Release Notes for Cisco Security Manager 4.2
First Published: September 6, 2011
Last Revised: March 6, 2012
These release notes are for use with Cisco Security Manager 4.2.
Security Manager 4.2 is now available. Registered SMARTnet users can obtain release 4.2 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
This chapter contains the following topics:
• Introduction
• Supported Component Versions and Related Software
• What's New
• Installation Notes
• Service Pack 1 Download and Installation Instructions
• Cisco IPS 7.1(4)E4 Service Pack Download and Installation Instructions
• Important Notes
• Caveats
• Where to Go Next
• Product Documentation
• Obtaining Documentation and Submitting a Service Request
Introduction
Note
Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
• Cisco Security Manager 4.2 (Including Service Pack 1)—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and such.
  Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
• Auto Update Server 4.2—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
• Performance Monitor 4.2—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note
Before using Cisco Security Manager 4.2, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.2 before installing or upgrading to Cisco Security Manager 4.2.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.2.
Note
For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Application | Support Releases
Component Applications
Cisco Security Manager | 4.2
Auto Update Server | 4.2
Performance Monitor | 4.2
CiscoWorks Common Services | 3.3
Resource Manager Essentials (RME) | 4.3
Related Applications
Cisco Security Monitoring, Analysis and Response System (CS-MARS) | 6.0.7, 6.1.1
Cisco Secure Access Control Server (ACS) for Windows | 4.1(3, 4), 4.2(0)
  Notes
  • Cisco Secure ACS Solution Engine 4.1(4) is also supported.
  • You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
Cisco Configuration Engine | 3.5, 3.5(1)
What's New
Cisco Security Manager 4.2 Service Pack 1
Security Manager 4.2 Service Pack 1 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.2 Service Pack 1.
This service pack also enables support for IPS 7.1(4)E4. For instructions on applying the IPS 7.1(4)E4 service pack to a sensor using Security Manager 4.2 Service Pack 1, see Cisco IPS 7.1(4)E4 Service Pack Download and Installation Instructions.
Cisco Security Manager 4.2
In addition to resolved caveats, this release includes the following new features and enhancements:
• Support for ISR ScanSafe integration, a cloud-based SaaS (Software as a Service) feature, which can transparently redirect selected traffic for content scanning and malware protection. You can use ScanSafe Web Security to provide differentiated services to particular users, user groups, and IPs.
• Support for the Cisco Catalyst 6500 Series ASA Services Module running ASA Software Release 8.5(1). Event Viewer and Report Manager work with this new service module. However, the service module does not support VPN configuration, so reports related to VPN are not applicable.
• Support for ASA Software release 8.4(2), including the following features:
  – Identity-aware firewall, allowing you to create ACL rules that are sensitive to the Active Directory (AD) username or user group membership of the person sending traffic through the ASA. Additionally, you can use fully-qualified domain names (FQDN) for source or destination rather than IP addresses. There are new policy objects for Identity User Group and FQDN network/host objects, and all device policies that allow identity-aware ACLs are supported: AAA rules, access rules (IPv4 and IPv6), inspection rules, Botnet Traffic Filter classification, and service policy rules. A new policy, Identity Options, identifies the AD servers, AD agents, and other identity-related settings.
  – PAT Pool, Round Robin, No Proxy ARP, and Route Lookup features have been added to Manual NAT rules. With PAT Pool, you can define a pool of IP addresses specifically for PAT, and you can select a "round robin" algorithm for port allocation during PAT.
  – Event Viewer includes new columns for user name and FQDN information in syslog messages that include them. There are new syslog messages related to identity-aware firewall: 746001-746019.
  – Support for IPv6 addresses for DNS servers.
  – You can now configure an ASA to permit or deny VPN connections from endpoints with an AnyConnect Essentials license on a per-dynamic access policy (DAP) basis. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod versions 2.5.x and AnyConnect for Android versions 2.4.x. You do not need to enable CSD to configure these specific attributes.
  – Support for a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.
  – Auto Update Server and Performance Monitor support.
• Support for Cisco IOS Software Release 15.2(1)T on 88x, 89x, 19xx, 29xx, and 39xx routers only. ScanSafe is the only supported new feature in this version.
• Support for IPS modules on ASA 5585 with Cisco ASA 5585 IPS Security Services Card.
• A new generic router support model. If an Integrated Service Router (ISR) or Aggregation Services Router (ASR) model is not explicitly supported, you can manage the device as a generic router. Available features are based on the software version running on the device.
• You can now choose between client and server file systems when performing the following file operations:
  – Installing Security Manager license files
  – Importing/exporting device inventory files
  – Importing/exporting shared policies
  – Creating the following file objects: Cisco Secure Desktop Package, Plug-In, AnyConnect Profile, AnyConnect Image, Hostscan Image
Installation Notes
• "Licensing," a new chapter in the installation guide, enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation. It is available at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.2/installation/guide/licensing.html.
• VMware ESX 4.1 and VMware ESXi 4.1 are supported with this release of Security Manager.
• AUS 4.2 is supported with this release of Security Manager.
• Performance Monitor 4.2 is supported with this release of Security Manager.
• Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can cause problems with the following:
  – Logging in to the web server
  – Logging in to the client
  – Performing successful backups of all databases
• You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Tip
Remote upgrade from Security Manager 3.3.x to Security Manager 4.2 is supported. Refer to Installation Guide for Cisco Security Manager
• Before you can successfully upgrade to Security Manager 4.2 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
• We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
• Be aware of the following important points before you upgrade:
  – Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.

Note
It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
  – If you install RME on the same server as Security Manager, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
  – If you upgrade to Security Manager 4.2 from Security Manager 3.3.x, you may experience large delta configurations due to changes that were implemented after Security Manager 3.3.1. For more information, please see CSCta56918 and CSCth52454.
Service Pack 1 Download and Installation Instructions
To download and install service pack 1, follow these steps:
Note
You must install the Cisco Security Manager 4.2 FCS build on your server before you can apply this service pack.
Step 1: Go to http://www.cisco.com/go/csmanager, and then click Download Software under the Support heading on the right side of the screen.
Step 2: Enter your user name and password to log in to Cisco.com.
Step 3: Click Security Manager (CSM) Software, expand the 4.2 folder under All Releases, and then click 4.2sp1.
Step 4: Download the file fcs-csm-42-sp1-win-k9.exe.
Step 5: To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6: If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7: Run the fcs-csm-42-sp1-win-k9.exe file that you previously downloaded.
Step 8: In the Install Cisco Security Manager 4.2 Service Pack 1 dialog box, click Next and then click Install in the next screen.
Step 9: After the updated files have been installed, click Finish to complete the installation.
Step 10: On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
  a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
  b. Launch the Security Manager client. You will be prompted to "Download Service Pack".
  c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11: (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Cisco IPS 7.1(4)E4 Service Pack Download and Installation Instructions
This section describes how to download and apply the IPS 7.1(4)E4 service pack to sensors using Cisco Security Manager 4.2 Service Pack 1, or a later release.
For more information about IPS 7.1(4)E4, please refer to Release Notes for Cisco Intrusion Prevention System IPS 7.1(4)E4 at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html.
SUPPORTED PLATFORMS
Cisco IPS 7.1(4)E4 is supported on the following platforms:
• ASA 5585-X IPS SSP-10
• ASA 5585-X IPS SSP-20
• ASA 5585-X IPS SSP-40
• ASA 5585-X IPS SSP-60
• IPS 4270-20
Note
Before you can manage IPS 7.1(4)E4 in Cisco Security Manager, you must upgrade to Cisco Security Manager 4.2 Service Pack 1, or a later release.
To apply IPS 7.1(4)E4 to a sensor using Security Manager 4.2 Service Pack 1, or a later release, follow these steps:
Step 1: Download the service pack ZIP file, IPS-CSM-K9-7.1-4-E4.zip, to the <CSM-install-dir>/MDC/ips/updates directory.
Step 2: Launch the IPS Update Wizard from Tools > Apply IPS Update.
Step 3: Select Sensor Updates from the drop-down menu, select the IPS-CSM-K9-7.1-4-E4.zip file, and then click Next.
Step 4: Select the device(s) to which you want to apply the service pack, then click Finish.
Step 5: Deploy these changes to the affected sensors using Deployment Manager. Deployment Manager can be launched from Manage > Deployments.
Important Notes
The following notes apply to the Security Manager 4.2 release:
• You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
• If you upgrade an ASA to release 8.3(x) or higher from 8.2(x) or lower, you must delete the device from the Security Manager inventory and add it back again for the policies to work correctly.
• ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
• The device memory requirements for ASA 8.3 are higher than the requirements for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
• If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
• A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
• Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
• Do not run SQL queries against the database.
• If an online help page displays blank in your browser view, refresh the browser.
• Cisco Secure ACS 5.0 is not supported by Security Manager 4.2.
• If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
• The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
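The packageMonitorInterval change described in the notes above can be scripted so that it is backed up and repeatable. This is an added PowerShell example, not Cisco's code or part of the original release notes. It assumes sensorupdate.properties uses Java-style key=value lines with the value written in plain milliseconds; the function name Set-PackageMonitorInterval and the sample file are hypothetical.

```powershell
# Added example. Assumption: sensorupdate.properties is a Java .properties
# file with a line such as "packageMonitorInterval=30000".
function Set-PackageMonitorInterval {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateRange(1000, 86400000)][int]$IntervalMs = 600000
    )

    # .NET file APIs need an absolute path; this also stops if the file is missing.
    $full  = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $enc   = [System.Text.Encoding]::GetEncoding('iso-8859-1')   # .properties encoding
    $lines = [System.IO.File]::ReadAllLines($full, $enc)

    $pattern = '^(\s*packageMonitorInterval\s*[=:]\s*)(\d+)\s*$'
    $hits    = @($lines | Where-Object { $_ -match $pattern })
    if ($hits.Count -ne 1) {
        throw "Expected one packageMonitorInterval line, found $($hits.Count); file left unchanged."
    }

    $current = [int]($hits[0] -replace $pattern, '$2')
    if ($current -eq $IntervalMs) {
        return "packageMonitorInterval is already $IntervalMs ms; nothing changed."
    }

    # Keep a timestamped copy so the original value can be restored.
    $backup = "$full.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $full -Destination $backup

    # Rewrite only the matching line; comments and other keys stay as they are.
    $updated = [string[]]@($lines | ForEach-Object {
        if ($_ -match $pattern) { $_ -replace $pattern, ('${1}' + $IntervalMs) } else { $_ }
    })
    [System.IO.File]::WriteAllLines($full, $updated, $enc)

    return "packageMonitorInterval: $current -> $IntervalMs ms (backup: $backup)"
}

# Demonstration on a constructed sample file (contents are illustrative,
# not copied from a real installation).
$sample = Join-Path $env:TEMP 'sensorupdate.properties'
Set-Content -LiteralPath $sample -Value @('# constructed sample', 'packageMonitorInterval=30000')
Set-PackageMonitorInterval -Path $sample
Get-Content -LiteralPath $sample

# On the server, with $NMSROOT at the default given in the note above:
# Set-PackageMonitorInterval -Path 'C:\Program Files\CSCOpx\MDC\ips\etc\sensorupdate.properties'
```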
Caveats
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
• Commands are in boldface type.
• Product names and acronyms may be standardized.
• Spelling errors and typos may be corrected.
Note
If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
• Open Caveats—Release 4.2
• Resolved Caveats—Release 4.2 Service Pack 1
• Resolved Caveats—Release 4.2
• Resolved Caveats—Releases Prior to 4.2
Open Caveats—Release 4.2
The following caveats affect this release and are part of Security Manager 4.2:
• ASA, PIX, and FWSM Firewall Devices Caveats
• CSM Client and Server Install Caveats
• Cisco Catalyst 6000 Device Support Caveats
• Cisco IOS Router Devices Caveats
• Cisco IPS and IOS IPS Devices Caveats
• Device Management, Discovery, and Deployment Caveats
• Event Viewer Caveats
• Firewall Services Caveats
• Miscellaneous Caveats
• Policy Management Caveats
• Report Manager Caveats
• VPN Device and Configuration Support Caveats
Note
In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 2 ASA, PIX, and FWSM Firewall Devices Caveats
Reference Number | Description
CSCse51450 | OSPF validations are not adequate
CSCsh20731 | FAILOVER - Active/Active deploys to Standby unit and returns errors
CSCsi34972 | OSPF Discovery: Deployment of incomplete OSPF policy invalid
CSCsi44546 | RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed
CSCsl51451 | Enable DHCPD auto configuration with interface option not discovered
CSCsm82107 | Discovery of a multi-mode ASA added to CSM as a new device fails
CSCsr17662 | Deployment of IPS command truncated if containing class map is changed
CSCtd60804 | CSM managing A/A FWSM will not use configured management ip of context
CSCtl46305 | Target OS for PIX firewall shows unsupported versions.
CSCtr89348 | CSM 4.1 - DNS inspect parameter message-length not deploying properly
Table 3 CSM Client and Server Install Caveats
Reference Number | Description
CSCte49471 | CSM installer should check for supported SP during install
CSCte56524 | Not able to launch the CSM client after upgrade (CSM3.3SP1 to CSM4.0)
CSCtg58541 | CSM coexistence problem with Symantec Event Manager startup sequence
CSCtq99125 | Installation: Evaluation and Licensing options get enabled simultaneous
CSCtr71792 | ETSGJ-CH:CSM Launch Icons Missing on XP JOS Client
CSCtr72248 | ETSGJ-CH:Not able to proceed with install if going back to previous page
CSCts04588 | System Requirements fails, showing negative value in available space
Table 4 Cisco Catalyst 6000 Device Support Caveats
Reference Number | Description
CSCsi17608 | Deployment fails when allowed VLAN ID is modified on IDSM capture port
CSCsi24091 | Deploy fails if you change access to trunk mode & enable DTP negotiation
Table 5 Cisco IOS Router Devices Caveats
Reference Number | Description
CSCsf09088 | PPP policy does not support if-needed and local-case keywords for AAA
CSCsh18926 | NetFlow deployment fails on subinterfaces
CSCsi20458 | 802.1x-Number of retries command not generated correctly
CSCsi25845 | PPP-No validation for multilink support on device
CSCsi45142 | AAA - source intf disc from global cmd instead of aaa subcommand
CSCsi45204 | QoS policy not discovered when WRED is enabled
CSCsr14267 | Discovery failure with target os 12.3(9) does not exist
CSCsr45265 | Negation is not getting generated for policies using nonexistent ACL
CSCsz79334 | Deployment fails on changing VTY authentication method frm AAA to local.
CSCta73192 | NTP Authentication key is not negated for 3945 router
CSCta84886 | RIP-Deployments fails for RIP policy but CLI are pushed into the device
CSCta84894 | BGP-Unassign bgp pol+Deploy,Deployment fails for 861 Router for 15.0 ima
CSCta84907 | Deployment fails after unassigning BGP policy
CSCth57536 | Filters not working in QOS->Control Plane and Interfaces->settings->CEF
CSCth66433 | No auto-summary in EIGRP discovered as auto-summary for infusion device
CSCth79839 | ASR: Advanced Interface Settings: MOP needs to be enabled by default
CSCth94343 | HTTP-Radius Retransmit on Dev-Key Not Disc & Retransmit Removed on Deploy
CSCth94684 | Static: No Cli Generated when Null0 Interface is selected
CSCth94764 | RIP: "Chain" is Masked instead of Key Chain Name
CSCth94840 | XNE: Syslog: Both Standard and XML Syslog Buffers are Allowed on Device
CSCth94895 | XE:MemoryThreshold Notification can be configure only for Free Processor
CSCth95357 | XE: Deploy Fails when Memory Critical Notifications are Changed
CSCti02291 | EIGRP Removed if Network is Changed
CSCti02324 | ASR - BGP - redistribute static - clns does not appear on device
CSCti02438 | Dialer Profile - Named Acl is Created During Discovery
CSCti02504 | PVC - UI Issues
CSCti02548 | ASR - PVC/OAM - Unsupported Cli
CSCti02928 | Cannot Rollback from Config Archive nor Deployment Manager
CSCti15944 | CLI: "dot1x pae authenticator" generated after deployment of 802.1x
CSCti22798 | Infusion: RAVPN Checkbox should be disabled in Bulk Re-discovery Panel
CSCtl43989 | ASR - No validation in CSM when configuring unsupported cli for ASR
CSCto83093 | vlan group UI not showing Bennu in the select tab
CSCtq04456 | Deploy to file fails with permission error to non-default folder
CSCtq12795 | Generic Router: AAA rules getting negated.
CSCtq21073 | HTTP - Numbered ACL is discovered as Named ACL in CSM GUI
CSCtq42937 | Preview fails in EIGRP redistribute config, if BW,delay conf in 10 digit
CSCtq82517 | CSM can not understand track 1 command
CSCtr99373 | Preview config fails when BGP AS value is edited
Table 6 Cisco IPS and IOS IPS Devices Caveats
Reference Number | Description
CSCse95933 | IPS related policies should be listed in device properties page
CSCsg25899 | IPS 6.x pol. should not be listed for 5.x devices in copy & share policy
CSCsg38052 | VLAN groups need to display "unassigned" VLANS
CSCsg51052 | After Abort, progress bar continues to 100% and Status remains = Started
CSCsg78129 | Copy policies between devices with VS as source only shows VS's as destn
CSCsg80289 | Warning message is displayed during blocking policy deployment.
CSCsh02407 | Autoupdate setting value for a device should be same in device tree.
CSCsh36604 | IPS EAO: After editing a row, the ed. row is displayed as the last row
CSCsh52484 | IPS Licensing Date varies between sensor CLI and sensor
CSCsh53265 | On IPS Update page, checkbox for shared sig. policy can be incorrect
CSCsh67506 | Dynamic IP address IOS router imported by CNS cannot be discovered
CSCsh77105 | During deployment, signatures removed from current.xml
CSCsh86189 | Sig update fails when using HTTP if console logging is on
CSCsi01650 | EAF: Show content option in context menu for victim addr is not working
CSCsi26525 | OOB OPACL changes not resynced after successful deploy
CSCsi39380 | Deployment of NTP policy with policy objects sometimes fails
CSCsi44605 | IPS variable names cannot contain special characters.
CSCsi47289 | Policy object overridden at VS level is not deployed correctly
CSCsj60530 | Inventory alone discovery fails for IPS 6.x device for submit operation
CSCsl70245 | Licensing: Repeated clicking of refresh button shows duplicate entries
CSCsm72033 | Deployment Failed error on Event Action Rules
CSCso11145 | CSM daily autodownload every 2 days should start from the present date
CSCso11482 | MultiContext not handled in ApplyIPSUpdate wizard upon SigEditParams
CSCso17575 | Intf Policy copy betn same IPS models but diff interface cards fails
CSCsr19163 | OS Id.'s ->Restrict to these IP address field should not map to pol. obj
CSCsr31140 | Err loading pg if NTP policy from 6.1 dev is copied to 6.0/5.1 dev
CSCsv44809 | Rules and AD profile name changes with multiple vs profile config
CSCsv85664 | Security Manager swaps names of policies while deploying to device
CSCsv91055 | Security Manager Deployment UI shows OOB for unsupported commands
CSCsx72883 | Link for Interface help for SSC is redirected to Product Overview
CSCsx98868 | IOS IPS: Cannot deploy custom signature for "normalizer" engine
CSCsy03168 | IOS IPS: SDEE properties cannot be discovered if SDEE is disabled
CSCsy47123 | Unable to unshare a shared policy for un-supported platform in dev view
CSCsy56978 | IOS IPS version should be updated with changes in IOS version
CSCsy60393 | Security Manager does not push "category ios_ips basic" command properly
CSCsy89865 | Not able to do signature update on IPS-4260 running 5.1(8)E2.9S342.0
CSCta90115 | Cannot deploy service module policy in IOS
CSCtb16577 | On applying sig pkg to the device, New sig(s) is not listed on sig page
CSCtb40828 | Signature deploy failed with "category ios_ips default" command
CSCtb55176 | Sensor update fails on applying sensor pkg manually with OOB change
CSCtc81519 | IPS Validation warnings still show up after unassigning shared policies
CSCte61977 | Delta shown for user profiles(no conf chng)after remote upgrade (3.3.1)
CSCtf40838 | Licence Refresh functionality is broken when navigating between tabs
CSCtg47573 | Event Action Filter variable problem
CSCtg49034 | Migration log: IPS backward compatible devices are not reported
CSCti00195 | Reference context copy overrides the non-reference context local tuning
CSCti23458 | AAA policy managd as backward compatible throws wrong error post upgrade
CSCti35244 | Validation error when sharing the new engine with older signature device
CSCtj35527 | Certificate page sud show proper error msg when it shows non-retrievable
CSCtk12711 | Right-click does not work on Virtual Sensor page
CSCtk36259 | MU-IPS Licensing page taking too long for Refresh / CCO Update operation
CSCtk36308 | MU-Anomaly detection page not responsive if more than one user logged in
CSCtl08815 | Multi context issue in shared signature makes import/export funct broken
CSCtl73918 | Packages are not extracted to temp folder if i manually copy it to updat
CSCtl78355 | IPS Sig discovery Failing
CSCtn20133 | Error thrown for Sensor/sig update during registratn of IPS pkgs
CSCto96587 | 50k-60k sig not visible in sig UI for some dvcs after inline upgrade
CSCto98324 | CSM 4.0.1 failed to deploy scheduled IPS signature update
CSCtq15040 | IOS-IPS device should be disabled if i select sig levl less than dev levl
CSCtq15050 | Applied level and deployed level mismatch after sensor update
CSCtq15107 | IPS SSC-5 card should not come under IPS chassis while filtering
CSCtq20695 | Deployment fails if the shared sign. Policy has the new custom signature
CSCtq21338 | In Device view, CSM allow to create custom sign. with unsupported engine
CSCtq26908 | IPS Device locked because of n/w operator user signature policy assignment
CSCtq32569 | Changes made on sign. pol not reflected in CSM after device re-discovery
CSCtq36805 | Upgrade from 4.0 to 4.2 does not change forced registration flag status
CSCtq79031 | CSM: improvisation of error message during discovery for IOS IPS devices
CSCtq87982 | Shared IPS User Accounts Policy does not respond
CSCtq99717 | Two different behaviors of 50k signature for E3 device
CSCtr06099 | IPS Lic AutoUpdate mail doesn't show correct reason for failed download
CSCtr14169 | Could see delta after importing ips device with VS
CSCtr24667 | After editing IPS sig to default from local, the delta is empty
CSCtr28546 | Change report not generated for Global correlation policies
CSCtr47632 | IPS Updates -> Reset doesn't reset values to existing values
CSCts30206 | After editing IPS sig to default from local, the delta is empty in CSM
Table 7 Device Management, Discovery, and Deployment Caveats
Reference Number | Description
CSCsh63248 | Add field in DM to specify whether device is Admin Context or not
CSCsi18673 | Security Manager deployment may trigger ObjectGroup name warnings.
CSCsi18678 | Security Manager deployment may trigger interface name warnings
CSCsk59843 | DCS to monitor the Admin context CLI
CSCsq32343 | HitCount -- Internal Failure
CSCta39358 | [Rollback]Rollback is not working properly with ASA
CSCtc77997 | Missing information in the FQ logic.
CSCte65524 | Failover: Deployment takes a long time
CSCtf78036 | Deployment summary shows successful though deployment not done.
CSCth77654 | Failover License Checkbox not updated after re-discovery
CSCtj62038 | Scalability: Cannot import IPS devices with specific signature levels
CSCtk16274 | ENH:CSM should re-use csm-generated obj-group name after new discovery
CSCtk34582 | Scalability:Need baseline for max number of devices that can be exported
CSCtk59808 | CSM should warn about AUS during device export if AUS is confgd
CSCtl13130 | Perf 4.1 - ER04 - QA07 - QA08 -Time to Deployment CPU hocking 100% Conf
CSCtn53016 | CSM May Fail to Archive Configuration
CSCtq37145 | Deployment report generation failing
CSCtq76058 | CSM VPN Deployment Failure - ASA out of space of flash:
CSCtr14734 | Device and policy import fails with dev file.
CSCtr76645 | CSM Device provisioning failed when deploying to ASA
CSCtr79983 | ETSGJ-CH:Report fails when device using wrong cred csv file
CSCtr89863 | During upgrade from 4.0.1 to 4.1 recurring scheduled jobs get corrupted
Table 8 Event Viewer Caveats
Reference Number | Description
CSCtd27974 | Floating view minimized by default.
CSCtd33930 | Real-time event row selection not retaining
CSCtd49651 | Select all in custom filter with filter criteria not correct.
CSCtd59852 | Custom filter does not remember values when some filter is applied.
CSCtd71393 | Event Viewer must provide the ability to filter in a signature ID
CSCtd74239 | "Backplane" & "physical" interface fields are always blank for events
CSCtd80726 | Time slider doesn't show correct trend for view with long duration.
CSCte18239 | Continue showing 'Navigating to.' dialog even if crosslaunch is canceled
CSCte37331 | Internal error thrown on opening view having BB which is deleted.
CSCte37802 | Custom filters using BB should have view option to see BB contents.
CSCtf07664 | No warning if event data store size is reduced than actual stored events
CSCtf61897 | Unselecting a sigId should unselect it under all Signature Categories
CSCtg17154 | Floating window goes invisible on clicking Cancel Close
CSCtg35646 | Closing pre-defined view with filter changes should ask for save as.
CSCtg46517 | ASA Eventing: Incorrect event names for some syslogs
CSCtg54222 | Eventing Restore: Restore failing or partially succeeding in some cases
CSCtg57676 | Internal error thrown when portlist is used in service object filter.
CSCtg57745 | Filtering does not work when only protocol name is used in service obj.
CSCtg57839 | Results not correct when network obj with non-contiguous mask is used.
CSCtg75129 | VmsEventServer doesn't come up after CSM DB restore.
CSCtg78128 | Save required after device/BB is deleted and custom view is launched.
CSCti05104 | Need latest syslog-msg.xml file for Event Details for AC Milan
CSCtj17754 | IP to Object name mapping for Multiple objects not showing properly
CSCtl73195 | BB names having underscore in name can't be shown in the event viewer
CSCtq77833 | CSM is Monitoring UnManaged Devices
CSCtq80065 | Event Name missing for Some Failover and IPSec Syslogs
CSCtq80146 | Parser code should be enhanced to parse the identity fields correctly
CSCtq80691 | 716037: Action field shows login instead of failed
CSCtr01963 | E-->P Issue:ACL Deny (idenity),1st rule with service:IP,2nd rule:ICMP
CSCtr01965 | Policy match improper:1st rule:user-group,2nd rule:user from this grp
CSCtr24061 | E-->P correlation Error:1st Rule:based on FQDN,2nd rule:based on ip-add
Table 9 Firewall Services Caveats
Reference Number | Description
CSCsc22934 | ACL limitations for Layer 2 interfaces on IOS ISR devices
CSCsh68101 | Activity Report: Issues with access rules table change report
CSCsh94210 | Problems matching interface name when reusing AAA policy objects
CSCsi18871 | Inspect Map: PIX 7.1 gtp-map subcommand order is not preserved
CSCsk33350 | Discovery of PAM Mappings with Inspection Rules is incorrect
CSCsk46057 | Changes to csm.properties files lost during Security Manager upgrade
CSCsz53354 | MAC Exempt list cannot be ordered
CSCtb00116 | Wrong error message after sorting the Access control by ACL name
CSCtb03821 | Failover: Deployment fails with subinterface as failover Interface
CSCtb51491 | Delta generated for Object-groups
CSCtc44562 | DES: Unmanaged policy-map configs removed after discovery
CSCtc77998 | SNMP Policy: Port field is applicable to only the admin context.
CSCtd71241 | Unassign of translation rules should remove object nat rules also
CSCte08355 | Auto NAT: Ordering of Auto NAT rules is not correct.
CSCte44602 | Bottom align single row column headers if other headers are on 2 rows
CSCtf32208 | Deployment fails with ACE edit in ACL BB
CSCtf68128 | Proposed Performance optimization in NAT (translation and simplified)
CSCtf86613 | Generates the duplicate port-map commands with ZBF port-map config
CSCtg08943 | Deployment fails because of duplicate entries in the NAT address pool.
CSCtg21437 | Discovery fails if IOS config contains OGs with name larger than 64 char
CSCtg48075 | Simplified NAT: Additional validation required in Activity Validation
CSCtg60293 | <NAT Rule> select Edit Source, not displaying BB selector Dialog
CSCtg64802 | Edit BB throws Exception, After select OK button,If same name BB present
CSCtg73323 | Add Singleton network object (host/network) takes more time than groups
CSCtg77573 | Section feature supporting in NAT on ASA 8.3 and above
CSCtg80500 | Manual-NAT: need validation for "neq" operator in static NAT
CSCtg84393 | Fail to Removing un-reference object-groups leads to deployment fails
CSCtg89541 | Discovery of asr-group in ASA 8.3.1 on CSM is not displayed
CSCti08077 | System context Config file discovery fails with ASA 5580 platform
CSCtj77174 | Intf:failover Interface should not available to context allocation
CSCtk76853 | CSM: Interface ID should not be edited while having sub-interfaces.
CSCtl10613 | Int: ASA 5580/85 should support max 1034 int allocation to context
CSCtl20879 | ZBF: Need validation for un-supported ZBF protocols with ISR 15.1(1)T
CSCtl73632 | Discovery: CSM negating BG if BVI isn't configured
CSCto26357 | CSM: Deployment may fail due to internal error in plugin
CSCto61104 | NAT configuration import fails when object-groups reused in policy
CSCto61255 | Object groups not auto-expanded in NAT configuration with ASA 8.3+
CSCto67515 | ASA/ASASM Failover commands not negated
CSCto71138 | Not able to discover Bennu in Mixed mode
CSCto80002 | UID: Deployment fails when domain is used in ACL and is deleted
CSCto86202 | ASASM - No validation error thrown while exceeding max number of VLAN
CSCto90377 | ACL name on Global interface is appended with numeric and incrementing
CSCtq04794 | NAT: Deployment is failing for object NAT for Translate DNS rule
CSCtq04895 | Deployment fails when session hash table size is changed in inspection.
CSCtq12431 | Deployment throws error for Web filter rules.
CSCtq15020 | Inspection Rule: Unsupported protocols like gtp
CSCtq20157 | Delta is empty after unassigning Inspection settings.
CSCtq20876 | Generic Router: Deployment fails after unassigning web filter settings
CSCtq20997 | NAT:Subnet Can not be used as mapped Source in Dynamic NAT policy
CSCtq24069 | UID: repeated ACL delta with ACL match protocol inspection
CSCtq26390 | STD ACL BB name is getting incremented after each rediscovery
CSCtq36739 | NAT: Same Mapped address cannot be used to perform both NAT and PAT
CSCtq61010 | L4TM: Drop Rules with non-enabled interface deployment failure
CSCtq63721 | UID: order of AAA server negation/appending _1 on discovery should modiy
CSCtq68629 | Dynamic NAT: Network/Hosts Selection window is empty
CSCtq74805 | ACL BB: cli not generated for any + other objects in source
CSCtq82588 | Discovery fails for device with scan safe AAA in CSM 4.1
CSCtq82698 | NAT: Unable to Edit Static Object NAT
CSCtq83500 | Correct CLi is not generated for Inspection rules.
CSCtq85580 | Object NAT: Unable to create rule due to device locking issue
CSCtq85855 | LDAP AAA server BB does not validate IOS Secure Trustpoint configuration
CSCtq88821 | FWSM: No validation error thrown when user exceeds the VLAN intrf number
CSCtq94059 | Unreferenced Scansafe configurations not removed from device
CSCtq96883 | CSM should not create multiple Auth-proxy ACLs with same content
CSCtr00850 | CSM should read the OSPF configuration correctly
CSCtr11101 | UID: Support for ASDM 6.4.5 in CSM
CSCtr12016 | ETSGJ-CH:Japanese User not displayed in Identity UserGroup UI
CSCtr12155 | ETSGJ-CH:Japanese User Group shows Name as Square blocks in JOS Client
CSCtr17688 | NAT: No validation for FQDN in pre-broadview NAT
CSCtr23004 | Vlan Id field should not accept characters for FWSM
CSCtr25092 | ETSGJ-CH:Pop-up for wrong bind in Identity needs to be revisited
CSCtr25195 | ETSGJ-CH:Domain name with special characters are permitted
CSCtr25642 | CSM adding CSM_STD as prefix to acl used in SNMP during each discovery
CSCtr27870 | BTF: CSM accepts same domain name in whitelist and Blacklist
CSCtr28629 | Discover LDAP server grp - unreferenced ldap server gets discovered.
CSCtr30676 | Deployment fails when http accounting banner from file is configured
CSCtr37328 | Bennu SNMP: Ipsec traps not supported for bennu
CSCtr40562 | Backend ACL optimization not working if uid rules are there
CSCtr40784 | Deploy fails on ASA 8.0.2 with search timeout for LDAP
CSCtr48355 | UID: delta with CSM defined object-group on discovery
CSCtr63643 | CSM fails to deploy policy NAT with address overlap error
CSCtr71998 | ETSGJ-CH:Incremental pop-up for a wrong MAC in Bennu Failover
CSCtr77739 | Sub-interface should not be listed in the Priority Queue Window
CSCtr77747 | Validation error not thrown without Priority Queue configured
CSCtr90006 | Generic Router:Inspection policy message from device should be handled
CSCtr91603 | Disabling failover commands not delivered when deleting interface
CSCtr95638 | Deployment fails for cisco map para when negating from ldap attribut map
CSCts12854 | User Identity: User with spaces negating the rules after discovery
CSCts15802 | Scan Safe-Deployment fails when enabling Encryption IOS
CSCts25221 | Edit ACL in Identity Policy-CSM generates incorrect order of cli
CSCts64059 | Unable to Create Static PAT Rule in Security Manager 4.2
Table 10 Miscellaneous Caveats
Reference Number | Description
CSCsi08390 | IEV installation fails on systems without C: drive
CSCsm68564 | Disabled rules not shown as inactive in read-only policy page in MARS
CSCsz81607 | Last run entry not seen in Deployment Schedule on page refresh.
CSCta17924 | MCP: Tunnel packet counters not updated for P2P S2S VPN on VSPA.
CSCte37778 | Manual NAT: Incomplete display of menu bar
CSCtf79977 | Setting log level to SEVERE for Event management logs debug messages
CSCth07721 | CSM is not prompting for license again when invalid license is given
CSCth10625 | Pro- Time Bound license is behaving like pro- permanent license
CSCth15163 | MCP:Packet In and Out Counters not updated for a device in DMVPN topology
CSCti05398 | PCAP:User shud be allowd to selet diff set of match criteria for egress
CSCti14989 | PCAP:Summary of the capture invoked should be available at last page
CSCti37651 | Security Manager diagnostics generates an invalid compressed archive
CSCti48133 | PCAP:ASA versions support for ICMP code types uinder match
CSCti69981 | PCAP:Need to modify the buffer range supported for different Versions
CSCtj32678 | PCAP:Close all the packet capture wizard window without any service msg
CSCtj35011 | PCAP:Capture should not be run for systemcontext - multicontext mode
CSCtj56384 | PCAP:unable to fetch ACLs/interfcs for FWSM 2.3.5
CSCtl03769 | User cannot log in to two apps if one app is waiting for license upload
CSCtl24217 | Appropriate access privilege required on CSM Client folder
CSCtq15568 | Cisco Security Manager ip address display sorting issue
CSCtq28715 | CSM Login Failed while changing of Browser-Server Security Mode
CSCtq51633 | Audit Reports Page does not get refreshed
CSCtq99048 | MU:Report Manager terminate the session in workflow mode for same user
CSCtq99617 | CSM UI unresponsive for a long period in MU testing
CSCtr18414 | CSM viewing activity report generates 404 Not Found error
CSCtr26291 | CSM: If no DNS server config exists, pushing DNS policy to sensor fails
CSCtr56793 | Apache server may be vulnerable to published vulnerabilities
CSCtr61274 | PCAP:Without change the packet parameter value Next tab is not enabled
CSCtr75589 | CSM unable to download PCAP captures from multi context firewall
CSCts05909 | Unable to launch the Packet tracer
CSCts10324 | Modified configuration is missing in change report
Table 11 Policy Management Caveats
Reference Number | Description
CSCti07129 | KCD:Interface configuration is mandatory for configuring Kerberos server
CSCtq67296 | Proper error message should be shown while adding invalid ip
CSCts04696 | Port List "WEBPORTS" differs from IPS appliance's default value.
CSCts10232 | CSM: Some policy in Policy management cannot be changed.
Table 12 Report Manager Caveats
Reference Number | Description
CSCti04934 | Device list filter refresh problem in already opened report
CSCti39645 | Pie chart not shown correctly when data variation is large.
CSCti61948 | User reports charts not correct for high number of users.
CSCti87974 | Top value selection criteria in case of same event count
CSCtj33513 | Blank report is generated if report is scheduled at hour boundary
CSCtj40305 | Selection of IPS virtual sensor has problem in device selection tree
CSCtj63486 | All values are not marked on the target analysis report scatter chart
CSCtj63551 | Data should not be populated in the custom report if all value not avail
CSCtj79680 | Generating deleted report doesn't show correct error.
CSCtk67911 | ETSGJ-CH:Scheduled Reports not working in a Windows Enterprise Server
CSCtk76360 | Device Filter Does Not Show Selected Devices
CSCtk82943 | Custom report list not refreshed on report deletion.
CSCtl24554 | Setting log level to SEVERE logs debug messages in vmsreportsbe log
CSCtl42393 | Multiple custom report deletion from view menu doesnt work correctly.
CSCtl73197 | VPN Reports: XY/Bar Chart shows Different Values
CSCtl82197 | Service object override support in reports
CSCtl82531 | Changes to service objects are not updated in reports
CSCtn58094 | Report Improper When Print With Yes Option in Settings Changed Dialog
CSCto72678 | Ikev2 User Details Shown under SSL Technology
CSCtq48792 | Report generation fails for All Devices & is incorrect for filtered dev
CSCtq94844 | Custom Top Signatures Report Does Not show any Data After Applying Filte
CSCtr07307 | Not able to de-select signature id while modifying reports
CSCtr77986 | CSM Reporting stops polling the device
Table 13 VPN Device and Configuration Support Caveats
Reference Number | Description
CSCse94752 | Support for IOS version 12.2(33)SRA on 7600 devices
CSCsg70526 | EzVPN - default tunnel-groups are not handled by Security Manager
CSCsh14709 | Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client
CSCsh79282 | Cat6k-SPA GRE+Multicast - unsupported
CSCsl27928 | Validation error should be thrown if int ip & pool address are same
CSCso63006 | IPSEC VPN import failed when crypto ACL contains intf in source/dest
CSCsq66815 | Side-effects due to missing Protected Network's assignmnt usage info.
CSCsr23893 | Remote Access VPN - Activity validation reports error for http-form
CSCsy83931 | VPN policy discovery fails when tunnel source defined with IP address.
CSCsz33172 | Deployment fails in 7600 due to wrong order in CLI negation
CSCsz79453 | CS Mgr discovery fails when NAT IP address is configured with LPIT.
CSCta92510 | Regular ipsec discovery - Preshared key Aggressive mode not discovered
CSCtc18700 | CS Mgr 3.3 not showing modified DfltGrpPolicy in RA VPN
CSCtd58292 | SSL-Logs are not deployed and discovered properly in CSM for DAP
CSCtg24571 | CSM does not allow configuration of GETVPN on 800 router series
CSCth43310 | GRE H&S-Default route is not discovered for Informer device
CSCti77655 | Report for Un-sharing RA policy is not shown in Activity Rport
CSCtj61073 | IKEv1 PKI is discovered when discoverying VPN with IKEv2 config
CSCtj79406 | Options are missing in Device category of DAP Entry
CSCtk18164 | Activity change report RAVPN-Dynamic access tab not proper
CSCtk18274 | Unnecessary fields shown in Activity change report
CSCtl74570 | CSM/CSDM Client fails to open imported Cisco Secure Desktop config
CSCtl82579 | IKEv2 connection is down for default connection-type of CSM
CSCtn22006 | Discovery fails if Anyconnect image is present in disk1 of the device
CSCtq04222 | Missing Validation - OSPF/EIGRP protocols not supported in McLeran Device
CSCtq06818 | Group Encryp Policy-unassigned from policyview not restoring default val
CSCtq15214 | Preview config fails for High Availability on ISR device
CSCtq15281 | Config wizard-Auto-update client is not deployed properly
CSCtq17986 | RAVPN - Deploy fails on ISR if vrf enabled on interface with IP
CSCtq29194 | SSL VPN policies are not discovered into GUI for ISR device
CSCtq29212 | SSL-CSM is not generates proper URL when configuring bookmark
CSCtq29393 | Group member device goes unreachable if GETVPN is configured
CSCtq36736 | Some VPN features can fail after a restore to a different drive
CSCtq51116 | Need validation, double quote not supported in user message field of DAP
CSCtq53852 | DNS should be configured if Bookmark uses url
CSCtq56534 | RA-ASA-Unnecessary Warning When IPsec/IKE Not Configured on the device
CSCtq56815 | RA - SSLVPN - Access Policy - Two Errors When Interface does not match
CSCtq61776 | Deployment fails if no interface given for aaa-server in KCD server conf
CSCtq67354 | Preview fails,rule name(SSLVPN->othersett->content rewrite) having space
CSCtq84735 | CSM should generate explicit "exit" command after all subcommands
CSCtq86149 | Deployment fails:existing Virtual Template int with type serial - Ezvpn
CSCtq87518 | Do not show Default DAP policy, if RA-VPN is not selected at discovery
CSCtq94313 | Only able to configure one extranet vpn following the site-to-site
CSCtr03397 | Preview fails: On changing client firewall attribute in group policy
CSCtr06681 | Preview fails: if SSO name is given with spaces
CSCtr09093 | CSM Changes object names after discovery
CSCtr28222 | IPSec Proposal is not discovered, if DVTI/VRF is configured in ISR
CSCtr37691 | Validation required when IKEV1 and IPSec-Over-TCP config simultaneously
CSCtr40704 | Double Quotes generation in Client Access rule in Group Policy
CSCtr43198 | Deploy fails when cluster key is less than 4 characters - Validation req
CSCtr45896 | CSM needs way to recover from dVTI Remote Access VPN without source int
CSCtr52300 | CSM 4.1 - Unable to create Extranet VPN
CSCtr56268 | Validation error says anyconct not found in GP even after dis fullclient
CSCtr56468 | Import of SSLVPN with csd configured is failing in .dev file
CSCtr62226 | No Error Popup when FQDN is chosen under group in conn prof-Ok not work
CSCtr63510 | CSM: Edit VPN Policy Page takes 15-20 minutes to load
CSCtr64655 | VPN discovery fails:using tunnel_3des as Ikev1 TS in ASA-ISR combination
CSCtr75136 | HS-GRE:Preview fails in HUB, if spoke is conf with dialer backup setting
CSCts18265 | CSM 4.1 VPN topology for EzVPN throws authentication error while deployi
CSCts26028 | Deployment errors at CSM if changes at tunnels were made
CSCts30832 | Preview failed due to FQDN acl BB used in group policy.
Resolved Caveats—Release 4.2 Service Pack 1
The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 4.2 Service Pack 1.
Reference Number | Description
CSCtl01221 | VPN deployment - wrong CLI set transform-set Translation ERROR
CSCtl53112 | Detect/notify if server patch is not matching with client patch after CP
CSCtq37145 | Deployment report generation failing
CSCtq82517 | CSM can not understand track 1 command
CSCtq84735 | CSM should generate explicit "exit" command after all subcommands
CSCtr24667 | After editing IPS sig to default from local, the delta is empty
CSCtr39761 | Investigate downloadable 'Device Support' mapping for IPS sensor images
CSCtr63510 | CSM: Edit VPN Policy Page takes 15-20 minutes to load
CSCtr77986 | CSM Reporting stops polling the device
CSCts26028 | Deployment errors at CSM if changes at tunnels were made
CSCts33056 | Security Issue in Apache
CSCts64059 | Unable to Create Static PAT Rule on Galapagos FCS
CSCts68196 | CSM: overlapping static NAT lines may result in deployment failure
CSCts69080 | IOS 15.2(1)T is getting discovered as 12.3(14)T
CSCts90728 | CSM 4.2: Multiple context ASA discovery may fail.
CSCtt11056 | PIX interface names missing from preview config after CSM 4.x.x upgrade
CSCtt17760 | CSM 4.2 policy static pat failing activity validation
CSCtt25934 | CSM removes ip local pool from the connection profiles
CSCtt42016 | CSM 4.2 AnyConnect profile CLI Not Reconized by the config Parser
CSCtt99845 | CSM: Preview Configuration error "Failed to generate delta config"
CSCtu01132 | CSM 4.2 fails to parse ASA static NAT config with any any as source
CSCtu03796 | CSM allows to configure duplicate nat rules for ASA running 8.3/later
CSCtu04287 | CSM 4.2 doens't populate properly AAA Method
CSCtu06530 | CSM: Longer time validating all tunnels if 1 got newly added/modified
CSCtu09777 | Mars 6.0.6 ( 3368 ) and CSM 4.2
CSCtu09867 | CSD package 3.5.2003 with CSM 4.2
CSCtu13096 | CSM mid deployment crash with no warning due daemon restart
CSCtu32955 | CSM 4.1 not able to validate ASA-multiple context with same interface IP
CSCtw57799 | Unable to manage ASR1K that uses match protocol command set
CSCtw60431 | VPN user with '@' symbol not parsed from syslog.
CSCtw72458 | Upgraded IPS always downloading FlexLM license in CSM
CSCtw80494 | CSM causes FWSM traffic outage when adding new vlan to vlan-group
CSCtw84292 | Event Viewer stops displaying events due to hung thread
CSCtx01237 | CSM device reports stopped running
CSCtx03788 | Create Object-Groups for Multiple Source Option Not Working in CSM 4.2
CSCtx05356 | Vpn Performance Improvements
CSCtx20826 | DfltGrpPolicy: Delta seen in preview every time
CSCtx38576 | CSM 4.2 Activity validation cause incorrect duplicate vpn topology error
CSCtx71173 | Using Custom Roles in ACS is blocking the import functionality in CSM
CSCtx97080 | Patch images for IPS 7.1.x not shown in apply ips update wizard
Resolved Caveats—Release 4.2
The following customer-found or previously release-noted caveats have been resolved in this release.
Reference Number
|
Description
|
CSCsk49274
|
Deployment Manager refresh causes selected job focus to be lost
|
CSCsy30953
|
CSM 3.2.2 does not release feature locks on a discarded activity
|
CSCsy51377
|
Package download fails with error msg Download not enough space on disk
|
CSCta69399
|
CSM incorrectly handles '\t' when parsing configuration in the database.
|
CSCtb31451
|
In 3.2.2, database corruption in device_dirty_status table
|
CSCtc57010
|
No validation for incorrect speed/duplex setting for 10G Interface
|
CSCtd49734
|
Network/Service BB objects should retain the order
|
CSCtd71798
|
CSM: ASA VPN creation/discovery failure if interface ip is not static
|
CSCtf08622
|
CSM will not recognize new AAA syntax from IOS 12.4(22)T
|
CSCtf51909
|
CSM does not deploy crypto related configuration to AUS
|
CSCtf88750
|
CS admin "logged in users" page shows only one logged in user account
|
CSCtg23806
|
CSM discovery fail when Signature ID 50000 or later is modified
|
CSCtg45140
|
Custom Filter shows Empty Categories for Syslog and Signature
|
CSCtg60036
|
CSM: EDS & dependent processes not coming up in HA/DR failover scenario
|
CSCth80101
|
Check for update in IPS should be sorted according to pkg category
|
CSCti05733
|
PCAP:Source,Dest Host/Network fields should also accept "any"
|
CSCti08012
|
Chart generation when all count values are zero
|
CSCti36267
|
CSM: Remote Access VPN 'send FQDN to client' checkbox doesn't function
|
CSCti55212
|
Unable to remove password management from tunnel group
|
CSCti66531
|
Edit device overrides dialog takes unduly long to load if many overrides
|
CSCtj07811
|
Deployment fails when regenerate RSA keys on SSH policy
|
CSCtj22159
|
PIX6.3/PIX7.0/ASA device can not initiate aggressive mode key exchange
|
CSCtj22180
|
CSM does not generate cli when aggressive mode is selected
|
CSCtj25820
|
CSM: IPS signature registration fails with out of memory errors
|
CSCtj28416
|
CSM: "Login URL access is forbidden" "403 - Forbidden Error"
|
CSCtj38707
|
Email notification should be meaningful if device has no service contrac
|
CSCtj66554
|
ETSGJ-CH: CSM: 4.1, Device Manager not getting Launched
|
CSCtk34217
|
Time discrepancy in deployment schedule
|
CSCtk66798
|
CSM removes existing NAT0 ACL and creates new one per interface
|
CSCtk70077
|
CSM thread hangs when firewall device non-responsive
|
CSCtk99876
|
Getting a Invalid URL error when entering the RDP2 bookmark
|
CSCtl07614
|
CSM: null values for peer_device_id column in vpn_gre_hack_ip_allocation
|
CSCtl12391
|
VPN reports:Device Certificate validation not being done while polling
|
CSCtl13001
|
ISC:Can allocate more than 32 data interfaces to transparent ASA context
|
CSCtl31226
|
CSM is not able to properly deploy long commands due to end device limit
|
CSCtl41907
|
MCP (Perf. Monitor) 4.1: Discovery fails for ISR router with IOS 15.1
|
CSCtl42709
|
CSM: input fields for url bookmark show garbage characters
|
CSCtl46657
|
ASA version 7.2.5 not listed in Device Addition Wizard
|
CSCtl50326
|
Aggressive mode should be enabled if customer use pre-shared key for cli
|
CSCtl69335
|
Workflow mode: editing combobox values in policy view
|
CSCtl69696
|
Policy PAT wizard should validate service instead of throwing error when
|
CSCtl73442
|
Clearing of service filter doesn't update Gui correctly.
|
CSCtl85703
|
CSV export doesn't show all reporting ASA device as one entry in botnet.
|
CSCtl93135
|
Object panel is not displayed correctly
|
CSCtl93834
|
Scheduled backup not removed on uninstallation of CSM
|
CSCtl94142
|
Change report shows passwords in clear text
|
CSCtl98948
|
Etherchannel: Portchannel with Sub i/f's should not be editablefw
|
CSCtn08829
|
CSM: Adding IOS IPS device failing from MARs Seed file.
|
CSCtn22578
|
Null Pointer Exception when deploying a new update for IPS signature.
|
CSCtn50273
|
CSM 4.0.1 Deployment fails with internal error exception
|
CSCtn59534
|
CSM: IOS IPS "basic" signature category deploys "default" signature set
|
CSCtn86414
|
CSM: Require a way to disable navigation pane on the webvpn portal
|
CSCtn89448
|
Manual Sensor Update is not possible for Spyker device
|
CSCtn89741
|
3.3.1 installer changes attributes to read-only
|
CSCtn99442
|
CSM files vms.info and csm.info are not updated when software is updated
|
CSCto24584
|
NAT Rule:Activity Validation error for Network BB containing 0.0.0.0/0
|
CSCto43677
|
Nullpointerexception in RAVPNServicePlugin prevents VPN deployments
|
CSCto45885
|
Group-Alias command does not support spaces
CSCto64543 | Subnet mask is not imported in ASA 8.4 TFW
CSCto65761 | CSM 4.1 does not accept sub domain email address.
CSCto67692 | CSM wrong deployment of AAA auth-proxy accounting commands
CSCto69957 | Activity report for a newly discovered VPN hub device taking ~24 hours
CSCto80408 | CSM: IPS Updates "User ID not authorized to download encrypted software"
CSCto89808 | CSM 4.1: Unable to query policies using port names or numbers
CSCto97908 | CSM incorrectly marks services like 'tcp/6014' as invalid format
CSCtq05198 | CSM Deployment changes ASA Remote Access Preshared Key to masked value
CSCtq09888 | Unable to Deploy/Preview When Priority Queuing Applied to Subinterface
CSCtq10018 | CSM deployment error with ips signature modification and flexconfig
CSCtq15566 | Site-to-site vpn filter is not refreshing properly with bad look and feel
CSCtq32486 | CSM negating On-demand-routing (ODR) while pushing config
CSCtq34874 | CSM 4.1 deletes dap.xml and data.xml files if RA VPN policy not discover
CSCtq36736 | Some VPN features can fail after a restore to a different drive
CSCtq45738 | CSM - Sybase SQL Anywhere listening on UDP broadcast
CSCtq52989 | CSM 4.1: Login credentials not updated
CSCtq54521 | CSM 4.0.1 Failed to get factory defaults ASA 8.2.2.4 with AUS Deployment
CSCtq54997 | CSM validate a QoS policy incorrectly "Qos Preclassify is not supported"
CSCtq63992 | CSM - Arbitrary command execution vulnerability
CSCtq66536 | CSM 4.1: Upgraded DB, does not expand QOS policies on a device
CSCtq75813 | ACS Authorization Failure Message - CSM RBAC Setup
CSCtq75963 | CSM - ACS RBAC Integration: CWHP RBAC ACS Error
CSCtq97900 | Exporting shared access-policy causes errors in policy
CSCtr07302 | CSM - License file installation fails with special character in path
CSCtr17370 | CSM 3.3.1 negates the current command on FWSM
CSCtr23677 | CSM does not show L2L VPN with CAT6K Endpoint
CSCtr32994 | Device export failing when db restored from another server
CSCtr59324 | CSM 4.1 Deployment errors due to the order of VPN IP pools
CSCtr70041 | CSM should not try to remove class-default on ASR1K
CSCtr84356 | MCP Perfmon gathers incorrect memory usage information from ASDM handler
CSCtr87647 | Crypto ca certificate map pushes multiple time the same commands
CSCtr89120 | DOC: CSM 4.1 Configuring DAP policies for PIX is not supported.
Resolved Caveats—Releases Prior to 4.2
For the list of caveats resolved in releases prior to this one, see the following documents:
• http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Where to Go Next
If you want to: | Do this:
Install Security Manager server or client software. | See Installation Guide for Cisco Security Manager 4.2.
Understand the basics. | See the interactive JumpStart guide that opens automatically when you start Security Manager.
Get up and running with the product quickly. | See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.2.
Complete the product configuration. | See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.2.
Manage user authentication and authorization. | See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.2.
• Setting Up User Permissions
• Integrating Security Manager with Cisco Secure ACS
Bootstrap your devices. | See "Preparing Devices for Management" in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.2.
Install entitlement applications. | Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.2.
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
• Guide to User Documentation for Cisco Security Manager
http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html
Lists the document set that supports the Security Manager release and summarizes the contents of each document.
• For general product information, see:
http://www.cisco.com/go/csmanager
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
© 2011-2012 Cisco Systems, Inc. All rights reserved.