

CSCsk71349—VPN device deletion logic should prevent dangling device in VPN

Description: When a device is deleted from Device view and the device participates in a VPN, you should get a warning or error message that explains if the device can or cannot be deleted from the VPN. If you proceed, the device is also removed from the VPN.

In some specific conditions, the warning or error message is not displayed and the device is deleted from Security Manager, but the VPN still maintains a reference to the device, which causes database inconsistencies that result in errors to activity validation and deployment.

CSCsk71804—CNS job recreation results in peculiar behavior

Description: In rare cases, a Cisco CNS server might not update CNS job status to the Completed state after the status of all devices inside the CNS job has already been updated to a final state. As a result, Security Manager cannot update the corresponding Security Manager job status.

CSCsk71815—API to check if a user is in Security Manager session

Description: There is not an easy way to track Security Manager client user login session information from the Security Manager itself (either through an API or DesktopServlet command).

CSCsk72256—Password not being URL encoded when sent to the server

Description: Deployment or cross-launch to other applications from Security Manager might not work.

CSCsk83049—Preview Config > IOS (Full) diff Running Config shows PKI cert deleted

Description: If a Crypto RSA key (chain) is generated within an ISR's configuration, and is imported into Security Manager, a Preview Configuration operation will display that the key material is marked red for deletion.

CSCsk83637—DMVPN: No IP on protected interface results in 0.0.0.0

Description: If the protected interface has no IP address, Security Manager generates '0.0.0.0' in the VPN dynamic routing protocol configuration.

CSCsk83674—Failover: FWSM 3.1.x negates stateful failover link after discovery

Description: If a configuration pre-exists on the FWSM in which the LAN failover and stateful failover interfaces are shared, for example:

failover
failover lan unit primary
failover lan interface failover Vlan2
failover replication http
failover link failover Vlan2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

then after the import, a preview configuration shows that the stateful failover link is incorrectly removed from the configuration with the next deployment:

no failover link failover vlan 2

CSCsk88551—Transcript does not reflect commands sent to device in failure condition

Description: In a failure condition, no transcript exists even though Security Manager has already started communicating with the device, so the commands that were sent to the device are not recorded.

CSCsk90736—Aborted job starts immediately instead of scheduled time

Description: If a deployment job is created, aborted, and then deployed again with a scheduled start time, it starts within 5 minutes instead of at the scheduled time.

CSCsk95039—Stateful failover link exception if interface has no PIM and no IGMP

Description: Security Manager generates "pim" and "igmp" CLI on interfaces on which multicast is not enabled, which causes an exception for the stateful failover link interface.

CSCsk95480—Security Manager login not working for IPS for deployment

Description: Failure to update IPS signatures or deploy changes to IPS from Cisco Security Manager.

CSCsk96974—VPN discovery fails because of transformset mismatch

Description: VPN discovery fails because of a transform set mismatch.

CSCsk97453—DMVPN discovery on Catalyst 6500 Series fails with database exception

Description: When discovering a DMVPN between a Catalyst 6500 or Cisco 7600 device and any other router, the VPN discovery fails with an error message stating that there was a DatabaseException.

CSCsl04866—3.1.1 SP1 should check for base version before installation

Description: The 3.1.1 SP1 installer does not check the base version, so SP1 can be installed on unsupported versions such as 3.0 or 3.0.2.

CSCsl04942—Set CNS device image ID when creating a device

Description: Even though CNS doesn't integrate with the CNS image service, it would be beneficial if Security Manager could set the image ID when creating a CE device, for customers who use the CNS image service, such as Cisco IT. This should be a feature that can be turned on or off in a property file, because setting the image ID creates a separate object in the CE database, which customers that do not use the image service do not want.

CSCsl06586—Need to unregister plugins for policies not managed by Security Mgr

Description: Security Manager might still manage the CLIs for unmanaged policies that are configured from Tools > Administration > Policy Management.

CSCsl12476—GRE mode policy cannot be saved in Policy View

Description: In Policy View, the "GRE Modes" policy cannot be saved after any change is made to the default values.

CSCsl13103—ASA5505: duplex is not properly discovered

Description: For an ASA 5505, the speed and duplex of the switchports are set to be auto/auto no matter what the speed and duplex are set to on the device.

CSCsl14080—aaa-server commands always in delta in some cases

Description: The aaa-server <aaa_tag> (inside) host command is always generated in delta and deployed to the device in some cases.

CSCsl15364—IPsec + HSRP: protected networks not discovered

Description: When discovering a VPN with HSRP configured on the hubs, the protected networks are not discovered. Discovery status reports that the protected networks are not discovered.

CSCsl27209—Deployment causes IPS signature updates to be tuned back to default

Description: When you use Security Manager to deploy IPS signature updates, Security Manager changes tuned signatures back to default if the update contains modified signatures.

CSCsl29732—Edit Address Pool - Exception on launching Network Selector

Description: When you click the Select button of the Address Pool selector in the Address Pool Wizard, nothing happens and an exception is logged in the client log.

CSCsl33369—Table Filters: Sometimes 2nd and 3rd dropdowns are disabled

Description: The second and third filter drop-down lists are greyed out and you cannot create any filters.

CSCsl40954—CCO credentials in cleartext in tomcat stdout.log during CCO license upd

Description: After an Update via CCO operation for devices with a sentinel license type, the CCO credentials appear in clear text inside the CCO request XML string written to the Tomcat stdout.log. Anyone with read access to that log file can recover the Cisco.com account credentials, so treat stdout.log from affected releases as sensitive.
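The durable fix for a leak like CSCsl40954 is to scrub secrets at the logging boundary, so that a debug print of a request body cannot expose them regardless of which code path logs it. The following Python is an added example written for these release notes; it is not Security Manager code, and the element names treated as sensitive, the CCO-style sample request and the logger name are assumptions made for the illustration.

```python
"""Scrubbing credentials before they reach a server log (added example;
not Security Manager code).

The request body and the set of sensitive element names are assumptions:
Cisco's real CCO request schema is not reproduced here.
"""
import logging
import re
import xml.etree.ElementTree as ET

# Element names whose text is scrubbed. The username is deliberately kept so
# the log still records which account was used (an audit-trail assumption).
SENSITIVE_TAGS = {"password", "passwd", "secret", "token"}

# Fallback for text that is not a complete XML document, for example a log
# line with a prefix in front of the XML.
_TAG_RE = re.compile(
    r"<(?P<tag>password|passwd|secret|token)(?P<attrs>[^>]*)>.*?</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as '{urn:x}password'."""
    return tag.rsplit("}", 1)[-1].lower()


def redact_xml(text: str) -> str:
    """Return text with the contents of sensitive elements replaced by [REDACTED]."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Not a well-formed document: fall back to the tag regex.
        return _TAG_RE.sub(r"<\g<tag>\g<attrs>>[REDACTED]</\g<tag>>", text)
    for el in list(root.iter()):
        if _local_name(el.tag) in SENSITIVE_TAGS:
            el.text = "[REDACTED]"
            for child in list(el):  # drop nested structure inside a secret element
                el.remove(child)
    return ET.tostring(root, encoding="unicode")


class RedactingFilter(logging.Filter):
    """Scrub the rendered message of every record that passes through the handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_xml(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in a list (stands in for a file handler)."""

    def __init__(self, sink: list):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(sink: list) -> logging.Logger:
    """Logger whose handler output is scrubbed by RedactingFilter before it is written."""
    logger = logging.getLogger("cco-update-example")  # assumed name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler(sink)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


# Constructed stand-in for a license request body; not a real Cisco schema.
SAMPLE_REQUEST = (
    "<request><auth><username>cco-user</username>"
    "<password>S3cret!</password></auth>"
    "<op>license-update</op></request>"
)

if __name__ == "__main__":
    lines = []
    log = build_logger(lines)
    log.debug("CCO request: %s", SAMPLE_REQUEST)
    print(lines[0])
```

Attaching the filter to the handler rather than to individual call sites is the point: a developer who later adds another debug statement that dumps the request still gets a scrubbed line in stdout.log.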


Table 4 Resolved Problems in Security Manager 3.1.1 

CSCsh64420—Deployment fails modifying ACE in AAA ACL on FWSM3.1.1

Description: For an FWSM 3.1(1) context, if you modify the AAA rules table and then deploy the change to the device, you might get the following deployment error:

ERROR: Unable to find AAA ACE
Error acl_updated: aaa_acl_changed failed
ERROR: Unable to delete ACE from dependent modules

CSCsh96644—FWSM ACL remarks may cause inline editing manual commit failure

Description: Deploying to FWSM 3.1(4) fails with an error saying "Specified remark does not exist" in the deployment transcript. This happens only when the "Let FWSM decide when to compile access-list" admin setting is unchecked and the access policies contain a number of comments.

CSCsi11697—Deploy fails after rollback operation followed by URL filter change

Description: If you use Security Manager to roll back an ASA 7.2(2) device to a configuration that contains the default inspection class-map and the policy-map "global_policy", and you then change Web Filter rules and deploy the change, the deployment might fail.

CSCsi16937—FWSM: Need validation for non-standard netmask in address pool

Description: Deployment might fail if an IP address in an address pool is configured with a non-standard mask. Although the UI allows it, the only device versions that accept non-standard masks are PIX/ASA 7.2 and later.

CSCsi23773—TCP Map: Always generates range CLI for TCP map

Description: If a TCP Map is assigned in the "IPS, QoS and Connection Rules" policy, redundant tcp-options commands might be generated even if no changes are made to the TCP Map or the related policy.

CSCsi27421—Deploy removes ACEs when creating ObjectGroup disabled for FWSM 3.1(3-4)

Description: If an access-list entry (ACE) with an object group is internally expanded into a number of ACEs and if one of the expanded ACEs is inserted into the access-list, FWSM 3.1(3)12 and later rejects this ACE with an error "found duplicate element".

CSCsi29146—Deployment using AUS fails after upgrade from 3.0 to 3.1

Description: If some of the interfaces defined on a device have no name, the Security Manager deployment details show 'Interface defined on device does not have a name' warnings, and rules bound only to those interfaces are not deployed.

CSCsi49748—Transparent rules not removed from device when deleted in Security Mgr

Description: If you delete the transparent firewall rules from Security Manager and deploy to the device, the rules are not removed from the device; however, Security Manager continues to show those rules as deleted.

CSCsi49794—AclNamePreserv: Deploy fails due to diff source addr in delta for static

Description: When you change an access list that is shared between a static command and another command, deployment to the device might fail.

CSCsi51974—Hit Count: Disabled for inherited rules

Description: The Hit Count option, which is accessed from the Tools menu that is located below the Access Rules table, is disabled when you select access rules that belong to an inherited policy.

CSCsi54973—Network objects with non-std netmask show "no value" with show cell cmd

Description: Show cell contents for Sources/Destinations might show empty contents or "no value" if the cell contains a network with a non-standard mask.

CSCsi56443—Unable to create network obj from cell if cell contains IP address range

Description: The Create Network from Cell contents or Create Network from Selected Contents does not work if the cell contains an IP address range.

CSCsi66073—CSM 3.1 Installation Has a Link To The Non-Existent IPS Manager

Description: You receive a 404 error when attempting to access IPS Manager in CSM 3.1. This link should not exist, because Security Manager 3.1 manages IPS devices in the client, not through the IPS Manager.

CSCsi76604—Data archival does not work in IEV started from Security Manager

Description: The database archival feature, which lets you archive real-time events, does not work in IEV when IEV is started from Security Manager. The problem does not occur when IEV is installed separately (downloaded from Cisco.com) and started outside of Security Manager.

CSCsi91028—Need to upgrade network hashcode

Description: During import, a network policy object might not get reused, even if the contents in Security Manager are the same as the contents of the network being imported.

CSCsi96716—Security Mgr 3.1: Upgrade from 3.0 - aip-ssm coverts to 'Unknown' in DCR

Description: Users are unable to add AIP-SSM devices from DCR into Security Manager 3.1. This occurs when the user was previously managing AIP-SSM devices with Security Manager 3.0, upgraded from Security Manager 3.0 to 3.1, and then attempted to add these devices from DCR.

CSCsj55213—ExportIpsCredentials.pl fails with stack trace

Description: Some IPS MC 2.2 backups contain sensor information that is not complete. This can happen if a default device is added and never discovered before a backup is made.

CSCsj85371—Security Manager: does not deploy bypass-mode 'on' to IPS sensor

Description: When deploying to an IPS sensor with the bypass mode set to 'on', the 'on' is replaced with 'auto' during deployment, causing the sensor to come out of bypass mode.

CSCsj57610—IPS Licensing - Update from CCO Failed

Description: Attempts to update the sensor license from Cisco.com fail.

CSCsj43832—Autodownload does not work when proxy server uses NTLM auth mechanism

Description: Downloads from Cisco.com fail when the proxy server (for example, an IIS proxy) uses the NTLM authentication mechanism.


Known Problems

This section contains information about the problems known to exist in Cisco Security Manager 3.1.1 (including Service Packs 1 and 2).

Catalyst 6500/7600 Configuration

Table 5 Catalyst 6500/7600 Configuration 

CSCsi17582—Cannot change the data port VLAN running mode after negating CLI on IDSM

Description: Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box, and the following error message is displayed:

Command Rejected: Remove trunk allowed vlan configuration from data port 1 before configuring capture allowed-vlans

CSCsi17608—Deployment fails when allowed VLAN ID is modified on IDSM capture port

Description: If you modify the allowed VLANs of an IDSM data port that has been configured as a capture port and deploy the configuration to the device, the following error occurs:

"Capture not allowed on a SPAN destination port"

CSCsi24091—Deploy fails if you change access to trunk mode & enable DTP negotiation

Description: Deployment might fail when you attempt to modify the physical port configuration type from access to trunk mode for a Catalyst switch and keep the Enable DTP negotiation check box selected in the trunk port mode.

CSCsi31232—Catalyst 6500/7600 chassis discovery fails after upgrade from 3.0 to 3.1

Description: When you migrate a Security Manager 3.0 or 3.0.1 database to 3.1 in workflow mode, and try to discover the configuration of the upgraded Catalyst 6500 Series switch, Cisco 7600 Series router, or FWSM managed using the chassis before creating an activity, discovery fails.


Client Software

Table 6 Client Software 

CSCsd39354—Some Windows users see no desktop shortcut or Start menu shortcut

Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.


Deployment

Table 7 Deployment 

CSCsc22934—ACL limitations on Layer 2 interfaces on IOS ISR devices

Description: Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.

CSCse23064—Enrollment URL CLI causes failure in deployment to AUS managed device

Description: Deployment to AUS-managed device fails if the deployment configuration contains the CLI command "enrollment url http:..."

CSCsi09797—Job state for completed jobs is "Deploying" for CNS-managed IOS routers

Description: After Security Manager successfully deploys the configuration file to CNS, and Cisco IOS routers configured for CNS poll and apply the configuration changes at the predefined polling period, the Status column in the Deployment Manager window continues to display the job state as "Deploying".

CSCsi31224—Preview failed after deploying config to AUS server

Description: After the device retrieves its configuration file from the AUS server, the device's certificate changes. The certificate stored in Security Manager is then out of sync with the device, and the preview fails with a certificate mismatch error.


Device Management

Table 8 Device Management 

CSCsc51908—Cannot add a system context from DCR into Security Manager

Description: If you try to import a system context that belongs to a multi-mode PIX Firewall 7.0 or an ASA device from DCR to Security Manager, the import fails and an error message results.

CSCsd49045—Unclear error message when IOS SSL deployment exceeds maximum size

Description: Deployment to Cisco IOS router fails when SSL is the transport protocol and you see a confusing error message.

CSCsd71001—Not able to import AUS device from DCR

Description: You cannot import an AUS-managed device from DCR to Security Manager.

CSCse70089—RBAC-Authorization and duplicate display name errors when adding devices

Description: Authorization and duplicate display name errors occur when you add devices to a Security Manager server that uses Cisco Secure ACS for AAA.


Diagnostics, Monitoring, and Troubleshooting Tools

Table 9 Diagnostics, Monitoring, and Troubleshooting Tools 

CSCsi04942—IEV error while installing only Common Services 3.0.5 or AUS 3.1

Description: When you install only Common Services 3.0.5 or AUS 3.1 from the Security Manager DVD, an IEV error message is displayed even if you did not select Security Manager 3.1 during installation.

CSCsi08390—IEV installation fails on systems without C: drive

Description: During installation of Security Manager server 3.1 on systems that do not contain C: drive, IEV server fails to install and an error message is displayed. Also, an error is logged in the server installation log file.

CSCsi27178—Several pages are blank in SDM 2.4 after discarding changes

Description: After you perform configuration changes for Cisco IOS devices using SDM 2.4 started from the Security Manager client and click Discard Changes to reset to the previously applied configurations, many of the pages are blank or empty.

CSCsi86335—Cross-launch of IEV client fails if Symantec application is running

Description: You cannot start IEV client from Security Manager client on a system in which the Symantec Client Firewall Port Scanning Module or Symantec Secure Port application is running.


Discovery

Table 10 Discovery 

CSCse99139—Rediscovery of inventory alone can create device-override building blocks

Description: Device-level overrides for policy objects that correspond to object groups can be created when you rediscover only inventory policies, such as interfaces.

CSCsi33347—Auto-update:Changing order of AUS servers does not generate commands

Description: On a 7.2 ASA/PIX with multiple AUS servers, changing the order of the AUS servers does not generate any commands.

CSCsi45142—AAA - source intf disc from global cmd instead of aaa subcommand

Description: The interface parameter is not discovered for the AAA-server building block discovered from IOS routers.


Firewall Services

Table 11 Firewall Services 

CSCsa81103—Unable to create an access rule with TCP flags

Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.

CSCsa81104—Unable to create an access rule to match QoS parameters

Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.

CSCsa98978—Hit Count does not expand FWSM devices with object-group enabled

Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.

CSCsb85487—Need warning when ACL deployment to IOS devices can cut off access

Description: Security Manager does not check whether the firewall rules that you configure permit management traffic (SSH and HTTPS) from Security Manager to the IOS device being managed. As a result, after the rules are deployed, the connection to the device might be lost, and you have to restore access out of band. Review the Preview Configuration for an explicit permit of the management station before deploying.

CSCsc81905—QIT: Empty ACL is deployed on 87x series routers for BGP port

Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; BGP is supported when the device has more than 24 MB of memory. Security Manager does not detect the amount of memory on the device and cannot enforce this restriction. As a result, deployment of a job containing an ACL with BGP ACEs fails.

CSCsc84443—IP HTTP server cli is not removed after the policy is unassigned

Description: IOS devices require HTTP as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove this command when authentication proxy is unassigned from the device in Security Manager, so the HTTP server stays enabled on the router.

CSCsc85416—User configured AAA/AuthProxy CLIs are not removed from the device

Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.

CSCsc87646—Deployment to IOS device fails if AuthProxy is assigned to L2 interface

Description: If you create AAA or inspection rules for "all" interfaces on an IOS device, deployment fails if the device has a Layer 2 port.

CSCsd26482—IOS "access-list" Standard ACL is not supported by Hit Count

Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.

CSCsd30481—PIX 6.3: needs warning for the Time Range object in access rules

Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.

CSCsd33025—Deployment fails on a device with too many AAA server groups

Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.

CSCsd60788—No port-map command generated if rules and predefined protocols conflict

Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.

CSCsg35578—Import ACE: Validation not done if the config is not in show run format

Description: Some options are omitted from rules created with the Import Rules tool (for example, empty port values), and destination port values are not validated for 'eq' and 'neq' on IOS devices.

CSCsh68101—Activity Report: Issues with access rules table

Description: Rule section changes are not reported in the activity reports.

CSCsh94210—Problems matching interface when reusing AAA policy objects

Description: AAA Server policy objects cannot be reused because of mismatched interfaces. This might result from an interface role used to define an interface that is not matched to a physical interface after rediscovery. For PIX/ASA7.x devices, this might result from using "inside" (or an interface name that starts with "inside") to describe the interface.

CSCsi18871—PIX 7.1 gtp-map subcommand order is not preserved

Description: Changes to the match-condition order for a gtp-map used in a PIX 7.0 or PIX 7.1 device do not get deployed to the device.

CSCsi23683—Deployment fails when you reconfigure bridge-groups in transparent rules

Description: When you associate interfaces with another bridge-group and provision it in Security Manager, the deployment shows an error; however, the device in this case has been provisioned correctly.

CSCsi34298—Webfilter: Deployment fails if overlapping filter commands are defined

Description: If two filter commands of the same type are defined with the same port ranges (service) or overlapping port ranges and overlapping networks, deployment to a device fails. The device does not accept overlapping filter commands.

CSCsi35479—HTTP policy: Commands generated for every deployment

Description: For ASA 7.2 HTTP Maps, if the body match maximum is set to 0 (zero), the device accepts the command as "body-match-maximum" but shows it in show run as "body-match-maximum 0". This causes the delta to always contain the removal of the http policy-map subcommands and adding them back.

CSCsi50493—DataLoader's load method needs to handle quotes

Description: The access rules table might not finish loading for a newly discovered device if the discovered configuration has access-list remarks that contain quotes or double quotes.

CSCsi87422—Security Mgr does not allow overlapping globals on different interfaces

Description: When you create overlapping global rules on different interfaces for PIX/ASA/FWSM devices, Security Manager returns an error about overlapping IP ranges even though the global interfaces are different.

CSCsj16898—Inspection rule for WAAS is not discovered in FWSM 3.2(0)89

Description: WAAS inspection rules are not shown in the inspection rules table for FWSM devices.

CSCsj17336—Inspect rule: DCE RPC policy map and inspect rule not discovered

Description: DCE RPC inspection maps are not shown in the inspection rules table or the policy object manager.

CSCsj64024—Find is not working for contracted local rules

Description: Find/Replace does not find any matching results even though the value to search for does exist in the rule table.

CSCsj97405—AAA include/exclude command modelled incorrectly

Description: The AAA include/exclude commands can each have multiple instances, but the current rule file models them as a single instance command and therefore leaves only one instance after processing.

CSCsk12692—Unsupported CLIs in the previous version are negated after upgrade

Description: After you upgrade from Security Manager 3.0.1 to 3.1 or from 3.0.2 to 3.1.1, the command "ip http server" is deployed to an IOS router that already has the command "ip http secure-server". The command "ip http server" enables the unencrypted HTTP management server on the router in addition to the HTTPS server that was already configured, so check the Preview Configuration for it before the first deployment after an upgrade.

CSCsk19314—Upgrade 3.0.2 to 3.1.1: Deploy fails if dynamic NAT rules exist on dev

Description: Deployment to file or device might fail with a Null Pointer Exception for an IOS router device with NAT rules configured.

CSCsk46057—Upgrade should restore csm.properties files

Description: When you upgrade Security Manager from version 3.0.2 to 3.1.1, any changes that you made in the csm.properties file are lost.
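Two of the caveats in this table, CSCsb85487 (an ACL deployment can cut off management access) and CSCsk12692 ("ip http server" appears in the delta after an upgrade), are the kind of thing a reviewer catches by reading the Preview Configuration before deploying. The following Python is an added example written for these release notes, not Security Manager code: it models both checks against a generated IOS delta. The sample running configuration, the delta, the management station address and the ACL name are constructed for the example, and the ACL evaluator covers only the common extended-ACL form (host/any/wildcard addresses and an optional destination port).

```python
"""Pre-deployment review of a generated IOS delta (added example; not
Security Manager code).

Check 1 (CSCsb85487): would the new access list still permit management
traffic (SSH and HTTPS) from the management station to the device?
Check 2 (CSCsk12692): does the delta enable the plaintext HTTP server on a
router that already runs "ip http secure-server"?

The ACL evaluator handles "permit|deny <proto> <src> <dst> [eq <port>]"
with host/any/wildcard-mask addresses; source ports, "established" and
"log" keywords are not modelled (an assumption of the example). First
match wins and an implicit deny ends the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ssh": 22, "www": 80, "telnet": 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "ip"
    dport: Optional[int]  # destination port, None if not port-specific


def _parse_addr(tokens: List[str], i: int):
    """Consume an address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D W.X.Y.Z": the IOS wildcard mask is the inverted netmask
    addr, wild = tokens[i], tokens[i + 1]
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str], name: str) -> List[Tuple]:
    """Return the ACEs of the named extended ACL as (action, proto, src, dst, dport)."""
    aces = []
    in_acl = False
    for raw in lines:
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
            continue
        if not in_acl or not line or line.startswith("remark"):
            continue
        if not line.startswith(("permit ", "deny ")):
            in_acl = False  # a new top-level command ends the ACL body
            continue
        t = line.split()
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append((t[0], t[1], src, dst, dport))
    return aces


def acl_permits(aces: List[Tuple], flow: Flow) -> bool:
    """Evaluate a flow against the ACEs in order; implicit deny at the end."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport in aces:
        if proto != "ip" and proto != flow.proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action == "permit"
    return False


def management_lockout(config: List[str], acl: str, mgmt_host: str, device: str) -> List[str]:
    """Names of the management services (ssh, https) that the ACL would block."""
    aces = parse_acl(config, acl)
    return [name for name, port in (("ssh", 22), ("https", 443))
            if not acl_permits(aces, Flow(mgmt_host, device, "tcp", port))]


def plaintext_http_enabled(running: List[str], delta: List[str]) -> bool:
    """True if the delta turns on 'ip http server' while the router already uses HTTPS."""
    run = {l.strip() for l in running}
    new = {l.strip() for l in delta}
    return "ip http secure-server" in run and "ip http server" in new


# Constructed running config: a management ACL applied inbound on the LAN interface.
RUNNING_CONFIG = """\
ip http secure-server
ip access-list extended MGMT
 remark management station only
 permit tcp host 10.1.1.5 host 192.0.2.1 eq 22
 permit tcp host 10.1.1.5 host 192.0.2.1 eq 443
 deny ip any any
interface FastEthernet0/0
 ip access-group MGMT in
""".splitlines()

# Constructed preview delta: the edited policy dropped the HTTPS permit, and
# the delta re-adds "ip http server" as described in CSCsk12692.
DELTA = """\
ip http server
ip access-list extended MGMT
 permit tcp host 10.1.1.5 host 192.0.2.1 eq 22
 deny ip any any
""".splitlines()

if __name__ == "__main__":
    blocked = management_lockout(DELTA, "MGMT", "10.1.1.5", "192.0.2.1")
    print("management services blocked by new ACL:", blocked or "none")
    print("plaintext HTTP server enabled by delta:", plaintext_http_enabled(RUNNING_CONFIG, DELTA))
```

Run against the constructed delta, the first check reports that HTTPS from the management station would be blocked and the second flags the "ip http server" line; either finding is a reason to fix the policy in Security Manager before the deployment job runs.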


Installation and Upgrade

Table 12 Installation and Upgrade 

CSCsb65932—The Windows language version must be either English or Japanese

Description: On your Security Manager server and on every PC on which you install Security Manager Client, you must use either the English (United States) or Japanese version of Windows.

CSCsh85196—Apache server fails to start due to dll name conflict

Description: If other software that uses OpenSSL (such as Legato or Veritas backup software) is installed on the same machine as Security Manager, the apache server fails to start.

CSCsi06508—CSM reverts to CW Local authentication after upgrading from 3.0 to 3.1

Description: The authentication mode for Security Manager reverts from ACS authentication to CiscoWorks Local authentication after the server is upgraded from Security Manager 3.0 to Security Manager 3.1. Verify the authentication mode after the upgrade and reselect ACS if required.

CSCsi24016—ACS permissions are not updated after upgrading from CSM 3.0.1 to 3.1

Description: Updated permissions are not added to the default user roles for Security Manager in ACS after upgrading from Security Manager 3.0.1 to Security Manager 3.1.

CSCsi04116—AUS option cannot be deselected during inline upgrade from 3.0.1 to 3.1

Description: When you perform an inline upgrade from Security Manager 3.0.1 to Security Manager 3.1, the Auto Update Server 3.1 option in the component selection screen of the installation wizard is grayed out and selected by default. As a result, AUS 3.1 is always installed on your server system, leaving you with no choice to deselect it during inline upgrade.

CSCsj97840—Installer is overwriting gatekeeper.cfg file (multihome file)

Description: Multihome configuration does not work after upgrade.

CSCsk06133—RBAC: Upgrade from 3.0.2 to 3.1.1 hangs at CSAgent installation

Description: The Installer appears to hang when upgrading from CSM 3.0.2 at the Stopping CSAgent point.

CSCsk39707—Installer fails to upgrade the HA agent files into the Veritas directory

Description: Security Manager Veritas Cluster Server (VCS) agent files are not updated after installation of Security Manager.

CSCsk41218—Client uninstall not cleaning out install dir; install JVM unintuitive

Description: When you upgrade to Security Manager 3.1.1 from 3.0.2, you are prompted that a Java Virtual Machine is being installed and you are asked if you want to override the directory. No is preselected, but you should select Yes.


IPS and IOS IPS

Table 13 IPS and IOS IPS 

CSCsh67506—Dynamic IP address IOS router imported by CNS cannot be discovered

Description: Discovery and deployment of IOS IPS devices through CNS servers does not work. In the Add Device wizard, do not select the IPS option; create the device as an IOS-only device. If the device was already created as an IPS device, errors occur while discovering and deploying the IPS-related policies, but all other policies are discovered and deployed properly.

CSCsh76667—Changing a custom sig to a different engine breaks config generation

Description: After you discover a device that has a custom signature with the atomic-ip engine, delete that custom signature, and create a new custom signature with an engine other than atomic-ip, configuration preview reports errors and the configuration is not generated.

CSCsh86189—Sig update fails when using HTTP if console logging is on

Description: A signature update to an IOS IPS device can fail if HTTP is used as the protocol and console logging is turned on for the device.

CSCsi31784—Greenfield IOS IPS device added at one sig level lower than the highest

Description: When using the Add Device > Add New Device option, sometimes the signature release level associated with the device is not the same as the highest level available in Security Manager.

CSCsi45590—Cannot add IOS IPS device with TrendMicro V version

Description: IOS IPS devices that have Trend signatures on the device cannot be discovered by Security Manager.

CSCse95933—IPS related policies should be listed in device properties page

Description: In the device properties page, under the policy object overrides, policies which are not needed for IPS are listed but should not be.

CSCsf24765—Summary page missing names for VLAN & promiscuous VLAN groups

Description: The Interface summary tab does not have columns for VLAN Pair name or VLAN group name. This can be observed after creating a VLAN pair or VLAN group and then viewing the Summary tab.

CSCsg24936—SigTuning: Handling of special policy names

Description: The IPS policy names "Default" and "Local" are used with special meaning, but a user can create a policy with these names, potentially causing confusion.

CSCsg25899—6.x related pol should not be listed for 5.x devices in copy & share policy

Description: When copying or sharing policies with an IPS 5.1 device as the source, the policy tree contains Anomaly Detection and External Product Interface, even though these are IPS 6.0 policies that do not apply to IPS 5.1 devices.

CSCsg26218—Icon next to NTP shows the NTP is not default when it is not the case

Description: When an IPS 4240 device is added without configuring an NTP server, so that default NTP values are in effect, the icon next to NTP is shown with the dotted lines, which indicates, incorrectly, that the policy is changed from the default.

CSCsg38052—VLAN groups need to display "unassigned" VLANs

Description: When a VLAN group is set to unassigned, nothing is displayed on the VLANs tab of the VLAN Groups page or on the VLANs tab of the Summary page.

CSCsg51052—After Abort, progress bar continues to 100% and Status remains Started

Description: This defect occurs after clicking the Update via CCO button on the Tools > Admin > Licensing > IPS page. If "cancel" is clicked, the progress bar shows 100% and the operation is stopped, but the status displayed does not change from "starting."

CSCsg80289—Warning message is displayed during blocking policy deployment.

Description: This defect occurs when configuring the user profile and master blocking policies on an IPS 6.0 device. A warning message appears even though deployment is successful.

CSCsh02407—Autoupdate setting value for a device should be same in device tree

Description: This defect occurs in the "Apply update To:" table on the Tools > Security Manager Administration > IPS update page. When a setting for one device is changed in one group, the setting for the same device listed under another group is not updated.

CSCsh36604—EAO: After editing row, the edited row is displayed as a last row

Description: For certain policies which contain information in a table, if a user edits a row, afterwards the edited row will be moved to the last row in the table.

CSCsh52484—Licensing Date Varies between sensor CLI and sensor

Description: The license expiration date shown in the Security Manager client can disagree with the expiration date shown by the sensor CLI.

CSCsh53265—IPS, IPS update admin page, check box initialization

Description: The check boxes for shared signature policies in the "Apply Update To:" table on the Tools > Security Manager Administration > IPS Update page do not precisely reflect the update policy of a device that has a local signature policy inherited from the shared signature policies.

CSCsh77105—Signatures removed from current.xml

Description: This defect occurs during deployment. If a signature "edit" parameter (severity, enable, disable, action, retired, or SFR) has the same value as the default, the parameter is assumed to come from the default, even though it might have been edited.

CSCsh86808—Sig policy icon is blank after being removed from shared sig policy

Description: The signature policy icon appears blank when the device is removed from a shared signature policy.

CSCsi01650—The show content option in context menu for victim addr is not working

Description: If you select Show Content from the popup menu in the Victim Address column then you will actually be seeing the content of the Attacker Address column.

CSCsi14306—Download config to device fails during major upgrade

Description: While applying the major upgrade 6.0(1) to a device running 5.x, the package is successfully pushed to the device, but the deployment job fails with the error "Failed to download config to device."

CSCsi18661—Deploy of new variable does not work

Description: This defect occurs when creating a policy object and then configuring allowed hosts, anomaly detection, or signature setting policies. After deploying the configuration to the device, the policy object name will not be kept in the device.

CSCsi26525—OOB OPACL changes not synchronized after successful deploy

Description: Out-of-band (OOB) OPSIG/OPACL (signature ID 50000-59999) configuration changes on a device are not automatically synchronized during deployment.

CSCsi33159—Greenfield device is showing 5.1(4)E1 but should be 5.1(5)E1

Description: This defect occurs when adding a new IPS device. For a 5.1(5)E1 device, the device version is shown, incorrectly, as 5.1(4)E1.

CSCsi39380—Security Manager trying to deploy multiple IP addresses and fails

Description: Deployment of an NTP policy with policy objects fails under certain conditions.

CSCsi44605—IPS variable names cannot contain special characters

Description: For IPS devices only, Security Manager does not allow the special characters - and _ in variable names. If they are used, validation fails when you attempt to create network policy objects.

CSCsi47289—Policy object overridden at VS level is not deployed correctly

Description: Policy object values are not deployed correctly if they are overridden at the virtual sensor level.

CSCsj60530—Inventory alone discovery fails for IPS6.x device for submit operation

Description: Activity validation fails after an inventory-only discovery of a device that has a virtual sensor, because no Allowed Host is defined.

CSCsj62074—Blocking: Unable to edit the interface under Router tab

Description: Unable to edit the interface name and direction of a blocking interface under the "Router" and "Catalyst 6500" tabs of the IPS Blocking policy.

CSCsl41758—VLAN pair editing of interface - OK doesn't save changes

Description: After a VLAN inline pair is created, if you try to modify the interface name, the Edit VLAN Inline Pair screen does not allow you to save the changed information.


Miscellaneous Issues

Table 14 Miscellaneous Issues 

CSCse59404—Certificates are out of sync with IOS versions prior to 12.3T

Description: Certificate mismatch or not trusted errors result during deployment and discovery for IOS devices.


PIX/ASA/FWSM Configuration

Table 15 PIX/ASA/FWSM Configuration 

CSCsb17962—Service objects with same content can cause problems during discovery

Description: If multiple service objects have different names but the same definitions, the wrong service object might be used during discovery. Because the service objects are equivalent, deployment using a service object with a different name does not cause problems.

CSCsd12592—Need to catch conflicting NAT commands during validation

Description: Deployment fails for NAT commands and an error message states that the NAT command is a duplicate and was already defined on the device.

CSCsd38176—Logging rate limit - discovery and deployment do not use logging level

Description: Values in the Logging Level column of the Individually Rate Limited Syslog Messages table are not used and are overwritten after rediscovery.

CSCsd39283—Deployment fails on no allocate-interface command in ASA/PIX70 multimode

Description: If you deallocate a subinterface from a security context and delete it from the interface table, deployment fails on PIX 7.x and ASA devices in multiple mode.

CSCsd41095—AUS deployment fails if static settings in Security Manager duplicated

Description: If a device has duplicate MAC addresses in the static arp table and the static mac-address-table, or if Security Manager policies have duplicate MAC addresses in the arp table and the mac-address table, the AUS deployment might fail.

CSCsd61768—"policy-map" cmds renamed on initial deployment without policy changes

Description: Device import discovers an enabled policy map and its related commands as service policy rules and traffic flow objects. Security Manager does not preserve the original policy map names on a device.

CSCsd61906—PIX contact credentials (username/password) are deployed every time

Description: After you configure your username, password, and privilege level on the Contact Credentials page, the information is sent to the device during every deployment.

CSCse36406—Failover suspend-config-sync option is removed

Description: The suspend-config-sync option was removed from Security Manager because of a problem in configuration rollback.

CSCse41791—FWSM rollback fails when combined in one job with Catalyst rollback

Description: If you use one job to roll back the configurations of both an FWSM and a Catalyst device, the FWSM rollback fails. You must roll back the Catalyst device first, then use a second job to roll back the FWSM.

CSCse47710—Warning to change admin context should note connection loss

Description: Changing the admin context in multi- or mixed mode causes the connection between Security Manager and the device to be lost.

CSCse48708—FWSM 2.x VCs interface table is empty after discovery

Description: After discovering FWSM 2.x security context devices, some of the vlan interfaces are missing from the devices' interface table.

CSCse50869—FWSM 3.1 discovery via config file creates context in router mode

Description: After you add and discover an FWSM 3.1(x) multi-mode, mixed OS mode device from a configuration file, all security context devices are created in Security Manager as "router" OS mode, even though some of them might really be "transparent" OS mode.

CSCse59177—FWSM interface alias causes deployment to fail

Description: Security Manager does not support interface alias for FWSM devices. If you try to configure interface alias on an FWSM, it might result in deployment failure for a security context.

CSCse51450—OSPF validations are not adequate

Description: Security Manager does not prevent certain invalid OSPF configurations from being discovered.

CSCse57737—The user defined bridge group name cannot be rediscovered

Description: A bridge group name defined in the Security Manager user interface cannot be rediscovered.

CSCsh20731—FAILOVER - Active/Active deploys to Standby unit and returns errors

Description: When deploying to a virtual context that is designated for Failover group 2 (and subsequently becomes the Standby context on the Primary unit), numerous errors are returned for every command deployed.

CSCsi05756—PPPoE & FAILOVER - No validation that both features cannot co-exist

Description: Security Manager allows a user to configure failover along with PPPoE even though that configuration is not supported.

CSCsi09814—Configuration updates fail for CNS-managed PIX Firewall devices

Description: Although Security Manager successfully deploys the configuration file to CNS, PIX Firewall devices configured to use CNS as the transport server cannot retrieve updates from CNS at the preset polling time and an error is entered in the device log file.

CSCsi23903—FWSM 3.2 rollback does not work if it contains mac-add static command

Description: After you roll back the configuration of an FWSM 3.2 that contains the mac-address-table static inside interface_name mac_address command, the configuration on the device remains the same as what existed before rollback.

CSCsi24397—SLA: needs add activity validation for interface roles

Description: When an SLA monitor object is used in route tracking by static route, PPPoE, or DHCP, no commands for the SLA monitor are generated if the SLA monitor object references an interface role that cannot be resolved to a valid interface policy on the device.

CSCsi42889—Swapping interface names causes deployment failure

Description: Swapping interface names among the interfaces on a device causes a deployment to fail.

CSCsi44546—RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed

Description: RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed using Security Manager 3.1.

CSCsi51062—ASA5505:Deployment fails for mgmt-only option set with 4 nameif configur

Description: On an ASA 5505 device that has four interfaces configured using nameif, if you select the Management Only option for an interface that has backup interface configured, deployment to the device fails.

CSCsk05938—Bridge group config is missing on some FWSM VC interface after upgrade

Description: One VLAN interface on an FWSM 3.1 virtual context sometimes loses its bridge group configuration after you upgrade from Security Manager 3.0.1 to 3.1.

CSCsk43245—Failover Active/Active discovery action message misleading

Description: If a PIX/ASA or FWSM firewall is configured for Active/Active Failover, a Management IP Address that you add in the respective Security Context's > Device Properties > General section is removed after the initial deployment unless it is also configured in the System Execution Space's (System Context) > Security Context policy page.

After a discovery or rediscovery of a firewall configured with Active/Active Failover, the Discovery Status page incorrectly instructs the user to enter the Management IP Address within the Device Properties configuration.


Policy Objects

Table 16 Policy Objects 

CSCsd70915—GTP Map: Deployment fails due to PDP and signaling timeout issues

Description: When you deploy an inspection rule with the gtp-map command, the deployment fails and an error message states that the signaling timeout value is less than the PDP timeout value.


Router Configuration

Table 17 Router Configuration 

CSCsc77534—NAT interface deployment fails on 83x Series routers

Description: The deployment of NAT interface commands ip nat inside and ip nat outside fails on Cisco 83x Series routers.

CSCsc91151—Virtual interfaces not being removed from router configurations

Description: Virtual interfaces remain intact in a Cisco IOS router configuration even after you delete these interfaces from the Interfaces page in Security Manager.

CSCsf09088—PPP policy does not support if-needed and local-case keywords for AAA

Description: Security Manager partially discovers PPP configurations that contain the if-needed and local-case keywords for AAA.

CSCsg45483—Dynamic NAT rules duplicated without removing original rules

Description: Dynamic NAT rules that are discovered are duplicated by Security Manager without removing the original rules during the next deployment.

CSCsh18926—NetFlow deployment fails on subinterfaces

Description: Deployment fails when NetFlow is configured on a subinterface, even though a validation error is not given.

CSCsh42944—NAC policy deployment fails on Layer 2 interfaces

Description: Deployment fails for a Network Admission Control (NAC) policy. The ip admission command is not recognized on the device.

CSCsh57310—Static NAT network rule flagged as invalid

Description: A static NAT network rule that was discovered from a device configuration is flagged as invalid during activity validation.

CSCsi16871—SDP - Invalid characters not detected in device name formula

Description: Deployment fails due to invalid characters defined in the SDP device name formula.

CSCsi20458—802.1x - Number of retries command not generated correctly

Description: The dot1x max-req value command is generated at the global level of the device configuration instead of the interface level.

CSCsi25845—PPP - No validation for multilink support on device

Description: Deployment fails because PPP policy includes multilink commands that are not supported on the device.

CSCsi27208—OSPF Interface - field values cannot be removed and saved when editing

Description: If you delete the contents of a text field when editing an OSPF interface policy, Security Manager does not save the changes.

CSCsi45209—Static routing - deployment failure after DB upgrade

Description: Deployment and preview configuration fail for static routing policies after a database upgrade.

CSCsi50311—OSPF MD5 key not removed if interface authentication is clear-text/none

Description: When you change the authentication type used by an OSPF interface from MD5 to clear-text or disable authentication, the identification number of the MD5 authentication key (ip ospf message-digest-key command) is not removed from the interface after deployment.

CSCsi55374—aaa authorization network cli not generated on a device for PPA policy

Description: If you select the Custom Method List option to use a remote AAA server for authorization in a PPP policy and modify the default authorization method defined in the AAA policy, the AAA authorization command for network connections is not generated on the device after deployment.

CSCsi56618—aaa authorization network cli is not generated in preview config for PPA

Description: If a router has been configured to use the default authorization method defined in the AAA policy for a PPP connection and the AAA network authorization settings are changed in the AAA policy, the aaa authorization network {default | list-name} command might not be generated in the preview configuration due to a conflict with the authorization method defined in the PPP policy.


Site-to-Site/Remote Access/SSL VPN Configuration

Table 18 Site-to-Site/Remote Access/SSL VPN Configuration 

CSCsb66843—Unable to delete the IPSec Profile

Description: If you have DMVPN or VRF configured on an IOS router and you try to change or remove this configuration in Security Manager, deployment fails and you receive a message that the IPSec profile is still in use and cannot be deleted. This is an IOS problem, not a problem intrinsic to Security Manager.

To work around this problem, reload the device, then manually remove the IPSec profile. If the configuration is saved to the startup-config, make a backup text file of the startup-config, remove the IPSec profile, reload the device, then copy the updated file to the device and save the changes to the startup-config.

CSCsd84663—Deployment fails on Cat6k when changing VPNSM/VPN SPA slot/subslot

Description: If you change the slot or subslot of a VPNSM or VPN SPA blade on a Catalyst 6500/7600 device, either in a VPN topology that was deployed, or in an IPSec proposal that was assigned to the device in a remote access VPN and deployed, deployment fails when you try to redeploy the VPN topology or device.

CSCse94752—Support for IOS version 12.2(33)SRA on 7600 devices

Description: Some commands integrated into Cisco IOS Release 12.2(33)SRA, such as crypto engine slot slot/subslot {inside | outside}, on Cisco 7600 Series Routers are not supported during deployment and discovery.

CSCsf27513—Cisco Secure Desktop 3.1 GUI not up-to-date with application versions

Description: When you create a Secure Desktop Configuration object from the Policy Object Manager window, spelling errors, outdated software program versions, and non-support of recent component releases are noticed during the configuration of a group-based VPN feature policy. This occurs because Security Manager 3.1 supports only CSD Release 3.1.1, which works with ASA 7.1, in which these GUI inconsistencies exist.

CSCsf32244—Deployment fails on preconfigured Easy VPN spoke

Description: When you configure a spoke in an Easy VPN topology using Security Manager, and the spoke is already configured as a remote client in an Easy VPN that is not managed by Security Manager, deployment fails if both configurations are on the same external interface.

CSCsg70106—Activity validation takes several minutes to complete

Description: An activity's validation process takes a long time to complete because the Security Manager database is very large. This may be due to the number of devices, objects, policies, and VPN configurations defined on the server.

CSCsg89249—Deployment fails on ASA 7.2(1) when removing IKE policy

Description: When you try to remove an IKE policy configuration from an ASA device that is running OS version 7.2(1) or 7.2(2), deployment fails.

CSCsg94596—Deploy fails on live ASA 7.2(1) RA server while removing IKE policy

Description: In a remote access VPN configuration, when you unassign IKE proposals from a live ASA 7.2(1) device, deployment fails due to an error with the no crypto isakmp command.

CSCsh14709—Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client

Description: In an Easy VPN topology, you cannot modify specific CLI commands, including interface settings, on an ASA 5505 or PIX 6.3 device that is configured as a remote client.

For a list of the CLI commands that cannot be modified, see the Commands That Cannot be Configured When Easy VPN is Enabled section in FAQs and Troubleshooting Guide for Cisco Security Manager 3.x.

CSCsh57280—Standby group change removes crypto map in H&S/RA VPN with HA

Description: In a hub-and-spoke or remote access VPN configured with High Availability, if you change the standby group number after a deployment, the crypto map is removed from the interface on a subsequent deployment.

CSCsh91913—Auto Update fails on ASA devices with auto-signon

Description: When you enable an SSL VPN connection profile on an ASA security appliance managed by AUS and configure the auto-signon command in an ASA user group, deployment of configuration changes to the device fails when you enable the device to request AUS for updates. This problem occurs when the same auto-signon commands have been configured in the same ASA user group on the device. Although deployment is shown as successful in the Deployment Manager window, an error is recorded in the AUS event report that the file was not downloaded to the device.

CSCsh93894—AUS deployment fails if PKI trustpoint sub-commands are in reverse order

Description: When you configure a PIX device with a PKI configuration, AUS deployment fails because Security Manager generates the CLI commands in the wrong order.

CSCsi09998—LDAP server URL required for CA servers that do not run LDAP protocol

Description: In a site-to-site VPN configuration, the LDAP Server URL field in the CA Information tab of the PKI Enrollment dialog box is mandatory if one of the "CRL..." options is selected from the Revocation Check Support list. This means you cannot add a CA server to a PKI object without entering the URL of the LDAP server from which the CRL is downloaded, even if the CA server does not use LDAP as the querying protocol for revoking certificates on the device.

CSCsi11214—CDP disabled for mGRE tunnels when ODR defined for large scale DMVPN

Description: When you deploy to a large scale DMVPN topology after configuring On-Demand Routing (ODR) as the routing protocol, the Cisco Discovery Protocol (CDP) is not enabled for the multipoint GRE (mGRE) tunnels. This problem occurs when CDP is not enabled at the global level on all supported interfaces.

CSCsi11854—Static routes not generated on devices in GRE Dynamic IP tunnel

Description: In a hub-and-spoke VPN topology in which the assigned technology is GRE Dynamic IP, when you configure a static routing protocol as your secured IGP, the CLI commands for static routes are not generated for the protected networks in the tunnel.

CSCsi19059—No validation error when large tunnel key value turns negative in DMVPN

Description: In a hub-and-spoke VPN topology, when you define a tunnel key with a large value in a DMVPN policy and save the changes, the tunnel key changes to a negative value after deployment. No error is displayed when you validate your activity, but an error message appears on submission and deployment.

CSCsi20081—Activity validation error in Easy VPN topologies using the same server

Description: When you configure two Easy VPN hub-and-spoke topologies using the same hub device for the Easy VPN server, and define different VPN interfaces and protected networks for the hub, an activity validation error states that the same interface has been defined for the IPsec proposals on the Easy VPN server hub.


Tools

Table 19 Tools 

CSCse69546—Backup/restore fails when Cygnus Solutions software is installed

Description: Backup/restore fails when Cygnus Solutions software is installed and Cygnus mounted drives are being used.


User Interface

Table 20 User Interface 

CSCsb84290—File selector is not refreshed when new files are added

Description: If you add files to the server when the "Choose File" dialog is open, the file selector does not refresh to display the new files.

CSCsc66055—Client is unresponsive when TACACS+ server is unavailable

Description: The Security Manager client stops responding when the Cisco Secure ACS that is performing user authentication goes down or becomes unavailable.


Auto Update Server (AUS) 3.1.1

AUS Known Problems

Table 21 Known Problems 

CSCsd25476—Configuration file download for an AUS-managed ASA device fails

Description: If you configure an ASA device in transparent mode and use AUS to deploy configuration changes from Security Manager to the device, deployment is shown as successful, although the device does not contain the deployed changes. The AUS event report shows that the file was successfully sent to the device without error and a "Wakeup information for process auto-update lost" message is recorded in the device log.


Documentation Updates

Topics in this section describe updates and changes to the user documentation for Security Manager 3.1.1.

IPS Event Viewer

This documentation update applies to the Online Help for Cisco Security Manager 3.1.

Replace the note on modifying Cisco Security Agent policies to enable communication between IEV client and IEV server with the following information.

To enable communication between IEV server and IEV client, you need to modify the Cisco Security Agent or any other anti-virus and network firewall software policies on the Security Manager server to configure TCP ports 60002 and 60003 as open ports. If the server has a preexisting installation of the full Cisco Security Agent, the standalone agent is not installed on the system when you install Security Manager. In such a case, configure the Cisco Security Agent network services to accept connections on TCP ports 60002 and 60003. However, if the server on which you install Security Manager was not previously installed with the full, commercial version of Cisco Security Agent, the Security Manager installer installs a customized, standalone agent on your server and opens the necessary TCP ports for communication between IEV server and IEV client.

When you start IEV client from the Security Manager client system, IEV client automatically opens TCP port 5001 to establish communication with the IEV server.

The following is additional information regarding the guidelines when working with IEV started from Security Manager:

You cannot start IEV client from a Security Manager client if the Security Manager server has also been installed on the same system.

New Features in Security Manager 3.1

This documentation update applies to the User Guide for Cisco Security Manager 3.1 and online help.

The following information is incorrect in the "What's New in Cisco Security Manager 3.1" section of Chapter 1, Getting to Know Security Manager, and needs to be removed from the list of new features in 3.1:

Linkage between Security Manager and MARS for logs.

Discovering Remote Access VPN Policies

This documentation update applies to the User Guide and Online Help for Cisco Security Manager 3.1.

The following is additional information regarding the discovery of remote access VPN policies that are configured on a device, and applies to the "Managing Remote Access VPNs" chapter:

Remote access VPN policies are not selected by default for discovery in the Create Discovery Task dialog box.

Device OS Version Interoperability with Device Managers Started from Security Manager

This documentation update applies to the User Guide and Online Help for Cisco Security Manager 3.1.

The following table replaces the table in the Using Monitoring, Troubleshooting, and Diagnostic Tools chapter that lists the device manager version supported for each software version running on the device when you start the device manager from Security Manager.


Note If you are using Security Manager 3.1, the table of supported device manager and device OS versions in the User Guide and Online Help for Cisco Security Manager 3.1 remains valid. This updated table applies only if you upgrade to Security Manager 3.1.1 SP 1 from an earlier version of Security Manager. For a complete list of device manager versions that can be started from Security Manager 3.1.1 for the various software versions running on devices, see Release Notes for Cisco Security Manager 3.1.1.


Table 22 Supported Device Manager Versions and Device OS Versions 

Device Manager   Device Manager OS Version   Device OS Version
ASDM             6.0(2)                      ASA 8.0(2)[1], PIX 8.0(2)
                 5.2(2)F                     FWSM 3.1, 3.2(1)[1]
                 5.2(3)                      PIX 7.2, ASA 7.2[1]
                 5.1(2)                      ASA 7.1[1], PIX 7.1
                 5.0(7)                      ASA 7.0(1) through ASA 7.0(7)[1], PIX 7.0(1) through PIX 7.0(6)
PDM              4.1(5)                      FWSM 2.2, 2.3[1]
                 3.0(4)                      PIX 6.3
                 2.1(1)                      PIX 6.2, FWSM 1.1[1]
                 1.1(2)                      PIX 6.0, 6.1
IDM              5.1                         IPS 5.0(x), IPS 5.1(x)
                 6.0                         IPS 6.0(x)
SDM              2.4.1                       Most recent and previous releases of Cisco IOS software running on your Cisco router.

[1] Device managers can be started for FWSM blades and ASA devices running in transparent mode (Layer 2 firewall) or routed mode (Layer 3 firewall) and supporting a single security context or multiple security contexts.


Where To Go Next

If you want to:                                          Do this:

Install Security Manager server or client software
    See Installation Guide for Cisco Security Manager 3.1.

Understand the basics
    See the interactive JumpStart guide that opens automatically when you start Security Manager.

Get up and running with the product quickly
    See the "Checklist for Getting Started with Security Manager" topic in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.1.

Define essential settings
    See the "Define These Settings First" topic in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.1.

Manage user authentication and authorization
    See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.1:
        Setting Up User Permissions
        Integrating Security Manager with Cisco Secure ACS

Bootstrap your devices
    See the "Preparing the Devices for Security Manager to Manage" topic in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 3.1.

Install entitlement applications
    Your Security Manager license grants you the right to install certain other applications, including specific releases of RME and Performance Monitor, that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 3.1.


Related Documentation

Table 23 describes the product documentation that is available. For information on ordering printed documents, see Obtaining Documentation, Obtaining Support, and Security Guidelines.

Table 23 Product Documentation 

Document Title
Available Formats

Installation Guide for Cisco Security Manager 3.1[1]

PDF on the product DVD-ROM.

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_installation_guide_book09186a00807eb563.html

User Guide for Cisco Security Manager 3.1

PDF on the product DVD-ROM.

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_user_guide_book09186a00807eaea2.html

Supported Devices and Software Versions for Cisco Security Manager 3.1

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_device_support_table09186a00807eae7e.html

FAQs and Troubleshooting Guide for Cisco Security Manager 3.x

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guide_book09186a008063fb75.html

Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_upgrade_guides_book09186a008063ea05.html

High Availability Installation Guide for Cisco Security Manager 3.1

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_installation_guide_book09186a0080771e48.html

User Guide for Auto Update Server 3.1

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_user_guide_book09186a00807ebc2b.html

Supported Devices and Software Versions for Auto Update Server 3.0

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_device_support_table09186a0080631344.html

Installation and Release Notes for Cisco Performance Monitor 3.1

On Cisco.com at this URL:

http://www.cisco.com/en/US/products/ps6498/products_release_and_installation_notes09186a00807ebd19.html

Context-sensitive online help

Click the Help button in a window or dialog box.

[1] Includes "Importing IPS MC 2.2 Data" using IpsMcDbUpgrade.pl.


Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html