 Feedback
|
Table Of Contents
Release Notes for Cisco Security Manager 3.2.1
What's New in Security Manager 3.2.1
Cisco Security Manager 3.2.1 Service Pack 1 Download and Installation Instructions
Cisco Security Manager 3.2.1 Download and Installation Instructions
Catalyst 6500/7600 Configuration
Diagnostics, Monitoring, and Troubleshooting Tools
Site-to-Site/Remote Access/SSL VPN Configuration
Understanding IPS Licensing Restrictions
Understanding ASCII Limitations for Text
Policy Discovery Restriction for Adding Devices Using Configuration Files
Using AUS with a Custom HTTPS Port Number for Security Manager Server
Limit on the Number of Keywords Supported for MARS Events Lookup from a Policy
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Security Manager 3.2.1
Revised: April 26, 2010
Note
Do not use this version of Security Manager to manage ASA 8.3 devices. This version of Security Manager configures ASA 8.3 devices in downward-compatibility mode, meaning that the device configuration does not use the new features introduced in version 8.3. Because of the extensive changes introduced with version 8.3, it is not downwardly-compatible with older ASA releases. If you want to manage ASA 8.3 devices with Security Manager, you must upgrade to Security Manager 4.0.
Introduction
Note
This document contains release note information for the following:
•
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM, VPNSM, VPN SPA, and ISDM-2). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
•
The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.
Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.
Note
This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
What's New in Security Manager 3.2.1
•
•
•
–
–
•
–
–
•
•
•
•
–
–
–
•
•
•
•
•
•
•
•
Installation Notes
•
•
•
•
Cisco Security Manager 3.2.1 Service Pack 1 Download and Installation Instructions
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Note
Step 10
Cisco Security Manager 3.2.1 Download and Installation Instructions
To download and install Cisco Security Manager 3.2.1:
Step 1
Step 2
Note
Step 3
Note
Step 4
The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.
Note
Tip
Important Notes
•
•
•
•
•
•
•
•
HTTP_PORT=<port_number>HTTPS_PORT=<port_number>When you start the client the next time, it uses the updated port numbers, based on the protocol selected, to communicate with the server.
•
1.
2.
3.
4.
5.
6.
7.
Note
•
•
•
•
•
Caution
Resolved Problems
Table 2 contains problems that were resolved in Security Manager 3.2.1 Service Pack 1.
Table 1 contains problems that were resolved in Security Manager 3.2.1.
Table 1 Resolved Problems in Security Manager 3.2.1 Service Pack 1
Description: The GUI does not support the policy object selector under the following conditions: Edit the signature with ID 2100, which has a sweep engine; click on the Edit parameter and click on the Engine, then Src (or Dst) Addr Filter and click on the field. The user will be unable to reference a Policy object (variable) for the src and dst addr filter parameter for sweep signatures.
Description: The Security Manager Client hangs when you click the Retrieve From Device button on the Device Properties > Credentials panel to retrieve the certificate thumbprint from the device.
Description: Deployment of "neq" option in a service or portlist object is not correct.
Description: For IPS 6.1(1) E2 devices, a null pointer exception is encountered if the "Bypassmode" is changed and the Save button is clicked under either of these conditions: (1)IPS > Interfaces > Physical Interfaces or (2) IPS > Interfaces > Summary.
Description: The email subcommand under the trustpoint CLI should not be negated upon a discovery and deployment from Security Manager.
Description: Previewing a configuration shows the Port Forwarding Lists that were created within the DAP configuration as being cleared erroneously.
Description: This problem occurs in policy view (shared policy view) in the AIM-IPS policy under Interfaces > settings > AIM-IPS after edit and save, but you can continue after clicking OK.
Description: When deploying SSL VPN policies that include portal customization with unicode UTF-8 characters, deployment status can be displayed as "Deployed Sucessfully" even if the ASA device rejects the portal customization xml file.
Description: Preview policy-map type inspect DNS always shows delta.
Description: Import an ASA device that has Public Key Infrastructure (PKI) configured for VPN, and one or more trustpoints with the "fqdn none" option employed. Subsequent deployment removes the "fqdn none" command if the trustpoint has an enrollment type "self" or "terminal."
Description: PIX and ASA do not support crypto ACL with ICMP service and a type specified.
Description: If the configuration option stopDownloadOnError is enabled, when rollback of an SSL VPN configuration fails, Security Manager will try to restore the initial SSL VPN configuration present in the device before the rollback was started. If a CLI fails the download, then Security Manager will stop downloading the rest of the CLI.
Description: On ASA/PIX/FWSM devices, the ACL remark might get negated in the delta.
Description: Activity validation fails with an error that the address pool is not supported on the given device.
Description: An error is shown when you try to validate changes or open the interface policy editor for interface roles that are non-overridable.
Description: ASA 8.0(3)12 and later use a different smart tunnel command syntax. When an ASA device running 8.0(3)12 or later is imported into Security Manager, and the device contains the cli "smart-tunnel auto-start ..." in its configuration, the group policy GUI shows a blank smart tunnel field and the smart tunnel object is not discovered.
Description: Security Manager allows you to create networks using a range format (e.g., 10.20.0.0-10.20.255.255), but an exception results when a range is entered or selected.
Description: Currently, Security Manager supports configuration of the Authenticated NTP Server (Platform > Device Admin > Server Access > NTP). Security Manager supports configuration of NTP Server IP Address, Key and Key ID. To configure Unauthenticated NTP Server, you are no longer required to enter a Key and Key ID when configuring an NTP server.
Description: When attempting to add multiple new devices to Security Manager via the Add Device From File function (CSM client application > File menu > New Device... > Add Device From File option), even if you provide a valid CS-MARS format .csv seed file, the Security Manager client application still shows an error.
Description: Security Manager throws a UI validation error.
Description: New VPN dynamic route is incorrectly generated during deployment.
Table 2 Resolved Problems in Security Manager 3.2.1
Description: When you create a Secure Desktop Configuration object from the Policy Object Manager window, spelling errors, outdated software program versions, and non-support of recent component releases are noticed during the configuration of a group-based VPN feature policy. This occurs because Security Manager 3.1 and 3.2 support only CSD Release 3.1.1, which works with ASA 7.1, in which these GUI inconsistencies exist.
Description: When you try to remove an IKE policy configuration from an ASA device that is running OS version 7.2(1) or 7.2(2), deployment fails.
Description: In a remote access VPN configuration, when you unassign IKE proposals from a live ASA 7.2(1) device, deployment fails due to an error with the no crypto isakmp command.
Description: In a hub-and-spoke or remote access VPN configured with High Availability, if you change the standby group number after a deployment, the crypto map is removed from the interface on a subsequent deployment.
Description: In a hub-and-spoke VPN topology, when you define a tunnel key with a large value in a DMVPN policy and save the changes, the tunnel key changes to a negative value after deployment. No error is displayed when you validate your activity, but an error message appears on submission and deployment.
Description: You cannot use SSH when deploying IOS-IPS category settings to a device. Instead, configure the device to use SSL for deployment.
Description: An "http redirect" is not discovered for an interface if no corresponding "http <ip> <mask>" exists. Discovery for "http redirect" (and for "http authentication-certificate") requires IP address/mask assignments on the related interfaces.
Description: Deployment to an AIM-IPS or to its parent router should be possible individually or together, but under some conditions, deployment to both fails on 28xx routers.
Description: Discovery is only partially successful for a Catalyst switch with two IDSMs.
Description: If you copy only the logging filters policy and not the event lists policy from the source device to the target device, deployment fails when you attempt to configure logging filters for event lists that are not available on the target device.
Description: If you attempt to edit the name of a PPPoE user which is already assigned to a VPDN group, the new name is not picked up.
Description: This defect occurs when discovering a router (R1) without AIM-IPS and discovering a second router (R2) with AIM-IPS. After a copy operation, the source interfaces of R1 are listed in the UI for R2, even though R2 does not have the interfaces on it. Also, the IDS-Sensor is on 0/1 but after the copy operation it is shown as IDS-Sensor 0/0.
Description: A user name/password credential cannot be applied to a FWSM 3.2 system context; deployment fails.
Description: The CLI can be used to edit properties such as fidelity, alert, event action, retire, and enable on default signature engines supported by IOS IPS. After such editing and then discovery in Security Manager, the changes in these properties are not preserved for the following two engines: Normalize and Service-RPC.
Description: After tuning a service-smb-advanced engine signature by changing the fidelity and changing the Service Port value, discovery works for the fidelity change but not for the Service Ports change.
Description: The EditUpdateSchedule dialog box produces unreliable results.
Description: The add, edit, and delete actions have no effect on the Interface Inline Pair, Vlan Pair, or Vlan Group when in Workflow mode with all activities closed. However, second and subsequent attempts are successful.
Description: Deployment fails when a virtual sensor is created in an IDS module that is discovered on a Catalyst 6000-series switch, but deployment succeeds when the IDS module is discovered directly.
Description: If you add multiple NTP server entries on a PIX/ASA in multiple-context mode, and then click Save, only one entry is actually saved.
Description: Removing a Timeout policy does not reset timeout parameters to their default values; the expected result.
Description: The user is not able to modify the Description and Default VLAN for an IDS module.
Description: When an QoS policy class map has an ACL that is shared with another policy map, removing the interface associated with the QoS policy class map causes an error.
Description: On FWSM 3.2, when the Webfilter url-server type is selected in N2H2/SmartFilter, the url-server command will be removed and redeployed on each deployment to the device.
Description: Under certain conditions, Security Manager detects out-of-band changes on an IOS IPS device but does not push them to the device.
Description: When deploying configuration changes from Cisco Security Manager to a FWSM, saving the configuration on the device fails; however, deployment reports it as successful.
Description: If you are adding a Cisco Catalyst 6500 Series switch that contains an Intrusion Detection System Services Module (IDSM), and import fails during discovery of the IDSM, the resulting error message will contain non-specific information.
Description: Detailed error messages are not displayed in Missing Interface Intercept ACL validation errors due to a typo in the properties file.
Description: ASA 8.x supports new service object groups that are not supported by Security Manager 3.2. If you configure a new service object group and use it in ACEs in the device, Security Manager 3.2 can discover the device; however, the access list is only partially discovered. The ACEs using the new service object group will not be discovered in Security Manager.
Description: SNMP Port value cannot be changed for Admin context on an ASA in multiple mode.
Description: Deleting rules from NAT > Translation Rules on a PIX/ASA/FWSM device sometimes does not work after a discovery or an activity approval.
Description: When a device has an ACL object with an underscore in its name assigned to both a NAT policy and an AIM-IPS monitoring policy, deployment to the device fails.
Description: Although Security Manager 3.2 supports upgrades only from the following previous versions: 3.0.2, 3.0.2 SP1, 3.1, 3.1.1, 3.1.1 SP1 and SP2, restoring a Security Manager database earlier than 3.0.2 goes through properly on a 3.2 server, without any error message or termination of this operation.
Description: IPS devices receive an update instead of a download only when the server is at a more recent signature level.
Description: Deploying a router (IOS IPS device) with no IOS IPS enabled can result in Security Manager pushing the ISP signature category command to the device.
Known Problems
This section contains information about the problems known to exist in Cisco Security Manager 3.2.1. The known problems are arranged into the following tables:
Note
•
•
•
AUS Known Problems
Table 3 AUS Known Problems
Description: A user logs out from the CiscoWorks session after launching AUS, but the AUS GUI remains open. If another user with a different role opens a new CiscoWorks session, other users can navigate the AUS GUI briefly in the original window. This problem occurs whether the CiscoWorks server or the Cisco Secure Access Control Server (ACS) manages authentication and authorization for AUS.
Description: If you configure an ASA device in transparent mode and use AUS to deploy configuration changes from Security Manager to the device, deployment is shown as successful, although the device does not contain the deployed changes. The AUS event report shows that the file was successfully sent to the device without error and a "Wakeup information for process auto-update lost" message is recorded in the device log.
Catalyst 6500/7600 Configuration
Table 4 Catalyst 6500/7600 Configuration
Description: Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 1 before configuring capture allowed-vlansDescription: If you modify the allowed VLANs of an IDSM data port that has been configured as a capture port and deploy configurations to the device, the following error occurs:
"Capture not allowed on a SPAN destination port"Description: Deployment might fail when you attempt to modify the physical port configuration type from access to trunk mode for a Catalyst switch and keep the Enable DTP negotiation check box selected in the trunk port mode.
Deployment
Table 5 Deployment
Description: Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.
Description: When you deploy an inspection rule with the gtp-map command, the deployment fails and an error message states that the signaling timeout value is less than the PDP timeout value.
Description: After Security Manager successfully deploys the configuration file to CNS, and Cisco IOS routers configured for CNS poll and apply the configuration changes at the predefined polling period, the Status column in the Deployment Manager window continues to display the job state as "Deploying".
Description: Rolling back configurations on FWSM 3.2 removes the crypto key from the device, preventing device access.
Device Management
Table 6 Device Management
Description: If you change the credentials for the admin context when using HTTPS as the transport protocol, Security Manager cannot connect to the system execution space (for FWSM). Ensure that you define the same credentials for both the admin context and the system execution space when using HTTPS.
Diagnostics, Monitoring, and Troubleshooting Tools
Table 7 Diagnostics, Monitoring, and Troubleshooting Tools
Description: During installation of Security Manager server 3.1 on systems that do not contain C: drive, IEV server fails to install and an error message is displayed. Also, an error is logged in the server installation log file.
Description: You cannot start IEV client from Security Manager client on a system in which the Symantec Client Firewall Port Scanning Module or Symantec Secure Port application is running.
Description: If your Security Manager client session is active when you perform policy lookup from the MARS GUI, the existing Security Manager client window is not brought to the foreground or into focus by default.
Description: If you create duplicates of a base rule in the Access Rules page of Security Manager, the events matching the second identical rule are only displayed in MARS when you perform a lookup.
Description: An error message is not displayed if you delete an access rule in Security Manager and perform lookup from the MARS events query results page that was opened by performing a lookup from the same access rule in Security Manager.
Description: When you start the Security Manager client from the read-only policy query page in MARS, the read-only page is refreshed and is displayed blank. However, you are prompted to install the Security Manager client and the page for downloading the application is opened.
Description: If you try to perform events lookup from the default signature, a "Policy not found" error message is displayed. However, if you edit the default signature and save it, the policy icon changes to show that a local policy is configured on the device and you can navigate to events in MARS.
Description: When you try to start the Security Manager client from the read-only policy query window in MARS, the File Download dialog box appears prompting you to confirm whether you want to download the CsmContentProvider file to your system.
Description: The disconnection between the Host Name field in the Device Properties page and the Host Name field in the policy page under the Device Admin section of the Security Manager GUI causes problems on FWSM blades with multiple contexts because a unique context cannot be identified during policy lookup from MARS events.
Description: MARS user credentials for events lookup are retained in the Security Manager cache even after you change the authentication mechanism to prompt the user for Security Manager credentials instead of MARS credentials.
Description: When you look up a MARS event generated by an access rule, disabled rules in the Security Manager rules table are not shown as inactive in the read-only policy query window.
Description: If you configured the option to use Security Manager credentials for events lookup, neither the query page in MARS nor the login dialog box is displayed and events lookup fails.
Description: The Report > Remote Access > Users > Session report in Cisco Performance Monitor does not show a report for ASA security appliances.
Discovery
Table 8 Discovery
Description: Device level overrides for policy objects corresponding to object groups can be created after discovering only the inventory policies like interfaces.
Description: If you upgrade the operating system version on a PIX device, rediscovering policies on the device might fail if the device includes RIP policies. Unassign the RIP policy before rediscovering the device.
Firewall Services
Table 9 Firewall Services
Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.
Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.
Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command and Hit Count results are inaccurately displayed.
Description: Security Manager does not check if the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, connection to the device might be lost.
Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; however, BGP is supported when the device has more than 24 MB memory. Security Manager does not detect the amount of memory available on the device and cannot enforce any restrictions. As a result, job deployment containing an ACL with ACEs having BGP will fail.
Description: IOS devices require that HTTP is used as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove the CLI when authentication proxy is unassigned from the device in Security Manager.
Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.
Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.
Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.
Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
Description: Some options are omitted from rules that are created using the Import Rules tool, for example, empty port values and destination port values that are not validated for 'eq' and 'neq' for IOS devices.
Description: Rule section changes are not reported in the activity reports.
Description: AAA Server policy objects cannot be reused because of mismatched interfaces. This might result from an interface role used to define an interface that is not matched to a physical interface after rediscovery. For PIX/ASA7.x devices, this might result from using "inside" (or an interface name that starts with "inside") to describe the interface.
Description: Changes to the match-condition order for a gtp-map used in a PIX 7.0 or PIX 7.1 device do not get deployed to the device.
Description: After you upgrade from Security Manager 3.0.1 to 3.1 or Security Manager 3.0.2 to 3.1.1, the command "ip http server" is deployed to an IOS router if the router already has the command "ip http secure-server". Command "ip http server" will turn on the HTTP server on the router.
Description: If a nested service object is used in a Policy Static rule, deployment might give an error that there is a protocol mismatch and fail to deploy to device.
Description: For ASA/PIX 7.x and above, and FWSM 3.x and above, when no interface is specified in a AAA server object, there is no error or warning message on this during activity validation.
Description: Deployment to the device might fail for filter commands on PIX/ASA/FWSM devices if there are services with overlapping ports.
Description: When you create a service policy object in Security Manager with a name that exceeds 64 characters., then deploy the configuration to a ASA/PIX 8.x device, a deployment error results, stating that the service object group name exceeds the maximum size of 64 characters.
Installation and Upgrade
Table 10 Installation and Upgrade
Description: On your Security Manager server and on every PC on which you install Security Manager Client, you must use either the English (United States) or Japanese version of Windows.
Description: Multihome configuration does not work after upgrade.
Description: Security Manager Veritas Cluster Server (VCS) agent files are not updated after installation of Security Manager.
Description: When you perform an inline upgrade from Security Manager 3.1 to 3.2 on a server in which Cisco Secure ACS is running, the following message is displayed:
Error: C:\PROGRA~1\CSCOpx\objects\db\win32\dbunic9.dll is used by another running process.Description: If you modified the HTTPS port number on your Security Manager server by running the changeport.exe <port_num> -s command at the NMSROOT/MDC/Apache directory prompt (where NMSROOT is the directory in which Security Manager is installed) and also updated the client.info file on your Security Manager client with the server port number, starting AUS or Common Services from the Cisco Security Management Suite page fails.
Description: On the System Requirements screen of the Security Manager installation, the Back button does not return you to the previous step.
Description: In some situations, the Cisco Security Agent cannot be shut down by the Cisco Security Manager installer and must be shut down manually.
Description: When upgrading from Security Manager 3.2 to 3.2.1, the Security Manager component is not successfully re-registered with the ACS server.
Description: If you select the option to not create shortcuts during Security Manager installation, the Cisco Security Manager Client application is not available from the Start menu.
IPS and IOS IPS
Table 11 IPS and IOS IPS
Description: Discovery and deployment of IOS IPS devices through CNS servers does not work. In the Add Device Wizard, the Option IPS should not be selected; the device should be created as an IOS only device. If the device had already been created as an IPS device, then there will be errors while discovering and deploying the IPS-related policies, but all other policies will get discovered/deployed properly.
Description: After discovering a device that has a custom signature with the atomic-ip engine, deleting that custom signature, and creating a new custom sig with an engine different from atomic-ip, configuration preview will cause errors an d the configuration will not be generated.
Description: Signature update to a IOS IPS device can fail if using HTTP as protocol and if the device console logging is turned on.
Description: This defects occurs during deployment. If a signature "edit" parameter (severity, enable, disable, action, retired, or SFR) is the same as the value defined in the default, then it is assumed that the parameter is defined from default, even though the parameter might have been edited.
Description: If you select Show Content from the popup menu in the Victim Address column then you will actually be seeing the content of the Attacker Address column.
Description: Out-of-band (OOB) OPSIG/OPACL (signature ID 50000-59999) configuration changes on a device are not automatically synchronized during deployment.
Description: This defect occurs when adding a new IPS device. For a 5.1(5)E1 device, the device version is shown, incorrectly, as 5.1(4)E1.
Description: Deployment of an NTP policy with policy objects fails under certain conditions.
Description: For IPS devices (only) in Security Manager the special characters - and _ are not allowed. If they are used, validation will fail when attempting to create network policy objects.
Description: Policy object values are not deployed correctly if they are overridden at the virtual sensor level.
Description: Discovery fails for a device that has more than one row for a target value such as "high." Deployment from Security Manager to a device that has out-of-band changes fails, too. Removing one entry from the device lets both operations succeed.
Description: Deployment to a IOS router containing NM-CIDs (router module) fails if AIM-IPS Interface Policy is accidentally deployed to the router.
Description: In the areas of Event Actions and Anomaly Detection, creating variables of the same name leads to Deployment errors.
Description: If the user creates a greenfield device, and the device has IPS metadata which is not registered in the Security Manager database, and then the user edits IPS policy and tries to deploy it to the device, deployment fails.
Description: Licenses for IPS 4270-20 devices are not applied correctly if a trial version has already been used on that particular device.
Description: Deployment fails after (1) creating a policy object for Target Value Rating and another policy object for OS-Identification and then (2) copying the Event Action policy to an IPS 5.1 device. (Only the TVR is applicable to the 5.1 device.)
Description: This defect occurs when a user creates a greenfield IOS IPS device, enables IPS, adds IPS policy, and previews it. The preview doesn't show the IPS drop-down option.
Description: When copying from a live device at 12.4(15)T3 to a greenfield device at 12.4(11)T2, signature engine parameters are not copied.
Description: For some Network Information policy changes, Security Manager goes through the Deployment without performing an out-of-band check.
Description: This defect occurs in Workflow mode with more than one user, for example, User1 and User2. User1 logs in, creates a new activity, creates a greenfield sensor, and clicks on Validate; the result is an AllowedHosts error, so User1 closes the activity. Next, User2 logs in, creates a new activity, creates a greenfield IOS IPS, and clicks on Validate; the result is an AllowedHosts error for the 1st device AND an InterfaceRule error for User2's IOS IPS device.
Description: When IPS updates are scheduled to be downloaded with option set as "Daily" and every two days at a designated time, automatic download does not work at the correct intervals.
Description: During IPS updates on IOS IPS devices, changes made in the Edit Parameters area are lost after deployment when more than one context is involved.
Description: Some IPS automatic update take effect without submitting and approving an activity.
Description: For some IPS devices, including the IPS-4260, copying the interface policy from one device to an identical device fails when the interface configurations are different.
Description: This defect is seen after copying a virtual sensor policy, with interfaces assigned to the VS, from one IPS sensor to a second sensor of the same model. If the user unassigns the interface policy on the second sensor, and then submits and deploys, deployment fails but no validation error is thrown.
Description: This problem occurs when the user leaves the Cisco.com or proxy server settings empty and schedules auto Download, Apply, and Deploy for selected devices. Cisco Security Manager does not check CCO or proxy server settings before allows user to configure Auto deploy to device.
Description: This problem occurs when the user clicks on the change report. The result is an error saying, "The changes you made for this activity are not available for viewing..." It happens for the activities/changes done as part of the IPS auto update.
Description: When using 0.0.0.0-255.255.255.255 in the OS Identification field in Network Information, this value is automatically converted to BB call <any> which the customer does not want to be converted this way. This causes a problem for the monitoring task. When the customer modifies the Target Value Rating (TVR) in this screen the BB <any> is sent to the devices.
Description: When Security Manager fails to push a signature package to an IPS device in a deployment job because of an expired license or a device timeout, subsequent signature tuning deployments also fail.
Description: Security Manager fails to display the signature description from the local NSDB for signatures newly added into signature updates for version S340 or higher.
Description: For IPS 6.1.1 devices, Security Manager shows the Enable one-way TCP reset option, but it is not supported and will not generate a delta during deployment.
Description: "Error loading page" for the NTP page occurs if the user copies an NTP policy from an IPS device running 6.1.1 to an IPS device running 5.x or 6.0.4.
Description: For default settings for the NTP option on an IPS 6.0.5 E2 device, Security Manager negates unauthorized NTP under certain conditions.
Description: When devices are being imported through the "Add Devices from file" option, some errors appear for IP address format in the Event Action Rules policy.
Description: When managing an IPS 6.1(1)E2 device, NTP server details are lost after configuration of unauthenticated NTP.
Description: For IDSM devices running 6.1(1), virtual sensors cannot be copied.
PIX/ASA/FWSM Configuration
Table 12 PIX/ASA/FWSM Configuration
Description: If multiple service objects have different names but the same definitions, the wrong service object might be used during discovery. Because the service objects are equivalent, deployment using a service object with a different name does not cause problems.
Description: Deployment fails for NAT commands and an error message states that the NAT command is a duplicate and was already defined on the device.
Description: If you deallocate a subinterface from a security context and delete it from the interface table, deployment fails on PIX 7.x and ASA devices in multiple mode.
Description: After you configure your username, password, and privilege level on the Contact Credentials page, the information is sent to the device during every deployment.f
Description: Changing the admin context in multi- or mixed mode causes the connection between Security Manager and the device to be lost.
Description: Security Manager does not prevent certain invalid OSPF configurations from being discovered.
Description: A bridge group name defined in the Security Manager user interface cannot be rediscovered.
Description: Security Manager does not support interface alias for FWSM devices. If you try to configure interface alias on an FWSM, it might result in deployment failure for a security context.
Description: When deploying to a virtual context that is designated for Failover group 2 (and subsequently becomes the Standby context on the Primary unit), numerous errors are returned for every command deployed.
Description: Creating a Failover policy that uses the same IP address as another interface, especially the Management IP address, does not produce a conflict message.
Description: Assigning a PPPoE-enabled interface to a device's Failover configuration does not produce an error message. PPPoE and Failover should not be configured on the same device interface.
Description: Any interface designated as a backup interface should not be used for Failover. However, no checks are performed for this condition.
Description: Swapping the VLAN interfaces assigned as LAN-based and Stateful Failover links on an FWSM 2.3(x) causes a deployment failure.
Description: Although Security Manager successfully deploys the configuration file to CNS, PIX Firewall devices configured to use CNS as the transport server cannot retrieve updates from CNS at the preset polling time and an error is entered in the device log file.
Description: De-allocating an interface from a security context, then assigning that interface as a failover link, and deploying these changes all at once causes a deployment error.
Description: When an SLA monitor object is used in route tracking by static route, PPPoE, or DHCP, no commands for the SLA monitor are generated if the SLA monitor object references an interface role that cannot be resolved to a valid interface policy on the device.
Description: On a 7.2 ASA/PIX with multiple AUS servers, changing the order of the AUS servers does not generate any commands.
Description: Swapping interface names among the interfaces on a device causes a deployment to fail.
Description: RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed using Security Manager 3.1.
Description: On an ASA 5505 device that has four interfaces configured using nameif, if you select the Management Only option for an interface that has backup interface configured, deployment to the device fails.
Description: Deployment may fail after deleting a subinterface included in the Failover monitor table.
Description: On an ASA in transparent mode, an error may occur if you add a "Management Only" subinterface before configuring the "Management Only" interface.
Description: After import/discovery of a security appliance on which Accounting enabled but no Privilege Level set, the default Privilege Level is 1; it should be zero.
Description: After adding a new multiple-mode ASA to Security Manager, attempts to discover it fail, with an "Invalid device type or version" message.
Description: The CLI commands generated by copying a policy (specifically Logging Filters in this case) from one device to another may not be displayed in Preview Configuration, although the policy was copied successfully.
Description: Cisco Security Manager 3.2 does not support ASA/FWSM interface names with () signs.
Description: Security Manager does not currently support configuration of the sensor <sensor_name> portion of the ips command, although it will pass that portion through during initial deployment of a so-configured device. However, with ips {inline | promiscuous} {fail-close | fail-open} sensor <sensor_name> configured on a device, if the containing class map changes for any reason, Security Manager will redeploy only the ips {inline | promiscuous} {fail-close | fail-open} portion of the command.
Description: When creating an HTTP policy, an HTTP server port number is provided. Following assignment of this policy to a device, the generated CLI includes this port number, which will cause deployment to fail. Instead of using a shared HTTP policy, enable the HTTP server on devices individually (via Device View).
Policy Objects
Table 13 Policy Objects
Description: After you create an extended ACL on a router in Security Manager, if you preview the configuration, you might get an error in some cases.
Router Configuration
Table 14 Router Configuration
Description: The deployment of NAT interface commands ip nat inside and ip nat outside fails on Cisco 83x Series routers.
Description: Virtual interfaces remain intact in a Cisco IOS router configuration even after you delete these interfaces from the Interfaces page in Security Manager.
Description: Security Manager partially discovers PPP configurations that contain the if-needed and local-case keywords for AAA.
Description: Deployment fails when NetFlow is configured on a subinterface, even though a validation error is not given.
Description: The dot1x max-req value command is generated at the global level of the device configuration instead of the interface level.
Description: Deployment fails because PPP policy includes multilink commands that are not supported on the device.
Description: If Security Manager is upgraded to 3.2.1 or the Security Manager database from an earlier release is restored in 3.2.1, you might receive a deployment error if a named ACL was assigned to HTTP.
Description: Deployment config has 'ntp server' configuration command even though no changes were made to the NTP policy.
Description: You can select an unsupported OS version when adding a new device by clicking on an OS version folder (indicated by the right arrow) in the Target OS Version tree, instead of clicking on an end node of the tree (indicated by a diamond-shaped icon). If you select an unsupported OS version, you will see receive a "failed to get version upgrade information for device" error during discovery of that device.
Description: Negation is not getting generated for policies using nonexistent ACL.
Site-to-Site/Remote Access/SSL VPN Configuration
Table 15 Site-to-Site/Remote Access/SSL VPN Configuration
Description: If you have DMVPN or VRF configured on an IOS router and you try to change or remove this configuration in Security Manager, deployment fails and you receive a message that the IPSec profile is still in use and cannot be deleted. This is an IOS problem, not a problem intrinsic to Security Manager.
Description: If you change the slot or subslot of a VPNSM or VPN SPA blade on a Catalyst 6500/7600 device, either in a VPN topology that was deployed, or in an IPsec proposal that was assigned to the device in a remote access VPN and deployed, deployment fails when you try to redeploy the VPN topology or device.
For detailed workaround information, see the Workaround enclosure.
Description: Some commands integrated into Cisco IOS Release 12.2(33)SRA, such as crypto engine slot slot/subslot {inside | outside}, on Cisco 7600 Series Routers are not supported during deployment and discovery.
Description: When you configure a spoke in an Easy VPN topology using Security Manager, and the spoke is already configured as a remote client in an Easy VPN that is not managed by Security Manager, deployment fails if both configurations are on the same external interface.
Description: An activity's validation process takes a long time to complete because the Security Manager's database is very large. This may be due to the number of devices, objects, policies, and VPN configurations defined on the server.
Description: In an Easy VPN topology, you cannot modify specific CLI commands including interface settings, on an ASA 5505 or PIX 6.3 device that is configured as a remote client.
For a list of the CLI commands that cannot be modified, see the Commands That Cannot be Configured When Easy VPN is Enabled section in FAQs and Troubleshooting Guide for Cisco Security Manager 3.x.
Description: If you discover configuration from an ASA device running 8.0(3) that contains the ssl certificate-authentication interface outside port 443 command and remote access VPN policies, the command is changed to the no form when you preview the configuration.
Description: If you change Port Forwarding for a deployed Dynamic Access policy from Auto-start to Disable, or from Enable to Disable, incorrect commands are deployed to the device; the subsequent deployment will fail.
Description: Security Manager 3.1.1 did not support PIX/ASA 8.x devices directly; these were imported as 7.x devices. Following an upgrade to Security Manager 3.2.1, these remain mapped as 7.x devices. However, in Security Manager 3.2.1, SSL VPN is not supported for 7.x, and as such the Dynamic Access policy is empty.
Description: While discovering SSL VPN configurations from an ASA device running 8.1.1.5, the application list in the SSL VPN portal customization object may not be populated correctly in Security Manager. The application list on Security Manager's portal customization object editor may show missing entries.
Description: Security Manager 3.2.1 does not support SSL VPN for ASA 7.x; however, it does not prevent you from assigning IPSec, SSL and SSL group policies to the Remote Access connection profile on these devices. Deployment will subsequently fail.
Description: After discovering an ASA 8.x device with WebVPN configured with SSO and cache file-system parameters, if you de-assign the SSL VPN policies, the SSO and the cache file-system configurations are not removed.
Description: When HTTP form is selected as the authentication server in the AAA tab of the connection profile, a validation error occurs.
Description: After configuring http pac, if you switch to http proxy, then the http proxy commands do not appear in the device configuration.
Description: A deployment error occurs when multiple bookmarks are referenced by a dynamic access policy (DAP) and one of those bookmark names has a space in it.
Description: Preview Configuration of a firewall configuration file containing invalid commands results in an error instead of a warning. In addition, the error message content is incorrect.
Tools
Table 16 Tools
Description: Backup/restore fails when Cygnus Solutions software is installed and Cygnus mounted drives are being used.
User Interface
Table 17 User Interface
Description: The Security Manager client stops responding when the Cisco Secure ACS that is performing user authentication goes down or becomes unavailable.
Description: When you try to log in to the Security Manager client after installing the 3.2 software on your system, a popup message is displayed with the message "CMF session-id cannot be assigned". When you try to log in to the CiscoWorks home page from your Security Manager 3.2 server, the following message is displayed:
ForbiddenYou don't have permission to access /cwhp/LiaisonServlet on this server.Additionally, a 403 Forbidden error was encountered while trying touse an ErrorDocument to handle the request.Description: If a user adds a space before or after the username when logging in, the session is considered different from a session without the extra space when working in non-Workflow mode. This can lead to problems when the user tries to submit changes to the database.
Documentation Updates
Topics in this section describe updates and changes to the user documentation for Auto Update Server 3.2 and Security Manager 3.2.1.
Understanding IPS Licensing Restrictions
Some IPS devices, such as the IPS 4270 or the AIP SSM-40 in an ASA device, require that you have a Cisco.com account to update the license. Security Manager allows you to configure either Cisco.com or a local server as an IPS Update server. However, if you use a device that requires a Cisco.com account, you must configure Cisco.com as the IPS Update server; you cannot configure a local server as the IPS Update server.
This restriction will be reflected in the following topics in the "Managing the Security Manager Server" chapter:
•
Before You Begin
If you use Cisco.com, you must first configure the IPS Update server to be Cisco.com, so that you can specify the username and password. You must use Cisco.com for licensing if you are using a device that requires it; for example, an IPS 4270 or an AIP SSM-40 in an ASA device requires a Cisco.com account. For information on configuring Cisco.com as the IPS Update server, see "Configuring the IPS Update Server."
•
Before You Begin
You must first configure the IPS Update server to be Cisco.com, so that you can specify the Cisco.com username and password. For information on configuring Cisco.com as the IPS Update server, see "Configuring the IPS Update Server."
•
Tip
Understanding ASCII Limitations for Text
The user guide and online help will be updated with the following information in the "Working with the Security Manager User Interface" chapter:
"Devices typically restrict text to ASCII characters. If you include non-ASCII characters in Security Manager text fields that are used to generate commands in a device configuration file, the presence of those characters can prevent the configuration file from loading on the device. For example, a non-ASCII character in an interface description for an FWSM can prevent the device from loading the startup configuration when you restart the device.
Make sure that you do not include ASCII characters in any text field in Security Manager."
Policy Discovery Restriction for Adding Devices Using Configuration Files
One of the ways you can add devices to Security Manager is to use the device's configuration file. This method adds the device without Security Manager contacting the device. However, if you add a device using a configuration file, and discover security policies while adding the device, Security Manager cannot successfully discover policies that require that files be downloaded from the discovered device. This especially affects devices that include the svc image command in a web VPN configuration. The following paragraph will be added to the "Adding Devices to the Device Inventory" section in the "Managing Devices" chapter of the user guide as one of the cons of adding devices using configuration files:
"Also, you cannot successfully discover policies that require a connection with the device. For example, if a policy points to a file that resides on the device, adding the device using the configuration file will result in a Security Manager configuration that includes the no form of the command, because Security Manager cannot retrieve the referenced file from the device. For example, the svc image command for web VPNs might be negated."
Using AUS with a Custom HTTPS Port Number for Security Manager Server
This documentation update applies to the Online Help for Auto Update Server 3.2.
The following is additional information regarding using AUS to manage devices added to Security Manager, and applies to the "Interoperation of AUS and Cisco Security Manager" topic:
If you change the HTTPS port number of the Security Manager to any port number other than the default value using the changeport.exe command, you must also update the port number of AUS in the Port field of the Auto Update Server Properties dialog box (click Edit Server from the Auto Update field in General page of Device Properties). Otherwise, deployment to AUS-managed devices fails.
Limit on the Number of Keywords Supported for MARS Events Lookup from a Policy
This documentation update applies to the Online Help for Cisco Security Manager 3.2.
Replace the line describing the limit on the number of keywords supported during MARS events lookup from a Security Manager policy in the "Obtaining Events for an Access Rule Policy" section of the "Using Monitoring, Troubleshooting, and Diagnostic Tools" topic with the following description:
If the number of keywords or the sum of the number of sources, destinations, and protocols for an ACE or a signature exceeds the permissible limit of 150, an error message is displayed in the MARS GUI. The error message displays the possible cause and recommended action.
Where To Go Next
Table 18 Where To Go Next
Install Security Manager server or client software.
Understand the basics .
See the interactive JumpStart guide that opens automatically when you start Security Manager.
Get up and running with the product quickly .
See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.2.1.
Complete the product configuration.
See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.2.1.
Manage user authentication and authorization.
See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.2.1.
•
•
Bootstrap your devices.
See "Preparing Devices for Management" in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 3.2.1.
Install entitlement applications.
Your Security Manager license grants you the right to install certain other applications — including specific releases of RME and Performance Monitor — that are not installed when you install Security Manager. You can install these applications at any time. See the "Introduction to Component Applications" section in Chapter 1 of Installation Guide for Cisco Security Manager 3.2.1.
Related Documentation
Table 19 describes the product documentation that is available. For information on ordering printed documents, see Obtaining Documentation and Submitting a Service Request.
Table 19 Product Documentation
Guide to User Documentation for Cisco Security Manager 3.2.1
•
•
•
Installation Guide for Cisco Security Manager 3.2.1
•
•
User Guide for Cisco Security Manager 3.2.1
•
•
Supported Devices and Software Versions for Cisco Security Manager 3.2.1
On Cisco.com at this URL:
FAQ and Troubleshooting Guide for Cisco Security Manager 3.2
On Cisco.com at this URL:
Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager
On Cisco.com at this URL:
High Availability Installation Guide for Cisco Security Manager 3.1
On Cisco.com at this URL:
User Guide for Auto Update Server 3.2
•
•
Supported Devices and Software Versions for Auto Update Server 3.2
On Cisco.com at this URL:
Security Manager Integration with ACS
On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6498/products_configuration_example09186a00808eada8.shtml
Release Notes for Cisco Security MARS Appliance 4.3.4
On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html
Release Notes for Cisco Security MARS Appliance 5.3.4
On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html
Context-sensitive online help
Click the Help button in a window or dialog box.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2004-2008 Cisco Systems, Inc. All rights reserved.
