Release Notes for Security Manager 3.3.1
Published: November 9, 2009
These release notes are for use with the Cisco Security Manager (Security Manager), Release 3.3.1.
Release 3.3.1 is now available. Registered SMARTnet users can obtain release 3.3.1 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
This chapter contains the following topics:
• Introduction
• Supported Component Versions and Related Software
• What's New
• Installation Notes
• Important Notes
• Caveats
• Where to Go Next
• Product Documentation
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
Note: Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
• Cisco Security Manager 3.3.1—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
  Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
• Auto Update Server 3.3.1—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
• Performance Monitor 3.3.1—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note: Before using Cisco Security Manager 3.3.1, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes section, the "Upgrade Notes" section, and the Installation Guide for Cisco Security Manager 3.3.1 before installing or upgrading to Cisco Security Manager 3.3.1.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 3.3.1.
Note: For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
| Application | Support Releases |
|---|---|
| Component Applications | |
| Cisco Security Manager | 3.3.1 |
| Auto Update Server | 3.3.1 |
| Performance Monitor | 3.3.1 |
| CiscoWorks Common Services | 3.2 |
| Resource Manager Essentials (RME) | 4.2 |
| Cisco Security Agent | 5.2 |
| Related Applications | |
| Cisco Security Monitoring, Analysis and Response System (CS-MARS) | 6.0.1, 6.0.5 |
| Cisco Secure Access Control Server (ACS) for Windows (Note: Cisco Secure ACS Solution Engine 4.1(4) is also supported.) | 4.1(3, 4), 4.2(0) |
| Cisco Configuration Engine | 3.0 |
What's New
In addition to resolved caveats, this release includes the following new features and enhancements:
• There is a new administrative setting for deploying ACLs generated from firewall access rules. You can elect to share ACLs. If you assign the same ACL to multiple interfaces, Security Manager can now create a single ACL and share it among the interfaces, rather than create a duplicate ACL for each interface. Sharing can occur only if you do not specify ACL names or require that Security Manager preserve existing names; your naming requirements are a higher priority than ACL sharing. The new property is on the Tools > Security Manager Administration > Deployment page.
• The following FWSM releases are supported in downward compatibility mode: 3.1(15), 3.2(12), 3.2(13), 4.0(5), 4.0(6).
• Cisco IOS Software release 15.0(1)M is supported.
• The following new integrated services router series are supported: 19xx, 29xx, 39xx. You can configure these devices in Security Manager and monitor them using Performance Monitor.
• The following new integrated services routers are supported: 866, 886SRST, 887M, 887Vdsl2.
• The Cisco IAD880 Series Integrated Access Devices are supported.
• If you use AUS to deploy configurations, Security Manager now includes the HTTP user name and password as well as the enable password when adding the device to AUS. This allows you to perform immediate auto update (Update Now) actions on these devices when you are using local or TACACS+ authentication on your devices.
• If you use ACS to control access to Security Manager, users are now notified if authorization fails because all ACS servers are unavailable. An e-mail message is also sent to the Security Manager server administrator indicating that all ACS servers are unavailable and that users cannot log into the Security Manager server.
• Cisco IPS 7.0.2 is supported.
• The User Accounts page and related interface elements give you the capability of user management for IPS devices. Specifically, you can discover local users from the IPS device, create users, modify user credentials or privileges, delete user accounts, and perform other user management tasks.
• TCP State Bypass is now available on FWSM 3.2+ and ASA 8.2+ devices. TCP packets that match existing connections in the fast path can pass through the appliance without every aspect of the security policy being rechecked. This feature maximizes performance.
• Multiple IP addresses can now be specified in static route destinations and in IGMP multicast group networks.
Installation Notes
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Before you can successfully upgrade to Security Manager 3.3.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
For the Installation Guide for Cisco Security Manager 3.3.1, go to the list of Cisco Security Manager installation and upgrade guides on Cisco.com.
Be aware of the following important points before you upgrade:
• If you upgrade from a release earlier than 3.3 to Security Manager 3.3 or higher, and you use Cisco Configuration Engine, you must upgrade Configuration Engine to 3.0 at the same time. Security Manager 3.3 and higher does not work with older versions of Configuration Engine.
• If you install RME on the same server as Security Manager 3.3.1, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
Important Notes
The following notes apply to the Security Manager 3.3.1 release:
• You can use IPv4 addresses only in Security Manager. Although some of the device software Security Manager supports allows you to use IPv6 addresses on commands, Security Manager does not support IPv6 addresses directly. If you want to configure IPv6 features using Security Manager, you can use FlexConfig policies.
• If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
• A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.
• Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
• Do not run SQL queries against the database.
• If an online help page displays blank in your browser view, refresh the browser.
• With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack's release.
Caution: If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.
Caveats
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
• Commands are in boldface type.
• Product names and acronyms may be standardized.
• Spelling errors and typos may be corrected.
Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website: http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website: http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
• Open Caveats—Release 3.3.1
• Resolved Caveats—Release 3.3.1
• Resolved Caveats—Releases Prior to 3.3.1
Open Caveats—Release 3.3.1
The following caveats affect this release and are part of Security Manager 3.3.1.
Note: In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 2 ASA and PIX Firewall Devices Caveats
| Reference Number | Description |
|---|---|
| CSCse51450 | OSPF validations are not adequate |
| CSCsh20731 | FAILOVER - Active/Active deploys to Standby unit and returns errors |
| CSCsi24397 | SLA: Interface roles assigned to an SLA Monitor not validated |
| CSCsi34972 | OSPF Discovery: Deployment of incomplete OSPF policy invalid |
| CSCsi42889 | Swapping interface names causes deployment failure |
| CSCsi44546 | RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed |
| CSCsl51451 | Enable DHCPD auto configuration with interface option not discovered |
| CSCsm82107 | Discovery of a multi-mode ASA added to CSM as a new device fails |
| CSCsr17662 | Deployment of ips command truncated if containing class map is changed |
| CSCtb43369 | Deployment fails when deleting redundant interface assigned to ACL |
| CSCtc29610 | After policies copied to an ASA 5580, validation takes more than 3.5 hrs |
Table 3 CSM Client and Server Install Caveats
| Reference Number | Description |
|---|---|
| CSCtb69375 | Uninstalling CSM 3.3 except CSM client popup mentioning "Cannot uninstal |
| CSCtc55570 | Upgrade of CSM HA setup does not check proper perl file replacement |
| CSCtc79621 | CSM client installation "Could not create the Java virtual machine." |
| CSCtc93470 | CSM install should exit if cu is installing CSM on non En/Ja Local |
Table 4 Cisco Catalyst 6000 Device Support Caveats
| Reference Number | Description |
|---|---|
| CSCsi17608 | Deployment fails when allowed VLAN ID is modified on IDSM capture port |
| CSCsi24091 | Deploy fails if you change access to trunk mode & enable DTP negotiation |
| CSCsz85341 | CSM deletes shared vlan group between svclc and firewall |
Table 5 Cisco IOS Router Devices Caveats
| Reference Number | Description |
|---|---|
| CSCsf09088 | PPP policy does not support if-needed and local-case keywords for AAA |
| CSCsh18926 | NetFlow deployment fails on subinterfaces |
| CSCsi20458 | 802.1x-Number of retries command not generated correctly |
| CSCsi25845 | PPP-No validation for multilink support on device |
| CSCsi45142 | AAA - source intf disc from global cmd instead of aaa subcommand |
| CSCsi45204 | QoS policy not discovered when WRED is enabled |
| CSCsr14267 | Discovery failure with target os 12.3(9) does not exist |
| CSCsr45265 | Negation is not getting generated for policies using nonexistent ACL |
| CSCsz55274 | Deployment to an ASR Fails when Configuring an Interface IP Address |
| CSCsz79334 | Deployment fails on changing VTY authentication method frm AAA to local. |
| CSCta73192 | NTP Authentication key is not negated for Xformer router of type 3945 |
| CSCta84886 | RIP-Deployments fails for RIP policy but CLI are pushed into the device |
| CSCta84894 | BGP-Unassign bgp pol+Deploy,Deployment fails for 861 Router for 15.0 ima |
| CSCta84907 | Xformer:Dep BGP+Change AS no. & Dep+Unassign BGP,Deployment fails |
| CSCta92949 | QoS-Queue limit option supported by router(15.0) dosn't match with CSM |
| CSCtb04099 | Deployment fails when configuring numbered ACL for QOS policy |
| CSCtb77960 | Qos : Cannot save changes for default class for an ASR |
| CSCtc17882 | Activity Validation causes MOP error on interface |
Table 6 Cisco IPS and IOS IPS Devices Caveats
| Reference Number | Description |
|---|---|
| CSCse95933 | IPS related policies should be listed in device properties page |
| CSCsg25899 | IPS 6.x pol. should not be listed for 5.x devices in copy & share policy |
| CSCsg38052 | VLAN groups need to display "unassigned" VLANS |
| CSCsg51052 | After Abort, progress bar continues to 100% and Status remains = Started |
| CSCsg78129 | Copy policies betn devices with VS as src only shows VS's as destn |
| CSCsg80289 | Warning message is displayed during blocking policy deployment. |
| CSCsh02407 | Autoupdate setting value for a device should be same in device tree. |
| CSCsh36604 | IPS EAO: After editing a row, the ed. row is displayed as the last row |
| CSCsh52484 | IPS Licensing Date varies between sensor CLI and sensor |
| CSCsh53265 | On IPS Update page, checkbox for shared sig. policy can be incorrect |
| CSCsh67506 | Dynamic IP address IOS router imported by CNS cannot be discovered |
| CSCsh77105 | During deployment, signatures removed from current.xml |
| CSCsh86189 | Sig update fails when using HTTP if console logging is on |
| CSCsi01650 | EAF: Show content option in context menu for victim addr is not working |
| CSCsi26525 | OOB OPACL changes not resynced after successful deploy |
| CSCsi33159 | Greenfield device is showing 5.1(4)E1 should be 5.1(5)E1 |
| CSCsi39380 | Deployment of NTP policy with policy objects sometimes fails |
| CSCsi44605 | IPS variable names cannot contain special characters. |
| CSCsi47289 | Policy object overridden at VS level is not deployed correctly |
| CSCsj60530 | Inventory alone discovery fails for IPS 6.x device for submit operation |
| CSCsm72033 | Deployment Failed error on Event Action Rules |
| CSCsm93970 | Green field device Preview config does not show IPS pull down option |
| CSCsm94535 | COPY POLICY:Engine parameter not copied to IOS-IPS GreenField device. |
| CSCso11145 | CSM daily autodownload every 2 days should start from the present date |
| CSCso11482 | MultiContext not handled in ApplyIPSUpdate wizard upon SigEditParams |
| CSCso17575 | Intf Policy copy betn same IPS models but diff interface cards fails |
| CSCsr19163 | OS Id.'s ->Restrict to these IP address field should not map to pol. obj |
| CSCsr31140 | Err loading pg if NTP policy from 6.1 dev is copied to 6.0/5.1 dev |
| CSCsr46030 | Copy Interface & VS policy from a 6.1(1)E2 to 6.1(1)E2 fails |
| CSCsv44809 | Rules and AD profile name changes with multiple vs profile config |
| CSCsv57621 | IPS Incorrect Interfaces discovery (removed from VS or disabled) |
| CSCsv59057 | Sigupdate failed to an IOS device with NME module |
| CSCsv85664 | Security Manager swaps names of policies while deploying to device |
| CSCsv91055 | Security Manager Deployment UI shows OOB for unsupported commands |
| CSCsx20448 | IPS 6.2 unsupported devices should not be shown for Update |
| CSCsx33551 | Rollback on IOS IPS Device Fails If SSH Is Not Enabled |
| CSCsx52318 | IPS Editing service ports for signatures throws error |
| CSCsx72883 | Link for Interface help for SSC is redirected to Product Overview |
| CSCsx98868 | IOS IPS : Cannot deploy custom signature for "normalizer" engine |
| CSCsy03168 | IOS IPS: SDEE properties canot be discovered if SDEE is disabled |
| CSCsy47123 | Unable to unshared a shared policy for un-supported platform in dev view |
| CSCsy47398 | Rediscovery of Platform Settings Only Removes Virtual Sensors |
| CSCsy51377 | Package download fails with error msg Download not enough space on disk |
| CSCsy56978 | IOS IPS version should be updated with changes in IOS version |
| CSCsy60393 | Security Manager does not push "category ios_ips basic" command properly |
| CSCsy89865 | Not able to do signature update on IPS-4260 running 5.1(8)E2.9S342.0 |
| CSCsz33707 | Licenses are not shown in IPS tab post ACS Integration without refresh |
| CSCsz35545 | Pre-ACS integrated devices are shown in IPS updates page |
| CSCta90115 | Cannot deploy service module policy in IOS |
| CSCta93482 | Deployment fails- shared sig policy with new custom sig to older version |
| CSCtb16577 | on applying sig pkg to the device, New sig(s) is not listed on sig page |
| CSCtb25669 | Edit Signature Parameter of New E4 engines gives strange errors |
| CSCtb34158 | Global correlation policies show up blank after major ver sensor update |
| CSCtb40828 | Signature deploy failed with "category ios_ips default" command |
| CSCtb40971 | Caching issue : Sig update of 407 LWE failing for ISRs with IOS 12.4 |
| CSCtb55176 | Sensor update fails on applying sensor pkg manually with OOB change |
| CSCtb70183 | Not able to Launch Activity Report After modification |
| CSCtb72766 | sig update fails with "invalid typedefs" error but sig upd is successful |
| CSCtb81058 | User Accounts managed in csm gets locked after deploy to IPS appliance |
| CSCtb81245 | No Entry in Config Archive when deploy includes User Accounts Policy ... |
| CSCtb81691 | Deploy/discovery of IPS Appliances fail with "can't identify user" error |
| CSCtc01735 | IpsSensorUpdate policy locks device; device cannot be deleted |
| CSCtc29327 | In 3.3, Sensors with Policy or Assignment Locked |
| CSCtc51619 | Deployment failed for ISR G2 with IOS 15.0 FCS build |
| CSCtc57010 | No validation for incorrect speed/duplux setting for 10G Interface |
| CSCtc61925 | Global Correlation policies are not population upon dbrestoreorig.pl |
| CSCtc66970 | Two stage upgrade and restore : Auto update settings disabled |
| CSCtc85407 | CSM generates unnecessary delta with ip reordered for network object |
| CSCtc85738 | CSManager IPS Auto Update Attempts to Update Unsupported Images |
| CSCtc85877 | CSManager IPS Auto Updates - Doesn't Update Sig if Image Update Fails |
| CSCtc90943 | CSM Can no associate more than 91 subinterface on an IPS Virtual Sensor |
Table 7 Device Management, Discovery, and Deployment Caveats
| Reference Number | Description |
|---|---|
| CSCsg70526 | EzVPN - default tunnel-groups are not handled by Security Manager |
| CSCsh63248 | Add field in DM to specify whether device is Admin Context or not |
| CSCsi09814 | Configuration updates fail for CNS-managed PIX Firewall devices |
| CSCsi18673 | Security Manager deployment may trigger ObjectGroup name warnings. |
| CSCsi18678 | Security Manager deployment may trigger interface name warnings |
| CSCsk59843 | DCS to monitor the Admin context CLI |
| CSCsq32343 | HitCount -- Internal Failure |
| CSCsu98320 | In 3.2.2, MU durability, user3 failed, ILLEGAL_STATE_TRANSITION |
| CSCsy98103 | Config-diff shows diff between two configs though they are exactly same. |
| CSCsz81607 | Last run entry not seen in Deployment Schedule on page refresh. |
| CSCta98850 | Config Rollback fails for PIX security context |
| CSCtb10579 | Multiline AuthProxy Banners lead to Deployment Failures |
| CSCtb31451 | In 3.2.2, database corruption in device_dirty_status table |
| CSCtc43031 | preview configuration failing network object non-contiguous mask |
| CSCtc70513 | Deployment failing with unmanaged plug-ins |
Table 8 Firewall Services Caveats
| Reference Number | Description |
|---|---|
| CSCsc22934 | ACL limitations for Layer 2 interfaces on IOS ISR devices |
| CSCsh68101 | Activity Report: Issues with access rules table change report |
| CSCsh94210 | Problems matching interface name when reusing AAA policy objects |
| CSCsi18871 | Inspect Map: PIX 7.1 gtp-map subcommand order is not preserved |
| CSCsk33350 | Discovery of PAM Mappings with Inspection Rules is incorrect |
| CSCsk46057 | Changes to csm.properties files lost during Security Manager upgrade |
| CSCsq75974 | Static Rules ACL with source interface are not discovered |
| CSCsr25786 | AAA server object: no error issued when interface not specified |
| CSCsz53354 | MAC Exempt list cannot be ordered |
| CSCta76862 | Deployment fails when an access rule is added, edited or deleted |
| CSCtb00116 | Wrong error message after sorting the Access control by ACL name |
| CSCtb03821 | Failover: Deployment fails with subinterface as failover Interface |
| CSCtb59163 | Import: Discovery of ASA 8.2 maps to 8.1(2) |
| CSCtb75312 | Hit Count - Hit Count Internal Failure error |
| CSCtc35113 | Space in notification e-mail causes deployment error |
| CSCtc43845 | Failover: ASA license-related deployment failure |
| CSCtc49458 | IOS Inspection rule with port number >6000 generated incorrectly |
| CSCtc54330 | Cannot duplicate Service object that has override values |
| CSCtc56379 | Shared Logging Setup Policies not seen under Policy View |
| CSCtc56731 | Cannot edit device overrides in nested ACL objects |
| CSCtc84865 | CSM ACL generation issue with nested service object-groups |
Table 9 Miscellaneous Caveats
| Reference Number | Description |
|---|---|
| CSCse47834 | MCP:Not able to Uninstall completely if MCP is installed |
| CSCsi08390 | IEV installation fails on systems without C: drive |
| CSCsk11268 | A User Can Open Multiple Sessions in Non-Workflow Mode |
| CSCsk78778 | Error not shown for unavailable ACE during MARS events lookup |
| CSCsk94278 | Read-only policy page in MARS is blank after starting Security Manager |
| CSCsm50836 | MARS credentials retained in cache after changing authentication option |
| CSCsm68564 | Disabled rules not shown as inactive in read-only policy page in MARS |
| CSCsw44997 | ZBFW: ActRpt - Create Map, Overrride - not shown correctly |
| CSCsz38530 | Multiuser: device can be deleted while deploying changes |
| CSCsz74628 | Performance Monitor: Packet counters not updated in RA-VPN device page. |
| CSCsz74737 | Performance Monitor: Site-to-site VPN charts updated with RA-VPN data. |
| CSCta17924 | MCP: Tunnel packet counters not updated for P2P S2S VPN on VSPA. |
| CSCta33520 | long job names causing MDCSupport.exe to fail |
| CSCta87566 | Activity Report shows hostnames truncated |
| CSCtb42436 | Changes made within Security Mgr cannot be saved or applied to device |
| CSCtb55368 | MCP: Device int details are not displaying properly with Ez-VPN |
| CSCtb81848 | Security Manager - Server does not start - regdaemon.xml corrupted |
| CSCtb97623 | FWSM contexts not shown correctly in MCP |
| CSCtb97789 | View tab in "managing devices" in MCP not working |
| CSCtc36711 | CSM 3.x - Intermittent activity report PDF creation failure |
| CSCtc59058 | MCP does not retain changes for multi-context FWSM contexts overnight |
| CSCtc59526 | Security Manager client performance upgrade |
| CSCtc63141 | Security Manager: fail to launch packet capture tool |
| CSCtc81467 | Client unresponsive when move back and next in add new device window |
Table 10 Policy Management Caveats
| Reference Number | Description |
|---|---|
| CSCtc49550 | Stack overflow error with network BB override option- Router |
Table 11 VPN Device and Configuration Support Caveats
| Reference Number | Description |
|---|---|
| CSCse94752 | Support for IOS version 12.2(33)SRA on 7600 devices |
| CSCsh14709 | Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client |
| CSCsh79282 | Cat6k-SPA GRE+Multicast - unsupported |
| CSCso63006 | IPSEC VPN import failed when crypto ACL contains intf in source/dest |
| CSCsq66815 | Side-effects due to missing Protected Network's assignmnt usage info. |
| CSCsq87565 | certificate-to-connection-profile map policy does not support map name |
| CSCsr23893 | Remote Access VPN - Activity validation reports error for http-form |
| CSCsv31933 | Onscrn kbd, internal pwd features set to default after migration |
| CSCsv98168 | Static routing option on DMVPN generates incorrect routes on hub |
| CSCsy83931 | VPN policy discovery fails when tunnel source defined with IP address. |
| CSCsz60736 | CS Mgr not generating a workable configuration with unique tunnel source |
| CSCsz72524 | DMVPN does not work even though spoke connectivity is selected. |
| CSCsz79453 | CS Mgr discovery fails when NAT IP address is configured with LPIT. |
| CSCta86315 | DMVPN-Discovery+deploy - NHRP auth value changed |
| CSCta92510 | Regular ipsec discovery - Preshared key Aggressive mode not discovered |
| CSCtb34238 | Bookmark is displayed empty during discovery for group policy. |
| CSCtb61976 | SSLVPN - DAP changes not getting saved properly |
| CSCtc18700 | CS Mgr 3.3 not showing modified DfltGrpPolicy in RA VPN |
| CSCtc30623 | Global Settings - Save button does not work |
| CSCtc43399 | Ability to add RDP2 plugin to ASA not supported |
| CSCtc53906 | crl configure - policy value always set to both |
| CSCtc53977 | Banner is added two times to the full config during discovery |
| CSCtc76822 | SSL VPN discovery fails because of CSD package size |
Resolved Caveats—Release 3.3.1
The following customer-found or previously release-noted caveats have been resolved in this release.
Reference Number
|
Description
|
CSCsi19584
|
Removing an interface used in access rules can cause deployment to fail
|
CSCsj38020
|
CSM3.1 Request for optimization of shared access-list generation
|
CSCsv10362
|
Config archive is not automatically purged
|
CSCsx16443
|
Apache Security issue with all versions of CSM
|
CSCsy61195
|
Deployment Fails when Changing BGP AS Number on ASR Device
|
CSCsz37841
|
CSM can't upgrade signature with "could not get device version" message
|
CSCsz46172 | CSM Client stuck in Initializing
CSCsz58009 | Validation fails with stack overflow on discovery of more IPS sig tuning
CSCsz58064 | FWSM : Deployment should handle "Device can send Configuration in progre
CSCsz58766 | After enabling VACL, CSM sends unsupported command to 6500 Sup1
CSCsz59552 | CSM fail to validate the content of Network object.
CSCsz72119 | AU: Sig update applied to dev with invalid lic when SP is also selected
CSCsz72156 | AU does not apply minor update if the dev is at lower Engine/Sig level
CSCsz74432 | Assignment of shared VPN policies not working from Policy view.
CSCsz75152 | special char "\" in the ACL remarks causing discovery failure in 3.2.2
CSCsz82813 | MCP does not retain changes for multi-context FWSM contexts
CSCsz87296 | Deployment on IPS/IOS-IPS deletes tunings for retired\enabled sometime
CSCsz89897 | ipsec-pass-thru not recognised by CSM for ASA version 7.1.2
CSCsz92007 | CSM: Should allow semicolon delimiter in PKI certificate subject name.
CSCsz93753 | virtual signature signature levels mismatched
CSCta00907 | DMVPN: distribute-list ACL overwritten when spoke participates in 2 topo
CSCta03206 | CSM deploys IOS FW "ip inspect max-incomplete low/high" in wrong order
CSCta08701 | Cannot select FILE deployment Method for selected devices
CSCta18060 | CSM installed Sybase DB is carrying sample DB of sports clothing
CSCta23518 | Scheduled email to report vpn usage is failing.
CSCta53076 | CSM uses incorrect syntax to push DCD config to ASA
CSCta53304 | Error in Rediscover Peers removes the Hub and corrupts VPN
CSCta57896 | Act Report shows modified but no change in column for ip reorder
CSCta61812 | CSM - Summertime config overwritten during deployment
CSCta62887 | CSM 3.3 cannot deploy "logging facility" on older PIX versions
CSCta62903 | CSM incorrectly marks services like 'tcp/1234' as invalid format
CSCta64654 | OK button is outside of screen in deployment dialog
CSCta69399 | CSM incorrectly handles '\t' when parsing configuration in the database.
CSCta71926 | "Error loading page" in IPS device view when user has no write privs
CSCta76629 | Deployment to FWSM 3.1(4)6 hang
CSCta77790 | CSM - Enabling DCD with default setting is not deployed
CSCta79659 | MCP-CSM ill-timed P1 alerts send due to tcp-window 0 advertised
CSCta83590 | CSM 3.3 'no monitor-interface' ASA base license deployment failure
CSCta87190 | CSM allows to configure and deploy duplicate static translation rules
CSCta91066 | Unchecking Inventory in Discover Policy causes Assignment to be deleted.
CSCtb08031 | Inline upgrade csm3.2 > CSM 3.3 not deploying bkup changes in 1 scenario
CSCtb11258 | CSM - Warning is needed during the discovery of a Cat6k in VSS mode
CSCtb16822 | CSM: Database corruption due to deleted policy references
CSCtb20714 | "File> View Changes" does not work correctly
CSCtb21172 | ACL used by non-supported IOS policy is deleted
CSCtb24786 | CSM 3.2.2 - Backup shows successful irrespectve of vms.tmpl missing
CSCtb25271 | Changing VPN credentials override marks all devices using policy dirty
CSCtb44365 | CSM cannot define speed nonegotiate on fiber gigabit ports on ASA-5580
CSCtb51855 | NullPointerException when discovering VPN policies
CSCtb54928 | CSM 3.3 Can't deploy "failover polltime interface without holdtime
CSCtb62827 | CSM3.3: InspectMapsPlugin fail to generate raw configlets on deploy
CSCtb68566 | CSM deploys incomplete VPN configuration for ASA site-to-site VPN
CSCtb72572 | CSM 3.3 - cannot add PIX 6.3 anymore as a spoke in Ezvpn topology
CSCtb73211 | Protected network discovery for L2L should be done with ACL on 3.3.0
CSCtb79468 | Devices are treated as dirty after succeeded deployment
CSCtb80489 | CSM is not able to add from network C7300 routers.
CSCtb81733 | CSM discovery of EzVPN with certificates chooses wrong tunnel-group
CSCtb82114 | "no monitor-interface" is automatically added on CSM
CSCtb82527 | CSM tries to deploy pre-shared key for certificate based EzVPN topology
CSCtb84188 | CSM - crypto map is missing when deploying to AUS
CSCtc16352 | ADMIN cannot change config after READ ONLY user's unprivileged access
CSCtc38660 | CSM IPS Updates Download - Unable to communicate with locator service
CSCtc53926 | CSM - deploys "authorization-dn-attributes UID" in the tunnel group
CSCtc53954 | CSM - certificate map - config might not be discovered in some cases
CSCtc56419 | CSM - Policy view- logging setup returns an error
CSCtc82027 | CSM: Doc bug in User Guide, does not provide steps to restore database
Resolved Caveats —Releases Prior to 3.3.1
For the list of caveats resolved in releases prior to this one, see the following documents:
• http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Where to Go Next
If you want to: | Do this:
Install Security Manager server or client software. | See Installation Guide for Cisco Security Manager 3.3.1.
Understand the basics. | See the interactive JumpStart guide that opens automatically when you start Security Manager.
Get up and running with the product quickly. | See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.3.1.
Complete the product configuration. | See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 3.3.1.
Manage user authentication and authorization. | See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 3.3.1: Setting Up User Permissions; Integrating Security Manager with Cisco Secure ACS.
Bootstrap your devices. | See "Preparing Devices for Management" in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 3.3.1.
Install entitlement applications. | Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 3.3.1.
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
• Guide to User Documentation for Cisco Security Manager: http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html
Lists the document set that supports the Security Manager release and summarizes the contents of each document.
• For general product information, see: http://www.cisco.com/go/csmanager
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
© 2009 Cisco Systems, Inc. All rights reserved.