Table Of Contents
Release Notes for Cisco Security Manager 3.2
What's New in Security Manager 3.2
Cisco Security Manager 3.2 Download and Installation Instructions
Cisco Security Manager 3.2 Service Pack 2 Download and Installation Instructions
Backup and Restore Known Problems
Catalyst 6500/7600 Configuration
Diagnostics, Monitoring, and Troubleshooting Tools
Site-to-Site/Remote Access/SSL VPN Configuration
Using AUS with a Custom HTTPS Port Number for Security Manager Server
Limit on the Number of Keywords Supported for MARS Events Lookup from a Policy
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Security Manager 3.2
Revised: June 20, 2008
Introduction
Note: This document is occasionally updated after initial release; therefore, a hardcopy or PDF version of the document might not contain the latest information. We recommend that you refer to the online version (http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2/release/notes/csmrn32.html) whenever possible.
Note: This document is to be used in conjunction with the documents listed in the Related Documentation.
This document contains release note information for the following:
• Cisco Security Manager 3.2 (including Service Pack 2)
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM, VPNSM, VPN SPA, and ISDM-2). Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
• Auto Update Server 3.2
The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Cisco IOS routers that have dynamic IP addresses communicate with AUS that is running the Cisco Networking Services (CNS) Gateway Protocol to provide their IP addresses.
Security Manager can interoperate with AUS. To manage the devices in Security Manager, you must provide the device identity and the AUS information when you add a device. Security Manager uses the device identity information to retrieve the device IP address from an AUS that can be reached.
Note: Before using Cisco Security Manager 3.2, we recommend that you read this entire document. However, it is critical that you read the "Important Notes" section, the "Installation and Upgrade" section, and the Installation Guide for Cisco Security Manager 3.2 before installing or upgrading to Cisco Security Manager 3.2.
This release note document includes ID numbers and headlines for each known problem identified in the document and a description of each. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
What's New in Security Manager 3.2
• In Service Pack 2, support for the Cisco IPS E2 Engine Update. After E2 is released, all new Cisco IPS signature releases will require E2.
• Improved integration between Cisco Security Manager and CS MARS (requires CS MARS version 4.3.4, 5.3.4, or a later release).
– Security Manager now supports integration with multiple instances of CS MARS.
– Support for connection establishment and teardown syslog messages for policy lookup from MARS events and events lookup from Security Manager policies.
– The Signature Summary table in Security Manager 3.2 (IPS > Signatures > Signatures) enables navigation to MARS to view the realtime or historical events detected by the selected signature. You can also select multiple signatures from the Signatures policy table and view events generated by them.
– The Access Rules page in Security Manager 3.2 (Firewall > Access Rules) enables you to select an ACE and navigate to the realtime and historical events generated by the ACE in MARS. For events matching a rule, only events generated by access rules are displayed. However, for events matching a flow, events generated by connection setup/teardown are also displayed in addition to those generated by firewall access rules in the Query page of MARS. You can also look up historical and realtime events matching the source or destination address of an ACE.
– The Query Results and Incident Details pages in MARS enable you to look up and modify the access rule in Security Manager that generated the event. Using MARS, you can also navigate from events that are generated during the establishment or tearing down of a TCP, UDP, or ICMP connection to the permit ACE in Security Manager for that specific event. You can start the Security Manager client from the read-only policy lookup table in MARS and modify the matching rules, without having to open the client in a separate session.
– The Query Results and Incident Details pages in MARS enable you to look up and modify the signature in Security Manager that generated the event on IPS and IOS IPS devices. For IPS events, MARS displays the read-only popup window from which you can click Edit Signature to navigate to the Signatures policy page in Security Manager and modify the matching IPS signature. You can also click Event Action Filter from the read-only popup window to configure a filter on the basis of signature categories to remove one or more actions from the signature event.
• Support for FWSM 3.2(2) and 3.2(3).
• Support for ASA 7.2.2, 7.2.3, and 7.2.4.
• ASA 8.0/8.1 Support:
– Firewall, Firewall Settings, and Platform support for all features that are backwards-compatible with 7.2.2 features.
– Support for Netflow logging.
• Support for ASA 5580-20 and 5580-40.
• Support for 3200 Series routers.
• Support for 2600XM routers.
• Support for 1861 ISR router.
• Support for configuration of RACLs, Interfaces, VLANs, Port Security, and FlexConfigs on Catalyst 3550, 3560, 3560E, 3750, 3750E, 3750 Metro, 4500 Series, 4948, and 4948 10GE switches.
• Support for IOS 12.2(33) SRA and SRB on the 7600 platform.
• Cisco Security Manager 3.2 supports the Cisco Intrusion Prevention System Advanced Integration Module (AIM-IPS). You can install AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
• Notification for expiring rules.
• Enhancements to the Copy Policies feature.
• Improved inventory import/export support.
• Enhancements to email notifications.
• Display of inheritance information for policies.
• Deployment schedules.
• Windows Vista support for Cisco Security Manager client.
• Support for Internet Explorer 7.x and Firefox 2.x.
• High-availability support for IEV.
• Cisco Security Manager 3.2 supports the Cisco IPS 4270-20 Sensor.
Installation Notes
You can install Security Manager 3.2 server software directly, or you can upgrade the software on a server where either Security Manager 3.0.2, 3.1, or 3.1.1 is installed. In addition to reading these installation notes, we strongly recommend that you refer to the Installation Guide for Cisco Security Manager 3.2 for important information regarding server requirements, server configuration, and post-installation tasks.
Note: The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2 from 3.1.1 SP3, you will lose the added functionality that was provided in 3.1.1 SP3.
Before you can successfully upgrade to Security Manager 3.2 from a prior version of Security Manager (versions 3.0.2, 3.1, or 3.1.1 only), you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. For instructions, see "Upgrading Server Applications" in the Installation Guide for Cisco Security Manager 3.2.
Note: Service packs cannot be installed by themselves. They are intended for installation on an existing installation of Cisco Security Manager 3.2. Service Pack 2 is a superset of Service Pack 1, so you can install Service Pack 2 with or without installing Service Pack 1 first. For more information, see Cisco Security Manager 3.2 Service Pack 2 Download and Installation Instructions.
Cisco Security Manager 3.2 Download and Installation Instructions
Note: The 12 known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2 from 3.1.1 SP3, you will lose the added functionality that was provided in 3.1.1 SP3.
To download and install Cisco Security Manager 3.2:
Step 1: Log in to Cisco.com.
Step 2: Go to http://www.cisco.com/go/csmanager, then click Download Software.
Note: RME is not included in the downloadable version of the installation utility. For information on installing Resource Manager Essentials, please refer to the Installation Guide for Cisco Security Manager 3.2.
Step 3: Download fcs-csm-32-w2k-k9.exe.
Note: Save the installation utility on a disk that is local to your server. Installation cannot succeed over a network connection to a remote volume, even if installation seems to succeed.
Step 4: Run the file that you downloaded.
The InstallShield Wizard extracts files to a temporary directory and checks their integrity while it constructs the Cisco Security Manager Setup application, which starts automatically.
Note: For detailed installation instructions, refer to the Installation Guide for Cisco Security Manager 3.2.
Tip: If an error message says the file contents cannot be unpacked, we recommend that you empty the Temp directory, scan for viruses, delete the C:\Program Files\Common Files\InstallShield directory, then reboot and retry.
Cisco Security Manager 3.2 Service Pack 2 Download and Installation Instructions
Service Pack 2 is a superset of Service Pack 1, so you can install it with or without installing Service Pack 1 first.
Note: Some of the known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2 SP1. Therefore, if you upgrade to 3.2 from 3.1.1 SP3, you will lose the added functionality that was provided in 3.1.1 SP3.
To download and install Cisco Security Manager 3.2 Service Pack 2:
Step 1: Log in to Cisco.com.
Step 2: Navigate to http://www.cisco.com/pcgi-bin/tablebuild.pl/csm-app.
Step 3: Download the file fcs-csm-320-sp2-win-k9.exe.
Step 4: To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 5: Manually stop the Cisco Security Agent (CSA) from Start > Settings > Control Panel > Administrative Tools > Services.
Step 6: Install the Security Manager 3.2 FCS build (with or without Service Pack 1) on your server if you have not already done so.
Step 7: Run the fcs-csm-320-sp2-win-k9.exe file that you previously downloaded.
Step 8: In the Install Cisco Security Manager 3.2 Service Pack 2 dialog box, click Next, and then click Install in the next screen.
Step 9: After the updated files have been installed, click Finish to complete the installation.
Note: The Daemon Manager will be automatically stopped and restarted during the installation process.
Important Notes
• Interface names are not case-sensitive in Security Manager, although they are case-sensitive in a Cisco Security Monitoring, Analysis, and Response System Appliance (MARS appliance). For example, outside and Outside are considered exclusive by a MARS appliance, while they are equivalent in Security Manager. As a result, when you perform a query for a Security Manager policy from an event generated in MARS, an interface name logged in the syslog event might not match the interface name of that policy in Security Manager. Syslog messages use lowercase for all interface names. To work around this problem, use lowercase for all interface names and in the definition of interface roles in MARS.
• If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The client system must be on the same side of the NAT as the MARS appliance and the Security Manager if you want to start the Security Manager client from MARS to modify the matching policy.
• Security Manager client must be on the same side of the NAT boundary as the MARS appliance and the Security Manager server to query MARS events from policies.
• For a list of known problems in MARS related to policy table lookup from MARS syslogs and events lookup from Security Manager policies, see Release Notes for Cisco Security MARS Appliance 4.3.4 and 5.3.4. The known problems in Security Manager related to these features are documented in the Diagnostics, Monitoring, and Troubleshooting Tools.
• Performance Monitor is not available for installation from the Security Manager 3.2 DVD. If you are running Security Manager 3.1 and Performance Monitor 3.1 on the same system and upgrade Security Manager to 3.2, Performance Monitor stops working. This problem occurs because of the difference in the version of Common Services between Security Manager 3.2 and Performance Monitor 3.1.
We recommend that you install Security Manager and Performance Monitor on separate systems. Also, we recommend that you do not upgrade Security Manager to 3.2 if you have Performance Monitor 3.1 running on the same server. The next version of Performance Monitor, 3.2, will be released shortly, at which point, both the applications can coexist on the same server.
• In IOS 12.3(14)T, many of the predefined inspection protocols were introduced; however, certain commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
• You might receive a persistent error message such as "Internal Error, please save the logs and contact TAC." If this should occur, please select Tools > Security Manager Diagnostics and send the resulting CSMDiagnostics.zip file to the Technical Assistance Center.
• If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to Security Manager 3.2. If you deploy back to the device, these commands are removed from the device because the commands are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in the Security Manager GUI so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
• If you upgrade to Security Manager 3.2 from Security Manager 3.0.2, the ordering of BGP CLI "neighbor distribute-list acl" may be shown incorrectly in preview full configuration due to Security Manager 3.0.2 bugs CSCsk55138 and CSCsk55140. To correct this, please rediscover this device.
• If you changed the HTTP or HTTPS port number on your Security Manager server to any port number other than the default value, connection to the server from the Security Manager client fails because the client tries to contact the server using the default port values. In Security Manager 3.2, two properties, HTTP_PORT and HTTPS_PORT, can be added to the client.info file located in the ..\Cisco Systems\Cisco Security Manager Client\jars folder on your client system to configure the port numbers you configured on your server. Open the client.info file in a text editor such as Notepad, add the following lines, and save the changes:
HTTP_PORT=<port_number>
HTTPS_PORT=<port_number>
When you start the client the next time, it uses the updated port numbers, based on the protocol selected, to communicate with the server.
• For the Cisco Security Monitoring, Analysis, and Response System Appliance (MARS) cross-launch panel to appear on the Cisco Security Manager Suite home page, you need to manually register the MARS appliance on the Common Services application registration page. To do this, perform the following:
1. From the Cisco Security Manager Suite home page, click the Server Administration link. The Common Services Admin page appears.
2. Select HomePage Admin > Application Registration. The Application Registrations Status page appears.
3. Click Register. The Choose Location for Registrations page appears.
4. Select Register From Templates, then click Next.
5. Select Monitoring, Analysis and Response System, then click Next.
6. Enter the server name, server display name, and port and protocol information for the MARS appliance, then click Next.
7. Verify registration information, then click Finish. The MARS launch point will now appear from the Cisco Security Manager Suite homepage.
Note: If you choose to add the cross-launch to MARS later, simply launch your web browser and enter http://SecManServer:1741, where SecManServer is the name of the computer where Cisco Security Manager Suite is installed. If you are using SSL, the default URL is https://SecManServer:443.
• A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.
• Avoid connecting to the database directly, because doing so can cause performance reductions and unexpected system behavior.
• Do not run SQL queries against the database.
• If an online help page displays blank in your browser view, refresh the browser.
• With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack's release.
Caution: If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.
Resolved Problems
Service Pack 2 is a superset of Service Pack 1, so it contains all of the problem resolutions included in Service Pack 1 as well as those in Service Pack 2 itself.
• Table 1 identifies the problems resolved by Security Manager 3.2 Service Pack 2.
• Table 2 identifies the problems resolved by Security Manager 3.2 Service Pack 1.
Table 3 identifies the problems that were documented in the Security Manager 3.1.1 release notes as known problems and that have since been resolved. For information on problems resolved in earlier releases, please refer to the release note document for each previous release.
Note: Known problems that were resolved in Security Manager 3.1.1 SP3 are not available in Security Manager 3.2. Therefore, if you upgrade to 3.2 from 3.1.1 SP3, you will lose the added functionality that was provided in 3.1.1 SP3.
Table 1 Resolved Problems in Service Pack 2
CSCsq42037—CSM should push AIM specific packages to AIM device
Description: This problem occurs after downloading (in Cisco Security Manager) an Advanced Integration Module (AIM)-specific 6.0(5)E2 package and standard 6.0(5) package from Cisco.com. The problem is that the user cannot deploy the AIM-specific 6.0(5)E2 package to AIM.
CSCsq02485—Deploy job fails when engine update is pushed to AIM
Description: This problem occurs after downloading (in Cisco Security Manager) the E2 engine upgrade package and an E2-based signature update from Cisco.com. The problem is that Cisco Security Manager fails to push the E2-based signature update to the Advanced Integration Module (AIM).
Table 2 Resolved Problems in Service Pack 1
CSCsl13733—Two policies in the same policy group have same order_id
Description: A duplicate order_id in the same policy group might occur when multiple firewall policy groups are modified with an insertion.
CSCsl37261—In a single interface dev, InlinePairName is stored even after cancelling
Description: While creating an inline interface pair, if you cancel the create dialog or an error occurs, the Cisco Security Manager interface retains the inline pair name.
CSCsl74264—Deployment or Config Archive rollback fails on IOS/IPS devices
Description: An error occurs when deployment job or Config Archive rollback is performed on an IOS/IPS device.
CSCsl85278—Edit is not working for inline pair when interface contains vlan-group
Description: In an IPS sensor, after the user clicks Interface and adds an inline pair, and then creates a VLAN group using that inline pair, the user cannot edit the inline pair. The inline pair can be edited if the VLAN group is deleted. After editing, the VLAN group can be added back.
CSCsl85296—Inline pair should not be listed in vlan-group for IDSM
Description: Cisco Security Manager lists IDSM inline interface pairs in the VLAN groups interface list.
CSCsm53472—Auto refresh text on Deployment Manager should be black
Description: The font used for the auto refresh text in Deployment Manager is difficult to read.
CSCsm63057—Rediscovery IOS router failed with JDOM exception while parsing XML input
Description: Discovery/Rediscovery/Deployment fails with a JDOM exception when http authentication has not been correctly set up on a device or if the user does not have the correct privilege level assigned.
CSCsm78461—CSM does not discover vlan group assigned to VS for IPS device
Description: The subinterface of a VLAN group assigned to a virtual sensor is not discovered under the following conditions: For an IPS device, use CLI to add an inline pair interface, and then create a VLAN group, using this inline pair interface, with a subinterface.
CSCsm79337—Performance tuning on platform validations
Description: While submitting changes to the device, Security Manager hangs for a long time at the validating screen.
CSCso00786—FWSM discovery completed before the policy discovery of VCs
Description: All policies are deleted on the Security Contexts when you deploy to a device or when you do a preview config.
CSCso00883—Scheduled deployment job reports 'device not available' at deploy time
Description: Scheduled deployment job reports that devices are not available when the scheduled time elapses. This problem is known to occur on Catalyst 6000 devices only.
CSCso06513—IEV reports stop working after upgrade to Security Manager 3.1.1 or 3.2
Description: After you upgrade from Security Manager 3.1 to 3.1.1 or 3.2, the three default reports in the IEV client started from Security Manager (Top Alerts, Top Attackers, and Top Victims) stop functioning.
CSCso09627—Change ids mode causes out of sync between CSM and router
Description: Synchronization between Security Manager and AIM-IPS modules is lost when the user attempts to configure more than one monitoring mode (inline and promiscuous).
CSCso20860—"access-list mode auto-commit" sent to standby unit fails discovery
Description: Security Manager 3.1.1 discovering an FWSM 3.1(x) blade in multi-context mode with active/active failover configured fails.
CSCso23669—Invalid VPN hard validation error for non-support for TACACS+
Description: TACACS+ should be supported for authentication for remote access purposes.
CSCso28542—IOSIPS CTs should not be used when user is not using IOSIPS feature
Description: Cisco Security Manager attempts to connect to the IPS subsystem during deployment on an IOS-IPS device even if the user is not managing the IPS subsystem on the device. This results in deployment failure if HTTPS is not configured on the device.
CSCso46006—FlexConfigs not editable
Description: In certain situations, a FlexConfig might become locked and uneditable.
CSCso51830—Preview delta contains "no pdm history enable"
Description: The "no pdm history enable" command is incorrectly imported as part of an object-group.
CSCso52320—Deployment to PIX 6.3 devices fails with error in transcript
Description: When you deploy large configuration changes to PIX 6.2 devices, deployment fails with the "Error: 24112 : IO error during SSL communication" message recorded in the transcript.
CSCso53513—LDAP Attr Map: predefined attribute name changed in 8.0
Description: Cisco Security Manager doesn't support changes to LDAP attributes in ASA 8.0.
CSCso60422—PIX Interface: add support on discovery "no shutdown" from config file
Description: Cisco Security Manager does not properly support the "no shutdown" command.
CSCso66342—Cannot discover WS-C3550-24-PWR, 3750-24TS
Description: Need support for importing Cisco Catalyst 3750-24TS switches and Cisco Catalyst 3550-24 PWR switches.
CSCso75616—IPS Discovery fails when hostname is entered w/o ip address
Description: Discovery of an IPS sensor fails if only the host name is supplied.
CSCso90637—Cannot add firewall rules after upgrade from 3.1 to 3.2
Description: After upgrading to Cisco Security Manager 3.2 from an earlier version, changes to the access rules of a firewall are not saved.
CSCsq01937—admin settings can't be retrieved properly after migration
Description: After upgrading to Cisco Security Manager 3.2 from an earlier version, admin settings are not retrieved properly.
CSCsq02803—FWSM Context discovery fails
Description: Context discovery fails for ASA multi mode devices running 2.x images with both standalone discovery and discovery through a chassis.
Table 3 Resolved Problems in Security Manager 3.2
CSCsd30481—PIX 6.3: needs warning for the Time Range object in access rules
Description: When you create an access rule for a PIX 6.x device, you can specify a time range in the GUI; however, the device does not support the time range feature in the ACE and no warning is displayed during activity validation or deployment.
CSCsd38176—Logging rate limit - discovery and deployment do not use logging level
Description: Values in the Logging Level column of the Individually Rate Limited Syslog Messages table are not used and are overwritten after rediscovery.
CSCsd39354—Some Windows users see no desktop shortcut or Start menu shortcut
Description: On a PC with many users, only the person who installs Security Manager Client can see the desktop and Start menu shortcuts that show that Security Manager Client is installed.
CSCsd61768—"policy-map" cmds renamed on initial deployment without policy changes
Description: Device import discovers an enabled policy map and its related commands as service policy rules and traffic flow objects. Security Manager does not preserve the original policy map names on a device.
CSCsg45483—Dynamic NAT rules duplicated without removing original rules
Description: Dynamic NAT rules that are discovered are duplicated by Security Manager without removing the original rules during the next deployment.
CSCsh42944—NAC policy deployment fails on Layer 2 interfaces
Description: Deployment fails for a Network Admission Control (NAC) policy. The ip admission command is not recognized on the device.
CSCsh57310—Static NAT network rule flagged as invalid
Description: A static NAT network rule that was discovered from a device configuration is flagged as invalid during activity validation.
CSCsh85196—Apache server fails to start due to dll name conflict
Description: If other software that uses OpenSSL (such as Legato or Veritas backup software) is installed on the same machine as Security Manager, the apache server fails to start.
CSCsh86808—Sig policy icon is blank after being removed from shared sig policy
Description: The signature policy icon appears blank when the device is removed from a shared signature policy.
CSCsh91913—Auto Update fails on ASA devices with auto-signon
Description: When you enable an SSL VPN connection profile on an ASA security appliance managed by AUS and configure the auto-signon command in an ASA user group, deployment of configuration changes to the device fails when you enable the device to request AUS for updates. This problem occurs when the same auto-signon commands have been configured in the same ASA user group on the device. Although deployment is shown as successful in the Deployment Manager window, an error is recorded in the AUS event report that the file was not downloaded to the device.
CSCsh93894—AUS deployment fails if PKI trustpoint sub-commands are in reverse order
Description: When you configure a PIX device with a PKI configuration, AUS deployment fails because Security Manager generates the CLI commands in the wrong order.
CSCsi04942—IEV error while installing only Common Services 3.0.5 or AUS 3.1
Description: When you install only Common Services 3.0.5 or AUS 3.1 from the Security Manager DVD, an IEV error message is displayed even if you did not select Security Manager 3.1 during installation.
CSCsi09998—LDAP server URL required for CA servers that do not run LDAP protocol
Description: In a site-to-site VPN configuration, the LDAP Server URL field in the CA Information tab of the PKI Enrollment dialog box is mandatory if one of the "CRL..." options is selected from the Revocation Check Support list. This means you cannot add a CA server to a PKI object without entering the URL of the LDAP server from which the CRL is downloaded, even if the CA server does not use LDAP as the querying protocol for revoking certificates on the device.
CSCsi11214—CDP disabled for mGRE tunnels when ODR defined for large scale DMVPN
Description: When you deploy to a large scale DMVPN topology after configuring On-Demand Routing (ODR) as the routing protocol, the Cisco Discovery Protocol (CDP) is not enabled for the multipoint GRE (mGRE) tunnels. This problem occurs when CDP is not enabled at the global level on all supported interfaces.
CSCsi11854—Static routes not generated on devices in GRE Dynamic IP tunnel
Description: In a hub-and-spoke VPN topology in which the assigned technology is GRE Dynamic IP, when you configure a static routing protocol as your secured IGP, the CLI commands for static routes are not generated for the protected networks in the tunnel.
CSCsi16871—SDP - Invalid characters not detected in device name formula
Description: Deployment fails due to invalid characters defined in the SDP device name formula.
CSCsi23683—Deployment fails when you reconfigure bridge-groups in transparent rules
Description: When you associate interfaces with another bridge-group and provision it in Security Manager, the deployment shows an error; however, the device in this case has been provisioned correctly.
CSCsi27208—OSPF Interface - field values cannot be removed and saved when editing
Description: If you delete the contents of a text field when editing an OSPF interface policy, Security Manager does not save the changes.
CSCsi34298—Webfilter: Deployment fails if overlapping filter commands are defined
Description: If two filter commands of the same type are defined with the same port ranges (service) or overlapping port ranges and overlapping networks, deployment to a device fails. The device does not accept overlapping filter commands.
CSCsi35479—HTTP policy: Commands generated for every deployment
Description: For ASA 7.2 HTTP Maps, if the body match maximum is set to 0 (zero), the device accepts the command as "body-match-maximum" but shows it in show run as "body-match-maximum 0". This causes the delta to always contain the removal of the http policy-map subcommands and adding them back.
CSCsi45209—Static routing - deployment failure after DB upgrade
Description: Deployment and preview configuration fail for static routing policies after a database upgrade.
CSCsi50311—OSPF MD5 key not removed if interface authentication is clear-text/none
Description: When you change the authentication type used by an OSPF interface from MD5 to clear-text or disable authentication, the identification number of the MD5 authentication key (ip ospf message-digest-key command) is not removed from the interface after deployment.
CSCsi50493—DataLoader's load method needs to handle quotes
Description: The access rules table might not finish loading for a newly discovered device if the discovered configuration has access-list remarks that contain quotes or double quotes.
CSCsi55374—aaa authorization network cli not generated on a device for PPA policy
Description: If you select the Custom Method List option to use a remote AAA server for authorization in a PPP policy and modify the default authorization method defined in the AAA policy, the AAA authorization command for network connections is not generated on the device after deployment.
CSCsi56618—aaa authorization network cli is not generated in preview config for PPA
Description: If a router has been configured to use the default authorization method defined in the AAA policy for a PPP connection and the AAA network authorization settings are changed in the AAA policy, the aaa authorization network {default | list-name} command might not be generated in the preview configuration due to a conflict with the authorization method defined in the PPP policy.
CSCsi87422—Security Mgr does not allow overlapping globals on different interfacesDescription: When you create overlapping global rules on different interfaces for PIX/ASA/FWSM devices, Security Manager returns an error about overlapping IP ranges even though the global interfaces are different.
CSCsj16898—Inspection rule for WAAS is not discovered in FWSM 3.2(0)89Description: WAAS inspection rules are not shown in the inspection rules table for FWSM devices.
CSCsj17336—Inspect rule: DCE RPC policy map and inspect rule not discoveredDescription: DCE RPC inspection maps are not shown in the inspection rules table or the policy object manager.
CSCsj62074—Blocking: Unable to edit the interface under Router tabDescription: Unable to edit the interface name and direction of a blocking interface under the "Router" and "Catalyst 6500" tabs of the IPS Blocking policy.
CSCsj64024—Find is not working for contracted local rulesDescription: Find/Replace does not find any matching results even though the value to search for does exist in the rule table.
CSCsj97405—AAA include/exclude command modelled incorrectlyDescription: The AAA include/exclude commands can each have multiple instances, but the current rule file models them as a single instance command and therefore leaves only one instance after processing.
CSCsk19314—Upgrade 3.0.2 to 3.1.1: Deploy fails if dynamic NAT rules exist on devDescription: Deployment to file or device might fail with a Null Pointer Exception for an IOS router device with NAT rules configured.
CSCsl41758—VLAN pair editing of interface - OK doesn't save changesDescription: After a vlan inline pair is created, if you try to modify the interface name, the edit vlan inline pair UI screen does not allow you to save the changed information.
Known Problems
This section contains information about the problems known to exist in Cisco Security Manager 3.2. The known problems are arranged into the following tables:
Note
In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
• Backup and Restore Known Problems
• Catalyst 6500/7600 Configuration
• Diagnostics, Monitoring, and Troubleshooting Tools
• Site-to-Site/Remote Access/SSL VPN Configuration
AUS Known Problems
Table 4 AUS Known Problems
CSCsc89457—AUS GUI does not close automatically when exiting CiscoWorks. Description: A user logs out from the CiscoWorks session after launching AUS, but the AUS GUI remains open. If another user with a different role opens a new CiscoWorks session, other users can navigate the AUS GUI briefly in the original window. This problem occurs whether the CiscoWorks server or the Cisco Secure Access Control Server (ACS) manages authentication and authorization for AUS.
CSCsd25476—Configuration file download for an AUS-managed ASA device fails. Description: If you configure an ASA device in transparent mode and use AUS to deploy configuration changes from Security Manager to the device, deployment is shown as successful, although the device does not contain the deployed changes. The AUS event report shows that the file was successfully sent to the device without error, and a "Wakeup information for process auto-update lost" message is recorded in the device log.
Backup and Restore Known Problems
Table 5 Backup and Restore Known Problems
CSCso33321—Database restore from versions earlier than 3.0.2 to 3.2 is not blocked. Description: Although Security Manager 3.2 supports upgrades only from the following previous versions (3.0.2, 3.0.2 SP1, 3.1, 3.1.1, 3.1.1 SP1 and SP2), restoring a Security Manager database earlier than 3.0.2 on a 3.2 server completes without any error message or termination of the operation.
Catalyst 6500/7600 Configuration
Table 6 Catalyst 6500/7600 Configuration
CSCsi17582—Cannot change the data port VLAN running mode after negating CLI on IDSM. Description: Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box, and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 1 before configuring capture allowed-vlans
CSCsi17608—Deployment fails when allowed VLAN ID is modified on IDSM capture port. Description: If you modify the allowed VLANs of an IDSM data port that has been configured as a capture port and deploy configurations to the device, the following error occurs:
"Capture not allowed on a SPAN destination port"
CSCsi24091—Deploy fails if you change access to trunk mode & enable DTP negotiation. Description: Deployment might fail when you attempt to modify the physical port configuration type from access to trunk mode for a Catalyst switch and keep the Enable DTP negotiation check box selected in the trunk port mode.
CSCso00820—Incorrect message during discovery failure of Catalyst 6500 Series IDSM. Description: If you are adding a Cisco Catalyst 6500 Series switch that contains an Intrusion Detection System Services Module (IDSM), and import fails during discovery of the IDSM, the resulting error message contains non-specific information.
Client Software
Table 7 Client Software
CSCsk41218—Client uninstall not cleaning out install dir; install JVM unintuitive. Description: When you upgrade to Security Manager 3.1.1 from 3.0.2, you are prompted that a Java Virtual Machine is being installed and you are asked if you want to override the directory. No is preselected, but you should select Yes.
CSCsm99798—Installing Security Manager client fails with CSA enabled. Description: When you install Security Manager client 3.2, security applications running on your system, such as Cisco Security Agent, might prevent the execution of certain installation steps, and the operation fails.
Deployment
Table 8 Deployment
CSCsc22934—ACL limitations on Layer 2 interfaces on IOS ISR devices. Description: Deployment fails if access rules containing certain options are associated with Layer 2 interfaces of ISR routers.
CSCsd70915—GTP Map: Deployment fails due to PDP and signaling timeout issues. Description: When you deploy an inspection rule with the gtp-map command, the deployment fails and an error message states that the signaling timeout value is less than the PDP timeout value.
CSCsi09797—Job state for completed jobs is "Deploying" for CNS-managed IOS routers. Description: After Security Manager successfully deploys the configuration file to CNS, and Cisco IOS routers configured for CNS poll and apply the configuration changes at the predefined polling period, the Status column in the Deployment Manager window continues to display the job state as "Deploying".
CSCsj29304—Unable to Deploy IPS Category Settings Using SSH. Description: You cannot use SSH when deploying IOS-IPS category settings to a device. Instead, configure the device to use SSL for deployment.
CSCsm95151—Preview/deploy error when configs reference non-existent policy maps. Description: When a QoS policy class map has an ACL that is shared with another policy map, removing the interface associated with the QoS policy class map causes an error.
CSCsm99625—Deployment to FWSM shows success despite failed cmd in transcript. Description: When deploying configuration changes from Cisco Security Manager to an FWSM, saving the configuration on the device fails; however, deployment reports it as successful.
CSCso32942—Wrong delta generated when AIM & NAT are assigned ACL with underscore. Description: When a device has an ACL object with an underscore in its name assigned to both a NAT policy and an AIM-IPS monitoring policy, deployment to the device fails.
Device Management
Table 9 Device Management
CSCsh94602—Lost Connectivity to System Context After Changing admin Credentials. Description: If you change the credentials for the admin context when using HTTPS as the transport protocol, Security Manager cannot connect to the system execution space (for FWSM). Ensure that you define the same credentials for both the admin context and the system execution space when using HTTPS.
CSCsi31224—Preview failed after deploying config to AUS server. Description: A device's certificate is changed after the device retrieves the config file from the AUS server. The certificate stored in Security Manager is then out of sync with the device, which causes the preview to fail with a certificate mismatch error.
Diagnostics, Monitoring, and Troubleshooting Tools
Table 10 Diagnostics, Monitoring, and Troubleshooting Tools
CSCsi08390—IEV installation fails on systems without C: drive. Description: During installation of Security Manager server 3.1 on systems that do not contain a C: drive, the IEV server fails to install and an error message is displayed. Also, an error is logged in the server installation log file.
CSCsi86335—Cross-launch of IEV client fails if Symantec application is running. Description: You cannot start the IEV client from the Security Manager client on a system in which the Symantec Client Firewall Port Scanning Module or Symantec Secure Port application is running.
CSCsk28603—Security Manager client not brought to focus during lookup from MARS. Description: If your Security Manager client session is active when you perform policy lookup from the MARS GUI, the existing Security Manager client window is not brought to the foreground or into focus by default.
CSCsk55251—MARS events matching the first instance of duplicate rule not shown. Description: If you create duplicates of a base rule in the Access Rules page of Security Manager, only the events matching the second identical rule are displayed in MARS when you perform a lookup.
CSCsk78778—Error not shown for unavailable ACE during MARS events lookup. Description: An error message is not displayed if you delete an access rule in Security Manager and then perform lookup from the MARS events query results page that was opened by performing a lookup from that same access rule in Security Manager.
CSCsk94278—Read-only policy page in MARS is blank after starting Security Manager. Description: When you start the Security Manager client from the read-only policy query page in MARS, the read-only page is refreshed and is displayed blank. However, you are prompted to install the Security Manager client and the page for downloading the application is opened.
CSCsl51577—"Policy not found error" for lookup from default signature in MARS. Description: If you try to perform events lookup from the default signature, a "Policy not found" error message is displayed. However, if you edit the default signature and save it, the policy icon changes to show that a local policy is configured on the device and you can navigate to events in MARS.
CSCsl67356—Security Manager client does not launch because of browser settings. Description: When you try to start the Security Manager client from the read-only policy query window in MARS, the File Download dialog box appears, prompting you to confirm whether you want to download the CsmContentProvider file to your system.
CSCsl94979—Device resolution for multiple context-FWSM fails during policy lookup. Description: The disconnection between the Host Name field in the Device Properties page and the Host Name field in the policy page under the Device Admin section of the Security Manager GUI causes problems on FWSM blades with multiple contexts, because a unique context cannot be identified during policy lookup from MARS events.
CSCsm50836—MARS credentials retained in cache after changing authentication option. Description: MARS user credentials for events lookup are retained in the Security Manager cache even after you change the authentication mechanism to prompt the user for Security Manager credentials instead of MARS credentials.
CSCsm68564—Disabled rules not shown as inactive in read-only policy page in MARS. Description: When you look up a MARS event generated by an access rule, disabled rules in the Security Manager rules table are not shown as inactive in the read-only policy query window.
CSCsm96824—Events lookup using Security Manager started from MARS fails. Description: If you configured the option to use Security Manager credentials for events lookup, neither the query page in MARS nor the login dialog box is displayed, and events lookup fails.
Discovery
Table 11 Discovery
CSCse99139—Rediscovery of inventory alone can create device-override building blocks. Description: Device-level overrides for policy objects corresponding to object groups can be created after discovering only the inventory policies, such as interfaces.
CSCsi14676—Discovery hangs for FWSM with 100+ contexts. Description: When using HTTPS as the transport protocol, the connection to the security contexts in an FWSM can hang if the connectivity between the Security Manager server and the device is unstable.
CSCsi45142—AAA - source intf disc from global cmd instead of aaa subcommand. Description: The interface parameter is not discovered for the AAA-server building block discovered from IOS routers.
CSCsl70926—Unable to Rediscover a PIX Device After Upgrading the OS. Description: If you upgrade the operating system version on a PIX device, rediscovering policies on the device might fail if the device includes RIP policies. Unassign the RIP policy before rediscovering the device.
Firewall Services
Table 12 Firewall Services
CSCsa81103—Unable to create an access rule with TCP flags. Description: Security Manager does not support TCP flag specifications, such as urg, fin, psh, and ack, in access rules. As a result, during discovery, Security Manager drops the specifications.
CSCsa81104—Unable to create an access rule to match QoS parameters. Description: Security Manager does not support ACE options such as DSCP, ToS, or precedence. As a result, during discovery, Security Manager drops the options.
CSCsa98978—Hit Count does not expand FWSM devices with object-group enabled. Description: Although the GUI allows you to enable the Object Group Search option for FWSM devices, the FWSM does not expand object groups when listing access rules after a "show access-list" command, and Hit Count results are displayed inaccurately.
CSCsb85487—Need warning when ACL deployment to IOS devices can cut off access. Description: Security Manager does not check whether the firewall rules that you configured in Security Manager permit management traffic (SSH and HTTPS) to the IOS device being managed. As a result, after firewall rules are deployed to the device, the connection to the device might be lost.
CSCsc81905—QIT: Empty ACL is deployed on 87x series routers for BGP port. Description: IOS 87x ISR routers do not support BGP as a routing protocol or as a service in ACLs when the device has only 24 MB of memory; however, BGP is supported when the device has more than 24 MB of memory. Security Manager does not detect the amount of memory available on the device and cannot enforce any restrictions. As a result, deployment of a job containing an ACL with ACEs that specify BGP fails.
CSCsc84443—IP HTTP server cli is not removed after the policy is unassigned. Description: IOS devices require that HTTP is used as the traffic type for authentication proxy, which generates the command ip http server. Security Manager does not remove the CLI when authentication proxy is unassigned from the device in Security Manager.
CSCsc85416—User configured AAA/AuthProxy CLIs are not removed from the device. Description: If an AuthProxy configured on an IOS device has a user-specified name that does not comply with the naming convention used by Security Manager, the name is not removed if the device is discovered and the policy is unassigned.
CSCsd26482—IOS "access-list" Standard ACL is not supported by Hit Count. Description: IOS devices use standard ACLs for filtering; however, standard ACLs are not recognized when Hit Count reports are generated.
CSCsd33025—Deployment fails on a device with too many AAA server groups. Description: If Security Manager tries to deploy AAA server groups to a device that already has the maximum number of AAA server groups, deployment fails.
CSCsd60788—No port-map command generated if rules and predefined protocols conflict. Description: IOS inspection port-map commands are not generated if inspection rules configured in Security Manager conflict with port definitions of predefined inspection protocols.
CSCsg35578—Import ACE: Validation not done if the config is not in show run format. Description: Some options are omitted from rules that are created using the Import Rules tool, for example, empty port values and destination port values that are not validated for 'eq' and 'neq' for IOS devices.
CSCsh68101—Activity Report: Issues with access rules table. Description: Rule section changes are not reported in the activity reports.
CSCsh94210—Problems matching interface when reusing AAA policy objects. Description: AAA Server policy objects cannot be reused because of mismatched interfaces. This might result from an interface role used to define an interface that is not matched to a physical interface after rediscovery. For PIX/ASA 7.x devices, this might result from using "inside" (or an interface name that starts with "inside") to describe the interface.
CSCsi18871—PIX 7.1 gtp-map subcommand order is not preserved. Description: Changes to the match-condition order for a gtp-map used in a PIX 7.0 or PIX 7.1 device are not deployed to the device.
CSCsk12692—Unsupported CLIs in the previous version are negated after upgrade. Description: After you upgrade from Security Manager 3.0.1 to 3.1 or from Security Manager 3.0.2 to 3.1.1, the command "ip http server" is deployed to an IOS router if the router already has the command "ip http secure-server". The command "ip http server" turns on the HTTP server on the router.
CSCsm97107—Webfilter server n2h2 command is generated on redeployment. Description: On FWSM 3.2, when the Webfilter url-server type is selected in N2H2/SmartFilter, the url-server command is removed and redeployed on each deployment to the device.
CSCso06762—Deployment fails when deleting new service object in ASA 8.x device. Description: ASA 8.x supports new service object groups that are not supported by Security Manager 3.2. If you configure a new service object group and use it in ACEs on the device, Security Manager 3.2 can discover the device; however, the access list is only partially discovered. The ACEs using the new service object group are not discovered in Security Manager.
CSCso17504—Unable to delete NAT0 ACL & st