Table Of Contents
Release Notes for Cisco Security Manager 4.3
Introduction
Supported Component Versions and Related Software
What's New
Installation Notes
Service Pack 2 Download and Installation Instructions
Important Notes
Open Caveats
Resolved Caveats
Resolved Caveats—Release 4.3 Service Pack 2
Resolved Caveats—Release 4.3 Service Pack 1
Resolved Caveats—Release 4.3
Resolved Caveats—Releases Prior to 4.3
Where to Go Next
Product Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Security Manager 4.3
First Published: June 14, 2012
Last Revised: March 7, 2013
These release notes are for use with Cisco Security Manager 4.3.
Security Manager 4.3 is now available. Registered SMARTnet users can obtain release 4.3 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software under Support.
This chapter contains the following topics:
•
Introduction
•Supported Component Versions and Related Software
•What's New
•Installation Notes
•Service Pack 2 Download and Installation Instructions
•Important Notes
•Open Caveats
•Resolved Caveats
•Where to Go Next
•Product Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
•Cisco Security Manager 4.3—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
•Auto Update Server 4.3—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
Note Before using Cisco Security Manager 4.3, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.3 before installing or upgrading to Cisco Security Manager 4.3.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.3.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Application
|
Support Releases
|
Component Applications
|
Cisco Security Manager
|
4.3
|
Auto Update Server
|
4.3
|
CiscoWorks Common Services
|
4.0
|
Related Applications
|
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
|
6.0.7, 6.1.1
|
Cisco Secure Access Control Server (ACS) for Windows
Notes
•Cisco Secure ACS Solution Engine 4.1(4) is also supported.
•You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
|
4.1(3, 4), 4.2(0)
|
Cisco Configuration Engine
|
3.5, 3.5(1)
|
Beginning with Version 4.3, Cisco Security Manager no longer includes the companion application Performance Monitor or the companion application CiscoWorks Resource Manager Essentials (RME).
What's New
Cisco Security Manager 4.3 Service Pack 2
Security Manager 4.3 Service Pack 2 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.3 Service Pack 2.
Cisco Security Manager 4.3 Service Pack 1
Security Manager 4.3 Service Pack 1 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.3 Service Pack 1.
This service pack also provides support for the following:
•Internet Explorer 9.0, but only in Compatibility View
Tip To use Compatibility View, open Internet Explorer 9, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."
•Firefox 13.0.x, 14.0.x , 15.0.x
•ASR release 3.5, 3.6, 3.7
•The following IPS platforms:
–IPS 4240
–IPS 4255
–IPS 4260
–IPS 4270-20
–IPS 4345
–IPS 4345-DC
–IPS 4360
–IPS 4510
–IPS 4520
–ASA 5500 AIP SSM-10
–ASA 5500 AIP SSM-20
–ASA 5500 AIP SSM-40
–ASA 5512-X IPS SSP
–ASA 5515-X IPS SSP
–ASA 5525-X IPS SSP
–ASA 5545-X IPS SSP
–ASA 5555-X IPS SSP
–ASA 5585-X IPS SSP-10
–ASA 5585-X IPS SSP-20
–ASA 5585-X IPS SSP-40
–ASA 5585-X IPS SSP-60
Before you can manage IPS 7.1(6)E4 on the following platforms in Security Manager (IPS 4240, IPS 4255, IPS 4260, ASA 5500 AIP SSM-10, ASA 5500 AIP SSM-20, ASA 5500 AIP SSM-40), you must upgrade Security Manager 4.3 to Service Pack 1.
Please refer to the IPS 7.1(6)E4 release notes for more details (http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html).
Cisco Security Manager 4.3
In addition to resolved caveats, this release includes the following new features and enhancements:
•A new Security Manager client application, Health and Performance Monitor (HPM), which lets you monitor key health and performance data for ASA devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information.
•A new Security Manager client application, Image Manager, which simplifies the distribution and management of images on internal and edge firewall devices in your network. It enables you to:
–Reliably upgrade devices, with sufficient fallback and recovery mechanisms built in to ensure minimal network downtime
–Download and maintain a repository of different types and versions of images
–Evaluate images
–Analyze impact of upgrading images to the devices in the network
–Prepare for and plan an upgrade
•A new North Bound Application Programming Interface (NB API), which is designed to be used by third party API client Programs that may wish to read network security configuration information directly from the Security Manager application. The NB API is broken into services that enable access to both global as well as device specific network configuration policies for all Cisco devices managed by Cisco Security Manager. For more information, see the Cisco Security Manager 4.3 API Specification (Version 1.0) at the following URL: http://www.cisco.com/en/US/products/ps6498/products_programming_reference_guides_list.html.
•You can now implement local RBAC using Common Services 4.0. Common Services 4.0 provides device-level RBAC, defining custom roles for users, and customizing existing roles for users. For more information, see Installation Guide for Cisco Security Manager.
•New Policy Bundle feature that allows you to manage a collection of shared policies as a group. You can quickly create a policy bundle using any of the shared policies available in Security Manager. You can also create a new bundle using the shared policies that are currently assigned to a specific device. Changes to any of the shared policies that are part of a bundle are automatically propagated to any devices that have that policy bundle assigned.
•New Ticket Management feature that allows you to associate a ticket ID with policy changes, easily add and update comments pertaining to those changes, and quickly navigate to an external change management system from Security Manager. Change reports can be generated for specific tickets.
•New Automatic Conflict Detection feature reports conflicts in your access rules table automatically. Operations like adding, editing, or deleting rules will continually present a report of conflicts on which you can act to correct or simplify the rules table. The conflict report is part of the rules table, so you can view the report at the same time while operating on it. Annotations on the rules indicate conflicts and different icons are used to indicate different types of conflicts.
•New Global Search feature that allows you to search for devices, policy objects, policies, and tickets that contain a particular search string. The scope of the search can be limited to just devices, policy objects, policies, or tickets. The search feature supports semantic searching for IP addresses. The search results window makes it easy to navigate to or act on the items returned in a search.
•Find Usage feature has been greatly enhanced to make finding the policies that use a particular object and to enable working with those policies much easier.
•You can now navigate to specific items in selection trees by typing in the name of the item to which you want to navigate. Security Manager will take you to the first item in the tree that matches the text you enter.
•Items in the Security Manager interface can now be selected which allows you to cut-and-paste text from various items for use in other objects, rules, devices, or for searching. You can copy rows from a table in Security Manager and paste into another application in CSV format.
•Semantic filtering based on IP/Network addresses is now supported for Network/Hosts policy objects and firewall rules tables.
•Policy Object Manager includes the following enhancements:
–Ability to dock/un-dock the Policy Object Manager to the Configuration Manager window.
–Ability to drag-and-drop policy objects onto policies.
–Favorites, Recent Objects, and All Object Types groupings to make finding and working with policy objects easier.
–Policy Object Manager table now shows additional information for policy objects: Number of Overrides, Last Modified Date, Last Ticket, and Referenced Information.
•The Hit Count feature has been enhanced to include the Last Hit time for IPv4 access rules on ASA 8.3(1) and later.
•Security Manager can now be configured to deploy FlexConfigs only one time after creation or modification of a FlexConfig, or to deploy FlexConfigs with each deployment. By default, Security Manager deploys FlexConfigs one time.
•You can now export shared policies that have been modified since a specified date. You can also select the specific shared policies that you want to export.
•Support for Identity criteria in following tools: Combine Rules, Hit Count, Import Rules, and ACL optimization.
•Support for IPv6 Extension Header on ASA 8.4(2) and later.
•Support for IPv6 static routes.
•Support for ICMP code in IPv4 and IPv6 access rules, service objects, and object groups.
•Support for the following additional PAT Pool options:
–Flat Port Range—Enables use of the entire 1024 to 65535 port range (or 0-65535 if the include-reserve option is configured) when allocating ports.
–Extended PAT Table—Enable extended PAT, which uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
•Support for the Cisco ASA-5500 Series Adaptive Security Appliance (support for ASA version 8.6.1)
•Support for the Cisco IPS 4300 Series Sensors [IPS Version 7.1(3) onwards]
•Support for the Cisco ASA 5500 Series IPS Security Services Processor [IPS Version 7.1(3) onwards]
•Enhancements to IPS updates
•IPv6 support for IPS
•Support for IPS 7.1(3)
•IPS package bundling for simpler downloading
Installation Notes
•The "Licensing" chapter in the installation guide enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation. It is available at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.3/installation/guide/licensing.html.
•Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with your being able to do the following:
–Logging in to the web server
–Logging in to the client
–Performing successful backups of all databases
•You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
•Before you can successfully upgrade to Security Manager 4.3 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
•We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
•Be aware of the following important points before you upgrade:
–Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
Service Pack 2 Download and Installation Instructions
To download and install service pack 2, follow these steps:
Note You must install the Cisco Security Manager 4.3 FCS build on your server before you can apply this service pack.
Caution Before installing this service pack, please back up the following file:
MDC\athena\config\DCS.properties
If you have previously modified the DCS.properties file, you will need to reconfigure it after installing the service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software under the Support heading on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 4.3 folder under All Releases, and then click 4.3sp2.
Step 4 Download the file fcs-csm-430-sp2-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-430-sp2-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 4.3 Service Pack 2 dialog box, click Next and then click Install in the next screen.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to "Download Service Pack".
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Important Notes
The following notes apply to the Security Manager 4.3 release:
•You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
•On any ASA managed by Security Manager, upgrading the software from a version earlier than 8.3 to version 8.3 and later will necessitate deleting the device from the Security Manager inventory, then rediscovering the device and performing some one-time manual clean-up of certain policy objects, NAT rules, and ACL entries.
Security Manager does not check for content equivalence between objects and object-groups, so it is possible duplicate policy objects will be created—you must manually correct this situation. In addition, device upgrade and subsequent deletion and rediscovery can result in significant changes to NAT rules, and may also change IP addresses in Access Control Lists. Be sure to closely examine the NAT rules and ACLs on the device, and manually update them as necessary.
•ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
•The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
•If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
•Device and Credential Repository (DCR) functionality within Common Services is not supported in Security Manager 4.3.
•A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
•Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
•Do not run SQL queries against the database.
•If an online help page displays blank in your browser view, refresh the browser.
•Cisco Secure ACS 5.0 is supported in only non-ACS TACACS+ mode by Security Manager 4.3.
•If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
•The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
Open Caveats
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
The following caveats affect this release and are part of Security Manager 4.3:
•ASA, PIX, and FWSM Firewall Devices Caveats
•Cisco IOS Router Devices Caveats
•Cisco IPS and IOS IPS Devices Caveats
•Client and Server Install Caveats
•Device Management, Discovery, and Deployment Caveats
•Event Viewer Caveats
•Firewall Services Caveats
•FlexConfig Caveats
•Health and Performance Monitor Caveats
•Image Manager Caveats
•Miscellaneous Caveats
•Report Manager Caveats
•VPN Device and Configuration Support Caveats
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 1-2 ASA, PIX, and FWSM Firewall Devices Caveats
Reference Number
|
Description
|
CSCtd60804
|
CSM managing A/A FWSM will not use configured management ip of context
|
Table 1-3 Cisco IOS Router Devices Caveats
Reference Number
|
Description
|
CSCth95357
|
XE: Deploy Fails when Memory Critical Notifications are Changed
|
CSCti15944
|
CLI: "dot1x pae authenticator" generated after deployment of 802.1x
|
CSCtq12795
|
Generic Router: AAA rules getting negated.
|
CSCtz51039
|
Security Manager CSM 4.2 removes logging config when policy not managed.
|
CSCtz83960
|
Discovery of 7600 with MFR intfc fails with java.lang.NullPointerExcept.
|
CSCtz91926
|
Discovery error on ASR with ATM sub-interfaces
|
CSCua07289
|
CSM re-configure the auto summary for EIGRP
|
CSCuc18988
|
Max. no. of attempts field greyed out in AAA for ASR device.
|
Table 1-4 Cisco IPS and IOS IPS Devices Caveats
Reference Number
|
Description
|
CSCtk36259
|
MU-IPS Licensing page taking too long for Refresh / CCO Update operation
|
CSCts81689
|
Auto update is not happen when major upd is done on the device inbetween
|
CSCtz39799
|
IPS AAA Policy dialog throws a error message after patch upgrade
|
CSCtz39869
|
Inventory/policy alone discovery for ips with VS generates negate comman
|
CSCua35862
|
IPS 7.1.5 version support for 32 bit legacy IPS platforms
|
Table 1-5 Client and Server Install Caveats
Reference Number
|
Description
|
CSCtg58541
|
CSM coexistence problem with Symantec Event Manager startup sequence
|
CSCtq99125
|
Installation: Evaluation and Licensing options get enabled simultaneous
|
CSCtr71792
|
ETSGJ-CH:CSM Launch Icons Missing on XP JOS Client
|
CSCtr72248
|
ETSGJ-CH:Not able to proceed with install if going back to previous page
|
CSCts04588
|
System Requirements fails, showing negative value in available space
|
CSCtw92122
|
Installer shows error when install path is not in C:
|
CSCty59588
|
HA: While assigning permissions for casusers on secnode, perm errors
|
CSCub17120
|
Auto update fails due to lack of 2048-bit root certificates
|
Table 1-6 Device Management, Discovery, and Deployment Caveats
Reference Number
|
Description
|
CSCtr14734
|
Device and policy import fails with dev file
|
CSCtu27077
|
CS works: Added devices are not shown in "device and credentials" page.
|
CSCty03766
|
CSM 3.3.1 autodeploy started despite it was suspended
|
CSCtz10703
|
CSM config Rollback with FWSM may result in network outage
|
CSCtz47322
|
CSM 4.2 -ASA Group Policies with standard ACLs not discovered correctly
|
CSCua25601
|
CSM AUS - JAVA error if using Update Now Button
|
CSCua38184
|
Deployment hung after management interface is shut
|
CSCua57973
|
CSM Policy 'submit & deploy' may fail when not applied to all devices
|
CSCua86550
|
CSM tries accessing device without using configured username
|
Table 1-7 Event Viewer Caveats
Reference Number
|
Description
|
CSCtg54222
|
Eventing Restore: Restore failing or partially succeeding in some cases
|
CSCtg57676
|
Internal error thrown when portlist is used in service object filter.
|
CSCtg57745
|
Filtering does not work when only protocol name is used in service obj.
|
CSCtg57839
|
Results not correct when network obj with non-contiguous mask is used.
|
CSCtl73195
|
BB names having underscore in name can't be shown in the event viewer
|
CSCty47776
|
CSM Event viewer not able to recover corrupted index file
|
CSCua21128
|
Null pointer exception while filtering IPS events based on Event Type Id
|
CSCua31440
|
CSM Event viewer does not show User & Group Name if it contains "#"
|
Table 1-8 Firewall Services Caveats
Reference Number
|
Description
|
CSCtf32208
|
Deployment fails with ACE edit in ACL BB
|
CSCtg80500
|
Manual-NAT: need validation for "neq" operator in static NAT
|
CSCti08077
|
system context Config file discovery fails with ASA 5580 platfo
|
CSCtl10613
|
Int: ASA 5580/85 should support max 1034 int allocation to context
|
CSCto67515
|
ASA/ASASM Failover commands not negated
|
CSCto80002
|
UID: Deployment fails when domain is used in ACL and is deleted
|
CSCtq04794
|
NAT: Deployment is failing for object NAT for Translate DNS rule
|
CSCtq20157
|
Delta is empty after unassigning Inspection settings.
|
CSCtq20876
|
Generic Router: Deployment fails after unassigning web filter settings
|
CSCtq20997
|
NAT:Subnet Can not be used as mapped Source in Dynamic NAT policy
|
CSCtq24069
|
UID: repeated ACL delta with ACL match protocol inspection
|
CSCtq36739
|
NAT: Same Mapped address cannot be used to perform both NAT and PAT
|
CSCtq63721
|
UID: order of AAA server negation/appending _1 on discovery should modify
|
CSCtq68629
|
Dynamic NAT: Network/Hosts Selection window is empty
|
CSCtq82588
|
Discovery fails for device with scan safe AAA in CSM 4.1
|
CSCtq82698
|
NAT: Unable to Edit Static Object NAT
|
CSCtq83500
|
Correct CLI is not generated for Inspection rules.
|
CSCtq85580
|
Object NAT: Unable to create rule due to device locking issue
|
CSCtr00850
|
CSM should read the OSPF configuration correctly
|
CSCtr12016
|
ETSGJ-CH:Japanese User not displayed in Identity UserGroup UI
|
CSCtr12155
|
ETSGJ-CH:Japanese User Group shows Name as Square blocks in JOS Client
|
CSCtr17688
|
NAT: No validation for FQDN in pre ASA 8.3 NAT
|
CSCtr25092
|
ETSGJ-CH:Pop-up for wrong bind in Identity needs to be revisited
|
CSCtr25195
|
ETSGJ-CH:Domain name with special characters are permitted
|
CSCtr30676
|
Deployment fails when http accounting banner from file is configured
|
CSCtr71998
|
ETSGJ-CH:Incremental pop-up for a wrong MAC in Cat6k ASA-SM Failover
|
CSCtr90006
|
Generic Router:Inspection policy message from device should be handled
|
CSCts15802
|
Scan Safe-Deployment fails when enabling Encryption IOS
|
CSCts25221
|
Edit ACL in Identity Policy-CSM generates incorrect order of cli
|
CSCtw48451
|
Override BB are not mapping with BBs used in import rules
|
CSCtx12163
|
IOS devices no longer supporting non contiguous subnet mask
|
CSCtx47521
|
Extended pat table option should be disabled
|
CSCtx51882
|
ACD: Navigation from conflict details fails to rule in rule section
|
CSCty77037
|
Remove unreferenced Object-Group option can cause deployment error
|
CSCty81780
|
IPv6 route gets negated after remote upgrade
|
CSCtz25896
|
Network Object: Duplicate Object (object-group) Creation in CSM
|
CSCtz31123
|
CSM changes access-list names of ZBF feature
|
CSCtz61379
|
CSM 4.2 SP1 bad response time for viewing NAT table
|
CSCtz70420
|
Unable to configure flow-export service policy via CSM GUI
|
CSCtz78135
|
ASR: ZBF Disabled & Enabled Rule found similar in GUI
|
CSCtz92786
|
RBAC: Privileges for NAT policies on ASA 8.3 not working
|
CSCua05710
|
Deploy & Preview fails with internal error exception in VpnIPSecBuilder
|
CSCua19013
|
CSM 4.2 SP1 Removes BVI Interface From ASA When OOB Changes Detected
|
CSCua48896
|
CSM 4.2 inconsistency in displaying static in Network Object NAT rules
|
CSCua73760
|
CSM: ZBF zones with object overrides may fail validation
|
CSCua93528
|
Hit Count is not showing for TCP/UDP services
|
CSCub18695
|
Security Manager CSM 4.3 does not show \"no proxy-arp\" option on ASASM
|
Table 1-9 FlexConfig Caveats
Reference Number
|
Description
|
CSCtz91443
|
Modify Flex Config results-com-cisco-nm-vms-template-TemplateActyHandler
|
Table 1-10 Health and Performance Monitor Caveats
Reference Number
|
Description
|
CSCtt95667
|
FW: Certificates should be displayed as part of Non VPN Views
|
CSCtx48130
|
VPN: SitetoSite VPN tunnel details not proper with dynamic cryptomap 8.4
|
CSCtz75708
|
HPM:Not able to enable VPN monitoring for devices added in wizard
|
CSCtz88089
|
VPN: Summary Panel Includes Count even when RA / S2S is not Enabled
|
Table 1-11 Image Manager Caveats
Reference Number
|
Description
|
CSCtw86862
|
Device inventory details are not shown in Image management after upgrade
|
CSCtx73090
|
IMGMT: HTTP413 error for image copy even if there's ample space on flash
|
CSCtz71944
|
IM not able to handle upgrade from ASA 7.x to 8.x in failover setup
|
Table 1-12 Miscellaneous Caveats
Reference Number
|
Description
|
CSCtq45738
|
CSM - Sybase SQL Anywhere listening on UDP broadcast
|
CSCtq99617
|
CSM UI unresponsive for a long period in MU testing
|
CSCtr61274
|
PCAP:Without change the packet parameter value Next tab is not enabled
|
CSCtt97627
|
Flexconfigs modified/deleted not removed from preview and got deployed
|
CSCtz86049
|
No error/Warning if spaces present in IP address in POM
|
Table 1-13 Report Manager Caveats
Reference Number
|
Description
|
CSCtz86266
|
Security Manager Event Viewer does not purge files in \MDC\reports\temp
|
CSCtz94281
|
Schedule Report Does Not Run if UnMonitored in Eventing
|
CSCua04310
|
Report manager is hitting Out of Memory for every 15/20 days period
|
Table 1-14 VPN Device and Configuration Support Caveats
Reference Number
|
Description
|
CSCth43310
|
GRE H&S-Default route is not discovered for Informer device
|
CSCtl82579
|
IKEv2 connection is down for default connection-type of CSM
|
CSCtq06818
|
Group Encryp Policy-unassigned from policy view not restoring default val
|
CSCtq15281
|
Config wizard-Auto-update client is not deployed properly
|
CSCtq29212
|
SSL-CSM is not generates proper URL when configuring bookmark
|
CSCtq67354
|
preview fails,rule name(SSLVPN->othersett->content rewrite) having space
|
CSCtq86149
|
deployment fails:existing Virtual Template int with type serial - Ezvpn
|
CSCtr06681
|
preview fails: if SSO name is given with spaces
|
CSCtr28222
|
IPSec Proposal is not discovered, if DVTI/VRF is configured in ISR
|
CSCtr40704
|
Double Quotes generation in Client Access rule in Group Policy
|
CSCtr64655
|
VPN discovery fails:using tunnel_3des as Ikev1 TS in ASA-ISR combination
|
CSCts30832
|
Preview failed due to FQDN acl BB used in group policy.
|
CSCtz36471
|
CSM: importing IOS VPN devices makes changes to the crypto acl
|
CSCtz47183
|
IPS 43xx: Standalone Transparent Mode Device Deployment Fails
|
CSCua07115
|
CSM 4.2: Pushes'no svc ask none' in DfltAccessPolicy during deployment
|
CSCua45351
|
CSM: UI slowness when loading IKE and IPSEC policies
|
CSCub03972
|
CSM Web URL Filtering for ACL doesn't support /?RedirectPrinters=true
|
CSCub44499
|
CSM 4.3: Does not understand DAP attributes
|
Resolved Caveats
This section describes the resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
•Resolved Caveats—Release 4.3 Service Pack 2
•Resolved Caveats—Release 4.3 Service Pack 1
•Resolved Caveats—Release 4.3
•Resolved Caveats—Releases Prior to 4.3
Resolved Caveats—Release 4.3 Service Pack 2
The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.3 Service Pack 2.
Reference Number
|
Description
|
CSCtn22006
|
Discovery fails if Anyconnect image is present in disk1 of the device
|
CSCty24613
|
Cannot assign NAT shared policy if no-proxy-arp is configured
|
CSCtz80073
|
CSM GUI column missing in Access Rules when copied to Excel/Wordpad
|
CSCua04310
|
Report manager is hitting Out of Memory for every 15/20 days period
|
CSCua31272
|
ACD: Slow with large number of objects
|
CSCua45351
|
CSM: UI slownes when loading IKE and IPSEC policies
|
CSCub00807
|
Rediscovery of ASA Multi mode device deleting devices from GUI session
|
CSCub37992
|
CSM 4.3 Failed to generate delta config for pix 6.3(5)
|
CSCub54051
|
CSM: L2L VPN discovery changes the crypto ACL
|
CSCub74884
|
CSM 4.3 deploys standard access-list with sequence number
|
CSCub75305
|
Enhancement for CSM to support per-user-override for ethertype ACL
|
CSCub94587
|
Policy Object CSV export of Service objects fails with error
|
CSCub99533
|
CSM should not accept single quote while creating activity
|
CSCuc20035
|
CSMgrDeviceExport.pl script fails with error -no data to be displayed
|
CSCuc68581
|
Add Device Fails - CSM 4.3/CS 4 using RBAC requires Daemon restart
|
CSCuc71502
|
Packet Capture does not recognize a manually input IP address
|
CSCuc71694
|
Race Condition, if 2 different users create capture, it overwrites on FW
|
CSCuc72424
|
CSM 4.3 Global Search not able to cross correlate or drilldown w/objects
|
CSCuc74129
|
CSM: Unable to approve activity after services restart
|
CSCuc76194
|
Hitcount not working if there is network singleton object in the policy
|
CSCuc81785
|
Apache 2.2.22 migration
|
CSCuc95783
|
New ips package bundling support for IPS 6.2.5+ train
|
CSCud07652
|
CSM 4.3 - deployment fails as CSM generating the ACL in wrong sequence
|
CSCud11450
|
Alert configuration settings not available in the remote upgrade server
|
CSCud21768
|
CSM 4.3 - Rule expiry email notification not working
|
CSCud38055
|
CSM 4.3 Image manager update fails due to lack of proxy user/pwd
|
CSCud52044
|
Event Manager clearing all data after stop/start.
|
CSCud93674
|
Issues removing original service from manual static PAT
|
CSCud93690
|
Interface name with a period is renamed with a backslash
|
CSCud93697
|
NAT rule creation and move within policy creates duplicate NAT in CSM
|
CSCud97755
|
CSM 4.3-SP1: CSM query window shows wrong matches
|
CSCue02174
|
CSM 4.3 sometimes uses wrong user credentials to connect to device
|
CSCue05074
|
Incorrect messaging in "Find Usage" for local rule inherited from policy
|
CSCue13895
|
CSM 4.3 w/ASA 8.3+ - No errors on interfaces with duplicate IP addresses
|
CSCue13911
|
CSM 4.3 w/ASA 8.3+ - No error when interface IP's have overlapped subnet
|
CSCue16970
|
CSM: IPS Updates from Cisco.com Fail Due to Lack of Cybertrust Root Cert
|
CSCue17124
|
CSM allows duplicate static routes to different interfaces
|
CSCue22784
|
CSM 4.3 SP1 CP5 - CSM rule expiry notification not working
|
CSCue45261
|
CSM 4.3 - Null authentication pushed by CSM to router
|
Resolved Caveats—Release 4.3 Service Pack 1
The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.3 Service Pack 1.
Reference Number
|
Description
|
CSCtq45738
|
CSM - Sybase SQL Anywhere listening on UDP broadcast
|
CSCtr61274
|
PCAP: Without change the packet parameter value Next tab is not enabled
|
CSCtw65753
|
CSM DB backup should stop and start daemon if daemon is running
|
CSCtz10703
|
CSM config Rollback with FWSM may result in network outage
|
CSCtz25896
|
Network Object: Duplicate Object (object-group) Creation in CSM
|
CSCtz31123
|
CSM changes access-list names of ZBF feature
|
CSCtz36471
|
CSM: importing IOS VPN devices makes changes to the crypto acl
|
CSCtz39799
|
IPS AAA Policy dialog throws a error message after patch upgrade
|
CSCtz61379
|
CSM 4.2 SP1 bad response time for viewing NAT table
|
CSCtz71944
|
IM not able to handle upgrade from ASA 7.x to 8.x in failover setup
|
CSCtz83960
|
Discovery of 7600 with MFR intfc fails with java.lang.NullPointerExcept.
|
CSCtz86049
|
No error/Warning if spaces present in IP address in POM
|
CSCtz86266
|
Security Manager Event Viewer does not purge files in \MDC\reports\temp
|
CSCtz88089
|
VPN: Summary Panel Includes Count even when RA / S2S is not Enabled
|
CSCtz91926
|
Discovery error on ASR with ATM sub-interfaces
|
CSCtz94281
|
Schedule Report Does Not Run if UnMonitored in Eventing
|
CSCua05710
|
Deploy & Preview fails with internal error exception in VpnIPSecBuilder
|
CSCua07115
|
CSM 4.2: Pushes'no svc ask none' in DfltAccessPolicy during deployment
|
CSCua07289
|
CSM re-configure the auto summary for EIGRP
|
CSCua21128
|
Null pointer exception while filtering IPS events based on Event Type Id
|
CSCua35862
|
IPS 7.1.5 version support for 32 bit legacy IPS platforms
|
CSCua38184
|
Deployment hung after management interface is shut
|
CSCua48896
|
CSM 4.2 inconsistency in displaying static in Network Object NAT rules
|
CSCua57973
|
CSM Policy 'submit & deploy' may fail when not applied to all devices
|
CSCua73760
|
CSM: ZBF zones with object overrides may fail validation
|
CSCua86550
|
CSM tries accessing device without using configured username
|
CSCua93528
|
Hit Count is not showing for TCP/UDP services
|
CSCub03972
|
CSM Web URL Filtering for ACL doesn't support /?RedirectPrinters=true
|
CSCub17120
|
Auto update fails due to lack of 2048-bit root certificates
|
CSCub18695
|
Security Manager CSM 4.3 does not show \"no proxy-arp\" option on ASASM
|
CSCub44499
|
CSM 4.3: Does not understand DAP attributes
|
Resolved Caveats—Release 4.3
The following customer found or previously release noted caveats have been resolved in this release.
Reference Number
|
Description
|
CSCsq32343
|
HitCount -- Internal Failure
|
CSCsv85664
|
Security Manager swaps names of policies while deploying to device
|
CSCtd58292
|
SSL-Logs are not deployed and discovered properly in CSM for DAP
|
CSCtg24571
|
CSM does not allow configuration of GETVPN on 800 router series
|
CSCtl01221
|
VPN deployment - wrong CLI set transform-set Translation ERROR
|
CSCtl74570
|
CSM/CSDM Client fails to open imported Cisco Secure Desktop config
|
CSCtn53016
|
CSM May Fail to Archive Configuration
|
CSCtq15568
|
Cisco Security Manager ip address display sorting issue
|
CSCtq37145
|
Deployment report generation failing
|
CSCtq63992
|
CSM - Arbitrary command execution vulnerability
|
CSCtq76058
|
CSM VPN Deployment Failure - ASA out of space of flash:
|
CSCtq79031
|
CSM: improvisation of error message during discovery for IOS IPS devices
|
CSCtq82517
|
CSM can not understand track 1 command
|
CSCtq84735
|
CSM should generate explicit "exit" command after crypto ca trustpoint
|
CSCtr03397
|
preview fails: On changing client firewall attribute in group policy
|
CSCtr14169
|
Could see delta after importing ips device with VS
|
CSCtr18414
|
CSM viewing activity report generates 404 Not Found error
|
CSCtr19568
|
Issues in IPS smoke suite
|
CSCtr24667
|
After editing IPS sig to default from local, the delta is empty
|
CSCtr26291
|
CSM: If no DNS server config exists, pushing DNS policy to sensor fails
|
CSCtr43198
|
Deploy fails when cluster key is less than 4 characters - Validation req
|
CSCtr52300
|
CSM 4.1 - Unable to create Extranet VPN
|
CSCtr63510
|
CSM: Edit VPN Policy Page takes 15-20 minutes to load
|
CSCtr63643
|
CSM fails to deploy policy NAT with address overlap error
|
CSCtr75589
|
CSM unable to download PCAP captures from multi context firewall
|
CSCtr76645
|
CSM Device provisioning failed when deploying to ASA due to OOM error
|
CSCtr77986
|
CSM Reporting stops polling the device
|
CSCtr79564
|
Bundle defect for known vulnerabilities in CiscoWorks Common Services
|
CSCtr89863
|
During upgrade from 4.0.1 to 4.1 recurring scheduled jobs get corrupted
|
CSCts10324
|
Modified configuration is missing in change report
|
CSCts18265
|
CSM 4.1 VPN topology for EzVPN throws authentication error while deployi
|
CSCts26028
|
Deployment errors at CSM if changes at tunnels were made
|
CSCts60132
|
CSM Client Device View broken after change of Date format on CSM server
|
CSCts64059
|
Unable to Create Static PAT Rule on Galapagos FCS
|
CSCts68196
|
CSM: overlapping static NAT lines may result in deployment failure
|
CSCts69080
|
IOS 15.2(1)T is getting discovered as 12.3(14)T
|
CSCts90728
|
CSM 4.2: Multiple context ASA discovery may fail.
|
CSCts97492
|
CSM does not allow AnyConnect Firewall rules to be added.
|
CSCtt12429
|
AAA Server object not accepting IP Address only Host object with same IP
|
CSCtt17760
|
CSM 4.2 policy static pat failing activity validation
|
CSCtt25934
|
CSM removes ip local pool from the connection profiles
|
CSCtt29984
|
CSM VPN backup servers list using hostname needs warning with workaround
|
CSCtt31482
|
CSM 4.2 cannot discover PIX config due to clock policy settings
|
CSCtt34300
|
CSM adds ipv6 address to multiple interfaces
|
CSCtt42016
|
CSM 4.2 AnyConnect profile CLI Not Recognized by the config Parser
|
CSCtt46935
|
CSM removes ACL completely in order to insert ACE remarks
|
CSCtt75762
|
Sys: HPM Client can't be launched in ACS integrated mode
|
CSCtt99845
|
CSM: Preview Configuration error "Failed to generate delta config"
|
CSCtu01132
|
CSM 4.2 fails to parse ASA static NAT config with any any as source
|
CSCtu03796
|
CSM allows to configure duplicate nat rules for ASA running 8.3/later
|
CSCtu04287
|
CSM 4.2 does not populate properly AAA Method
|
CSCtu06530
|
CSM: Longer time validating all tunnels if 1 got newly added/modified
|
CSCtu09777
|
Mars 6.0.6 (3368) and CSM 4.2
|
CSCtu17920
|
Partial support for VPN with IPS 43xx
|
CSCtu32955
|
CSM 4.1 not able to validate ASA-multiple context with same interface IP
|
CSCtu42763
|
non allowed chars should not be allowed in description in rules
|
CSCtu43687
|
CSM with Pix causes Policy Discovery Failure due to NTP server settings
|
CSCtu47306
|
ASA Platform: proxy ARP and anti-spoofing must be supported for all I/Fs
|
CSCtv23528
|
CSM 4.2 'Internal DB error' during import of an exported device file.
|
CSCtw48300
|
VPN: Summary Panel: Client Based Sessions Does not Consider AnyConnect
|
CSCtw51453
|
CSM 4.2: FW half closed timeout - set connection - validation error
|
CSCtw51977
|
Sybase error code 54W01 during CSM hierarchy query
|
CSCtw52054
|
CSM4.2: ACL Query, Client hangs when 'Go to Query' is used in the window
|
CSCtw57799
|
Unable to manage ASR1K that uses match protocol command set
|
CSCtw60431
|
VPN user with '@' symbol not parsed from syslog.
|
CSCtw65753
|
CSM DB backup should check for running DB Engine before re-starting DM
|
CSCtw65998
|
On DB backup failure, backup.pl doesn't restart the daemons
|
CSCtw69201
|
CSM signature updates aren't written in flash for ISO 15.0 and above
|
CSCtw72136
|
CSM deploy to file missing error check for non-existent directory
|
CSCtw78669
|
CSM Doesn't allow more than 2152 nested objects per object
|
CSCtw80494
|
CSM causes FWSM traffic outage when adding new vlan to vlan-group
|
CSCtw84292
|
Event Viewer stops displaying events due to hung thread
|
CSCtx03788
|
Create Object-Groups for Multiple Source Option Not Working in CSM 4.2
|
CSCtx05031
|
CSM 4.2: Report Manager fails to generate Scheduled Reports
|
CSCtx38317
|
CSM 4.2 disorders ACL entries on catalyst 6500 after sorting sections
|
CSCtx38576
|
CSM 4.2 Activity validation cause incorrect duplicate vpn topology error
|
CSCtx59431
|
CSM vulnerable to HTTP response splitting
|
CSCtx67856
|
Imgmt: 5580 device - Error Device not supported in Imgmt application
|
CSCtx71173
|
Using Custom Roles in ACS is blocking the import functionality in CSM
|
CSCtx72107
|
CSM: during discovery CSM needs to distinguish between devices
|
CSCtx80393
|
CSM 4.2 - Group-policy option not available under Ldap Attribute Map
|
CSCtx81553
|
IPS Config change fails when scheduled with Signature update in WFmode
|
CSCtx82325
|
Numbered ACL Discovery Issue
|
CSCtx83710
|
CSM cannot detect ip local pool under group-policy
|
CSCtx90787
|
CSM 4.2 deletes access-list entries on ASA
|
CSCty22303
|
Setting device displayname to longest possible length breaks device view
|
CSCty35110
|
CSM should not require device deletion after ASA 8.3+ upgrade
|
CSCty77095
|
CSM 4.2 FWSM No delta is generated if changing -Uauth Inactivity timeout
|
CSCty80629
|
CSM system reports should show a warning for unsupported criteria
|
CSCty98560
|
CSM: Overrides IPS Sensor Command & Control (Mgt) Interface Config
|
Resolved Caveats—Releases Prior to 4.3
For the list of caveats resolved in releases prior to this one, see the following documents:
•http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Where to Go Next
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Guide to User Documentation for Cisco Security Manager
http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html
Lists document set that supports the Security Manager release and summarizes contents of each document.
•For general product information, see:
http://www.cisco.com/go/csmanager
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012-2013 Cisco Systems, Inc. All rights reserved.
Feedback
