Table Of Contents
Release Notes for Cisco Security Manager 4.4
Introduction
Supported Component Versions and Related Software
What's New
Installation Notes
Service Pack 1 Download and Installation Instructions
Important Notes
Open Caveats
Resolved Caveats
Resolved Caveats—Release 4.4 Service Pack 1
Resolved Caveats—Release 4.4
Resolved Caveats—Releases Prior to 4.4
Where to Go Next
Product Documentation
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Security Manager 4.4
First Published: February 21, 2013
Last Revised: May 23, 2013
These release notes are for use with Cisco Security Manager 4.4.
Security Manager 4.4 is now available. Registered SMARTnet users can obtain release 4.4 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software under Support.
This chapter contains the following topics:
•
Introduction
•Supported Component Versions and Related Software
•What's New
•Installation Notes
•Service Pack 1 Download and Installation Instructions
•Important Notes
•Open Caveats
•Resolved Caveats
•Where to Go Next
•Product Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
•Cisco Security Manager 4.4—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, Catalyst 6500 and 7600 Series ASA Services Modules (ASA-SM), and several other services modules for Catalyst switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
•Auto Update Server 4.4—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
Note Before using Cisco Security Manager 4.4, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.4 before installing or upgrading to Cisco Security Manager 4.4.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.4.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Application
|
Support Releases
|
Component Applications
|
Cisco Security Manager
|
4.4
|
Auto Update Server
|
4.4
|
CiscoWorks Common Services
|
4.0
|
Related Applications
|
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
|
6.0.7, 6.1.1
|
Cisco Secure Access Control Server (ACS) for Windows
Notes
•Cisco Secure ACS Solution Engine 4.1(4) is also supported.
•Cisco Secure ACS 5.x is supported for authentication only.
•You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
|
4.1(3, 4), 4.2(0)
|
Cisco Configuration Engine
|
3.5, 3.5(1)
|
What's New
Cisco Security Manager 4.4 Service Pack 1
Security Manager 4.4 Service Pack 1 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.4 Service Pack 1.
In addition to the resolved bugs listed below, this service pack also provides support for the following:
•Scansafe Web Security Policy for ISR 15.2(4)M2 devices
•IPS 7.2.1 version support for following platforms:
–IPS 4500 Series
–IPS 4300 Series
–ASA 5585-X IPS SSP-10
–ASA 5585-X IPS SSP-20
–ASA 5585-X IPS SSP-40
–ASA 5585-X IPS SSP-60
–ASA 5512-X IPS SSP
–ASA 5515-X IPS SSP
–ASA 5525-X IPS SSP
–ASA 5545-X IPS SSP
–ASA 5555-X IPS SSP
•NAT Rediscovery--An option has been added to allow rediscovery of NAT policy without affecting any existing shared policies.
After upgrading to ASA 8.3+, you do not need to delete the ASA device and then rediscover. Instead, you can just rediscover the NAT policies using the NAT Rediscovery option. This option will update the Security Manager configuration so that it matches the device configuration while preserving any existing shared policies, inheritance, flex-configs, and so on.
When upgrading an ASA device from 8.4.x to 9.0.1, you do not need to delete the device from Security Manager and then rediscover. When you upgrade to ASA 9.0.1, the device policies will be converted to the unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you can convert the existing NAT policies to unified NAT policies with the help of the rule converter in Security Manager. For more information, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.4/user/guide/porules.html#wp672005.
You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.
Cisco Security Manager 4.4
In addition to resolved caveats, this release includes the following new features and enhancements:
•The following devices are now supported in Security Manager 4.4:
–ASA 9.0(1).
–ASA 9.1 and its compatible ASDM.
–ASA 8.4(5).
–Cisco Catalyst 7600 Series ASA Services Modules (ASA-SM).
–ASR backward compatibility support.
•In Configuration Manager with versions 9.0 and higher of the ASA, the separate policies and objects for configuring IPv4 and IPv6 addresses were "unified," meaning one set of the various firewall rules in which you can use either IPv4 or IPv6 addresses, or a mixture of both. In Policy view, IPv4 and unified versions of the related policy types are provided. In addition, a utility that you can use to convert existing IPv4 policies to unified policies is provided. In addition, a number of policy objects, such as the Networks/Hosts object, were updated to allow IPv4 and IPv6 addressing.
•Support for Cisco TrustSec configuration on ASA 9.0+ devices to provide security group based policy enforcement. Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform. Cisco TrustSec along with the Cisco AnyConnect Secure Mobility Solution is a key component of Cisco's Borderless Network Security.
•Support for Clustering on ASA 5580 and 5585 devices running 9.0(1) or later. Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
The Packet Capture Wizard has been updated to support ASA clusters.
•Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. Version 3 is basically OSPFv2 enhanced for IPv6. To use OSPF to route both IPv4 and IPv6 packets, it is necessary to run both OSPFv2 and OSPFv3 concurrently. They co-exist with each other, but do not interact. OSPFv3 is supported on ASA 9.0+ devices operating in single-context, routed mode only. That is, multiple contexts and transparent mode are not supported. OSPFv2 is supported in multi-context mode.
•"Mixed mode" is now supported for ASA 9.0+ devices. This means you can have both routed- and transparent-mode contexts configured on the same multiple-mode device.
•The ASA CX is an Adaptive Security Appliance module that provides advanced context-aware security. The ASA CX is a key component of Cisco's Borderless Network Security. ASA CX devices are managed by the Cisco Prime Security Manager (PRSM) application—they cannot be directly managed by Cisco Security Manager. However, Security Manager has been enhanced to allow you to discover the presence of CX modules on ASA devices; to "cross launch" PRSM from the Configuration Manager application; and to share Policy Object data between Security Manager and PRSM (pronounced "prism").
•Health and Performance Monitor - The HPM application now presents monitoring information for individual contexts, as well as for members of ASA clusters; up/down status updates are also provided for site-to-site (S2S) VPN tunnels. Further, you can now export the data presented in the current Monitoring view to a PDF, HTML, or CSV file.
•Image Manager enhancements:
–Support for ASA clusters.
–Failover Device View provides summary information for Active and Standby nodes. Supports deletion and download of images from flash on Active device and deletion of images from flash on Standby devices.
–Security Manger 4.4 comes pre-packaged with CCA metadata files to make upgrading images more predictable and consistent. These pre-packaged files are available at <CSMRoot>\MDC\athena\ccometadata.
–Provides more detailed validation of image updates.
–The Ticket ID field in Image Manager has been decoupled from Configuration Manager. Ticket information can optionally be applied to image updates, but is not required and can contain values outside of those used for Configuration Manager tickets.
–The User Interface has been enhanced to support viewing of checksum details for images and to allow searching for bundles and devices.
•VPN enhancements:
–Support for Next Generation Encryption. The National Standards Association (NSA) specified a set of cryptographic algorithms that devices must support to meet U.S. federal standards for cryptographic strength. RFC 6379 defines the Suite B cryptographic suites. Because the collective set of algorithms defined as NSA Suite B are becoming a standard, the AnyConnect IPsec VPN (IKEv2 only) and public key infrastructure (PKI) subsystems now support them. The next generation encryption (NGE) includes a larger superset of this set adding cryptographic algorithms for IPsec V3 VPN, Diffie-Hellman Groups 14 and 24 for IKEv2, and RSA certificates with 4096 bit keys for DTLS and IKEv2.
–Server Certificate Verification feature enhances clientless SSL VPN support to enable SSL server certificate verification for remote HTTPS sites against a list of trusted CA certificates.
–Auto-Signon has been updated to allow configuration of dynamic parameters required in applications like Citrix XenApps and Outlook 2010.
–Bookmarks can quickly be created using templates for well known web applications.
–Support for specifying a preload URL, wait time, and post script, and for configuration of macros in post parameter configuration for bookmarks.
–Support for configuring secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through an ASA.
–Custom Policy Attribute allows for a more expeditious delivery and deployment of new endpoint features by giving the ASA the ability to generically support the addition of new client controls without the need for an ASA software upgrade.
–Ability to create and edit AnyConnect Profiles within Security Manager.
–IP local pools are now configurable in both tunnel group and group policy.
–Site-to-site VPN support on device in multi-context routed mode.
–Site-to-site VPN support on ASA Clusters.
–Site-to-site and remote access VPN support on ASA-SM.
•A new Device Status View that allows you to quickly see the status of the devices in the Security Manager inventory. The Device Status View window aggregates information from several applications and tools within Cisco Security Manager. You can use the Device Status View to quickly see the status of all your devices or specific groups of devices and can easily navigate to the areas in Security Manager you need to act on that information.
Select View > Device Status View to see information for all devices or select a device group in the Device selector to see information for the devices that are part of that device group or a subgroup.
•NAT - The user interface for configuring NAT rules and NAT objects has been redesigned to allow for easier configuration. NAT also now supports IPv6 network objects.
Per-session PAT support for ASA 9.0+ devices has been added. The per-session PAT feature improves the scalability of PAT and, for ASA clustering, allows each member unit to own PAT connections.
•Ticket/Activity Manager enhancements:
–You can now select multiple tickets or activities when discarding tickets/activities or rejecting activities.
–Activities with unapproved changes (Edit, Edit Open, or Submitted state) or tickets with unsubmitted changes (Edit or Edit Open state) are flagged for easy identification.
•Policy Object Manager enhancements:
–The Policy Object Manager provides icons to quickly show the status of policy objects that have been modified or are locked for editing. You can hover over the status icons to see details about the ticket/activity in which the policy object has been modified/locked and to navigate to that ticket/activity.
–You can now copy and paste objects using Ctrl+C and Ctrl+V as well as through the right-click menu.
–You can now enable or disable device overrides for multiple objects at the same time using the right-click menu.
•A List Filter field is now provided above the results in the Show Contents dialog box. You can use the List Filter field to quickly locate any entries that contain a specified text string.
•The Deployment administrative settings (Tools > Security Manager Administration > Deployment) now provides the following options:
–Preserve Sections for Access Rules-Whether to deploy the section name under which access rules are organized. This option ensures that if a device is discovered or rediscovered, the section names will not be lost.
–Generate CSM Rule Number-Whether to deploy the rule number used in the Cisco Security Manager user interface. This option helps in correlating an access rule in a device configuration to its position in rule table.
•Access Rule Hit Count and Last Hit Time information has been moved from a separate dialog to the access rule table for easier visibility. This also allows for sorting of the table based on hit count and last hit time. You can refresh hit count information by clicking the Refresh Hit Count button. You can view hit count details using the right-click menu.
•Access to tools for the rules tables have been moved to the right-click menu. Also, tools have been updated to support unified rules and security policy objects.
•Certificate trust management feature--Security Manager downloads ASA images and IPS packages from Cisco.com over HTTPS, which uses certificates for establishing trust. Beginning with version 4.4, Security Manager has a certificate trust management feature. This feature helps you with improved handling of Cisco.com certificates for both types of downloads, ASA image downloads and IPS update package downloads.
•Security Manager now allows you to generate a 2048-bit self-signed certificate under Megamenu > Server Administration > Server > Security > Single Server Management > Certificate Setup.
•ScanSafe is now supported on ASA devices. ScanSafe Web Security settings are configured from Firewall > Settings > ScanSafe Web Security. ScanSafe Web Security traffic classification rules are configured from Platform > Service Policy > Rules.
•In the service policy for an ASA device, you can now view, edit, or remove the virtual sensor in the service policy that you are adding or editing.
•Support is now provided for DHCP IPv6 Relay, in addition to DHCP IPv4 Relay.
•IPS Health Monitor is now supported in Security Manager beginning with IPS version 6.1. With the IPS Health Monitor, you configure the metrics, or parameters, that are used to determine the health and network security status of your IPS devices. Your IPS devices use these metrics to assign appropriate severity when sending IPS events. The results appear in the Health and Performance Monitor of Security Manager (Launch > Health and Performance Monitor).
•When working with IPS devices, you can specify Sig ID and subSigID while adding custom signatures.
•The IPS Signatures page now has detailed signature descriptions.
•A new feature, the Wall feature, can be used to send messages to all users who are logged in on the same Security Manager server.
•The NetFlow feature now supports configuration of Active Refresh Interval and Delay Flow Create.
•TCP intercept maximum threshold has been increased to 2,000,000.
•IS-IS pass-through support has been added for ASA/PIX/FWSM devices. "IS-IS pass-through support" means that IS-IS traffic can flow through the ASA in transparent mode.
Installation Notes
•The "Licensing" chapter in the installation guide enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation. It is available at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.4/installation/guide/licensing.html.
•Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with your being able to do the following:
–Logging in to the web server
–Logging in to the client
–Performing successful backups of all databases
•You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
•Before you can successfully upgrade to Security Manager 4.4 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
•We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
•Be aware of the following important points before you upgrade:
–Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
•If you log in to a Security Manager server that is running a higher version than your client, a notification will be displayed and you will have the option of downloading the matching client version. If you log in to a Security Manager server that is running a higher version than your client, a notification will be displayed and you will have the option of downloading the matching client version.
•Beginning with Security Manager 4.4, AUS and the Security Manager client are installed in parallel to improve installation time.
•CiscoWorks Common Services 4.0 is installed automatically when you install Security Manager or AUS.
•Security Manager did not support disk drive space greater than 2 TB in earlier versions but does support it now.
•An error message will pop up if there is any database migration error; this will be at a point where installation can be taken forward without stopping.
Service Pack 1 Download and Installation Instructions
To download and install service pack 1, follow these steps:
Note You must install the Cisco Security Manager 4.4 FCS build on your server before you can apply this service pack.
Caution Before installing this service pack, please back up the following files:
MDC\ips\etc\sensorupdate.properties
MDC\eventing\config\communication.properties
If you have previously modified these files, you will need to reconfigure them after installing the service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software under the Support heading on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 4.4 folder under All Releases, and then click 4.4sp1.
Step 4 Download the file fcs-csm-440-sp1-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-440-sp1-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 4.4 Service Pack 1dialog box, click Next and then click Install in the next screen.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to "Download Service Pack".
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Important Notes
The following notes apply to the Security Manager 4.4 release:
•You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
•Without Service Pack 1
On any ASA managed by Security Manager, upgrading the software from a version earlier than 8.3 to version 8.3 and later will necessitate deleting the device from the Security Manager inventory, then rediscovering the device and performing some one-time manual clean-up of certain policy objects, NAT rules, and ACL entries.
Security Manager does not check for content equivalence between objects and object-groups, so it is possible duplicate policy objects will be created—you must manually correct this situation. In addition, device upgrade and subsequent deletion and rediscovery can result in significant changes to NAT rules, and may also change IP addresses in Access Control Lists. Be sure to closely examine the NAT rules and ACLs on the device, and manually update them as necessary.
With Service Pack 1
After upgrading to ASA 8.3+, you do not need to delete the ASA device and then rediscover. Instead, you can just rediscover the NAT policies using the NAT Rediscovery option. This option will update the Security Manager configuration so that it matches the device configuration while preserving any existing shared policies, inheritance, flex-configs, and so on.
When upgrading an ASA device from 8.4.x to 9.0.1, you do not need to delete the device from Security Manager and then rediscover. When you upgrade to ASA 9.0.1, the device policies will be converted to the unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you can convert the existing NAT policies to unified NAT policies with the help of the rule converter in Security Manager. For more information, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.4/user/guide/porules.html#wp672005.
You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.
•ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
•The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
•If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
•Device and Credential Repository (DCR) functionality within Common Services is not supported in Security Manager 4.4.
•A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
•Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
•Do not run SQL queries against the database.
•If an online help page displays blank in your browser view, refresh the browser.
•Security Manager 4.4 only supports Cisco Secure ACS 5.x for authentication. ACS 4.1(3), 4.1(4), or 4.2(0) is required for authentication and authorization.
•If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
•The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
•The "License Management" link on the CiscoWorks Common Services home page has been removed.
•CsmReportServer and CsmHPMServer are now supported with 64-bit JRE.
•The "rsh" service has been changed to manual start mode. You can start it manually if you need it.
•The use of policy objects with IPS is different in Security Manager 4.4 than it was in previous versions. The area affected most is upgrading to Security Manager 4.4 from a previous version. Another affected area is the policy object type.
Open Caveats
This section describes the open caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
The following caveats affect this release and are part of Security Manager 4.4:
•ASA, PIX, and FWSM Firewall Devices Caveats
•Cisco IOS Router Devices Caveats
•Cisco IPS and IOS IPS Devices Caveats
•Client and Server Install Caveats
•Device Management, Discovery, and Deployment Caveats
•Event Viewer Caveats
•Firewall Services Caveats
•Health and Performance Monitor Caveats
•Image Manager Caveats
•Miscellaneous Caveats
•Policy Management Caveats
•VPN Device and Configuration Support Caveats
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 2 ASA, PIX, and FWSM Firewall Devices Caveats
Reference Number
|
Description
|
CSCtd60804
|
CSM managing A/A FWSM will not use configured management ip of context
|
Table 3 Cisco IOS Router Devices Caveats
Reference Number
|
Description
|
CSCth95357
|
XE: Deploy Fails when Memory Critical Notifications are Changed
|
CSCti15944
|
CLI: "dot1x pae authenticator" generated after deployment of 802.1x
|
CSCtq12795
|
Generic Router : AAA rules getting negated.
|
Table 4 Cisco IPS and IOS IPS Devices Caveats
Reference Number
|
Description
|
CSCtk36259
|
MU-IPS Licensing page taking too long for Refresh / CCO Update operation
|
CSCug68487
|
CSM isn't closing all the HTTPS session as part of config deployment
|
Table 5 Client and Server Install Caveats
Reference Number
|
Description
|
CSCtq99125
|
Installation: Evaluation and Licensing options get enabled simultaneous
|
CSCtr71792
|
ETSGJ-CH:CSM Launch Icons Missing on XP JOS Client
|
CSCtr72248
|
ETSGJ-CH:Not able to proceed with install if going back to previous page
|
CSCue21624
|
Some or All Devices are Missing in Device View
|
Table 6 Device Management, Discovery, and Deployment Caveats
Reference Number
|
Description
|
CSCub81927
|
Scal Testing: DB error during deployment
|
CSCuc13848
|
Getting error while submitting a ticket for Validation.
|
CSCud15187
|
CSM: AUS changes do not replicate to standby firewall
|
CSCue46254
|
CSM 4.3 SP1 deployment fails due to attempt to remove referenced object
|
Table 7 Event Viewer Caveats
Reference Number
|
Description
|
CSCtg54222
|
Eventing Restore: Restore failing or partially succeeding in some cases
|
CSCtg57676
|
Internal error thrown when portlist is used in service object filter.
|
CSCtg57745
|
Filtering does not work when only protocol name is used in service obj.
|
CSCtg57839
|
Results not correct when network obj with non-contiguous mask is used.
|
CSCtl73195
|
BB names having underscore in name can't be shown in the event viewer
|
CSCua81392
|
CSM 4.2 - Eventing directory does not get deleted
|
CSCuc72706
|
CSM fails to purge old partition
|
CSCuc85344
|
Incorrect filtering for All-IPv6-Address and All-IPv4-Address BB
|
Table 8 Firewall Services Caveats
Reference Number
|
Description
|
CSCtf32208
|
Deployment fails with ACE edit in ACL BB
|
CSCtg80500
|
Manual-NAT: need validation for "neq" operator in static NAT
|
CSCti08077
|
system context Config file discovery fails with ASA 5580 platfo
|
CSCtl10613
|
Int: ASA 5580/85 should support max 1034 int allocation to context
|
CSCto67515
|
ASA/ASASM Failover commands not negated
|
CSCto80002
|
UID: Deployment fails when domain is used in ACL and is deleted
|
CSCtq04794
|
NAT: Deployment is failing for object NAT for Translate DNS rule
|
CSCtq20157
|
Delta is empty after unassigning Inspection settings.
|
CSCtq20876
|
Generic Router: Deployment fails after unassigning web filter settings
|
CSCtq20997
|
NAT:Subnet Can not be used as mapped Source in Dynamic NAT policy
|
CSCtq24069
|
UID: repeated ACL delta with ACL match protocol inspection
|
CSCtq36739
|
NAT: Same Mapped address cannot be used to perform both NAT and PAT
|
CSCtq63721
|
UID: order of AAA server negation/appending _1 on discovery should modiy
|
CSCtq68629
|
Dynamic NAT : Network/Hosts Selection window is empty
|
CSCtq82588
|
Discovery fails for device with scan safe AAA in CSM 4.1
|
CSCtq82698
|
NAT : Unable to Edit Static Object NAT
|
CSCtq83500
|
Correct CLI is not generated for Inspection rules.
|
CSCtq85580
|
Object NAT: Unable to create rule due to device locking issue
|
CSCtr00850
|
CSM should read the OSPF configuration correctly
|
CSCtr12016
|
ETSGJ-CH:Japanese User not displayed in Identity UserGroup UI
|
CSCtr12155
|
ETSGJ-CH:Japanese User Group shows Name as Square blocks in JOS Client
|
CSCtr17688
|
NAT: No validation for FQDN in pre ASA 8.3 NAT
|
CSCtr25092
|
ETSGJ-CH:Pop-up for wrong bind in Identity needs to be revisited
|
CSCtr25195
|
ETSGJ-CH:Domain name with special characters are permitted
|
CSCtr30676
|
Deployment fails when http accounting banner from file is configured
|
CSCtr71998
|
ETSGJ-CH:Incremental pop-up for a wrong MAC in Cat6k ASA-SM Failover
|
CSCtr90006
|
Generic Router:Inspection policy message from device should be handled
|
CSCts15802
|
Scan Safe-Deployment fails when enabling Encryption IOS
|
CSCts25221
|
Edit ACL in Identity Policy-CSM generates incorrect order of cli
|
CSCtw48451
|
Override BB are not mapping with BBs used in import rules
|
CSCtx47521
|
Extended pat table option should be disabled
|
CSCtx51882
|
ACD: Navigation from conflict details fails to rule in rule section
|
CSCty77037
|
Remove unreferenced Object-Group option can cause deployment error
|
CSCtz70420
|
Unable to configure flow-export service policy via CSM GUI
|
CSCtz78135
|
ASR: ZBF Disabled & Enabled Rule found similar in GUI
|
CSCtz92786
|
RBAC: Privileges for NAT policies on ASA 8.3 not working
|
CSCud37752
|
ASA Image Downgrade From 9.0 to 8.4.4 Contain Xlate Rules in Preview
|
CSCud62338
|
CSM Object Override Screens May Not Work After Upgrade
|
CSCud78773
|
CSM 4.3 add-rule option adds an active acl directly to all interfaces
|
CSCud98874
|
CSM Issues with AAA Accounting between PIX 6.x and PIX/ASA 7.x+
|
CSCue51858
|
CSM doesnt support DHCP Relay per interface
|
Table 9 Health and Performance Monitor Caveats
Reference Number
|
Description
|
CSCtt95667
|
FW: Certificates should be displayed as part of Non VPN Views
|
CSCtx48130
|
VPN: SitetoSite VPN tunnel details not proper with dynamic cryptomap 8.4
|
CSCud53546
|
"Master" changes needs to be reflected in Cluster row
|
CSCue05800
|
CSM 4.3 SP1 - HPM does not start after scheduled DB backup.
|
CSCue50284
|
Tunnel Alerts: Traps Not Processed if the Remote Subnet is a Host
|
Table 10 Image Manager Caveats
Reference Number
|
Description
|
CSCue30032
|
Multicontext devices are not shown in IM in ACS setup
|
Table 11 Miscellaneous Caveats
Reference Number
|
Description
|
CSCtq99617
|
CSM UI unresponsive for a long period in MU testing
|
CSCtt97627
|
Flexconfigs modified/deleted not removed from preview and got deployed
|
CSCuc18629
|
CSM 4.3 Section lost after copying config
|
CSCud83531
|
CSM 4.3 add-rule lost focus when adding the rule
|
CSCue22968
|
CSM DOC: IPS Auto update for shared policies only for vs0
|
Table 12 Policy Management Caveats
Reference Number
|
Description
|
CSCud86519
|
CSM deployment error with an Object
|
Table 13 VPN Device and Configuration Support Caveats
Reference Number
|
Description
|
CSCth43310
|
GRE H&S-Default route is not discovered for Informer device
|
CSCtl82579
|
IKEv2 connection is down for default connection-type of CSM
|
CSCtq06818
|
Group Encryp Policy-unassigned from policyview not restoring default val
|
CSCtq15281
|
Config wizard-Auto-update client is not deployed properly
|
CSCtq29212
|
SSL-CSM is not generates proper URL when configuring bookmark
|
CSCtq67354
|
preview fails,rule name(SSLVPN->othersett->content rewrite) having space
|
CSCtq86149
|
deployment fails:existing Virtual Template int with type serial - Ezvpn
|
CSCtr06681
|
preview fails : if SSO name is given with spaces
|
CSCtr28222
|
IPSec Proposal is not discovered, if DVTI/VRF is configured in ISR
|
CSCtr40704
|
Double Quotes generation in Client Access rule in Group Policy
|
CSCtr64655
|
VPN discovery fails:using tunnel_3des as Ikev1 TS in ASA-ISR combination
|
CSCts30832
|
Preview failed due to FQDN acl BB used in group policy.
|
CSCtz47183
|
IPS 43xx: Standalone Transparent Mode Device Deployment Fails
|
CSCub28608
|
VPN policy discovery clears the existing crypto map ACL
|
CSCub82270
|
CSM deletes the existing ACL when changing protected nw/Spk2Spk connecti
|
CSCub89125
|
PKI node under Remote Access VPN to be enabled
|
CSCub97337
|
Deploy fails with large # devices in one job w/ ACL BB/VPN config
|
CSCuc08659
|
With anyconnect 3.1, not able to launch web security profile
|
CSCuc48221
|
CSD policy editor:- Secure vault checkbox is missing in prelogin policy
|
CSCuc60042
|
CSM wrongly generates the crypto ACL for speciifc Building blocks(BB)
|
CSCuc80471
|
CSM 4.3 Keys not getting synchronized across KS
|
CSCud61707
|
PKI deployment failed with trustpoint not enrolled error for ASA 9.0
|
CSCud80090
|
CSM requires CSD package when creating DAP
|
CSCud80123
|
OS operator in CSM is not present
|
CSCud91572
|
CSM 4.2: Missing option to modify "hide internal password"
|
CSCue13839
|
CSM removes "source interface" command from PKI trustpoint
|
CSCue53645
|
CSM 4.3 SP1 crl configure - policy value always set to both
|
CSCue53955
|
CSM 4.3 SP1 Adding "anyconnect ask none default webvpn" command
|
CSCue54248
|
CSM 4.3 SP1 Should support group-lock for ssl vpn group policies
|
CSCue54256
|
CSM 4.3 SP1 Adds "fqdn none" under trustpoint
|
CSCue72718
|
CSD 3.4.0373 is no longer Bundled with CSM installer - User Guide Defect
|
Resolved Caveats
This section describes the resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
•Resolved Caveats—Release 4.4 Service Pack 1
•Resolved Caveats—Release 4.4
•Resolved Caveats—Releases Prior to 4.4
Resolved Caveats—Release 4.4 Service Pack 1
The following customer found or previously release-noted caveats have been resolved in Cisco Security Manager 4.4 Service Pack 1.
Reference Number
|
Description
|
CSCts20427
|
Event UI: View specific columns are lost on switching to real time
|
CSCuc07823
|
Performance: MassagerException for IPv6 deployment to higher workloads
|
CSCuc10546
|
VPN: Generation of Trustpool CLI's after device import
|
CSCuc49859
|
Extranet:- Validation error for exceeding IPSec transform set for IKEv1
|
CSCuc72424
|
CSM 4.3 Global Search not able to cross correlate or drilldown w/objects
|
CSCud07652
|
CSM 4.3 - deployment fails as CSM generating the ACL in wrong sequence
|
CSCud63375
|
CSM to Support scansafe web security policy in 15.2(4) M2 release
|
CSCud87787
|
CSM removes the tunnel group lock config from SSL full vpn group policy
|
CSCud97755
|
CSM 4.3-SP1: CSM query window shows wrong matches
|
CSCue01509
|
VPN Summary: Other Details Tab Does not Show Certificates
|
CSCue01794
|
Drag and Drop is not working for the unified rules
|
CSCue02174
|
CSM 4.3 sometimes uses wrong user credentials to connect to device
|
CSCue05074
|
Incorrect messaging in "Find Usage" for local rule inherited from policy
|
CSCue13911
|
CSM 4.3 w/ASA 8.3+ - No error when interface IP's have overlapped subnet
|
CSCue17124
|
CSM allows duplicate static routes to different interfaces
|
CSCue22784
|
CSM 4.3 SP1 CP5 - CSM rule expiry notification not working
|
CSCue25304
|
Cannot change credentials in device properties page for IPS devices
|
CSCue33545
|
CSM 4.3 SP1 fails to deploy/discover with "isakmp enable inside"
|
CSCue45261
|
CSM 4.3 - Null authentication pushed by CSM to router
|
CSCue54768
|
Not able to apply Pro_M lic on top of stdtoproupgrade lic after upgrade
|
CSCue58429
|
TFW: CSM does not discover management-only and IP config, multi-ctx
|
CSCue65616
|
CSM auto-update cann't load asa86 image
|
CSCue78794
|
CSM Deployment failed due to MassagerPlugin
|
CSCuf08115
|
CSM: CsmReportServer.log file grows extremely large quickly
|
CSCuf34494
|
CSM ACL cannot filter by correct column names
|
CSCuf52614
|
CSM-API: Slow response on API calls
|
CSCuf89842
|
CSM: Increase Default Eventing Sleep Interval to Reasonable Value
|
CSCuf93435
|
CSM4.4: in Access-rules view, Destination column is shifted over User
|
CSCug21754
|
engine id filed made as optional
|
CSCug45741
|
CSM 4.4 Automatic backup fails due to compression error
|
CSCug54232
|
CSM 4.4 - CsmHPMServer.log grows up very fast until no disk space left
|
Resolved Caveats—Release 4.4
The following customer found or previously release noted caveats have been resolved in this release.
Reference Number
|
Description
|
CSCso17575
|
CSM: IPS Interfaces Policy Copy to Sensor with Diff Interfaces Error
|
CSCtg58541
|
CSM coexistence problem with Symantec Event Manager startup sequence
|
CSCtl82415
|
CSM creating multiple deployment job at a same time.
|
CSCtn22006
|
Discovery fails if Anyconnect image is present in disk1 of the device
|
CSCto26357
|
CSM: Deployment may fail due to internal error in plugin
|
CSCtq45738
|
CSM - Sybase SQL Anywhere listening on UDP broadcast
|
CSCtr25642
|
CSM adding CSM_STD as prefix to acl used in SNMP during each discovery
|
CSCtr61274
|
PCAP:Without change the packet parameter value Next tab is not enabled
|
CSCts04588
|
System Requirements fails, showing negative value in available space
|
CSCts81689
|
Auto update is not happen when major upd is done on the device inbetween
|
CSCts86256
|
CSM: Incorrect IDS/IPS Sensor Device Name Shown in Event Viewer
|
CSCtt34300
|
CSM adds ipv6 address to multiple interfaces
|
CSCtw58550
|
CSM IPS signature defined on hierarchic policy are not applied properly
|
CSCtw65753
|
CSM DB backup should stop and start daemon if daemon is running
|
CSCtw86862
|
Device inventory details are not shown in Image management after upgrade
|
CSCtw92122
|
Installer shows error when install path is not in C:
|
CSCty03766
|
CSM 3.3.1 autodeploy started despite it was suspended
|
CSCty24613
|
Cannot assign NAT shared policy if no-proxy-arp is configured
|
CSCty59588
|
HA: While assigning permissions for casusers on secnode, perm errors
|
CSCtz10703
|
CSM config Rollback with FWSM may result in network outage
|
CSCtz25896
|
Network Object : Duplicate Object (object-group) Creation in CSM
|
CSCtz26022
|
Preview message error for ips device
|
CSCtz31123
|
CSM changes access-list names of ZBF feature
|
CSCtz36471
|
CSM: importing IOS VPN devices makes changes to the crypto acl
|
CSCtz39799
|
IPS AAA Policy dialog throws a error message after patch upgrade
|
CSCtz39869
|
Inventory/policy alone discovery for ips with VS generates negate comman
|
CSCtz47322
|
CSM 4.2 -ASA Group Policies with standard ACLs not discovered correctly
|
CSCtz49988
|
Column based edit is not working for Sig fidelity in IPS update wizard
|
CSCtz51039
|
Security Manager CSM 4.2 removes logging config when policy not managed.
|
CSCtz61379
|
CSM 4.2 SP1 bad response time for viewing NAT table
|
CSCtz71944
|
IM not able to handle upgrade from ASA 7.x to 8.x in failover setup
|
CSCtz75708
|
HPM:Not able to enable VPN monitoring for devices added in wizard
|
CSCtz83960
|
Discovery of 7600 with MFR intfc fails with java.lang.NullPointerExcept.
|
CSCtz86049
|
No error/Warning if spaces present in IP address in POM
|
CSCtz86266
|
Security Manager Event Viewer does not purge files in \MDC\reports\temp
|
CSCtz88089
|
VPN: Summary Panel Includes Count even when RA / S2S is not Enabled
|
CSCtz91443
|
Modify Flex Config results-com-cisco-nm-vms-template-TemplateActyHandler
|
CSCtz91926
|
Discovery error on ASR with ATM sub-interfaces
|
CSCtz94281
|
Schedule Report Does Not Run if UnMonitored in Eventing
|
CSCua04310
|
Report manager is hitting Out of Memory for every 15/20 days period
|
CSCua07115
|
CSM 4.2: Pushes'no svc ask none' in DfltAccessPolicy during deployment
|
CSCua07289
|
CSM re-configure the auto summary for EIGRP
|
CSCua21128
|
Null pointer exception while filtering IPS events based on Event Type Id
|
CSCua25601
|
CSM AUS - JAVA error if using Update Now Button
|
CSCua31272
|
ACD: Slow with large number of objects
|
CSCua31440
|
CSM Event viewer does not show User & Group Name if it contains "#"
|
CSCua35862
|
IPS 7.1.5 version support for 32 bit legacy IPS platforms
|
CSCua38184
|
Deployment hung after management interface is shut
|
CSCua45351
|
CSM: UI slownes when loading IKE and IPSEC policies
|
CSCua48896
|
CSM 4.2 inconsistency in displaying static in Network Object NAT rules
|
CSCua49569
|
java.lang.IllegalArgumentException: Bad ip address demo! warning
|
CSCua53711
|
CSM won't disable WebVPN on ASA without removing all access policies
|
CSCua56653
|
Some passwords configured in Logging server policy not getting masked.
|
CSCua57973
|
CSM Policy 'submit & deploy' may fail when not applied to all devices
|
CSCua59991
|
CSM 4.2 - AAA Server Group object cannot be deleted
|
CSCua73760
|
CSM: ZBF zones with object overrides may fail validation
|
CSCua78021
|
CSM: Unable to disable Inspection for certain Traffic on ASA
|
CSCua86550
|
CSM tries accessing device without using configured username
|
CSCua89647
|
CSM: IPS Updates Downloads via HTTP GET with Basic Auth (Cleartext)
|
CSCua92543
|
scheduled deployment jobs fail if changing "Connect to device using"
|
CSCua99501
|
ASA uauth inactivity timeout not deployed properly
|
CSCub03972
|
CSM Web URL Filtering for ACL doesn't support /?RedirectPrinters=true
|
CSCub17120
|
Auto update fails due to lack of 2048-bit root certificates
|
CSCub18695
|
Security Manager CSM 4.3 does not show "no proxy-arp" option on ASASM
|
CSCub21282
|
internal error when performing query in CSM event viewer
|
CSCub24257
|
CSM: Class-map may be added in a different order than it was removed.
|
CSCub26117
|
CSM - error when deploying network objects with multiple IP's on ASA
|
CSCub26573
|
CSM 4.2&4.3 split 'ip local pool' in many lines after device discovering
|
CSCub28745
|
CSM does not discover all class map & improperly discovers shape average
|
CSCub37992
|
CSM 4.3 Failed to generate delta config for pix 6.3(5)
|
CSCub44499
|
CSM 4.3: Does not understand DAP attributes
|
CSCub50793
|
CSM renaming nameif on ASA interface causes policy association failure
|
CSCub54051
|
CSM: L2L VPN discovery changes the crypto ACL
|
CSCub54192
|
CSM does not properly populate mroute configuration on ASA
|
CSCub57791
|
CSM 4.3 failure when we use the default object groups configured in CSM
|
CSCub66476
|
CSM validate fails SSL VPN can't be enabled on Management Only interface
|
CSCub74198
|
CSM 4.2 Error: AAA Maximum number of Attempts - Unsupported Policy
|
CSCub74884
|
CSM 4.3 deploys standard access-list with sequence number
|
CSCub88466
|
Incorrect Range Enforced for TCP Connection Timeout on Firewall
|
CSCub95505
|
Validation errors for DAP for ASA 8.2.5 on CSM 4.2
|
CSCub99533
|
CSM should not accept single quote while creating activity
|
CSCuc10250
|
CSM cannot apply signature update in a specific condition
|
CSCuc11258
|
CSM forces to fill in the sustained burst/excess burst for QoS shaping
|
CSCuc18963
|
CSM 4.3 VPN External l2l do not discovery the protected network
|
CSCuc20035
|
CSMgrDeviceExport.pl script fails with error -no data to be displayed
|
CSCuc52121
|
IMGMT: Optimize the commands sent to device during IM inventory colln
|
CSCuc52877
|
CSM 4.3 may fail to discover ASA interfaces in system context
|
CSCuc59365
|
Process management page allows cross site script execution in URL
|
CSCuc61807
|
CSM 4.3 & 4.4 (QA 05) - StackOverflowError
|
CSCuc62975
|
CSM issue with secondary authentication server group based on interface
|
CSCuc68581
|
Add Device Fails - CSM 4.3/CS 4 using RBAC requires Daemon restart
|
CSCuc71502
|
Packet Capture does not recognize a manually input IP address
|
CSCuc71694
|
Race Condition, if 2 different users create capture, it overwrites on FW
|
CSCuc74127
|
'Bad Failover interface speed' warning thrown on CSM
|
CSCuc74129
|
CSM: Unable to approve activity after services restart
|
CSCuc76194
|
Hitcount not working if there is network singleton object in the policy
|
CSCuc76407
|
CSM 4.2/4.2 SP1 - Deploying a AAA policy doesn't work on 2921 router
|
CSCuc98169
|
CSM: Changes printer name capitals letters in web ACL for URL filtering
|
CSCud31022
|
CSM: Preview Configuration plus Deploy Sets IPS bypass-mode to 'auto'
|
CSCud38055
|
CSM 4.3 Image manager update fails due to lack of proxy user/pwd
|
CSCud52044
|
Event Manager clearing all data after stop/start.
|
CSCud52236
|
CSM: May not allow FQDN objects begining with a number.
|
CSCud57488
|
CSM not properly handling the "class" DAP attribute from ASA 8.4.x
|
CSCud80105
|
Unable to enter Certificate Authorization parameters in CSM
|
CSCud88506
|
CSM: Removing ACL tied to policy maynot create delta
|
CSCud92737
|
Allowed to create a Network Object NAT Rules from Device view in CSM.
|
CSCue00125
|
CSM: Uninstalling CSM 4.3 is not clearing Windows Registry properly
|
CSCue13895
|
CSM 4.3 w/ASA 8.3+ - No errors on interfaces with duplicate IP addresses
|
CSCue50608
|
CSM 4.2 Installation fails on server
|
Resolved Caveats—Releases Prior to 4.4
For the list of caveats resolved in releases prior to this one, see the following documents:
•http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Where to Go Next
If you want to:
|
Do this:
|
Install Security Manager server or client software.
|
See Installation Guide for Cisco Security Manager 4.4.
|
Understand the basics.
|
See the interactive JumpStart guide that opens automatically when you start Security Manager.
|
Get up and running with the product quickly.
|
See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.4.
|
Complete the product configuration.
|
See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.4.
|
Manage user authentication and authorization.
|
See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.4.
•Setting Up User Permissions
•Integrating Security Manager with Cisco Secure ACS
|
Bootstrap your devices.
|
See "Preparing Devices for Management" in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.4.
|
Install entitlement applications.
|
Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.4.
|
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Guide to User Documentation for Cisco Security Manager
http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html
Lists document set that supports the Security Manager release and summarizes contents of each document.
•For general product information, see:
http://www.cisco.com/go/csmanager
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2013 Cisco Systems, Inc. All rights reserved.
Feedback
