Table Of Contents
Release Notes for Cisco VPN 3000 Series Concentrator, Release 4.1.7.D
Backing Up the Existing Configuration to the Flash
Backing Up the Existing Configuration to an External Server
Enable Client Password Storage at VPN 3000 to Save VPN 3002 Password
HTTP/HTTPS Management Configuration after Upgrading to Release 4.1.x
Repairing the CompactFlash in the VPN 3005 Series Concentrator
Downgrading from Release 4.1.x
About Externally In Use Addresses
Outlook Web Access (OWA) 2003 Support
Browser Proxy Support for Internet Explorer on Windows
Cisco VPN Client Release 4.6 Support
Mutual Group Authentication Support
Outlook Web Access through WebVPN
Outlook/Exchange Proxy Support (MAPI)
RADIUS-IETF Attributes Enforced via LDAP Authorization
Client OS/Version Type Access Control
LAN-to-LAN Enhancements for Network Lists
VPN 3002 Password Storage Enhancement
SSL Certificate for Each Interface
VPN Concentrator Login Change (Release 4.1 and higher)
Zone Labs Integrity: Permit/Deny on Failure and Support for Multiple Servers
Maximum Active Sessions: WebVPN or IPSec, PPTP, and L2TP/IPSec
Maximum Active WebVPN Sessions
Ratios of WebVPN to IPSec, PPTP and L2TP/IPSec Sessions
VPN 3005 Concentrator with 64 MB Memory Supports 200 IPSec or PPTP Sessions
WebVPN: Browser Caching and Security Implications
WebVPN: File Sharing Requires Both Username and Password
WebVPN: Hostname Cannot Contain Underscore ( _ )
WebVPN: HTTP and HTTPS on the Public and External Interfaces Are Disabled by Default
WebVPN: MeetingMaker and SofTracker Applications
WebVPN: Microsoft Distributed Files
WebVPN: Network Printers Located Behind VPN Concentrator
WebVPN: Port Forwarding (Application Access) Java Issues
WebVPN: Port Forwarding Impaired by Some Pop-Up/Ad Blockers
WebVPN: Port Forwarding Might Cause High CPU Use on Client PC
WebVPN: Port Forwarding Requires Windows XP SP2 Update
WebVPN: Refresh/Reload Page Using the Refresh Icon
WebVPN: Set Low Idle Timeout for WebVPN Users
WebVPN: Solaris Port Forwarding Port Always Listening
WebVPN: Stopping Application Access Correctly
WebVPN: Uses VPN Concentrator Global Settings
WebVPN: Websites That Exhibit Problems Using WebVPN Web Browsing
Browser Interoperability Issues
Internet Explorer Displays Security Information Warning When Launching Port Forwarding
Cisco Security Agent Blocks MAPI Proxy and Port Forwarding
Disable Group Lock When Using SDI or NT Domain Authentication
File Sharing Displays up to 2520 Servers/Domain or Workgroup
File Sharing Share Names Can Be up to 12 Characters Long
"Group Strip" and "Strip Realm" Changes
IMAPS Proxy Opens Multiple Mail Server Sessions without Closing Them
Japanese Operating System Support
Native Kerberos Authentication
Outlook/Exchange Proxy E-Mail Considerations
Password Expiry Does Not Change User Profile for LAN
Share Names Ending in $ Are Hidden Shares
Windows ME with Norton Antivirus Blocks Port Forwarding
Large Configurations Can Cause Memory Allocation Errors
Open Caveats for VPN 3000 Series Concentrator
Open Caveats Specific to Release 4.1
Open Caveats from Earlier Releases
Caveats Resolved in Release 4.1.7.D
Caveats Resolved in Release 4.1.7.C
Caveats Resolved in Release 4.1.7.B
Caveats Resolved in Release 4.1.7.A
Caveats Resolved in Release 4.1.7
Caveats Resolved in Release 4.1.6
Caveats Resolved in Release 4.1.5.B
Caveats Resolved in Release 4.1.5.A
Caveats Resolved in Release 4.1.5
Caveats Resolved in Release 4.1.4
Caveats Resolved in Release 4.1.3
Caveats Resolved in Release 4.1.2
Caveats Resolved in Release 4.1.1
Caveats Resolved in Release 4.1
WebVPN E-Mail Proxy with Certificate Authentication
RADIUS Group Assignment Behavior
Updated VPN Concentrator Documentation
Software Configuration Tips on Cisco Technical Support Website
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco VPN 3000 Series Concentrator, Release 4.1.7.D
CCO Date: December 30, 2004
Part Number OL-5447-14
Introduction
Note
You can find the most current documentation for released Cisco VPN 3000 Series Concentrator products at http://www.cisco.com. These electronic documents might contain updates and changes made after the hard-copy documents were printed.
These release notes are for Cisco VPN 3000 Series Concentrator Release 4.1 through Release 4.1.7.D software. These release notes describe new features, changes to existing features, limitations and restrictions ("caveats"), fixes, and related documentation. They also list issues you should be aware of and the procedures you should follow before loading this release. The section, "Usage Notes," describes interoperability considerations and other issues you should be aware of when installing and using the VPN 3000 Series Concentrator. Read these release notes carefully prior to installing this release.
Contents
These release notes describe the following topics:
Open Caveats for VPN 3000 Series Concentrator
Caveats Resolved in Release 4.1.7.D
Caveats Resolved in Release 4.1.7.C
Caveats Resolved in Release 4.1.7.B
Caveats Resolved in Release 4.1.7.A
Caveats Resolved in Release 4.1.7
Caveats Resolved in Release 4.1.5.B
Caveats Resolved in Release 4.1.5.A
Caveats Resolved in Release 4.1.5
Caveats Resolved in Release 4.1.4
Caveats Resolved in Release 4.1.3
Caveats Resolved in Release 4.1.2
Caveats Resolved in Release 4.1.1
Caveats Resolved in Release 4.1
Obtaining Technical Assistance
System Requirements
This section describes the system requirements for Release 4.1.
Hardware Supported
Cisco VPN 3000 Series Concentrator software Release 4.1 supports the following hardware platforms:
• Cisco VPN 3000 Series Concentrators, Models 3005 through 3080
• Altiga Networks VPN Concentrators, Models C10 through C60
• Cisco VPN 3002 Hardware Client
The following table lists the minimum and recommended memory amounts for each VPN Concentrator platform.
Note
Failure to use the recommended amount of memory results in reduced WebVPN session capacity.
Platform   Minimum Memory (MB)   Highly Recommended for WebVPN (MB)
3005       32                    64
3015       128                   256
3020       256                   256
3030       128                   512
3060       256                   512
3080       256                   512
Note
For models 3030 through 3080, the SEP-E encryption card provides significantly better performance than the original SEP module. The Model 3020 uses only SEP-E.
After configuring and rebooting the VPN 3005 Concentrator, it may reboot continuously, displaying a Malloc() failed assert error on the console port. The following is an example of the error:
>> Malloc() failed - CPC = 0x00543518 TID = 0x00020000 Buffer = 0x00000020
Size = 984
Platform Files
Release 4.1.x contains three binary files, one for each of the following platforms:
Files beginning with...   Support
vpn3000-                  VPN Concentrator 3015 through 3080 platforms
vpn3005-                  VPN Concentrator 3005 platform (only)
vpn3002-                  VPN 3002 Hardware Client (only)
• Files beginning with vpn3000- support the VPN Concentrator 3015 through 3080 platforms.
• Files beginning with vpn3005- support the VPN Concentrator 3005 platform only.
• Files beginning with vpn3002- support only the VPN 3002 Hardware Client.
Caution
Be sure you install the correct file for the platform you are upgrading.
Upgrading to Release 4.1.x
This section contains information about upgrading from earlier releases to Release 4.1.x.
When upgrading VPN Concentrator releases, you must clear the cache in your browser to ensure that all new screens display correctly when you are managing the VPN Concentrator.
Note
You must also log in and click "Save Needed" to add new Release 4.1.x parameters to the configuration file. These new Release 4.1.x parameters are added to the running configuration as soon as you set them, but they are not added to the saved configuration until you click the "Save Needed" or "Save" icon in the VPN Concentrator Manager.
Upgrading to a new version of the VPN Concentrator software does not automatically overwrite the existing configuration file. Configuration options for new features (for example, IKE proposals) are not automatically saved to the configuration file on an upgrade. The HTML Manager displays "Save Needed" (rather than "Save") to indicate that the configuration needs to be saved. If the configuration is not saved, then on the next reboot, the new configuration options are added again. If you need to send the configuration file to the TAC, save the running configuration to the configuration file first.
Before You Begin
Before you upgrade to this release, back up your existing configuration to the flash and to an external server. This ensures that you can return to the previous configuration and software if you need to.
Be aware of the following considerations before you upgrade. These are known product behaviors, and your knowing about them at the beginning of the process should expedite your product upgrade experience. Where appropriate, the number of the caveat documenting the issue appears at the end of the item. See Open Caveats for VPN 3000 Series Concentrator for a description of using this number to locate a particular caveat.
Release 4.1.x of the VPN Concentrator software contains several features that interact with corresponding new features in the Release 4.6 and Release 4.0.x versions of the VPN Client and Release 4.0.x of the VPN 3002 Hardware Client software. To get the full benefit of this Concentrator release you should upgrade your client software to the latest release.
The VPN Concentrator software, Release 4.1, does operate with VPN Client and VPN 3002 Hardware Client versions 3.6, 4.0, and 4.6. If you are using a VPN 3002 or VPN Client version earlier than Release 3.6, you should upgrade to one of these newer versions to take full advantage of the new features.
• If you are upgrading from Release 3.0 to Release 4.1.x and you are using the "Group Lookup" feature, you must manually set Group Lookup after the upgrade. To enable this feature, go to Configuration | System | General | Authentication and select the Enable check box (CSCdu63961).
• To use the VPN Client, Release 3.0 or higher, you must upgrade the VPN Concentrator to Release 3.0 or higher. The VPN Client, Release 3.0 or higher, does not operate with the VPN Concentrator version 2.5 or earlier versions.
• Do not update the VPN Concentrator when the system is under heavy use, as the update might fail (CSCdr61206).
Use the following backup procedure to ensure that you have a ready backup configuration.
Backing Up the Existing Configuration to the Flash
1. Go to Administration | File Management | Files.
2. Select the configuration file and click Copy.
3. Enter a name for the backup file (in 8.3 format; for example, name it CON41BAK.TXT).
You have now backed up the existing configuration to the flash.
Backing Up the Existing Configuration to an External Server
You should also back up the configuration to a server. You can do this in many ways, one of which is to download the file using your web browser from the HTML interface (VPN Concentrator).
You can now upgrade the software with assurance that you can return to your previous firmware using your previous configuration.
Note
After upgrading, be sure to clear the cache on your browser. Release 4.1.x adds features, enhances HTML page layouts, and deletes cookies. Clearing your browser cache ensures that everything displays correctly and uses the new features and layout.
Enable Client Password Storage at VPN 3000 to Save VPN 3002 Password
VPN 3002 Hardware Client now abides by the VPN 3000 Concentrator setting for Allow Password Storage on Client sent during the last connection attempt. If this checkbox is cleared in VPN 3000 Concentrator configuration, associated VPN 3002 Hardware Clients running Release 4.1 or higher delete the user password when they are powered down. Previously, this setting applied only to software clients. See VPN 3002 Password Storage Enhancement, for more information.
If you want to preserve the current behavior of VPN 3002 Hardware Clients, that is, retain passwords between reboots, do the following steps while running your current software release before you upgrade a VPN 3002 Hardware Client to Release 4.1.x:
Step 1: On the central-site VPN 3000 Concentrator (Release 3.5 or higher) associated with the VPN 3002 Hardware Client, check the Allow Password Storage on Client checkbox on the Client Config tab of the Configuration | User Management | Base Group (or Group | Modify) screen.
Step 2: Back up your current VPN 3002 Hardware Client image.
Step 3: Perform the upgrade to Release 4.1.x on the VPN 3002 Hardware Client.
HTTP/HTTPS Management Configuration after Upgrading to Release 4.1.x
By default, HTTP(S) management is enabled only on the private interface. To manage the VPN Concentrator through the public or external interfaces after upgrading to Release 4.1.1 or later, you must explicitly enable HTTPS/HTTP management on the WebVPN tab of the Configuration | Interfaces | Ethernet screen for the public or external interface.
Configure this using Telnet or HTTP(S) access via the private interface, or through the console CLI. Set the parameter "Allow Management HTTPS sessions" on the WebVPN tab of the Configuration | Interfaces | Ethernet screen (CSCec37514).
Repairing the CompactFlash in the VPN 3005 Series Concentrator
Because of a manufacturing process problem, some VPN 3005 Concentrators might have corrupted file systems. This defect might result in failure to save certificates and configuration files. The affected VPN 3005 Concentrators include, but are not limited to, those with serial numbers in the range CAM0708xxxx through CAM0750xxxx, where xxxx is a unique suffix for each Concentrator (CSCed68739, CSCed72955).
Release 4.1.x automatically detects this problem if it exists on your VPN 3005 Concentrator, but you must do the following procedure to repair the underlying file corruption on the corrupted CompactFlash on a VPN 3005 Concentrator that is running Release 4.1.x:
Step 1: Save the configuration file locally.
Step 2: Back up all necessary files to a remote host.
Step 3: From the CLI prompt, navigate through the menus to Administration > File Management > Reformat Filesystem.
Step 4: At the prompt, type YES.
Step 5: Reload the configuration.
Step 6: Reinstall the certificates.
Note
If you perform this repair procedure, there is no need to replace the CompactFlash card in your VPN 3005 Concentrator.
Downgrading from Release 4.1.x
If you need to return to a release prior to Release 4.1.x, do the following:
Step 1: Reload the firmware for the desired release. (Do not reboot yet.)
Step 2: Make a copy of the existing configuration file and give the copy a new name (for example, rename it as CON41xBK.TXT).
Step 3: Delete "CONFIG".
Step 4: Copy the previously saved backup file (for example, CON41yBK.TXT) to CONFIG. Do not click Save (otherwise, your original CONFIG file will be overwritten with the running configuration).
Step 5: Perform a software reset.
Your prior firmware and image are restored.
Note
After downgrading, the Concentrator may display errors such as, "SET validation Bad Value Error on alIkeProposalAuthMode.20." These errors are due to functions in the 4.1.5 software that are not present in earlier versions. You can ignore them.
Downgrading to Release 3.6 from a Release 4.0, 4.1, or 4.1.x Configuration Deletes Information from LAN-to-LAN Groups
A VPN Concentrator with more than 125 users and groups combined fails to terminate tunnels if the SEPs are not active. This is because a VPN Concentrator with no active SEPs is considered to be a model 3015, and model 3015 supports only 125 users and groups combined (CSCea51435).
This condition could unexpectedly arise if a VPN Concentrator with a SEP-E, running Release 4.0, 4.1, or 4.1.x is downgraded to Release 3.6. This would result in the problem, because the Release 3.6 does not support the SEP-E module. The SEP-Es are detected as unknown cards if present when running Release 3.6 code.
If you encounter a situation, for whatever reason, where you are trying to load a configuration with more users than are supported by the model, the following event appears on the console after a reboot:
*************************************************************
3 08/20/2004 14:03:16.260 SEV=3 CONFIG/32 RPT=1
SERVE Too Many Entries Error. Delete an entry before adding a new one.
*************************************************************
New Features in Release 4.1.7
This section describes the new features in Release 4.1.7 of the VPN 3000 Series Concentrator.
IP Address Re-Use Control
This release introduces the capability to control the length of time between when an assigned IP address for Remote Access VPN has been released and when the address becomes available in the address pool.
Configure the IP Reuse Delay timer on the Configuration | System | Address Management | Assignment screen. This field has a valid range of 0 to 480 minutes. The default is 0, which disables the delay feature. If you change the value to 0, all currently held IP addresses are released.
You should increase the size of your IP address pool before you configure the IP Reuse Delay timer, because activating this feature will increase the number of unavailable IP addresses at any given time.
Do not change this value very frequently or during periods of peak use; unexpected results could occur. Choose a value that matches the settings of your Cisco PIX Security Appliance. Too high a value may deplete your IP address pool.
You can view the number of addresses subject to delay at any particular time on the Monitoring | Statistics | Address Pools screen. A column labelled "Held" shows the total number of IP addresses being held for either Reuse Delay or Externally In Use status. Click a group name to view a detail page that lists the held internal IP addresses, the length of time remaining for each IP address to be held, and the reason each address is being held. Externally In Use addresses are held for 30 minutes.
About Externally In Use Addresses
When the VPN 3000 Concentrator assigns IP addresses from address pools on the local subnet, it sends an ARP message to see if the address it wants to assign is already being used. If the Concentrator receives an ARP reply, it sets a flag that marks that address as Externally In Use. After 30 minutes, Externally In Use settings for an address expire, and the address returns to the address pool. If the Concentrator again attempts to use the address, it sends another ARP request to re-check availability.
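The two hold mechanisms described above (the configurable IP Reuse Delay and the fixed 30-minute Externally In Use hold after an ARP reply) interact in ways that are easy to misjudge when sizing a pool. The following Python model is an added example, not Cisco code and not the Concentrator's implementation; it simulates a pool in minutes of clock time so you can see how many addresses are unavailable at a given moment. The `arp_probe` callback stands in for the Concentrator's ARP check and is an assumption of this model, and the rule that setting the delay to 0 releases Reuse Delay holds is taken from the page (whether it also clears Externally In Use holds is not stated, so this model leaves those in place).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

EXTERNAL_HOLD_MINUTES = 30   # page: Externally In Use addresses are held for 30 minutes
REUSE_DELAY_MAX = 480        # page: valid range of the IP Reuse Delay timer is 0 to 480


@dataclass
class Hold:
    expires_at: float        # simulated clock value (minutes) at which the hold lapses
    reason: str              # "Reuse Delay" or "Externally In Use", as on the Held detail page


class AddressPool:
    """Model of one address pool with Reuse Delay and Externally In Use holds."""

    def __init__(self, addresses: Iterable[str], reuse_delay_minutes: int = 0,
                 arp_probe: Optional[Callable[[str], bool]] = None) -> None:
        if not 0 <= reuse_delay_minutes <= REUSE_DELAY_MAX:
            raise ValueError("IP Reuse Delay must be between 0 and 480 minutes")
        self.free: List[str] = list(addresses)
        self.assigned: set = set()
        self.held: Dict[str, Hold] = {}
        self.reuse_delay = reuse_delay_minutes
        # Hypothetical hook: returns True when an ARP reply is seen for the address.
        self.arp_probe = arp_probe or (lambda ip: False)
        self.clock = 0.0

    def advance(self, minutes: float) -> None:
        """Move the simulated clock forward and return expired holds to the pool."""
        self.clock += minutes
        for ip, hold in list(self.held.items()):
            if hold.expires_at <= self.clock:
                del self.held[ip]
                self.free.append(ip)

    def set_reuse_delay(self, minutes: int) -> None:
        """Change the timer; a value of 0 releases the Reuse Delay holds immediately."""
        if not 0 <= minutes <= REUSE_DELAY_MAX:
            raise ValueError("IP Reuse Delay must be between 0 and 480 minutes")
        self.reuse_delay = minutes
        if minutes == 0:
            for ip, hold in list(self.held.items()):
                if hold.reason == "Reuse Delay":
                    del self.held[ip]
                    self.free.append(ip)

    def assign(self) -> Optional[str]:
        """Hand out the next free address, skipping any that answers ARP."""
        while self.free:
            ip = self.free.pop(0)
            if self.arp_probe(ip):
                # Someone else on the subnet owns it: hold it for 30 minutes, then re-check.
                self.held[ip] = Hold(self.clock + EXTERNAL_HOLD_MINUTES, "Externally In Use")
                continue
            self.assigned.add(ip)
            return ip
        return None   # pool exhausted (free and held addresses both count as unavailable)

    def release(self, ip: str) -> None:
        """Session ended: either hold the address for the delay or free it at once."""
        self.assigned.remove(ip)
        if self.reuse_delay > 0:
            self.held[ip] = Hold(self.clock + self.reuse_delay, "Reuse Delay")
        else:
            self.free.append(ip)

    def held_report(self) -> List[Tuple[str, float, str]]:
        """(address, minutes remaining, reason), like the Held detail page."""
        return sorted((ip, h.expires_at - self.clock, h.reason) for ip, h in self.held.items())

    def held_count(self) -> int:
        return len(self.held)


def demo() -> dict:
    """Constructed scenario: a 3-address pool, one address already in use on the subnet."""
    external = {"10.1.1.2"}   # constructed: a host that answers ARP for this address
    pool = AddressPool(["10.1.1.1", "10.1.1.2", "10.1.1.3"], reuse_delay_minutes=10,
                       arp_probe=lambda ip: ip in external)
    first = pool.assign()                  # 10.1.1.1
    second = pool.assign()                 # 10.1.1.2 answers ARP and is held; 10.1.1.3 is given out
    pool.release(first)                    # goes on Reuse Delay for 10 minutes
    held_after_release = pool.held_report()
    exhausted = pool.assign()              # nothing free: both remaining addresses are held
    pool.advance(10)                       # Reuse Delay lapses
    after_delay = pool.assign()            # 10.1.1.1 is reusable again
    pool.advance(20)                       # clock 30: the Externally In Use hold lapses
    after_external = pool.assign()         # re-probed, still answers ARP, held again -> None
    return {"first": first, "second": second, "held_after_release": held_after_release,
            "exhausted": exhausted, "after_delay": after_delay,
            "after_external_expiry": after_external, "final_held": pool.held_report()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the sizing advice in the text: with a 10-minute delay, a pool of three addresses was exhausted after only two sessions, so the delay you choose effectively subtracts the number of recently released addresses from your usable pool for that many minutes.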
Outlook Web Access (OWA) 2003 Support
The initial release of WebVPN provided support for Outlook Web Access (OWA) 2000. OWA 2003 introduced new tags, attributes, and objects, which are now supported with Release 4.1.7.
You can now use Outlook Web Access (OWA) through WebVPN to a Microsoft Exchange 2003 server.
You must use Internet Explorer version 6.0 or higher with this feature. Netscape and Mozilla browsers are not supported.
Note
Be sure to fill in all required fields on an OWA Task page before clicking "Save and Close," or an error will result. This is not a VPN Concentrator defect (CSCef39886).
New Features in Release 4.1.6
This section describes the new features in Release 4.1.6 of the VPN 3000 Series Concentrator.
Browser Proxy Support for Internet Explorer on Windows
The VPN Concentrator supports configuration of a Web browser proxy for Internet Explorer on Windows platforms. This feature can automatically configure the corporate network Web proxy settings for Cisco VPN Client users, thus eliminating the need for manual adjustment by end-users. These settings also revert automatically.
If your corporate network requires Web browser proxies, you can configure how Cisco VPN Clients are automatically adjusted. Navigate to the Client Config tab of the Configuration | User Management | [Base] Group screen to make changes.
On this tab, you can configure IE Proxy Server Policy (whether and how to use a proxy setting), IE Proxy Server (the server name or address and port), IE Proxy Server Exception List (specific sites that are not accessed through a proxy server), and whether to Bypass Proxy Server for Local Addresses.
• IE Proxy Server Policy — Choose one of the available options:
  – Do not modify proxy settings: Leave the HTTP proxy server setting in Internet Explorer, whether active or unconfigured, unchanged for client PCs.
  – No Proxy: Disable the HTTP proxy server, if any, configured in Internet Explorer on client PCs.
  – Auto Detect Proxy: Set Internet Explorer on the client PCs to use the automatic proxy detection feature.
  – Use proxy server/port listed below: Set the HTTP proxy server setting in Internet Explorer on client PCs according to values you configure in the IE Proxy Server field on this configuration screen.
• IE Proxy Server — Type the proxy server name or IP address and port number for use by the Internet Explorer browser on Windows client PCs. Separate the name or IP address from the port number with a colon (:). Make sure that the Use proxy server/port listed below radio button is selected in the section above.
• IE Proxy Server Exception List — If desired, enter a list of domain names or specific addresses that should not be accessed through a proxy server. You can use wildcards. Enter each exception on a single line.
• Bypass Proxy Server for Local Addresses — Check this box to allow local requests (addresses inside the corporate network) to bypass the proxy server.
Cisco VPN Client Release 4.6 Support
This release supports the Cisco VPN Client, Release 4.6. Release 4.1.6 of the VPN 3000 Series Concentrator is required to use the new features in the Cisco VPN Client Release 4.6 software.
VPN Client Automatic Update
One of the new features of the Cisco VPN Client is automatic updating of the VPN Client software from the VPN Concentrator. No changes were made to the VPN Concentrator interface for this capability; configure this feature on the Configuration | User Management | Groups | Client Update screen. For more information, refer to the VPN Client Administrator's Guide, Chapter 3, and the Release Notes for VPN Client, Release 4.6.00.
Mutual Group Authentication Support
The VPN 3000 Series Concentrator supports mutual group (hybrid) authentication. You can configure RSA Digital Certificate (HYBRID) or DSA Digital Certificate (HYBRID) as the Authentication Mode for an IKE proposal on the Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy screen. In addition, the following default IKE proposals are now available:
• HYBRID_AES256_SHA_RSA_DH5
• HYBRID_AES256_SHA_RSA_DH2
• HYBRID_AES192_SHA_RSA_DH2
• HYBRID_3DES_SHA_RSA_DH5
• HYBRID_3DES_SHA_RSA_DH2
• HYBRID_AES128_SHA_RSA_DH2
• HYBRID_3DES_MD5_DH5
• HYBRID_3DES_MD5_DH2
The minimum VPN Client required to use this feature is VPN Client Release 4.0.5. This support first appeared in Concentrator Release 4.1.4.
New Features in Release 4.1.5
This section describes the new features in Release 4.1.5 of the VPN 3000 Series Concentrator.
Lotus iNotes Support
In this release, WebVPN supports the Lotus iNotes application. Cisco tested iNotes with Lotus Domino Server version 6.0.3.
Note
You cannot add or read an e-mail attachment when the Active-X control is loaded. To avoid this problem, remove the iNotes Active-X control from the C:\winnt\DownloadedProgramFiles directory (it appears as an iNotes Class). If you have never run iNotes, do not download the Active-X control when prompted to do so upon first running iNotes (CSCee49447).
Outlook Web Access through WebVPN
You can now use Outlook Web Access (OWA) through WebVPN. OWA 5.5 and Exchange 5.5 are supported. All browsers that are compatible with both WebVPN and OWA are supported.
WebVPN Pages
New options are available for customizing the WebVPN login and logout pages. The following fields appear on the Configuration | Tunneling and Security | WebVPN | Home Page screen:
• Logout Message — You can create a message that users see on their screen when they terminate their WebVPN session.
  – To accept the default message, "Your session has been terminated," skip this field.
  – To create your own message, overwrite the existing text. Your message can be up to 255 characters.
• Login Prompt — You can create a custom login prompt, maximum 16 characters. To change the prompt, overwrite the default text, "Username."
• Password Prompt — You can create a custom password prompt, maximum 16 characters. To change the prompt, overwrite the default text, "Password."
Default Home Page
You can now configure a default homepage to display to a group, rather than the default WebVPN page, if desired. The Homepage field is available on the Configuration | User Management | Base Group/Group | WebVPN tab. Enter a default web page to display to members of the group when they first connect. WebVPN displays this page instead of the default WebVPN page to the group.
WebVPN Toolbar
A floating toolbar is now available to simplify the use of WebVPN. The toolbar lets you enter URLs, browse file locations, and choose pre-configured web connections without interfering with your main browser window. A sample screen is shown below.
Note
Clicking the Home icon when viewing certain web pages, such as Hotmail.com and CNN.com, opens a new browser window. This is because these sites rename the WebVPN browser window as part of how they function.
New Features in Release 4.1.4
This section describes the new features in Release 4.1.4 of the VPN 3000 Series Concentrator.
Outlook/Exchange Proxy Support (MAPI)
Release 4.1.4 supports the Outlook/Exchange (MAPI) Proxy for Microsoft Exchange e-mail, with specific versions of Outlook and Exchange. The following are supported:
• Exchange 2000
• Exchange 2003
• Outlook 2000
• Outlook XP
The following are not supported:
• Outlook 2003 (with any version of Exchange Server)
• Exchange 5.5
To enable Outlook/Exchange Proxy, navigate to Configuration | User Management | Base Group or Groups, click the WebVPN tab, and check the box marked Enable Outlook/Exchange Proxy.
To use Outlook/Exchange Proxy, the client machine must make a connection to the Exchange server before making one through WebVPN.
New Features in Release 4.1.3
This section describes the new features in Release 4.1.3 of the VPN 3000 Series Concentrator.
RADIUS-IETF Attributes Enforced via LDAP Authorization
The following LDAP attributes and their types have been implemented (CSCed51764):
New Features in Release 4.1
This section describes the new features in Release 4.1 of the VPN 3000 Series Concentrator. For detailed instructions about how to configure and use these features, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Management.
Client OS/Version Type Access Control
For connections other than WebVPN connections, an administrator can restrict remote access connections to supported client types and software versions. This applies to all EZ-VPN clients. For example, an administrator might permit only Windows 2000 users to connect into the network using Internet Explorer 6.0, Service Pack 1, while denying other platforms or versions.
LAN-to-LAN Enhancements for Network Lists
Administrators can create a network list for a LAN-to-LAN connection from the Configuration | IPSec | LAN-to-LAN | Add/Modify pages.
PING Enhanced
By default, issuing the PING command now sends five 100-byte ICMP echo requests with the ICMP data set to the pattern of 0xABCD and a timeout of 2 seconds. Both the Manager and the CLI display status with characters repeated equal to the number of ICMP requests as follows:
• ! — Response received correctly.
• . — Timeout waiting for Ping reply.
• C — Data did not match.
• U — An ICMP unreachable was received.
The VPN Concentrator also calculates and displays the minimum, average, and maximum round-trip time for responses.
Traceroute
The VPN 3000 Concentrator and VPN 3002 Hardware Client now support the traceroute command. This command maps the route that packets take to reach a destination IP address; it helps troubleshoot network connectivity problems. The traceroute command requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.1 or higher.
Caution
If you do not have the correct version of JRE installed, do not attempt to run Traceroute. Running Traceroute without JRE terminates the admin session.
VPN 3002 Password Storage Enhancement
Previously, VPN 3002 Hardware Clients always stored password information locally. With Release 4.1, hardware clients follow the setting for Allow Password Storage On Client that previously applied only to software clients.
With this enhancement, central-site administrators can now control whether passwords are stored on VPN 3002 Hardware Clients upon power-down of those clients. This feature provides additional security if a device is physically removed from its location.
Note
Even if you disallow saved passwords, passwords are retained between disconnects and tunnel re-establishment unless a power-down is also involved.
To take advantage of this enhancement, install Release 4.1.x software on the VPN 3002 Hardware Client. On the central-site VPN 3000 Concentrator (Release 3.5 or higher), clear the Allow Password Storage On Client checkbox on the Client Config tab of the Configuration | User Management | Groups | Modify screen (this checkbox is clear by default). Reboot the VPN 3002 Hardware Client to make the change take effect.
Note
The initial reboot required after upgrading the VPN 3002 Hardware Client to Release 4.1 activates this feature, but does not delete the password. Subsequent reboots delete the password. Note this distinction in your planning.
If you want to allow stored passwords on VPN 3002 Hardware Clients, check the checkbox on the VPN 3000 Concentrator (Release 3.5 or higher) configuration screen and enter the password on the IPSec tab of the VPN 3002 Hardware Client Configuration | System | Tunneling Protocols screen. See also the "Enable Client Password Storage at VPN 3000 to Save VPN 3002 Password" section of this document.
VPN 3020 Concentrator
The VPN Concentrator Series now includes the VPN 3020 Concentrator, which has these specifications:
• Support for 750 simultaneous remote access IPSec sessions or 200 simultaneous WebVPN sessions. (For information about the maximum number of simultaneous IPSec and WebVPN sessions, see the "Maximum Active Sessions: WebVPN or IPSec, PPTP, and L2TP/IPSec" section.)
• 256 MB memory.
• One SEP-E module for hardware-based encryption.
• Single power supply.
• Expansion capabilities:
  – One additional SEP-E module for redundancy.
  – Optional redundant power supply.
The VPN 3020 Concentrator is not upgradable to a 3030, 3060, or 3080 model.
WebVPN
WebVPN lets users establish a secure, remote-access VPN tunnel to a VPN Concentrator using a web browser. There is no need for either a software or hardware client (IPSec or PPTP-based). WebVPN provides easy access to a broad range of enterprise applications, including web resources, web-enabled applications, NT/Active Directory (AD) file shares (web enabled), e-mail, and other TCP-based applications from any computer connected to the Internet that can reach HTTP(S) Internet sites.
WebVPN uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and specific, supported internal resources at a central site. The VPN Concentrator recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.
Note
WebVPN is supported only on the VPN 3000 Series Concentrator models 3005 through 3080 and on Altiga Networks VPN Concentrators, Models C10 through C60. The VPN 3002 Hardware Client does not support WebVPN.
The network administrator provides access to WebVPN resources to users on a group basis. For Release 4.1 these features include:
• E-mail Proxies enable e-mail through Post Office Protocol version 3 over SSL (POP3S), Internet Message Access Protocol version 4 over SSL (IMAP4S), and Simple Mail Transfer Protocol over SSL (SMTPS) proxies.
• Outlook/Exchange E-mail (Messaging Application Programming Interface (MAPI)) Proxy lets remote users use Outlook Exchange e-mail, provided there is an Outlook client on the computer they are using. Outlook Exchange e-mail requires Java 1.4.1 or higher.
• Port Forwarding (Application Access) requires Java 1.4.1 or higher.
• Windows File Access provides access to files on pre-configured file servers, or file browsing on the network.
Note
For security reasons, we strongly recommend that WebVPN users at least log out of WebVPN when done using it, and preferably that they close their browser window when done.
For more information about WebVPN, refer to the "WebVPN Considerations" section under the "Usage Notes" section of these Release Notes.
Configuring WebVPN
For information about how to set up WebVPN, refer to VPN 3000 Series Concentrator Reference Volume I: Configuration, Appendix A, "Configuring WebVPN."
For information about the maximum number of sessions available when using WebVPN, refer to the "Maximum Sessions" section of these Release Notes.
SSL Certificate for Each Interface
As of Release 4.1, each interface has an SSL certificate associated with it for HTTPS management and WebVPN purposes. The interface SSL certificates, if non-existent, are automatically generated when the VPN Concentrator reboots.
In addition, a load balancing SSL certificate is automatically generated when load balancing is enabled, and likewise is automatically deleted if load balancing is disabled.
Note
Please verify that you have a valid SSL certificate on the interface for which you plan to use secure HTTPS management or WebVPN access.
VPN Concentrator Login Change (Release 4.1 and higher)
To log in to the VPN Concentrator Manager using an interface on which WebVPN is enabled, administrators must now enter the interface IP address, followed by the string "/admin"; for example, 192.168.1.1/admin.
WebVPN end users log in by entering just the IP address of the VPN Concentrator; for example, 192.168.1.1.
Zone Labs Integrity: Permit/Deny on Failure and Support for Multiple Servers
For IPSec connections only, Release 4.1 adds the option to open the private network (Fail Open) or terminate the tunnel (Fail Closed) when the Integrity server is unavailable during a connection attempt. Previously, if the Zone Labs Integrity server was unavailable when a user connected, the user was given access to the network.
Administrators can now configure a list of up to five Integrity Servers from which the VPN Concentrator will accept a connection. If the active one becomes unavailable, another Integrity server can initiate a connection. If that server is on the configured list, the Concentrator authenticates users to that server.
Changes in Release 4.1
The following sections list functions that behave differently in Release 4.1 from the way they did in earlier releases.
HTTPS Filter Rule Changes
Upgrading to Release 4.1 affects enforcement of previously configured filter rules for HTTPS. When you enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on an interface, you might create conflicts with previously configured filter settings.
For example, in Release 4.0 a VPN Concentrator has two HTTPS rules (HTTPS In/Out) on the public interface that allow HTTPS traffic to and from PC 1 on the public network.
The Release 4.0 VPN Concentrator enforces these filter rules as follows:
Rule 1. Allow HTTPS In/Out for PC 1.
Rule 2. Drop all other HTTPS traffic (the default action).
When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:
Rule 1. Allow HTTPS in/out for PC 1.
Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
Rule 3. Drop all other HTTPS traffic (the default action).
Rule 2 prevents Rule 3 from ever being enforced. Any PC on the public network can use HTTPS in or out of the VPN Concentrator.
With Release 4.1, you must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:
Rule 1. Allow HTTPS In/Out for PC 1.
Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).
Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
Rule 4. Drop all other HTTPS traffic (the default action) (CSCec72348).
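As an added illustration (not part of the release notes and not Cisco's filter implementation), the following Python models a filter as a first-match rule list with Cisco-style wildcard masks and replays the three rule orderings above, reporting which public hosts reach the HTTPS service and which rules can never fire. The PC 1 and other-host addresses are constructed.

```python
"""Worked example of the HTTPS filter-rule ordering described above.

Added illustration, not Cisco's code: a filter is modelled as a
first-match rule list with wildcard masks (1 bits are "don't care"),
and the three orderings from this section are replayed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "drop"
    src: str          # source address the rule applies to
    wildcard: str     # wildcard mask; 255.255.255.255 matches any address

    def care_bits(self) -> int:
        return 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))

    def src_int(self) -> int:
        return int(IPv4Address(self.src))

    def matches(self, addr: str) -> bool:
        care = self.care_bits()
        return (int(IPv4Address(addr)) & care) == (self.src_int() & care)


def evaluate(rules, addr):
    """Return (action, rule name) for the first rule that matches addr."""
    for rule in rules:
        if rule.matches(addr):
            return rule.action, rule.name
    raise ValueError("rule list must end with a default rule")


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    matches every address they match (for example, anything after a match-all)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            care = earlier.care_bits()
            covers = (care & later.care_bits()) == care
            same_prefix = (earlier.src_int() & care) == (later.src_int() & care)
            if covers and same_prefix:
                out.append(later.name)
                break
    return out


PC1 = "198.51.100.10"    # constructed address standing in for "PC 1"
OTHER = "203.0.113.77"   # constructed address for any other public host

ALLOW_PC1 = Rule("Allow HTTPS In/Out for PC 1", "allow", PC1, "0.0.0.0")
DENY_OTHERS = Rule("Disallow every other PC", "drop", "0.0.0.0", "255.255.255.255")
ALLOW_MGMT = Rule("Allow Management/WebVPN HTTPS sessions", "allow", "0.0.0.0", "255.255.255.255")
DEFAULT_DROP = Rule("Drop all other HTTPS traffic (default)", "drop", "0.0.0.0", "255.255.255.255")

RELEASE_40 = [ALLOW_PC1, DEFAULT_DROP]                                 # before the upgrade
RELEASE_41_UPGRADED = [ALLOW_PC1, ALLOW_MGMT, DEFAULT_DROP]            # after enabling the parameters
RELEASE_41_FIXED = [ALLOW_PC1, DENY_OTHERS, ALLOW_MGMT, DEFAULT_DROP]  # with the explicit deny


def who_can_connect(rules, hosts=(PC1, OTHER)):
    """Map each host to the action the filter takes for its HTTPS traffic."""
    return {host: evaluate(rules, host)[0] for host in hosts}


if __name__ == "__main__":
    for label, rules in [("Release 4.0", RELEASE_40),
                         ("Release 4.1 after upgrade", RELEASE_41_UPGRADED),
                         ("Release 4.1 with explicit deny", RELEASE_41_FIXED)]:
        print(f"{label}: {who_can_connect(rules)}; shadowed: {shadowed(rules)}")
```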
Maximum Sessions
The VPN Concentrator supports IPSec, PPTP, L2TP/IPSec, and WebVPN sessions, either singly or in combination. You can limit the number of simultaneous active sessions to fewer sessions than the VPN Concentrator could potentially support. For session limits, the VPN Concentrator groups IPSec, PPTP, and L2TP/IPSec sessions together. On the Configuration | System | General | Sessions screen, the Maximum Active Sessions parameter applies to the former, and the Maximum Active WebVPN Sessions parameter applies to WebVPN sessions.
While it might seem intuitive that lowering the maximum number of one type of session would let the VPN Concentrator support more of the other, that is not how the VPN Concentrator works. Artificially lowering the number of active sessions of either type in fact reduces the number of sessions of both types that the VPN Concentrator supports. The sections that follow provide examples.
Note
Cisco has tested and verified the default values of these parameters carefully, and recommends that you do not change them except with the advice of a member of our support team.
Maximum Active Sessions: WebVPN or IPSec, PPTP, and L2TP/IPSec
WebVPN sessions require significantly more VPN Concentrator resources than the other types; therefore, the table below lists them separately. It is important to recognize this difference when you configure a mixture of WebVPN and other types of secure sessions.
The VPN Concentrator hardware determines the maximum number of sessions supported, which therefore depends on the model. The table lists the maximum number of concurrently active WebVPN sessions or IPSec, PPTP, and L2TP/IPSec sessions that each model of the VPN Concentrator permits.
VPN Concentrator Model | MB Memory | WebVPN Sessions (No Other Sessions) (Default = Maximum) | IPSec, PPTP & L2TP Sessions (No WebVPN Sessions) (Default = Maximum) | Throughput (Mbps)¹
---------------------- | --------- | ------------------------------------------------------- | -------------------------------------------------------------------- | ------------------
3005 | 32 | 10 | 100 | 1
3005 | 64 | 50 | 200 | 1
3015 | 128 | 75 | 100 | 1.5
3020 with SEP-E | 256 | 200 | 750 | 9
3020 with SEP-E | 512 | 200 | 750 | 9
3030 with SEP-E | 128 | 100 | 1,500 | 9
3030 with SEP-E | 256 | 200 | 1,500 | 9
3030 with SEP-E | 512 | 500 | 1,500 | 9
3060 with SEP-E | 256 | 200 | 5,000 | 10.3
3060 with SEP-E | 512 | 500 | 5,000 | 10.3
3080 with SEP-E | 256 | 200 | 10,000 | 10.3
3080 with SEP-E | 512 | 500 | 10,000 | 10.3
¹ These throughput numbers reflect performance measured with web pages that force the VPN Concentrator to do a lot of processing. Throughput with binary data files, or files that require less inspection and processing, is approximately twice the throughput listed in this column.
The WebVPN numbers are based on standard capacity and performance tests that measure the VPN Concentrator's retrieval of web pages using WebVPN. Cisco used the following criteria to conduct these performance tests:
• A WebVPN session represents a single, logged-on TLS v1 WebVPN user encrypted with 3DES.
• Each user retrieves a web page up to once every 60 seconds.
• Users log in at the rate of one per second and pass data for the duration of the test.
• The benchmarked average retrieval time for the web page is less than or equal to 5 seconds.
• The contents of the tested web page include all of these formats: plain text, .gif files, .jpg files, URLs, and JavaScript files.
Maximum Active Sessions
You can limit the number of simultaneous IPSec, PPTP, and L2TP/IPSec active sessions to fewer sessions than the VPN Concentrator could potentially support.
A value of zero (0) in this field means that there is no artificial limit below the maximum number of sessions supported by the hardware. In other words, for a VPN Concentrator 3030, a 0 in this field (the default value) means that the maximum number of sessions is 1500.
Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of IPSec sessions on a VPN 3005 at 50, with 50 active IPSec sessions, the VPN Concentrator cannot accept even one WebVPN session, or any additional IPSec, PPTP or L2TP/IPSec sessions.
Maximum Active WebVPN Sessions
This specifies the maximum number of concurrently active WebVPN sessions permitted on this VPN Concentrator. Cisco recommends that you accept the default value.
Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of WebVPN sessions on a VPN 3060 to 95, with 95 active WebVPN sessions, the VPN Concentrator cannot accept even one IPSec session, or any additional WebVPN sessions.
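The following Python is an added model (not Cisco's code and not part of the release notes) of the admission behaviour described in the two subsections above, using the hardware maxima from the model table: it shows that once either configured value is reached, the Concentrator admits no new session of either type, which is why lowering one limit shrinks both pools.

```python
"""Session-admission model for the Maximum Sessions parameters.

Added illustration, not Cisco's code. IPSec/PPTP/L2TP sessions and
WebVPN sessions are counted against separate limits, but reaching
*either* limit blocks new sessions of *any* type. A parameter value of
0 means "no limit below the hardware maximum", as the text states.
"""
from dataclasses import dataclass

# (WebVPN maximum, IPSec/PPTP/L2TP maximum) per (model, MB memory),
# transcribed from the "Maximum Active Sessions" table above.
HARDWARE_MAX = {
    ("3005", 32): (10, 100),
    ("3005", 64): (50, 200),
    ("3015", 128): (75, 100),
    ("3020", 256): (200, 750),
    ("3020", 512): (200, 750),
    ("3030", 128): (100, 1500),
    ("3030", 256): (200, 1500),
    ("3030", 512): (500, 1500),
    ("3060", 256): (200, 5000),
    ("3060", 512): (500, 5000),
    ("3080", 256): (200, 10000),
    ("3080", 512): (500, 10000),
}

TUNNEL_TYPES = {"ipsec", "pptp", "l2tp"}   # grouped together for session limits


@dataclass
class Concentrator:
    model: str
    memory_mb: int
    max_active_sessions: int = 0   # Maximum Active Sessions (0 = hardware maximum)
    max_webvpn_sessions: int = 0   # Maximum Active WebVPN Sessions (0 = hardware maximum)
    tunnels: int = 0               # currently active IPSec/PPTP/L2TP sessions
    webvpn: int = 0                # currently active WebVPN sessions

    def limits(self):
        """Effective (tunnel limit, WebVPN limit) after applying both parameters."""
        hw_web, hw_tun = HARDWARE_MAX[(self.model, self.memory_mb)]
        tun = self.max_active_sessions or hw_tun
        web = self.max_webvpn_sessions or hw_web
        return min(tun, hw_tun), min(web, hw_web)

    def admit(self, kind):
        """Attempt to start a session of `kind`; return True if it is admitted."""
        lim_tun, lim_web = self.limits()
        # Reaching either configured value blocks every new session, per the notes.
        if self.tunnels >= lim_tun or self.webvpn >= lim_web:
            return False
        if kind in TUNNEL_TYPES:
            self.tunnels += 1
        elif kind == "webvpn":
            self.webvpn += 1
        else:
            raise ValueError(f"unknown session type {kind!r}")
        return True


def fill(conc, kind, count):
    """Start up to `count` sessions of `kind`; return how many were admitted."""
    return sum(conc.admit(kind) for _ in range(count))


if __name__ == "__main__":
    vpn3005 = Concentrator("3005", 64, max_active_sessions=50)
    print("3005 admitted IPSec sessions:", fill(vpn3005, "ipsec", 60))
    print("3005 accepts a WebVPN session now:", vpn3005.admit("webvpn"))
```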
Ratios of WebVPN to IPSec, PPTP and L2TP/IPSec Sessions
The values for maximum active sessions in the previous table imply a ratio of WebVPN to IPSec, PPTP and L2TP/IPSec sessions for each platform. You can use these ratios to plan and administer your network for VPN use.
Be aware that if you change the values for either of the Maximum Sessions parameters, you change the ratio for your WebVPN to other sessions on the VPN Concentrator.
The table below provides examples of how the Maximum Session and Maximum WebVPN Sessions parameters interact for a VPN 3030 Concentrator with maximum memory and SEP-Es.
When the number of active sessions reaches the configured value, the VPN Concentrator permits no further sessions of any type.
Telnet Over SSL Changes
Release 4.1 removes the functionality that allows you to make a Telnet over SSL connection to a VPN Concentrator. For a management session, we recommend using SSH instead of Telnet over SSL. While WebVPN port forwarding includes support for Telnet, you cannot use Telnet over SSL to a VPN Concentrator.
VPN 3005 Concentrator with 64 MB Memory Supports 200 IPSec or PPTP Sessions
In Release 4.1, a VPN 3005 Concentrator with 64 MB of memory supports up to 200 simultaneous remote access IPSec sessions.
To achieve this number, the VPN Client must either:
• Run 4.0 or later software, or
• Refrain from split tunneling if running pre-4.0 software.
A VPN 3002 Hardware Client must refrain from split tunneling.
Note
A VPN 3005 Concentrator with 32 MB of memory supports up to 100 IPSec or PPTP sessions.
Usage Notes
This section lists interoperability considerations and other issues to consider before installing and using Release 4.1 of the VPN 3000 Series Concentrator software.
WebVPN Considerations
WebVPN: Browser Caching and Security Implications
If you use WebVPN from a public or shared Internet system, such as at an Internet cafe or kiosk, delete all files that you saved on the PC during the WebVPN session after you terminate or log out of the session; these files are not removed automatically on disconnect. After logging out, also clear the browser's cache (CSCec78671).
Note
WebVPN does not save the content of Web pages viewed during the session. However, for additional security, we recommend that you also clear the browser's cache. Deleting content from a PC does not ensure that it cannot be recovered; please keep this in mind when downloading sensitive data.
WebVPN: Capture Tool
The WebVPN command-line interface (CLI) includes a capture tool that lets you log information about websites that do not display properly over WebVPN connections. The output of this tool helps your Cisco customer support representative troubleshoot problems.
To use this tool, you must have enabled WebVPN logging. (See "Monitoring | Event Log | Configure WebVPN Logging" in VPN 3000 Series Concentrator Reference Volume I: Configuration.) Use this tool to retrieve information about websites that do not display properly.
The output of the WebVPN capture tool consists of two files:
• mangled.001, mangled.002, and so on, depending on web page activity. The mangled files record the HTML actions of the VPN Concentrator as it transfers these pages over a WebVPN connection.
• original.001, original.002, and so on, depending on web page activity. The original files are the files that the requested URL's server sent to the VPN Concentrator.
Once the capture is done, it is important that you turn the capture tool off. To view these files, go to Administration | File Management.
For a complete description of how to use the WebVPN capture tool, see the Appendix, "Configuring the VPN Concentrator for WebVPN," in VPN 3000 Series Concentrator Reference Volume I: Configuration.
WebVPN: File Sharing Requires Both Username and Password
Windows 98 workgroups with password-protected shares are not accessible if access control for shared resources is configured at the share-level (CSCec23335).
WebVPN: Hostname Cannot Contain Underscore ( _ )
If the hostname of a VPN Concentrator contains an underscore ( _ ), and an Internet Explorer 6.0 SP1 web browser tries to establish a WebVPN connection to the VPN Concentrator, the subsequent login attempt fails.
The login page can be accessed even if there is an underscore in the FQDN (Fully Qualified Domain Name) but when the username and password is submitted, the following error is returned:
Cookies must be enabled to log in.
Although this same setup works if Mozilla is used, this behavior is not a problem on the part of the VPN Concentrator.
According to RFC 952, it might not even be a Microsoft problem but a misuse (illegal usage) of the character underscore as part of a hostname. The use of an underscore as part of the name of a host is not allowed (CSCed34985).
The following is an excerpt from the RFC:
A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). Note that periods are allowed only when they serve to delimit components of "domain style names". (See RFC 921, "Domain Name System Implementation Schedule", for background.) No blank or space characters are permitted as part of a name. No distinction is made between upper and lower case. The first character must be an alpha character. The last character must not be a minus sign or period. A host that serves as a GATEWAY should have "-GATEWAY" or "-GW" as part of its name.
See also the following links in the Microsoft Knowledge base:
http://support.microsoft.com/default.aspx?scid=kb;en-us;149044
http://support.microsoft.com/default.aspx?scid=kb;en-us;294217
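As an added example that is not part of the release notes, the following Python applies the RFC 952 rules quoted above to candidate VPN Concentrator hostnames (constructed) and reports every rule each one breaks, so an underscore is caught before it causes the login failure described in this section.

```python
"""RFC 952 host-name check for the rules quoted above.

Added example, not Cisco's code. Applies the RFC 952 restrictions
quoted in this section: letters, digits, minus sign and period only;
first character alphabetic; last character not a minus sign or period;
no blanks; at most 24 characters. Host names tested are constructed.
"""
import re

MAX_NAME_LEN = 24                       # limit as quoted from RFC 952 above
_ALLOWED = re.compile(r"[A-Za-z0-9-]")  # characters a name component may contain


def rfc952_problems(name):
    """Return a list of RFC 952 rules that `name` violates ([] if it is valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if any(ch.isspace() for ch in name):
        problems.append("contains blank or space characters")
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("first character is not a letter")
    if name[-1] in "-.":
        problems.append("last character is a minus sign or period")
    # Periods may only delimit components, so each component must be
    # non-empty and drawn from the permitted alphabet.
    for label in name.split("."):
        if label == "":
            problems.append("empty component (consecutive, leading or trailing period)")
            continue
        bad = sorted({ch for ch in label if not _ALLOWED.fullmatch(ch)})
        if bad:
            problems.append(f"illegal character(s) {bad} in component '{label}'")
    return problems


def is_valid_rfc952(name):
    return not rfc952_problems(name)


if __name__ == "__main__":
    for host in ("vpn-gw.example.com", "vpn_conc.example.com", "3005.example.com"):
        print(f"{host}: {rfc952_problems(host) or 'OK'}")
```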
WebVPN: HTTP and HTTPS on the Public and External Interfaces Are Disabled by Default
By default, HTTP and HTTPS on the public and external interfaces are disabled.
To enable both HTTP and HTTPS, you can access the CLI, use Telnet, or go through the private interface. HTTP and HTTPS are enabled or disabled together.
On the HTML (GUI) interface, go to Configuration | Interfaces | WebVPN tab, "Allow Management HTTPS Sessions," and check the check box.
In addition, you can allow or disallow access from certain IP addresses through Administration | Access Rights | Access Control List | Add or Modify (CSCec37514).
WebVPN: MeetingMaker and SofTracker Applications
MeetingMaker and SofTracker applications are not supported over WebVPN (CSCeb81114). More generally, WebVPN does not support via Port Forwarding any application that uses UDP.
WebVPN: Microsoft Distributed Files
WebVPN does support CIFS, but not Microsoft Distributed Files (CSCed86246).
WebVPN: Network Printers Located Behind VPN Concentrator
WebVPN does not support printing to a network printer located behind the VPN Concentrator. Printing over WebVPN is supported to all printers that the host/PC can reach outside of WebVPN (CSCec50393).
WebVPN: Port Forwarding (Application Access) Java Issues
Note
WebVPN Port Forwarding (Application Access) supports only Sun Microsystems Java. Microsoft Java is not supported.
The following issues exist with Port Forwarding (Application Access):
• To run Port Forwarding (Application Access), the client needs only the JRE portion of J2SE version 1.4.1 or greater.
Tip
We strongly suggest that you manually download the J2RE from java.sun.com instead of allowing the applet to do it automatically for you.
– The J2RE is only 10 MB.
– The J2SE is 90+ MB (CSCec33444).
• When users authenticate with certificates, the Port Forwarding (Application Access) Java applet does not work. Java cannot access the web browser's keystore and therefore cannot use the certificates that the browser used for user authentication (CSCec16732).
• When you click a link (for instance, one contained in an e-mail message), that link might open in the browser window that is running the Application Access Java applet, rendering Port Forwarding (Application Access) useless. Internet Explorer does not exhibit this behavior, but the Netscape and Mozilla browsers do, and they do not provide an option to prevent it (CSCec47541).
WebVPN: Port Forwarding Impaired by Some Pop-Up/Ad Blockers
With many pop-up/ad-blocking software packages, the Port Forwarding and Outlook/Exchange Mail window fails to pop up. Such ad blockers require adding the WebVPN portal page as a trusted site to allow the Port Forwarding and Outlook/Exchange Mail window to pop up when selected (CSCeb35674).
WebVPN: Port Forwarding Might Cause High CPU Use on Client PC
When using the Port Forwarding feature to transmit files at broadband and Ethernet throughput speeds, the downloaded Java Applet might use a high amount of system processing power on the Remote PC (CSCeb38638).
WebVPN: Port Forwarding Requires Windows XP SP2 Update
Windows XP users who install Service Pack 2 from Microsoft must also install a patch from Microsoft, or port forwarding will fail. The patch is available at the following address:
http://support.microsoft.com/?kbid=884020
This is a known Microsoft issue (CSCef61005).
WebVPN: Recommended Browsers
The following browsers are recommended for WebVPN URL browsing in the current release:
Operating System | Recommended Browser(s)
---------------- | ----------------------
Windows | Internet Explorer, Version 6.0, Service Pack 1; Netscape, Version 7.1; Mozilla, Version 1.4 and 1.5¹
Linux | Mozilla, Version 1.4 and 1.5¹; Netscape, Version 7.1
Solaris | Netscape, Version 7.1
Mac OS X² | Safari, Version 1.0
¹ The Mozilla Browser version 1.6 does not allow Application Access with WebVPN. Mozilla Browser versions 1.5 and 1.4 successfully start and interoperate with Application Access (CSCed62309).
² On Mac OS X, only Safari 1.0 supports all WebVPN features.
• Other browsers have not been fully qualified. Opera 7.11 is unsupported (CSCec18059), and Netscape 4.7x is not recommended. The Opera web browser on the Linux platform does not allow port forwarding through WebVPN. Even with the proper 1.4.1 Java, Opera for Linux does not function (CSCeb81453).
• Outlook Web Access (OWA) looks and behaves differently on browsers other than Internet Explorer 5.x or higher. This has nothing to do with the WebVPN connection; OWA uses features that are available only in IE 5.x or higher and not in other browsers (CSCec18088).
WebVPN: Refresh/Reload Page Using the Refresh Icon
Use the Refresh icon on the WebVPN toolbar to refresh/reload the page. Do not use the browser's Refresh/Reload button during a WebVPN session. Doing so causes the WebVPN session to drop to the home page if you are using Internet Explorer 6.0 SP1, and logs out the WebVPN session if you are using Netscape 7.x or Mozilla 1.4 and above (CSCed01739).
WebVPN: Requires Cookies
When cookies are disabled, WebVPN cannot operate properly. WebVPN requires the use of cookies (CSCeb58578).
If you delete the browser cookie named webvpn (all lowercase) during a WebVPN session, the WebVPN session will log out (CSCed55624).
WebVPN: Set Low Idle Timeout for WebVPN Users
If a browser is set to disable cookies, or prompts for cookie usage and the user denies them, the user does not connect from the client side, but the user still shows up in the Admin | Admin session | RAS database. If max logins is set to one, the user cannot log back in because the maximum number of connections has been exceeded. We recommend that the administrator set a low idle timeout for WebVPN users (CSCeb77581).
WebVPN: Solaris Port Forwarding Port Always Listening
On the Solaris platform, after using the WebVPN Port Forwarding feature, if the WebVPN connection is terminated or the Port Forwarding window closed, the workstation continues to listen on those ports. In addition, a new WebVPN connection with the same browser does not allow traffic through the forwarded ports. This occurs only on the Solaris platform.
Closing the browser entirely stops the opened ports from listening and allows new WebVPN connections to pass port forwarded traffic (CSCeb58582).
WebVPN: Stopping Application Access Correctly
Caution
You must close (quit) the Application Access window when you finish using Application Access.
If you shut down the computer without quitting this window, you might later have problems running these applications. You might be unable to access the application's host (such as your mail server). Starting Application Access modifies your hosts file, adding WebVPN-specific entries; quitting the Application Access window returns the file to its original state. For details, refer to VPN 3000 Series Concentrator Reference Vol. I: Configuration, Appendix B, "WebVPN End User Setup."
WebVPN: Uses VPN Concentrator Global Settings
WebVPN uses global authentication and authorization settings (Base Group), not the ones configured in the group.
Note
WebVPN supports all authentication methods (internal, RADIUS, SDI, Kerberos/Active Directory, certificates, NT Domain) except RADIUS with Expiry (CSCec38676).
In general, for Release 4.1 of WebVPN, most of the Group-based (and Base Group) parameters now available for IPSec/PPTP do not apply for WebVPN. The exceptions to this are the following:
• The WebVPN parameters available from the group's WebVPN tab apply.
• The Banner from the Client Config tab (CSCeb40901), the Authorization/DN field parameters in the Base Group, and the tunneling protocol in the General tab also apply to WebVPN sessions.
WebVPN does not use the DNS settings of the group with which it has connected; it follows the VPN Concentrator global DNS settings. This can confuse administrators when users assigned to the same group get different DNS results. Ensure that the global DNS settings of the Concentrator are configured properly by referring to VPN 3000 Series Concentrator Reference Volume I: Configuration (CSCed25396).
The following table shows what WebVPN supports:
Parameter | Group | Global/system-wide
--------- | ----- | ------------------
Authentication | No | Yes¹
Authorization | No | Yes
Accounting | Yes | Yes²
DNS | No | Yes
Server/URLs | Yes³ | Yes
Port Forwarding | Yes³ | Yes
Enable URL entry | Yes | Yes
¹ In this release, WebVPN does not support RADIUS with Expiry authentication (CSCec38676).
² If no accounting servers are defined in the group, the global/system servers are used, as they are for IPsec/PPTP.
³ Requires RADIUS authentication and a RADIUS server that sends back the Class attribute set to "OU=Group_name;" (including the semicolon, but without the quotes) to enforce these policy settings.
Note
The topmost active server in the list, independent of type, is used for authentication and authorization of WebVPN sessions. If authentication or authorization fails on the topmost server, subsequent servers in the list are not contacted for these tasks unless the topmost server is not reachable (for example, when the VPN Concentrator cannot establish a TCP/UDP connection to the server). Only then is the subsequent server in the list contacted to attempt authentication or authorization.
WebVPN: Websites That Exhibit Problems Using WebVPN Web Browsing
Some internal/corporate Web sites or applications launched through a URL do not function properly with WebVPN. If the site uses a static TCP port number, however, you can work around this issue by using the WebVPN Port Forwarding (Application Access) feature. Dynamic TCP ports are not supported.
The following is a sample configuration for a site, with its Port Forwarding parameters:
Name: My_Web_Site
Local Port: 3456 (for example, http(s)://127.0.0.x:3456 or http(s)://FQDN:3456), if using, for example, TCP port 3000 (for example, http://FQDN or http://127.0.0.x:3000)
Remote Server: 10.1.1.2 or fully-qualified domain name (FQDN)
Remote TCP Port: 3456 (for example, http(s)://127.0.0.x:3456 or http(s)://FQDN:3456), if using, for example, TCP port 80 (for example, http://FQDN or http://127.0.0.x:3000)
To use WebVPN to access this Web site, do the following:
Step 1
Establish a WebVPN session and launch the Port Forwarding (Application Access) applet.
Step 2
Open a browser and enter one of the following values in the Address field, based on the foregoing parameters:
• If using IP addresses, enter http(s)://127.0.0.x:3000
• If using the Domain Name Server, enter http(s)://FQDN
Alternatively, for Internet or external Web sites that do not function properly, use a web browser and avoid using SSL VPN (WebVPN).
Web Sites with Java or HTML Incompatibilities
The VPN 3000 WebVPN solution does not support web sites that use Macromedia Flash. Some sites even log out the WebVPN user when they encounter Flash introductory screens. Other sites might exhibit problems, but only selected websites have been tested.
Some sites do not work because of incompatibilities with their current JavaScript, Java, HTML, or Macromedia Flash content implementations (CSCeb78900, CSCec25478, CSCec49393, CSCec74334, CSCed05714). Such sites include the following:
www.avega.com, www.coors.com, www.hotmail.com, www.pwc.com, www.remax.com, and www.windowsupdate.microsoft.com.
Some Java Applets verify that the server used to download the Applet matches a list of pre-defined servers before allowing applet execution. When you try to access (proxy) such sites via the VPN 3000 WebVPN, you cannot download such applets. This results in those sites not displaying correctly or having missing information.
Web Sites with Application Issues
Other sites have application issues. Applications that have Java applets that generate HTTP requests do not function over WebVPN. For example, you cannot log in to the CiscoSecure ACS application for this reason (CSC78536).
Browser Interoperability Issues
The following describe known behaviors and issues with web browsers.
• Currently, the VPN Concentrator fully supports Netscape, Internet Explorer, and Mozilla for administrative use.
• Using other browsers might cause unacceptable behavior; for example, if you attempt to use an unsupported web browser to manage the VPN Concentrator, clicking any of the links might return you to the login screen (CSCdx87630).
• For best results, use a supported web browser when interacting with the VPN Concentrator. In particular, use a browser other than Opera if you want to use the Port Forwarding feature.
• When File Sharing is in use with Internet Explorer 5.5, clicking a file to open or save it might close the browser. The browser might also close when you click Cancel while opening or saving the file.
Microsoft has confirmed this problem with Internet Explorer 5.5. For more information, refer to the Microsoft Knowledge Base article at the following link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;275290&Product=ie
To work around this problem, use Save Target As (CSCec51902).
Internet Explorer Displays Security Information Warning When Launching Port Forwarding
Every time Port Forwarding (Application Access) is launched from Internet Explorer 6.0, an error occurs that manifests itself in a "Security Information" window to the user stating:
This page contains both secure and nonsecure items.
Do you want to display the nonsecure items?
This does not happen with Netscape 7.1 (CSCed25138).
Cisco Security Agent Blocks MAPI Proxy and Port Forwarding
When the Cisco Security Agent, Version 4.0, build 119, is installed on a PC system that is attempting to use port forwarding, in this case MAPI Proxy, the Cisco Security Agent blocks access to the TCP connection on port 80. If you are using the Cisco Security Agent, you must create a policy to allow access to 127.0.0.1 on the specified ports (CSCec06741).
Disable Group Lock When Using SDI or NT Domain Authentication
File Sharing Displays up to 2520 Servers/Domain or Workgroup
File Sharing currently displays only 2520 servers per domain or workgroup. For those that are not displayed, you can browse for a server by entering the name of the server in the Network Path entry box (CSCec73349).
File Sharing Share Names Can Be up to 12 Characters Long
With File Sharing, share names can be up to 12 characters in length. Share names longer than 12 characters are not displayed. This is a limitation of the CIFS protocol (CSCed21075).
"Group Strip" and "Strip Realm" Changes
The Group Lookup capability (for IPSec users) now has a switch called "Group Strip". This switch specifies whether to strip the group from the username when authenticating the username. The default behavior is to "Strip" the groupname.
In previous releases, internal authentication always stripped the groupname and external authentication relied on the "Strip Realm" setting with a group delimiter of '@' (! and # groups were not stripped).
If you are using group lookup with external user authentication and user authentication is now failing (following an upgrade), check your "Group Strip" and "Strip Realm" settings (CSCec20818).
IMAPS Proxy Opens Multiple Mail Server Sessions without Closing Them
Because of the way IMAP Clients function, VPN Concentrator Administrators and Mail Server Administrators can expect to see multiple sessions from the same source or client (for example, you might see that an IMAP Session is opened when checking mail and an IMAP Session is opened when synchronizing folders). This would result in two IMAPS Sessions listed in the session table on the VPN Concentrator from the same source and two IMAP Sessions on the Mail Server with a source IP address of the VPN Concentrator and the same mail user (CSCec18358).
Japanese Operating System Support
On Japanese Windows Operating Systems, WebVPN does not support the following applications:
• URL access containing Kanji characters
• File access if Kanji characters are in the file name or in the path
WebVPN does not support Japanese versions of Linux, Solaris, Mac OS. The rest of the VPN Concentrator Release 4.1 features, including those available since 4.0, are available on Japanese systems.
Native Kerberos Authentication
Beginning with Release 4.0, the VPN 3000 Series Concentrator supports authentication to Kerberos/Active Directory, which is the default authentication mechanism in Windows 2000 and Windows XP. Kerberos is an authentication protocol for use on untrusted networks. The protocol comprises two stages of authentication: the first is to a key distribution center (KDC), and the second is between each client and server.
To configure this feature, you must add a Kerberos authentication server on a group basis or add the server to the global authentication servers list and configure such parameters as server IP address, server port, number of retries, and so on. The IPSec group tab includes Kerberos as an authentication type, and statistical displays also include Kerberos authentication statistics.
Before you use the VPN Concentrator to authenticate a user to a Linux or Unix server running a Kerberos server, follow these steps:
Step 1
Check the keys available for the user you want to authenticate. Run:
kadmin.local -q "getprinc username"
Step 2
Make sure that "DES cbc mode with RSA-MD5, Version 5" is one of the available keys. If you do not see "DES cbc mode with RSA-MD5, Version 5", edit the kdc.conf file and add or move des-cbc-md5 selections to the beginning of the supported_enctypes = line. For example:
[realms]
    MYCOMPANY.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
    }
Step 3
Save the file. Then, restart the krb5kdc, kadmin, and krb524 services.
a.
To create the "DES cbc mode with RSA-MD5" keys, change the user's password:
kadmin.local -q "cpw -pw newpassword username"
Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server (CSCea20236).
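Steps 1 and 2 above as an added helper (not Cisco's or MIT Kerberos' code): it parses the key list that kadmin.local getprinc prints to check for the required key type, and rewrites the supported_enctypes line of kdc.conf so the des-cbc-md5 selections come first. The principal, realm and getprinc output are constructed samples.

```python
import re

# Constructed samples of `kadmin.local -q "getprinc <user>"` output (not real
# captures), in the long-form key descriptions older MIT krb5 releases print.
GETPRINC_MISSING_KEY = """\
Principal: jdoe@MYCOMPANY.COM
Expiration date: [never]
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 2, DES cbc mode with CRC-32, Version 5
"""
GETPRINC_HAS_KEY = """\
Principal: jdoe@MYCOMPANY.COM
Number of keys: 2
Key: vno 3, DES cbc mode with RSA-MD5, Version 5
Key: vno 3, DES cbc mode with CRC-32, Version 5
"""

# The key type this release's Kerberos authentication needs (Step 2). Single-DES
# enctypes are obsolete in current Kerberos deployments; the check only mirrors
# what the procedure above requires.
REQUIRED_KEY = "DES cbc mode with RSA-MD5, Version 5"
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*(.+?)\s*$")

# Entries Step 2 says must lead the supported_enctypes line.
DES_MD5_ENTRIES = ["des-cbc-md5:normal", "des-cbc-md5:norealm", "des-cbc-md5:onlyrealm"]


def principal_keys(getprinc_output):
    """Return [(kvno, enctype description), ...] parsed from getprinc output."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2)))
    return keys


def has_required_key(getprinc_output, required=REQUIRED_KEY):
    """Step 1 check: does the principal already hold the des-cbc-md5 key?"""
    return any(desc == required for _, desc in principal_keys(getprinc_output))


def promote_des_md5(kdc_conf_text):
    """Step 2 edit: rewrite every supported_enctypes line so the des-cbc-md5
    selections come first. Other selections keep their order, duplicates of
    the des-cbc-md5 entries are dropped, and all other lines are untouched."""
    out = []
    for line in kdc_conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "supported_enctypes":
            rest = [e for e in value.split() if not e.startswith("des-cbc-md5:")]
            out.append(f"{key.rstrip()} = {' '.join(DES_MD5_ENTRIES + rest)}")
        else:
            out.append(line)
    text = "\n".join(out)
    return text + "\n" if kdc_conf_text.endswith("\n") else text


if __name__ == "__main__":
    for sample in (GETPRINC_MISSING_KEY, GETPRINC_HAS_KEY):
        print("required key present:", has_required_key(sample))
```

After the kdc.conf edit the procedure still needs the service restarts and the password change from Step 3, which this helper does not perform.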
Outlook/Exchange Proxy E-Mail Considerations
On the Client side:
•
Outlook 2003 is not supported.
•
Upon launching the Java Applet, the user sees two connection entries relating to Outlook/Exchange E-Mail Proxy. One is the Exchange Server itself and the second is the MS Global Catalog Server. The Exchange Server and Global Catalog Server can be the same server or two different servers.
In the VPN 3000 Concentrator configuration:
•
The VPN 3000 Concentrator must be able to resolve the FQDN and the Net BIOS name of both the Global Catalog Server and the Exchange Server. This requires that the VPN 3000 Concentrator's DNS Server be configured for the Domain the aforementioned servers are located on.
It is no longer required that the Com Internet Proxy service be installed on the Exchange Server.
Password Expiry Does Not Change User Profile for LAN
To use Password Expiry (which is only for IPSec users), you must enable Start Before Logon on the VPN Client and possibly may need to make sure that DNS and WINS servers are properly configured (CSCdv73252).
Share Names Ending in $ Are Hidden Shares
With File Sharing, if a dollar sign ($) is used at the end of the share name, the shared folder is not displayed. Users also cannot browse this shared resource. This is the proper behavior. According to Microsoft, shares whose names end in the dollar-sign character (share$) are hidden shares. Users cannot browse these hidden shares (CSCed09634).
Windows ME with Norton Antivirus Blocks Port Forwarding
Port Forwarding (Application Access) does not work on a Windows ME PC that has Norton Antivirus loaded on it. When you attempt to load the Port Forwarding menu, Norton Antivirus prevents the Forwarded TCP Ports from being opened or might cause the PC to fail. This is a Norton Antivirus issue (CSCec18162).
Large Configurations Can Cause Memory Allocation Errors
With larger configurations that exceed the default memory (32MB), a memory allocation error might occur. After configuring and rebooting the VPN 3005 Concentrator, it may continuously reboot displaying a Malloc() failed assert error to the console port (CSCeh27648).
The field notice at the following URL has more information about this problem:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_field_notice09186a008010565e.shtml
Open Caveats for VPN 3000 Series Concentrator
Caveats describe unexpected behavior or defects in Cisco software releases. For your convenience, the open caveats specific to Release 4.1 appear first in this list. The second section lists open caveats that predate Release 4.1. Each list is sorted by identifier number. Both lists include any workarounds that are available. If no workaround is included, none exists.
Note
If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II on CCO, select Software & Support: Online Technical Support: Software Bug Toolkit or navigate to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
Open Caveats Specific to Release 4.1
The following problems are new with Release 4.1.
•
CSCeb38638
When using the Port Forwarding feature, under very high data transfer rates, the JAVA applet might run at greater than 50% CPU utilization. The faster the client PC's CPU, the less of an impact JAVA has on CPU utilization.
•
CSCeb59310
Groups defined with a large list (greater than 10) of WebVPN ACL entries that are erroneous or not DNS-resolvable cause the VPN Concentrator to consume all the CPU cycles as it tries to parse the ACLs entries. As a result, other tunnel establishment and HTTP(S) management sessions are denied.
Workaround:
Verify that the URLs used in the WebVPN ACL definitions are valid.
•
CSCeb86147
RC4-128 SSL encryption, although supported, is not recommended for WebVPN connections due to its very high CPU utilization rate. We recommend that customers use DES-56 or 3DES-168 for encryption, because these methods are hardware-based encryption, unlike RC4-128, which is software based.
•
CSCec03101
If the group drop-down tab is selected on the Monitoring Sessions page, when a monitoring refresh occurs, the main frame goes blank and stays blank even if the administrator selects different links in the left or top frames.
Workaround:
Do one of the following:
–
Logout/login
–
Right-click in the right frame and select "Refresh".
This behavior occurs only with IE 6.0. It has not been seen with IE 5.0, Netscape 4.78 or Netscape 6.2.
•
CSCec09317
The Master Browser Server option in NBNS is not functional. Name resolution currently works only when using a WINS server.
•
CSCec20414
In some cases, when an Outlook Web Access user is inviting attendees to a new calendar object, selecting the invite attendees button causes the page to reset. This occurs because the page has not loaded completely. To be sure the page has loaded completely when inviting attendees into a new calendar object, check that the calendar object's start and end time dropdowns have been populated with the current date and time.
•
CSCec24244
When using File Sharing and copying files, there is no confirmation prompt when the file being copied would overwrite an existing file. You must ensure that the file name being added (copied) does not already exist.
•
CSCec30364
Selecting the "View" option on certain files in the Admin | File Management table with known windows extensions like ".grp" always fails to display these files.
Workaround:
Make a copy of the file with a new file name and then view the newly renamed copy.
•
CSCec34817
The VPN 3002, with user authentication enabled, fails to redirect web browser sessions bound to an HTTP redirected interface to a VPN 3002 user login prompt.
If you enter the private IP address of the VPN Concentrator into a web browser located on the PC that is authenticating itself with the VPN 3002, then the prefix https:// is appended to the first IP address in the browser drop-down list. When an https is present, the VPN 3002 fails to direct the browser to the login prompt.
Workaround:
Delete the "s" from https in the address bar on the browser that is attempting to authenticate with the VPN 3002. Ultimately, the connection is made using https, but eliminating the "s" during the step described above allows you to work around the VPN 3002's failure to offer the login prompt if the "s" is present initially.
•
CSCec36405
In the WebVPN end user Logout screen, the link, "Click here to close the browser window", does not work with Mozilla 1.4 and Netscape 7.x.
•
CSCec37257
Using Internet Explorer with File Sharing, users can do only two simultaneous downloads. Icons or action buttons seem not to respond to clicks while the two downloads are in progress. The WebVPN File Share resumes responding when one of the downloads completes.
•
CSCec38676
WebVPN does not support Radius with Expiry authentication method in this release.
•
CSCec46657
When using Outlook Web Access/WebDAV over WebVPN, clicking Change Password causes a connection error. It appears that this is an insecure practice on MS Exchange Servers, and MS no longer supports its use.
Workaround:
Change your password when directly connected to the Exchange Server.
•
CSCec47541
When clicking on a link (for instance, one that is contained in an e-mail message), that link may use the browser window that is running the Application Access JAVA applet, rendering Application Access useless. The implication of this redirect is that WebVPN Port Forwarding terminates if this window is redirected.
Microsoft Internet Explorer prevents this. Netscape and Mozilla browsers have this problem and do not provide an option to prevent this.
•
CSCec64525
Using Domino Web Access, a user attempting to forward an existing e-mail message is logged out of the WebVPN session.
•
CSCec65416
The VPN Concentrator does not support Outlook Web Access on Microsoft Outlook Exchange 2003 because of WebDAV issues.
•
CSCec75742
With File Sharing, files whose names contain two dots are renamed when downloaded. For example, the file filename.v1.zip is renamed to filename[1].v1.zip when downloaded.
Workaround:
Manually rename the file in the Save As dialog box.
•
CSCec75765
After loading Release 4.1, the following error events might be generated.
–
SET validation Bad Value Error on alSessionLimit.0.
–
SERVE Bad Value Error.
These events are harmless, and if the configuration is saved, then these messages do not appear upon subsequent reboots.
•
CSCec77427
Using the Mozilla browser, after you log out as a WebVPN user, the link to close the browser window fails to close the browser window.
Workaround:
Manually close the browser window.
•
CSCec78536
WebVPN does not support Java applets that generate HTTP requests. For example, you cannot log in to the CiscoSecure ACS application because of this.
•
CSCed05714
Some sites' HTTP responses incorrectly identify JavaScript content as regular HTTP data. This causes WebVPN to malfunction when interacting with these sites.
One such site is www.pwc.com. Selecting any option from the Site Navigation drop-down menu causes Javascript errors, and the WebVPN session terminates.
•
CSCed05959
Web pages that generate responses where the content between a set of HTML tags exceeds 9K bytes are dropped by WebVPN. As a result, web pages might not be displayed correctly.
•
CSCed12191
With File Sharing, browsing workgroups at times does not display the member servers. The failure is due to slow response from the servers.
Workaround:
To reach the server, enter its name in the Enter Network Path entry box.
•
CSCed14579
When entering an absolute path to a folder within a share, ensure that the folder name has the correct case. Otherwise, the user cannot view the contents of the folder. For example, if SharedFolder is a sub-folder within a share, the absolute path to this folder in the Network Path entry field must be: \\server\share\SharedFolder.
•
CSCed22336
Using Netscape 4.79 with File Share, downloading of text files fails. You can view text files, but right-clicking on the file, selecting Save Target As... never completes.
Workaround:
To avoid this problem, upgrade to the latest version of Netscape, which handles downloads correctly.
If you must stay with your current Netscape version, view the file. After the text file is displayed, select Edit on the File menu, click Select All, then copy and paste it to Notepad.
•
CSCed34297
With File Sharing, a VPN 3005 requires 64MB of memory. With less memory, network browse does not properly display all the available domains/workgroups and servers. It also does not reliably display the number of folders and files if there are more than 1,000 objects.
•
CSCed38056
The following line appears below the WebVPN frame:
Via: 1.1 VPN3000 Cache-Control: no-cache Transfer-Encoding: chunked 58F
Certain pages return a mixture of CRLF and LF terminated headers where the WebVPN expects only one or the other. This causes a header field to appear on the page when it should not.
•
CSCed43350
The Janus.com site does not display correctly.
•
CSCed45861
With File Sharing, using Netscape 4.7, sharenames with spaces are not accessible. Netscape fails to open the shared resource and gives no indication of the failure. This does not occur with the latest version of Netscape.
Workaround:
Upgrade to Netscape 7.1 or higher.
•
CSCed48738
Some sites create many cookie transfers. Exiting and re-entering these sites might result in the site not working properly. Some sites affected are 401k.com, quicken.com, hotmail.com. Other sites that use a lot of cookies also do this.
Workaround:
If you exit from a site and log in again after you have extensively navigated a site, you might have to log out of WebVPN and log back in to WebVPN.
•
CSCed49449
While using Netscape and WebVPN, the user is unable to reestablish a WebVPN session until they've closed and reopened the browser.
WebVPN does not support Netscape versions earlier than 7.1. If the user improperly logs out of a WebVPN session (for example, by switching directly to another web site), the cookies from the previous session are not removed, and they block the establishment of a new WebVPN session.
Workarounds:
–
Always properly log out of previous WebVPN sessions.
–
Delete all cookies dealing with the WebVPN address or restart the browser.
–
Upgrade to Netscape 7.1.
•
CSCed52950
Each Fleet Bank Home Link tab launches a separate window.
•
CSCed53867
In a WebVPN session, within a PDF document, clicking the Acrobat icon in the document's toolbar pops up the warning that proceeding will result in a session logout.
•
CSCed58734
Regenerating the SSH Host Key sometimes requires a VPN Concentrator reset to resume SSH management.
•
CSCed58753
Attempting to save the configuration of VPN Concentrator #2, while using a WebVPN connection to VPN Concentrator #1, fails with a javascript error.
•
CSCed62309
The Mozilla Browser version 1.6 does not allow Application Access with WebVPN. Mozilla Browser versions 1.5 and 1.4 successfully start and interoperate with Application Access.
•
CSCed72955
Due to a manufacturing procedure error, VPN 3005 Concentrators produced between March 2003 and December 2003 might have corrupted flash file systems. The affected serial number range is CAM0708xxxx through CAM0750xxxx.
Symptoms of this corruption can be failure to generate and save certificates or inconsistent volume errors from the file system.
•
CSCee49447
You cannot add or read an e-mail attachment when the iNotes ActiveX control is loaded.
Workaround:
Remove the iNotes ActiveX control from the C:\winnt\DownloadedProgramFiles directory (it appears as an iNotes Class). If you have never run iNotes, do not download the ActiveX control when prompted to do so upon first running iNotes.
•
CSCee58549
The contents of a Javascript window.setTimeout() call are not being properly converted. Note that setTimeout() by itself is properly converted.
•
CSCef39886
Configuring a Task with Outlook Web Access 2003 fails if you attempt to "Save and Close" without filling in the Task page fields. This is not an error in the VPN Concentrator software.
Workaround:
Be sure to fill in all required fields on the Task page before choosing "Save and Close."
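The mixed-terminator case in CSCed38056 above, as an added example that is not Cisco's code: a CRLF-only scan for the end of the header block runs past the real end on a response that mixes CRLF and bare-LF line endings, whereas a parser that accepts either terminator (the recipient robustness allowed by RFC 7230 section 3.5) and then de-chunks the body keeps header fields and chunk-size lines off the rendered page. The response bytes are constructed for the example.

```python
import re

# Constructed HTTP response (built for this example, not a capture) whose
# header lines mix CRLF and bare-LF terminators and whose header block ends
# with a bare LF. The body is chunked, so its first line is a hex chunk size.
MIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Via: 1.1 VPN3000\n"               # bare LF
    b"Cache-Control: no-cache\n"        # bare LF
    b"Transfer-Encoding: chunked\r\n"
    b"\n"                               # blank line terminated by bare LF
    b"d\r\n<html></html>\r\n"
    b"0\r\n\r\n"
)

# Header-block terminator as a strict CRLF-only parser expects it.
STRICT_END = b"\r\n\r\n"
# Tolerant form: a line may end in CRLF or bare LF; the blank line likewise.
LENIENT_END = re.compile(rb"\r?\n\r?\n")
LINE_SPLIT = re.compile(rb"\r?\n")


def strict_header_end(raw):
    """Offset just past the header block for a CRLF-only parser, or -1.
    On the mixed response the only CRLF CRLF is the chunked trailer, so the
    whole body is swallowed into the header block."""
    i = raw.find(STRICT_END)
    return -1 if i < 0 else i + len(STRICT_END)


def lenient_header_end(raw):
    """Offset just past the header block, accepting either terminator."""
    m = LENIENT_END.search(raw)
    return -1 if m is None else m.end()


def parse_response(raw):
    """Return (status line, {lowercased name: value}, body bytes)."""
    end = lenient_header_end(raw)
    if end < 0:
        raise ValueError("header block not terminated")
    lines = [l for l in LINE_SPLIT.split(raw[:end]) if l]
    status = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return status, headers, raw[end:]


def dechunk(body):
    """Decode a chunked body so size lines such as '58F' never reach the page."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = nl + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that follows the chunk data


if __name__ == "__main__":
    print("strict end:", strict_header_end(MIXED_RESPONSE), "of", len(MIXED_RESPONSE))
    status, headers, body = parse_response(MIXED_RESPONSE)
    print(status, headers)
    print(dechunk(body))
```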
Open Caveats from Earlier Releases
The following problems existed prior to Release 4.1 and are not resolved by the VPN 3000 Series Concentrator, Release 4.1.
•
CSCds44095
L2TP over IPSec connections fail if going through a NAT device. During the connection establishment, the VPN Client and the VPN Concentrator exchange IP addresses. When the client sends what it believes to be the VPN Concentrator's address (really the NATed address), the VPN Concentrator releases the connection.
This is because the address assigned to the interface does not match the address coming in from the client. The same issue exists on the client side. This will not be resolved until the Windows 2000 MS client supports UDP encapsulation.
•
CSCdt08303
When configuring a LAN-to-LAN connection with IOS or PIX, it is important to match the keepalive configuration (both "ON" or both "OFF"). If the keepalive configuration is OFF for the VPN Concentrator and ON for the IOS device, the tunnel will be established with data.
IOS tears down the tunnel because the VPN Concentrator does not respond to IOS style keepalives if keepalives are configured to be OFF for the VPN Concentrator.
•
CSCdw36613
In some cases, the Zone Labs Integrity Agent may not properly update on the Windows NT version 4.0 operating system while the VPN Client is connected, policy is changed and re-deployed, and the connection is up. Specifically, if you "Block Internet Servers" under the Firewall Security Rules in the Policy and then Deploy that new policy, a PC running Windows NT version 4.0 receives the updated policy, but it might not put the "Block Internet Servers" setting of that policy into effect.
Workaround:
Reboot the operating system.
•
CSCdx47596
Due to a Microsoft limitation, Windows XP PCs are not capable of receiving a large number of Classless Static Routes (CSR). The VPN Concentrator limits the number of CSRs that are inserted into a DHCP INFORM message response when configured to do so.
The VPN Concentrator limits the number of routes to 28-42, depending on the class.
•
CSCdx89348
The VPN Concentrator may display the following events during a VPN Client connection. These events are due to the Client being behind a Linksys Cable/DSL router that was incorrectly modifying the Client's packets, causing them to fail authentication when received by the VPN Concentrator. The problem is more prominent with LZS compression.
Events:
131500 06/20/2002 17:08:34.300 SEV=4 IPSEC/4 RPT=4632
IPSec ESP Tunnel Inb: Packet authentication failed, username: gray, SPI:
4e01db67, Seq Num: 0000850f. Dump of failed hash follows.
Linksys has been notified about the problem.
Workaround:
Although no workaround currently exists, disabling LZS compression on the VPN Concentrator helps reduce the number of events. To disable LZS compression on the VPN Concentrator set the "IPComp" setting on the IPSec tab of the group configuration to "none".
•
CSCdy26161
The Microsoft L2TP/IPSec client for Windows 98, Windows ME, and Windows NT does not connect to the VPN Concentrator using digital certificates.
Workaround:
Use Preshared keys.
•
CSCdz24882
Using Microsoft Internet Explorer version 5.0, you cannot create a detailed memory report from the Monitoring | System Status | Memory Status | Detailed Memory Report button. The file memory.txt is not created. The report does work if the file already exists. You can create the file initially if you run a detailed report from the CLI interface. Internet Explorer version 5.5 and Netscape work fine.
•
CSCdz83332
When switching between tabs under the interfaces section of the html-management page, the action may eventually fail.
If this happens, go back to the interface summary page and drill back down into the desired interface. Everything will resume working again.
•
CSCdz87108
The LDAP Authorization failure reasons depend on how the LDAP server implements these error codes. RFC 1777-LDAP states that the LDAP server might not return an error code, therefore in those situations the VPN Concentrator failure reason is "Invalid response received from server".
For the case in which the LDAP server does return a specific error diagnostic (for example, noSuchAttribute) the VPN Concentrator failure reason displays the appropriate string.
Caveats Resolved in Release 4.1.7.D
Release 4.1.7.D resolves the following issues:
•
CSCsa41034
When multiple SAs inject a single RRI route and one of these SAs times out, the route gets deleted even though there are still active SAs.
•
CSCsa44145
A VPN Concentrator configured for RIPv2 routing does not send a triggered update for new routes. However it does send triggered updates for deleted routes. Only periodic updates are sent for new routes.
•
CSCsa49543
A misconfigured EZ VPN NEM Client is allowed to connect and inject a 0.0.0.0/0.0.0.0 filter into the data flow. This results in unpredictable traffic flow.
Caveats Resolved in Release 4.1.7.C
Release 4.1.7.C resolves the following issues:
•
CSCef76381
The VPN Concentrator is unable to differentiate between two root certificates from the same certificate authority with the same DN that have different keys.
•
CSCef81463
Memory leak in VPN Concentrator software. Critical memory alerts triggered after approximately 78,000 cumulative sessions.
•
CSCeg20297
The VPN Concentrator supports a single L2TP over IPSec client, a single LAN-to-LAN connection, or multiple remote access IPSec clients from a single NAT/PAT device using NAT-T (NAT Traversal). If a new L2TP over IPSec session tries to connect, the VPN Concentrator disconnects the current running session. It should not accept the new connection.
•
CSCeg20432
When the WebVPN Enable URL entry option is disabled in Group settings, the "Go" button is still available to allow entering an URL entry. In this case the action should be prevented and an error displayed:
"You are not authorized to enter a URL/Web Address."
•
CSCsa45639
When administrators log in using TACACS to authenticate, multiple 64 byte memory blocks are leaked for each log in.
Caveats Resolved in Release 4.1.7.B
Release 4.1.7.B resolves the following issues:
•
CSCee31361
If a router is participating in OSPF with two VPN Concentrators that perform the reverse route injection (RRI) for the same networks, the router sees the networks as reachable via only one Concentrator. If this Concentrator is removed, the route via the other one never appears in the OSPF database.
•
CSCef61636
If a client connects to the VPN Concentrator using PPTP and the VPN Concentrator assigns an IP address on the same subnet as the Concentrator's private interface, the client may be able to ping devices on the same subnet behind the private interface of the VPN Concentrator.
However, if the ARP data has been cleared from the device's cache, the Concentrator does not reply for subsequent ARP requests for the client's assigned IP.
(IPSec clients work even if the ARP cache is cleared on the target host. The Concentrator processes a proxy ARP request again for the IPSec client.)
•
CSCef64114
If the IP address of a host connected to a WebVPN session changes (for example, due to a dial-up connection dropping out and being reconnected quickly), the WebVPN session continues to operate, but the WebVPN toolbar display is inconsistent and the padlock symbol disappears from the browser window.
•
CSCef74228
In specific dynamic LAN to LAN configurations, dynamic filters that are intended to override default filters are not reapplied after a phase 1 rekey initiated by the VPN Concentrator. As a result, if the default filter is "deny any," there are no overriding dynamic filters, and the traffic from the peer is denied.
This problem occurs with dynamic LAN to LAN peers that are authenticated based on fields on their certificates, with authentication and authorization done completely on a RADIUS server.
•
CSCef79980
When building LAN-to-LAN tunnels with a third-party dynamic peer (Base Group pre-shared key) using reverse route injection, the VPN Concentrator does not remove the route for the remote network from the routing table when the tunnel is torn down.
•
CSCeg06684
WebVPN on a VPN Concentrator may fail if used with PKI and a client certificate generated on a USB eToken device.
Caveats Resolved in Release 4.1.7.A
Release 4.1.7.A resolves the following issues:
•
CSCef02681
The client cannot send IPSec over UDP packets through the VPN Concentrator after a VRRP switchover.
•
CSCef81931
When using the IP address re-use control feature, any change you make to the related address pool frees all held addresses, which may create a security concern.
•
CSCef85994
Error message, "Unable to activate IKE Proposal (Bad Value Error)" appears in the log when attempting to activate an inactive proposal. Repeatedly activating and deactivating proposals causes a problem with the priority value.
•
CSCef92704
OWA 2000 experiences problems when PlusPack is installed on the Exchange 2000 server. When you create a new message or accept a meeting request, a response window is created. When you click the Send button, instead of sending the response or email message, a new window opens with a second copy of OWA. The OWA bar is on the left side, and the response with the Send button is on the right pane in this second window. If you close the second window, the original OWA window closes as well or crashes.
Caveats Resolved in Release 4.1.7
Release 4.1.7 resolves the following issues:
•
CSCed22637
Once an address pool address has been marked in use due to an external device ARP response, that address is never entered back into the pool.
•
CSCef12713
When a VPN Client is connecting using UDP encapsulation (not NAT-T), UDP traffic from the Concentrator to the VPN Client does not go through the correct port until some traffic is sent from the Client, which establishes the proper port.
•
CSCef24438
The VPN Client cannot get an IP address from a DHCP server on the external interface, and therefore cannot connect successfully.
•
CSCef66678
EAP authentication fails if the L2TP connection times out.
Caveats Resolved in Release 4.1.6
Release 4.1.6 resolves no major caveats. This release supports the Cisco VPN Client Release 4.6.
Caveats Resolved in Release 4.1.5.B
Release 4.1.5.B resolves the following issues:
•
CSCdx66576
When OSPF is enabled on the private interface but disabled on the public interface there are instances that cause the public interface's network to be advertised via the private interface.
•
CSCee30471
No online help for Enable Outlook Exchange Proxy.
•
CSCee69237
The VPN 3000 Concentrator does not inject 32-bit mask routes using reverse route injection for LAN to LAN tunnels. Any other mask works.
•
CSCee77583
Customer is using a client-based Java script to display information to the user browsing with Internet Explorer. It opens another IE window. When the user clicks on the Java-based button to view information, the IE browser crashes.
•
CSCef05674
Erroneous externally-in-use addresses result in buffer leak. With a local address pool assigning addresses into the same subnet as the private interface, the ARP function that checks address availability is failing and marking free addresses as externally-in-use. A side effect of this is a buffer leak.
•
CSCef13673
Using WebVPN and CIFS for file sharing, renaming a file to a certain name might cause the concentrator to reboot.
•
CSCef17308
WebVPN may make modifications to web pages that result in syntax errors when the page is viewed in Internet Explorer.
•
CSCef21968
The following files have wrong or missing end tags in the address statistics table. This could be an issue for some web browsers.
html_platform\html\client\monitor\stats\address.html
html_platform\html\concentrator\monitor\stats\address.html
Caveats Resolved in Release 4.1.5.A
Release 4.1.5.A resolves the following issues:
•
CSCea07260
After the public IP address and default gateway have been changed, the VPN Concentrator does not allow incoming data packets encapsulated by UDP (10000) even if an IPsec session is being established correctly. If you use TCP encapsulation or no encapsulation the problem does not occur.
•
CSCee04425
When "clear log" is selected, the VPN Concentrator should save or FTP the event log if "Save Log on Wrap" or "FTP Log on Wrap" is configured (respectively).
•
CSCee20262
On a VPN 3030 Concentrator (running Release 4.0.1) configured for "Save Log on Wrap," "FTP Saved Log on Wrap," and automatic deletion of files when flash space is less than 2.5MB, logging information is lost.
The contents of the neighboring files don't overlap (e.g. log00288.txt and log00290.txt), and so the logging information within this time period is lost, because the log00289.txt file is missing.
This happens only randomly.
•
CSCee43964
Some sites cause the browser to hang; an example is potterybarn.com when using Netscape 7.1. If you encounter this situation, close your browser, re-open it, and re-establish your WebVPN session.
•
CSCee71756
On a new install of 4.1 (not an upgrade), the SSH_KEY.PEM file is created with a blank key. This prevents SSH access to the device. This fails only on the first boot-up; the SSH_KEY is fixed on subsequent boots.
•
CSCee93317
On the Address Pools Stat page, the base pool table is missing </td> and </tr> tags.
•
CSCef01940
For the backup server list, the maximum length of a hostname is limited to 25 characters. Customer needs it to support more characters. The overall limit for all entries combined still will not be able to exceed 255 characters.
•
CSCef03321
Add an IP event indicating "Assigned IP address A.B.C.D already in use." This will help troubleshoot RADIUS and DHCP assigned address problems.
•
CSCef05835
If FTP and Save Log on wrap are both enabled, the FTP log file will be empty if the Save Log file fails due to insufficient flash space. The FTP log file should still get created even if the flash log file can't be created.
•
CSCef10761
There is no event class, logging level for PPTP L2TP to show what the IP address assigned to the client is.
•
CSCef10889
VPN 3000 Series Concentrator may crash while doing URL mangling for a .net viewstate search.
Caveats Resolved in Release 4.1.5
Release 4.1.5 resolves the following issues:
•
CSCeb21763
After logging into the Concentrator using the WebVPN feature from a browser, the banner acceptance pop-up box appears more than once when using the Back button on the browser. Normally, the banner is displayed once, immediately after the user logs in.
Use of the [Back] and [Previous] buttons in Netscape 7.x and Mozilla 1.x always causes the page to be retrieved from the cache, regardless of the browser cache configuration and cache properties of the page sent from the Concentrator. This leads to the situation where the banner pop-up reappears if you click the [Back] button to return to the WebVPN home portal site.
•
CSCec20673
A VPN 3030 Concentrator stops accepting new connections, and the memory status shows RED. The old connections seem to work without any issues.
This condition may occur with a high volume of one-way traffic encapsulated with cTCP. cTCP drops packets to prevent exceeding the TCP window size. The VPN 3000 was not properly cleaning up this data flow, which resulted in a slow memory leak.
•
CSCec28525
WebVPN puts sites into a frame. Some sites do not work well when they are enclosed in a frame, despite WebVPN's best efforts to contain them. Such sites require either that they are not in a frame or that a frame of their own is present at the top level. An example site is www.cutimes.com.
•
CSCec82791
File Sharing prompts for authentication if the shared folder entered in the Network Path entry box does not exist. Even with valid credentials, authentication is never successful.
•
CSCed36782
Downloadable ACLs with more than 10 entries from ACS are being applied on the VPN Concentrator in the wrong sequence.
•
CSCed56415
Some sites cause the browser to hang; for example, potterybarn.com when using Netscape 7.1. If you encounter this situation, close your browser, re-open it, and re-establish your WebVPN session.
•
CSCed60615
RADIUS with Expiry fails with VPN 3000 Release 4.0.x code when Funk is used as the RADIUS server. Release 3.0.x code works fine, and Funk RADIUS supports MSCHAPv2 just fine.
•
CSCed72776
If the target URL is in relative path format, web page redirection by <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=target-url"> does not work.
•
CSCed76148
UID does not show when viewing certificate details.
•
CSCed78445
As per the VPN 3000 Concentrator documentation, the maximum length for the MD5 authentication password for OSPF is 8 characters.
•
CSCed85940
This is a feature request to add a robots.txt file, for WebVPN, to tell search engines NOT to index it.
•
CSCee05026
The VPN 3000 Concentrator lacks the configuration capability to set the MD5 Key ID for MD5 authentication. This needs to be incorporated into the code.
•
CSCee08573
The VPN Concentrator has a problem when trying to export a large configuration into XML format. Although the export seems to be fine, the configuration is incomplete and there are error messages in the XML file.
•
CSCee10967
The browser hangs when attempting to view iNotes contacts. After clicking on Contacts from the Main menu, the browser hangs with a "Fetching records..." message.
•
CSCee33257
IPSEC Client user authentication fails to Windows NT when using a username in the format of username@domain.com. This worked on previous versions of code (i.e. 4.0.x and 3.x).
Cross-domain authentication also fails with 4.1.x code. It worked with 4.0.x code. The domains have been configured with two-way trust relationship.
For example, if the concentrator sends the authentication request to a domain that is not local to it, the request also fails.
•
CSCee36164
When following a link from a web server that uses a non-standard port ("WebserverA/Page A") to another web server ("WebserverB/Page B"), the VPN 3000 Concentrator erroneously adds the non-standard port to the absolute URL of the second server's web page ("Page B").
•
CSCee38947
When the Allow Password Storage on Client feature is disabled, the VPN 3002 Hardware Client should only clear the user password across power cycle reboots (not across all reboots; i.e., user-requested reboot). The current implementation clears the password on all reboots.
•
CSCee43164
A memory exception/crash occurs when a VPN 3000 Concentrator connects to an Integrity Server. Release 4.1.2 does not have this problem. Release 4.1.3 and Release 4.1.4 do have this problem, however. Integrity Server Enterprise version 4.5.092 and 4.0.075 were used in this test.
•
CSCee45254
Netmask is not sent to the VPN Client when the netmask is assigned from an internal user database or a RADIUS Framed-IP-Netmask attribute. If we use the group IP pool, it works fine.
•
CSCee45624
The VRRP hello message indicates that authentication is enabled when it is not. This results in some devices reporting authentication errors, as they expect the hello message to carry a password.
•
CSCee51847
Phase 1 rekey may fail when Phase 1 and Phase 2 are rekeying simultaneously. If the Phase 2 rekey is initiated while the Phase 1 rekey is waiting for Transaction Mode, the previous Phase 1 messages (Aggressive Mode message 3/Main Mode message 6 and Transaction Mode) are not resent.
•
CSCee54804
Address Pool stats page has some bogus data.
•
CSCee70029
Dynamic Filters stopped working in release 4.1.4. The VPN Concentrator downloads the access-lists for both cisco-av-pair and Downloadable ACLs. If I then click the Monitor/Dynamic Filters on the VPN Concentrator it looks fine, but no traffic is passing through the VPN Concentrator.
•
CSCee81380
The VPN3000 concentrator may crash shortly (seconds) after the private interface's link comes up. The crash occurs during generation of the SSH server key. This crash may also occur in the SSL task.
The crashdump indicates that the failure occurs when the SSH1 task is context switched back in. The SSH1 task is in the middle of determining whether a number is prime. The operation can take some time. In order to prevent other tasks from being starved, the SSH1 task occasionally sleeps for 50 ms during this operation (i.e., the SSH1 task is context switched out). When the task sleeps, other tasks may execute. When it is time to resume the SSH1 task, SSH1 is context switched back in.
When a task is switched out, the OS stores various data on the task's stack. This includes the Program Counter, the Status register, the Link Register, and more. This data is needed in order to resume where the task left off when the context is switched back in.
The crashdump indicates that the SSH1 task is getting corrupted while the task is switched out.
•
CSCee82948
Add the following data to Crashdump reports:
1.
Serial Number
2.
Size of RAM installed
3.
Identify product (3015, 3020, 3030, 3060, 3080)
4.
Identify if SEP or SEP-E installed in Hardware slots
Caveats Resolved in Release 4.1.4
Release 4.1.4 resolves the following issues:
•
CSCeb13767
The VPN 3000 Concentrator should modify or reject inconsistent network and subnet mask combinations. In the LAN-to-LAN NAT rules, the concentrator accepts such network and subnet mask combinations as: 192.168.1.0 / 255.255.0.0.
•
CSCeb83746
VPN Client 4.0 running on Microsoft Windows 2000 or Windows XP — After connecting, a classful route is installed in the routing table because no subnet mask was received.
The VPN 3000 Concentrator should allow the user to define the subnet mask for each address pool and pass this to the client.
Downgrade issue with fix:
If you downgrade to a version without the new feature, the address ranges will get loaded without the subnet mask. If you save your configuration and upgrade again, the masks are reset to "0.0.0.0".
•
CSCec80027
MAPI E-Mail Proxy requires that the Networking Service, Com Internet Services Proxy is installed on the Exchange Server. MAPI proxy should not require an RPC over HTTP on the server.
•
CSCed74646
When SNMP polls 64-bit HC counters on VPN 30xx devices, for example ifXTable, the values do not increment. The counters always return zero and stay that way even when traffic is passing through that port.
•
CSCed78426
VPN 3000 configuration doesn't allow use of discontiguous wildcard when configuring rules. In IOS an access-list can be configured with discontiguous wildcard.
•
CSCed94041
In the logs, we're seeing multiple entries that correspond to each of the MM_DONE sessions. The entries look like this:
41052 03/09/2004 17:43:27.160 SEV=4 IKE/137 RPT=38603 nnn.nnn.nnn.nnn
Group [groupname] User [username] Reaper overriding refCnt [1] and tunnelCnt [0] -- deleting SA!
41054 03/09/2004 17:43:27.160 SEV=6 IKE/0 RPT=22029
Received unexpected event EV_TERMINATE in state MM_DONE
The first event indicates that the IKE subsystem is attempting to bring down an IKE tunnel that has a tunnelCnt of zero, and so it sends an EV_TERMINATE message to the state machine. However, since the state machine doesn't expect a terminate event in the MM_DONE state, we get the second event. The next time the IKE subsystem tries to clean up, the process repeats.
•
CSCee06925
IPSec Backup Server names are limited to 16 characters. When you configure a backup server name on the Client Config tab under Configuration | User Management | Groups, specifying a name with more than 16 characters returns the error, "Server entry cannot be more than 16 characters."
•
CSCee05991
Adding identical static routes with different bit masks on each interface fails when entered via the CLI, but succeeds when entered via the Web interface.
•
CSCee13755
Outlook 2002 Clients on Win XP are unable to use Outlook/Exchange (MAPI) Proxy to connect to an Exchange 2003 or an Exchange 2000 Server because of unknown commands.
•
CSCee14658
Value 0x00 for attribute 25 (Class) is found in accounting requests for WebVPN sessions, instead of the value sent by the RADIUS server in the Access-Accept packet. Only accounting of WebVPN sessions is affected; accounting for IPSec sessions works fine.
•
CSCee26074
The VPN 3000 hangs after receiving a malformed "reject" packet from an external SECURE-IT 3000 RADIUS server.
•
CSCee26440
An IPSec P2 race condition can cause an invalid SPI and rekey issue. The race condition may appear with short rekey intervals and network loss/latency. The condition may occur when the two sides attempt to rekey at the same time.
•
CSCee26457
Concentrator reboots when authenticating users via a Kerberos server.
•
CSCee26461
Improve the event message when importing a certificate with an unsupported key size. Currently, the message says, "Unable to install trusted certificate." It should say, "Unsupported Key Size."
•
CSCee28291
The VPN 3000 Concentrator returns ACCT-DELAY-TIME values in tenths of a second, causing them to appear as tenfold that which is expected.
•
CSCee30119
Cannot save interface changes with HTTPS disabled, even when Redirect HTTP to HTTPS is disabled.
•
CSCee30135
When the VPN 3000 Concentrator obtains a client address via a DHCP server, the VPN 3000 Concentrator is not passing the subnet mask back to the client.
Caveats Resolved in Release 4.1.3
Release 4.1.3 resolves the following issues:
•
CSCec07602
A VPN Concentrator with a LAN-to-LAN session to a PIX firewall in answer-only mode might fail if you are using network lists instead of defining the networks on the LAN-to-LAN configuration page.
•
CSCec14209
The VPN Concentrator does not currently allow dynamic source ports during negotiation. The Mac OS X L2TP client defaults to dynamic source ports; therefore, it fails to connect.
•
CSCec24638
When Renew DHCP Lease link is selected, the lease is released and a new lease is requested. This tears down any established VPN tunnel. Instead, perform a request for a lease for the same address; release the lease only upon a failure.
•
CSCed23549
Memory corruption occurred on a VPN 3030 Concentrator running Release 3.6.7 software. The log contains the following messages:
SEV=3 SYSTEM/10 RPT=47 Freeing free memory block. Ptr=034ec494, CPC1=000218e8, CPC2=00025d2c, TID=00360000
SEV=4 SYSTEM/0 RPT=185 0000: FACEDBAD 030CF9C8 031C4E40 00010000
Despite these error messages, the VPN 3030 Concentrator does not fail, so there is no crashdump file.
•
CSCed46987
WebVPN does not launch URLs that begin with "../".
•
CSCed50600
The VPN Concentrator software requires 1 MB of free flash for WRITE operations (Savelog + Config). Release 4.1.3 optimizes this operation, not by reserving flash space, but by gracefully terminating the WRITE operation task and allowing the HTTP(S) task to continue operating.
•
CSCed51764
The VPN Concentrator's LDAP authorization needs to support RADIUS IETF attributes (for example, Framed-IP-Address, Class).
•
CSCed52118
If multiple users in the same group log in, when you check Administer Sessions | Detail, only the first session in each group shows the ACLs associated with the session.
•
CSCed67700
Add User ID (UID) as an option for DN Field authorization in the IPSec tab of Configuration | User Management | Groups | Modify.
•
CSCed70794
If a rule is created for certificate group matching and set to Base Group, the VPN Concentrator succeeds in matching the rule; however, it fails to push the connection to the base group. Instead, the VPN Concentrator looks for a group named after the IP address of the client attempting to make the connection and, failing to find such a group, eventually fails the connection.
•
CSCed75062
User ID (UID) was added as an option for DN Field authorization in the IPSec tab of Configuration | User Management | Groups | Modify. Therefore, UID has been added for the DN Field under Configuration | Policy Management | Certificate Group Matching | Rules | Add & Modify.
•
CSCed86249
Improve the memory.txt file by adding System Name, RAM Size and Time/Date.
•
CSCed91563
The VPN Concentrator does not properly handle a State attribute which contains a zero octet. The VPN Concentrator is incorrectly treating the zeroes as a string terminator.
•
CSCed92736
The VPN Concentrator sends an Invalid SPI Notify message with protocol ID = 1 (IPSEC_DOI_PROTO_ISAKMP) when it receives ESP packets with an unknown SPI from an authenticated peer. This may cause a black hole situation until lifetime expiration if the peer device is an IOS router.
•
CSCee01796
When you use the FTP "mget" command from the VPN Concentrator, the filelist parameter is ignored and all files are downloaded instead of what you selected.
•
CSCee04530
After successful login into a CIFS Server, WebVPN was sending an extraneous re-direct back to the browser instead of returning the information originally requested.
•
CSCee07933
WebVPN cannot process a page with javascript of the form: "window.open(X)" where X is blank. This can cause an unexpected reload.
•
CSCee14089
When the VPN Concentrator rekeys an SA and the peer device's IP address has changed, the old SA is torn down and the VPN Concentrator reports the reason for termination as, "User Requested." It would be more clear to report the reason for termination as "Peer Address Changed."
Caveats Resolved in Release 4.1.2
Release 4.1.2 resolves the following issues:
•
CSCeb47529
A more specific route cannot be entered in a VPN Concentrator if a route already exists in the VPN Concentrator with the same major net.
•
CSCed42494
Two PIX501 (EZ VPN Clients) behind Linksys devices (with same DHCP pool) disconnect during IKE rekey. In this case, the PIXes keep trying to bring up public-to-public IPSec SA's (tearing down the others). The PIX establishes a new IPSec SA on the new IKE SA. The up and down causes the deletion of the IKE.
Note
The old IKE SA does not transfer the tunnels to the new IKE SA until it activates the new SA when it receives a delete message or the SA expires.
•
CSCed48380
The VPN Concentrator event IKE/124 is misleading for R_U_THERE failure. The VPN Concentrator expects the DPD sequence number to be greater than the previous sequence number. The initial sequence number is supposed to be a randomly generated number.
While interoperating with a Model 831 hardware client, the following event occurred when the Model 831 hardware client attempted to connect to the VPN Concentrator:
588 01/19/2004 20:17:41 SEV=5 IKE/124 RPT=98 address Group [group] Received DPD sequence number 0x0 in R_U_THERE, expected 0x0
The Model 831 hardware client repeatedly sent a "random" number of 0 as the initial sequence number, and the VPN Concentrator correctly rejected the connection, but the event message is misleading. The event should say:
Received unexpected DPD sequence number %d in R_U_THERE. Next expected sequence number should be greater than %d.
•
CSCed60514
User setting of Maximum Connect Timeout (under General tab) is not saved after applying and saving. If the same user is edited, the settings made earlier are gone and the setting has reverted to the default of inheriting the Maximum Connect Timeout from the group settings.
•
CSCed70850
SSH remote management connection to a VPN Concentrator is possible only once. It is then impossible to connect using SSH. The failure occurs when the SSH session is terminated cleanly with an exit command. If the SSH session is allowed to time out or is terminated via http management, then the failure does not occur. Furthermore, SSH statistics show that the VPN Concentrator fails.
Caveats Resolved in Release 4.1.1
Release 4.1.1 resolves the following issues:
•
CSCed53846
After upgrading to 4.0.4.B, the VPN 3002 Hardware Client PPPoE client can no longer connect when LCP authentication is CHAP.
•
CSCed56906
Large volumes of TCP data sent from the WebVPN user through the VPN Concentrator to a private network server might use all of the data buffer resources in the VPN Concentrator if the target server strictly flow-controls the traffic. When this occurs, the VPN Concentrator no longer accepts new WebVPN or HTTP/HTTPS management sessions. Existing sessions slow or cease to pass data.
•
CSCed59586
A VPN 3002 Hardware Client upgraded to Release 4.1 is no longer manageable via HTTPS on the outside interface.
•
CSCed60860
After rebooting, a VPN Concentrator using Release 4.0.4.B sends a gratuitous ARP with its real MAC address and its own IP address, which is also the VRRP address.
•
CSCed63615
A VPN 3002 Hardware Client upgraded to Release 4.1 fails when using PPPoE. This happens only with PPPoE.
•
CSCed66779
On VERY rare occasions after upgrading a Cisco VPN 3000 Series Concentrator to Release 4.1, a user cannot save the active configuration.
The error displayed is:
Could not write to file, error 20 CERTS Error 0x2003
Caveats Resolved in Release 4.1
Release 4.1 resolves the following issues:
•
CSCdy27564
The Assigned IP address for a PIX-501 in Network Extension Mode appears on the VPN Concentrator as 0.0.0.0 until the first IPSec/Phase 2 rekey takes place. After the Phase 2 rekey completes, the Assigned IP address is correctly set to the PIX-501's private interface network address.
•
CSCea29828
HTTP Software Updates sometimes fail with "Software Update Error". Retrying the operation does not update the image.
•
CSCea52820
The text from the Help page for the Monitoring | System Status | Memory Details page in HTML incorrectly refers to "Memory Detail Report". The page is labelled and called: "Detailed Memory Report".
•
CSCea52936
The Help for the SEP-E in the Monitoring | System Status | SEP in-line SEP page is incomplete. In other sections, we make reference to the SEP-E. We should add:
"AES (SEP-E only)" to the Encryption and Decryption bullet.
This screen displays status and statistics for a VPN Concentrator SEP (Scalable Encryption Processing) or a SEP-E (Enhanced SEP) module, which performs hardware-based cryptographic functions:
–
Random-number generation.
–
Hash transforms (MD5 and SHA-1) for authentication.
–
Encryption and decryption (DES and Triple-DES).
The screen shows cumulative data since the system was last booted or reset.
•
CSCeb27069
In Release 4.0.1, denying certain PINs with RSA SecurID is not functioning (for example, denying alphanumeric PINs or denying access based on PIN length).
•
CSCeb38654
On VPN 3002-8E models, if the public interface's link is down upon boot up, the unit continuously reboots.
•
CSCeb48289
VPN Concentrator failed due to a malformed PPP IP Control Protocol message.
•
CSCeb65325
The VPN Concentrator passes blank username/password to an authentication server.
•
CSCec02285
The VPN 3002 CLI, Administration | Access Rights | Administrators menu displays the ISP user instead of the monitor user. But the GUI displays the monitor user. Logon to the GUI using a monitor account fails. Logon to the GUI using an ISP account succeeds, but you can still change the config through the quick configuration. If the VPN 3002 has this problem, it's always there; if the VPN 3002 does not have this problem, it never happens, no matter which version of the code is in use.
•
CSCec11767
A small amount of memory is not released each time you perform an authentication server test from the web (or xml) interface. This might eventually cause the VPN Concentrator to fail.
•
CSCec16876
The VPN 3000 Concentrator does not automatically add routes for more than one remote LAN. Static routes for each additional remote LAN must be entered on the VPN Concentrator.
•
CSCec61306
Kerberos support for 3DES/SHA is not functioning.
•
CSCec66975
The ifType (1.3.6.1.2.1.2.2.1.3) for the VPN Concentrator FastEthernet interfaces is reported as 7 (iso88023Csmacd). Per IANA, ifType 7 was deprecated via RFC-draft-ietf-hubmib-etherif-mib-v3. Use ifType 6 (ethernetCsmacd) instead.
See ianaiftype-mib and RFC 2665:
http://www.iana.org/assignments/ianaiftype-mib
http://www.ietf.org/rfc/rfc2665.txt?number=2665
The wrong ifType may confuse some NMS systems, as they are expecting ifType=6 for Ethernet interfaces.
•
CSCec73218
Some cable modems, if they lose their broadband signal, issue the IP address 192.168.1.11 via DHCP. When this happens and the VPN 3002 Hardware Client accepts this address, the VPN 3002 Hardware Client uses the 192 address in its IKE negotiations.
The result is a tunnel that cannot pass traffic. At the central-site concentrator, you see what looks like a functional tunnel with no RX bytes and no private-to-private SA.
•
CSCec77145
Cisco VPN Concentrator implementation using RSA/Ace 5.0.3 Agent API does not work for cross realm authentications. The ACE/Server sends a downgrade request to the agent. This is meant to be interpreted by the agent to generate a v2 authentication request with a v5 header. The Cisco VPN Concentrator actually downgrades and sends a full v2 request. The ACE/Server then fails the request because it interprets this as a v2 agent, which needs an acting primary/secondary.
•
CSCed03366
New PIN mode for user authentication to an SDI server via RADIUS is not working. This issue was introduced in release 4.0.3.REL.
•
CSCed09411
The VPN Concentrator might fail while displaying Memory Statistics.
•
CSCed09496
A VPN Concentrator accepts NEM PIX 501 connections with split tunneling enabled. After a period of time, the VPN Concentrator shows high CPU usage, eventually dropping connections due to dead-peer-detection (DPD) loss.
PIX NEM connections are more frequently affected than others because of their low default DPD interval. All others, however, are occasionally affected.
•
CSCed18995
Using digital certificates, each IKE rekey for main mode fails to release a 64-byte block of memory.
•
CSCed34928
The Filter Rule Copy from the HTML does not copy the network list from the old rule to the new rule.
•
CSCed40267
The VPN Concentrator eventually fails because of unreleased memory blocks when processing a DHCP Inform message from an L2TP or PPTP client with Network Lists and DHCP Intercept enabled. The size of the leaked block varies with the Network List size.
Documentation Updates
The Cisco VPN 3000 Series Concentrator documentation set has been revised for the 4.1 release and is available online through Cisco Connection Online (CCO) and www.cisco.com. This section contains any changes and corrections to the documentation that occurred after the documentation was published.
Note
The documentation for the VPN Hardware Client has not been updated for this release.
Documentation Changes
The sections that follow list modifications to the documentation, reflecting product changes, documentation errata, or documentation omissions.
WebVPN E-Mail Proxy with Certificate Authentication
The documentation does not list unsupported clients for this feature.
On the Configuration | Tunneling and Security | WebVPN | E-mail Proxy screen, you can configure e-mail proxies for WebVPN. One of the available authentication options is Certificate.
Only Netscape 7.0 and Mozilla 1.2.1 support this function. Eudora, Outlook Express 6, Outlook 2000, and Outlook XP clients cannot send the VPN Concentrator the correct certificate length; therefore, the VPN Concentrator rejects connection attempts from these clients when configured for certificate authentication.
Tunnel Groups and Inheritance
The documentation does not explain how values are inherited between groups and the base group when a client changes groups due to authentication.
In certain cases, attributes are not inherited from the base group if the Inherit checkbox is selected. This occurs when users connect with the VPN Client using one particular group (referred to as a tunnel group), and an authentication server (such as a RADIUS server) assigns them to another group (referred to as a user group).
In this scenario, if the user group is set to inherit attributes, the attributes are inherited from the tunnel group first. If the tunnel group is also set to inherit attributes, it then inherits attributes from the base group.
If the tunnel group is not set to inherit attributes, the user group's inherited attributes will come from the tunnel group. This may not match expected behavior for the configured user group.
RADIUS Group Assignment Behavior
When the Concentrator receives a RADIUS assigned group value that is not defined on the Concentrator, the RADIUS assigned group is ignored and the user remains in the tunnel group that they used to connect.
To guarantee that users only connect via RADIUS-assigned groups, configure the tunnel groups to disallow protocol services. If a valid RADIUS group is not received, the user remains in their tunnel group and is disconnected since tunnel protocols are disabled. (CSCef45647)
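As an added illustration (not Cisco code or configuration) of the inheritance order and the RADIUS group-assignment behavior described above, here is a small Python model in which None stands for a selected Inherit checkbox; the group names, attribute names and values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BASE_GROUP = "Base Group"
# Sentinel standing for a selected Inherit checkbox on an attribute.
INHERIT = None


@dataclass
class Group:
    """Constructed stand-in for a VPN Concentrator group record."""
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


def inheritance_chain(user_group: str, tunnel_group: str) -> List[str]:
    """Lookup order for a user who connected via tunnel_group and was moved
    to user_group by the authentication server: the user group inherits from
    the tunnel group first, and only reaches the base group if the tunnel
    group also inherits. A user who was not reassigned has user == tunnel."""
    chain = [user_group]
    if tunnel_group != user_group:
        chain.append(tunnel_group)
    chain.append(BASE_GROUP)
    return chain


def effective_attr(groups: Dict[str, Group], user_group: str,
                   tunnel_group: str, attr: str):
    """Walk the chain and return the first explicitly set value."""
    for name in inheritance_chain(user_group, tunnel_group):
        value = groups[name].attrs.get(attr, INHERIT)
        if value is not INHERIT:
            return value
    raise KeyError(f"{attr!r} is not set anywhere, not even in {BASE_GROUP!r}")


def assign_group(groups: Dict[str, Group], tunnel_group: str,
                 radius_group) -> str:
    """A RADIUS-assigned group that is not defined on the Concentrator is
    ignored, and the user remains in the tunnel group used to connect."""
    if radius_group is not None and radius_group in groups:
        return radius_group
    return tunnel_group


def resolve_session(groups: Dict[str, Group], tunnel_group: str,
                    radius_group) -> Tuple[str, bool, int]:
    """Return (effective group, tunnel protocols allowed?, idle timeout)."""
    user_group = assign_group(groups, tunnel_group, radius_group)
    protocols = effective_attr(groups, user_group, tunnel_group, "tunneling_protocols")
    idle_timeout = effective_attr(groups, user_group, tunnel_group, "idle_timeout")
    return user_group, bool(protocols), idle_timeout


def build_groups(lock_down_tunnel_groups: bool) -> Dict[str, Group]:
    """Constructed configuration. With lock_down_tunnel_groups=True the tunnel
    groups disallow all protocol services, as the workaround recommends, so a
    user left in a tunnel group by a missing or invalid RADIUS group cannot
    bring up a tunnel. Note that the RADIUS-assigned user group must then set
    its own protocols explicitly; inheriting them would inherit the lockout."""
    tunnel_protocols = frozenset() if lock_down_tunnel_groups else frozenset({"IPSec"})
    return {
        BASE_GROUP: Group(BASE_GROUP, {
            "idle_timeout": 30,
            "tunneling_protocols": frozenset({"IPSec", "L2TP/IPSec", "PPTP"})}),
        # Tunnel group that overrides the idle timeout.
        "sales": Group("sales", {
            "idle_timeout": 5, "tunneling_protocols": tunnel_protocols}),
        # Tunnel group that inherits the idle timeout from the base group.
        "contractors": Group("contractors", {
            "idle_timeout": INHERIT, "tunneling_protocols": tunnel_protocols}),
        # RADIUS-assigned user group with Inherit selected for idle_timeout.
        "engineering": Group("engineering", {
            "idle_timeout": INHERIT, "tunneling_protocols": frozenset({"IPSec"})}),
    }


if __name__ == "__main__":
    groups = build_groups(lock_down_tunnel_groups=False)
    # engineering inherits idle_timeout 5 from the sales tunnel group, not 30
    # from the base group, which is the surprise the notes describe.
    print(resolve_session(groups, "sales", "engineering"))
    # Unknown RADIUS group: the user stays in sales and is still allowed.
    print(resolve_session(groups, "sales", "no-such-group"))
    locked = build_groups(lock_down_tunnel_groups=True)
    # Same unknown group with locked-down tunnel groups: disconnected.
    print(resolve_session(locked, "sales", "no-such-group"))
```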
Supported Browser Versions
The VPN Concentrator officially supports the following browser versions:
Table 1
Browser             Version(s)   Operating System(s)
Internet Explorer   6.0          Windows
Netscape            7.1          Windows, Linux
Mozilla             1.7          Linux
Safari              1.22         Mac OS
Note
Safari is supported for WebVPN access only. All others are supported for both WebVPN and administrator access.
Earlier versions of these browsers may work with the VPN Concentrator. Cisco has not tested them with this release.
This table replaces information found in the Release 4.1 VPN 3000 Series Concentrator Reference Volume I: Configuration, pages 1-2 and C-3.
Updated VPN Concentrator Documentation
These Release Notes are the only new documentation for Release 4.1.x. In addition to these Release Notes, the following documents were updated for Release 4.1:
•
VPN 3000 Series Concentrator Reference Volume I: Configuration
•
VPN 3000 Series Concentrator Reference Volume II: Administration and Management
•
VPN 3000 Series Concentrator Getting Started
•
Online Help
Related Documentation
•
VPN Client User Guide for Windows
•
VPN Client Administrator Guide
•
VPN 3002 Hardware Client Getting Started
•
VPN 3002 Hardware Client Reference
•
VPN 3002 Hardware Client Quick Start Card
Service and Support
For service and support for a product purchased from a reseller, contact the reseller, who offers a wide variety of Cisco service and support programs described in "Service and Support" in Cisco Information Packet shipped with your product.
Note
If you purchased your product from a reseller, you can access CCO as a guest. CCO is Cisco Systems' primary real-time support channel. Your reseller offers programs that include direct access to CCO services.
For service and support for a product purchased directly from Cisco, use CCO.
Software Configuration Tips on Cisco Technical Support Website
The Cisco Technical Support home page includes technical tips and configuration information for the VPN Concentrator and client. Find this information at:
http://www.cisco.com/warp/public/707/#vpn3000.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
•
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
•
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
•
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2005 Cisco Systems, Inc. All rights reserved.