 Feedback
|
Table Of Contents
Release Notes for the Cisco VPN 5000 Concentrator Software Version 6.0.21.0003
New Features in Version 6.0.21.0002
New Features in Version 6.0.21.0001
Transfer Root Certificate and Private Key Between Certificate Generators
Exclusion of Networks from VPN 5000 Client Tunnels
New Features in Version 6.0.20
Default RADIUS Server Support for User Domains
New Features in Version 6.0.19
GRE-in-IPSec LAN-to-LAN Tunnel to a Cisco IOS Device
Standard IPSec Tunnel Reliability
L2TP PPP Address and Control Field Compression Keyword
New Features in Version 6.0.18
CVCs for the VPN 5001 Concentrator
Configurable NAT Transparency Port
New Features in Version 6.0.16
Auto Reconnection for VPN 5000 Clients
New Features in Version 6.0.15
Caveats Fixed in Version 6.0.21.0003
Caveats Fixed in Version 6.0.21.0002
Caveats Fixed in Version 6.0.21.0001
Caveats Fixed in Version 6.0.20
Caveats Fixed in Version 6.0.19
Caveats Fixed in Version 6.0.18
Caveats Fixed in Version 6.0.17
Caveats Fixed in Version 6.0.16
Caveats Fixed in Version 6.0.15
Obtaining Technical Assistance
Release Notes for the Cisco VPN 5000 Concentrator Software Version 6.0.21.0003
August 6, 2002
These release notes provide information about the Cisco VPN 5000 Concentrator software Version 6.0.21.0003. These release notes are periodically updated to describe new features, caveats that were fixed from previous releases, closed caveats, and documentation updates.
Contents
This document contains the following sections:
•
Obtaining Technical Assistance
New Features
The following sections describe new features, including new keywords, for each release.
New Features in Version 6.0.21.0002
This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.21.0002.
RADIUS Service Type Keyword
The following keyword was added to the Radius section:
New Features in Version 6.0.21.0001
This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.21.0001.
Scheduled Reload Command
The apply command is no longer available as of Version 6.0.21.0001. To minimize system disruption due to configuration changes, which require a reboot, we suggest you use one of the following methods of applying changes:
•
•
reload [in [hours:]minutes | at hour:minutes [month/day] | cancel]
show reload
Usage Guidelines
To use the reload in or reload at command, you must set the system clock using a time server (Time Server configuration section) or the sys clock command.
If you issue a reload command more than one time, the concentrator uses the last reload command.
Options
Transfer Root Certificate and Private Key Between Certificate Generators
If you are using the VPN 5000 concentrator as a certificate generator (CG), and you need to replace the system, you can use the new certificate cg command to transfer the root certificate and private key bundle to a new CG or to a file server for archiving purposes. Generating server certificates can be time consuming, and this command allows you to keep any existing server certificates if the CG fails. Use the following syntax:
certificate cg {export | import} password
Usage Guidelines
We recommend running this command on a directly connected console. Because the input and output of the command contains a large amount of text, a Telnet session might not handle the text properly.
Options
Examples
The following examples how how to export and import a root certificate and private key bundle.
Exporting a Cerificate Bundle
The following steps show how to use the certificate cg export command:
1.
orig_cg: Main# certificate cg export kahuna2.
Successful-----BEGIN PKCS12-----MIID7QIBAzCABgkqhkiG9w0BBwGggASCA6QwggOgMIAGCSqGSIb3DQEHBqCAMIIBrAIBADCCAaUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECKmsDZ+H17J9AgIIAICCAXh2rRTQEg8507Af1I3n7JQ0sYOFSfZY8QjsxEJpG0CPC5/op7AeoOiOdxqtj2WCBtKJldom1FDOLQYeHk9Y9RUo8BkVFs8r3ZWm/bhLDvuL3m1v2qe1Uvr4Ha6+lCNUTaOWyJefAGgYbMYZFsBY3LWuGwzmXU3km1b/DVkcY+tPEERn0XaFgavgl2xHkquBryxnrEBepoNfZJf7KLlcYT7lj3cAHYXPA0TJDTvLu9Za30cWtz53YHeUr7MUQX9Unek2//halTB7frZYu2V8njoeqIQFNMcZmtb2xPFugAjNXgXkQHNziRYkuW5Asj5EAweIcpgSrXEMX5fz3djZSytKjktmN0LU1WNVgt9csUGQPK3XDmLN4EojdBOJLtS0uR6GXduRbXNKCiwgzaDztvajacqgppzkc+MZ52+MftS3orE3ltk/A/3tSAlmqYAbw/6IbnA4HkQ8IktFQryYf/5O04BbiRNOxApZyHD6vjHBP0vCo1GxYK1BAAAAADCABgkqhkiG9w0BBwGggASCAcYwggHCMIIBvgYLKoZIhvcNAQwKAQKgggGGMIIBgjAcBgoqhkiG9w0BDAEDMA4ECJU6PZuUJtwzAgIIAASCAWB2XZvTeZ2jBfCvgTu+DJgNm/rjt6TZV4Q7P5g3j2k2MitQYpPayeyqTMVCFWqSUH59eBc9HJ734aenkd2AtbPf+/gm+ZQ4G4Qvpdtml/haxYgd5B8RgUGt/YEcyv0WdFdA+yuijYC3eqWfgaaalELHjFX7kAnUGdVtMpe2gTgN1W89thsCDbR7//Ff43BEemE81N4O9EpDbqpz4DP/4fSIB9nv4rLpNQv6Q+DYozkpJ9flqpkzjR3HVTXwaOY2c+zpccCyLX4ys6aMSomSJNeFQBhoGqtq9dVKnfwTcxHjKGo06hT7wNCoJNi9Lgt9VEWyPVLTEBI7gpMZyE8S07A0f7GmVLNsaklAhaNoFJWhkbux2px7D593X+WHqIaGSWA5q+ILyww2zFuh1ANzm5KDcHCI3m0RnooLCuGPIrP390oyFjlb9v763ApaF+guSMvfD4YGROHXg/PvIY2MUZTRMSUwIwYJKoZIhvcNAQkVMRYEFH2Jol4uCF1co0XgcEAQ1zQT1pLmAAAAAAAAAAAwLTAhMAkGBSsOAwIaBQAEFK8iq4HQUYmhGKZKimGIjY3+KzA5BAh9H5wSyh0gJg==-----END PKCS12-----orig_cg: Main#3.
Importing a Certificate Bundle
The following steps show how to use the certificate cg import command on the new CG:
1.
2.
new_cg: Main# certificate cg import kahuna3.
Begin Pasting Certificate NowTo terminate input, enter a . on a line all by itself.-----BEGIN PKCS12-----MIID7QIBAzCABgkqhkiG9w0BBwGggASCA6QwggOgMIAGCSqGSIb3DQEHBqCAMIIBrAIBADCCAaUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECKmsDZ+H17J9AgIIAICCAXh2rRTQEg8507Af1I3n7JQ0sYOFSfZY8QjsxEJpG0CPC5/op7AeoOiOdxqtj2WCBtKJldom1FDOLQYeHk9Y9RUo8BkVFs8r3ZWm/bhLDvuL3m1v2qe1Uvr4Ha6+lCNUTaOWyJefAGgYbMYZFsBY3LWuGwzmXU3km1b/DVkcY+tPEERn0XaFgavgl2xHkquBryxnrEBepoNfZJf7KLlcYT7lj3cAHYXPA0TJDTvLu9Za30cWtz53YHeUr7MUQX9Unek2//halTB7frZYu2V8njoeqIQFNMcZmtb2xPFugAjNXgXkQHNziRYkuW5Asj5EAweIcpgSrXEMX5fz3djZSytKjktmN0LU1WNVgt9csUGQPK3XDmLN4EojdBOJLtS0uR6GXduRbXNKCiwgzaDztvajacqgppzkc+MZ52+MftS3orE3ltk/A/3tSAlmqYAbw/6IbnA4HkQ8IktFQryYf/5O04BbiRNOxApZyHD6vjHBP0vCo1GxYK1BAAAAADCABgkqhkiG9w0BBwGggASCAcYwggHCMIIBvgYLKoZIhvcNAQwKAQKgggGGMIIBgjAcBgoqhkiG9w0BDAEDMA4ECJU6PZuUJtwzAgIIAASCAWB2XZvTeZ2jBfCvgTu+DJgNm/rjt6TZV4Q7P5g3j2k2MitQYpPayeyqTMVCFWqSUH59eBc9HJ734aenkd2AtbPf+/gm+ZQ4G4Qvpdtml/haxYgd5B8RgUGt/YEcyv0WdFdA+yuijYC3eqWfgaaalELHjFX7kAnUGdVtMpe2gTgN1W89thsCDbR7//Ff43BEemE81N4O9EpDbqpz4DP/4fSIB9nv4rLpNQv6Q+DYozkpJ9flqpkzjR3HVTXwaOY2c+zpccCyLX4ys6aMSomSJNeFQBhoGqtq9dVKnfwTcxHjKGo06hT7wNCoJNi9Lgt9VEWyPVLTEBI7gpMZyE8S07A0f7GmVLNsaklAhaNoFJWhkbux2px7D593X+WHqIaGSWA5q+ILyww2zFuh1ANzm5KDcHCI3m0RnooLCuGPIrP390oyFjlb9v763ApaF+guSMvfD4YGROHXg/PvIY2MUZTRMSUwIwYJKoZIhvcNAQkVMRYEFH2Jol4uCF1co0XgcEAQ1zQT1pLmAAAAAAAAAAAwLTAhMAkGBSsOAwIaBQAEFK8iq4HQUYmhGKZKimGIjY3+KzA5BAh9H5wSyh0gJg==-----END PKCS12-----.PKCS12 Import Successfulnew_cg: Main#4.
Exclusion of Networks from VPN 5000 Client Tunnels
You can now exclude certain networks from being tunneled by VPN 5000 client Version 5.2 or later. Formerly, you identified the networks you wanted to tunnel on the concentrator using the VPN Group section IPNet keyword. Each IPNet is tunneled by the connected client. By using the new VPN Group section ExcludeIPNet keyword, you can specify networks you do not want to tunnel even though they are identified as part of an IPNet network. For example, you can tunnel all networks (IPNet = 0.0.0.0/0) except for 192.168.1.0/24 (ExcludeIPNet = 192.168.1.0/24). Without ExcludeIPNet, you must identify a large number of IPNet keywords to approximate the same functionality.
See the following information about the VPN Group section ExcludeIPNet keyword:
ExcludeIPNet Examples
The following example tunnels all networks except 192.168.1.0/24:
[ VPN Group "isakmp" ]Transform = esp(sha)IPNet = 0.0.0.0/0ExcludeIPNet = 192.168.1.0/24MaxConnections = 4StartIPAddress = 10.7.10.128The following example tunnels all traffic to 10.1.0.0/16 except for 10.1.1.0/24:
[ VPN Group "isakmp" ]Transform = esp(sha)IPNet = 10.1.0.0/16ExcludeIPNet = 10.1.1.0/24MaxConnections = 254LocalIPNet = 10.2.1.0/24New Features in Version 6.0.20
This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.20.
Improved Certificate Support
The following sections describe new certificate features.
Baltimore UniCERT Certificate Authority Support
Version 6.0.20 supports:
•
•
•
CRL Guidelines
Certificate revocation lists (CRLs) allow the concentrator to check if a certificate has been revoked by a CA. The VPN 5000 concentrator supports the following CRLs:
•
•
The VPN 5000 concentrator does not support:
•
•
Limitations
The concentrator does not support:
•
•
•
New and Modified Certificate Section Keywords
The following Certificate section keywords expand VPN 5000 compatibility with CRLs. LDAPBase is new, and CRLInterval is modified.
Displaying the CRL
To view the CRLs in the concentrator cache, use the certificate crl list command.
Default RADIUS Server Support for User Domains
The default RADIUS server defined in the Main CVC (the Radius section with no domain) now authenticates users whose domain does not match a Radius domain section in a CVC. Normally, when a user logs in as user@domain (such as tom@cisco.com), the concentrator searches for a Radius domain section (such as Radius cisco.com) that matches the domain in the login. Before this release, if the user domain did not match a Radius section, the user was not authenticated. In software Version 6.0.20, the concentrator checks the default RADIUS server for the user.
New Features in Version 6.0.19
This section describes the new features in Cisco VPN 5000 concentrator software Version 6.0.19.
GRE-in-IPSec LAN-to-LAN Tunnel to a Cisco IOS Device
A GRE-in-IPSec tunnel is a standard IPSec tunnel with a GRE tunnel within it. You can run routing protocols over the GRE tunnel so you do not need to create a separate tunnel for each network you want to connect. This type of tunnel is supported between the VPN 5000 concentrator and a Cisco IOS device. GRE might slow performance of the Cisco IOS tunnel peer, so you should determine if you want the easier configuration of a GRE-in-IPSec tunnel or the better performance of a standard IPSec tunnel.
Cisco IOS Configuration Guidelines
•
•
•
The VPN 5000 concentrator must initiate all Phase 2 rekeys.
•
The VPN 5000 concentrator must initiate all Phase 2 rekeys.
GRE-in-IPSec Keywords
Configure a GRE-in-IPSec tunnel the same way as a proprietary IPSec tunnel, and enter the following additional keywords and specific keyword values:
•
•
•
•
•
•
To route IP over the tunnel, configure an IP VPN [slot:]number section that matches the Tunnel Partner section identifier.
Standard IPSec Tunnel Reliability
Two new keywords substantially improve the reliability of standard IPSec and GRE-in-IPSec tunnels between the VPN 5000 concentrator and a third-party device.
Cisco IOS Configuration Guidelines
•
•
The VPN 5000 concentrator must initiate all Phase 2 rekeys.
•
The VPN 5000 concentrator must initiate all Phase 2 rekeys.
New Standard IPSec Keywords
KeyManage = Reliable
Tunnel Type: Standard IPSec, GRE-in-IPSec
The concentrator initiates the tunnel at startup, but if the tunnel fails (the InactivityTimeout is triggered, or the peer deletes the tunnel to rekey it), the concentrator attempts to re-establish the tunnel every 60 seconds until it is successful.
InactivityTimeout = Seconds
Values: 0 to 3600 seconds
Default: 0 (off)
Tunnel Type: Standard IPSec, GRE-in-IPSec, dynamic responder
Prerequisites: Set this value to be >= KeepAliveInterval, and <= KeyLifeSecs. See Table 1 for recommended values.If the VPN 5000 concentrator does not detect any traffic either to or from the peer within the specified InactivityTimeout, the VPN 5000 deletes the tunnel. If the concentrator initiated the tunnel, the concentrator makes one attempt to bring the tunnel back up (even if you do not set KeyManage to Reliable). If the concentrator is a responder, the remote device can successfully reinitiate the tunnel because the tunnel was cleanly deleted.
If you do not set an InactivityTimeout, and the tunnel fails (either because of a bad network connection, a system error, or a rekey by the peer), the concentrator continues to maintain the tunnel as active because the concentrator does not know the tunnel failed. If the tunnel still exists on the concentrator, the peer cannot re-establish the tunnel. You must manually delete the tunnel and re-establish it.
Recommended Keyword Values
Table 1 lists recommended keyword values for standard IPSec and GRE-in-IPSec tunnels.
Table 1 Recommended Keyword Values
KeepAliveInterval
120
600 (Default)
InactivityTimeout
120
600
KeyLifeSecs
10000
50000
1 Maximizes reliability.
2 Maximizes scalability.
TunnelType Keyword
This keyword identifies the tunnel type. It enables the GRE-in-IPSec feature, and also differentiates IPSec and GRE tunnels more effectively. The KeyManage = Manual keyword (used to identify a GRE tunnel) is now obsolete.
L2TP PPP Address and Control Field Compression Keyword
The following new keyword in the L2TP General section allows for better L2TP compatibility.
VPN Client Timeout Keyword
The following new keyword in the VPN Group section times out a VPN client.
New Features in Version 6.0.18
This section describes the new features in software Version 6.0.18.
CVCs for the VPN 5001 Concentrator
This release includes support for up to 10 CVCs (including the Main CVC) on the VPN 5001 concentrator.
Configurable NAT Transparency Port
The following keyword in the General section allows you to configure one or more TCP ports for NAT transparency.
New Features in Version 6.0.16
The following new feature was added to Version 6.0.16.
Auto Reconnection for VPN 5000 Clients
The following keyword in the VPN Group section allows VPN 5000 clients to automatically reconnect to the concentrator.
New Features in Version 6.0.15
Table 2 lists VPN 5000 software features included in Version 6.0.15. For detailed information about new sections and keywords, see the Cisco VPN 5000 Concentrator Series Command Reference Guide.
Table 2 Cisco VPN 5000 Software Features
Customer virtual contexts (CVCs)
Supports up to 256 CVCs, which allow the coexistence of multiple virtual routers in the same concentrator. A virtual router maintains each company's network separate from other networks.
Supported on VPN 5002 and VPN 5008 concentrators only. VPN 5001 concentrator support starts in Version 6.0.18.
802.1Q virtual LAN (VLAN)
Supports VLAN on Ethernet ports.
Layer 2 Tunneling Protocol (L2TP)
Supports the concentrator as an L2TP Network Server (LNS) to terminate connections from L2TP Access Concentrators (LACs) and individual L2TP clients.
The L2TP tunnel uses one connection resource, and each PPP user session within the tunnel uses a connection resource.
The VPN 5002 and 5008 concentrators support 5000 resources per ESP card, combined IPSec client tunnels, LAN-to-LAN tunnels, L2TP tunnels, and L2TP sessions.
The VPN 5001 concentrator supports a minimum of 500 resources.
Public Key Infrastructure (PKI) certificates, including support for server-side, user, and LAN-to-LAN tunnel certificates.
Uses VPN 5000 Client Version 5.0.x or later for user certificates. Use VPN 5000 Client Version 4.2.x or later for server-side certificates.
The VPN 5000 concentrators support certificates from the following certificate authorities (CAs):
•
•
Note
CVC configurations from LDAP or TFTP
Reads CVC configurations from an LDAP or TFTP server or from Flash memory.
Multiple RADIUS servers
Uses multiple RADIUS servers for authentication.
Configurable VPN-only ports
Enables or disables VPN-only traffic on a per-interface or per-subinterface basis.
Supported Hardware
Table 3 lists the hardware and software builds supported for concentrator software Version 6.0.x.
Table 3 Supported Hardware for Software Version 6.0.x
Cisco VPN 5001
IntraPort Carrier and Enterprise3 , Cisco VPN 5002, and 5008
vpn-5002-5008-x.x.x[.xxxx]-[3]des.dld
1 x.x.x[.xxxx] is the software version (for example, 6.0.21 or 6.0.21.0002).
2 U.S. builds include 3DES; export builds include DES. The filename reflects the encryption level.
3 Compatible Systems legacy platforms.
Note
Software Compatibility
This section lists compatibility issues with concentrator software Version 6.0.x.
•
•
–
–
Limitations
Software Version 6.0.x does not support primary interfaces in non-Main CVCs. You must configure IP routing for each primary interface in the Main CVC, and then implement subinterfaces in CVCs. A subinterface requires that the primary interface be configured, so you must configure the primary interface in the Main CVC even if you are not using the Main CVC. You must also list the primary interface in the Main CVC file before listing any subinterfaces in the Main CVC.
Important Notes
•
–
–
To use either of these features, use software Version 5.x.
•
•
•
•
Caveats Fixed
The following sections list caveats fixed in each release.
Caveats Fixed in Version 6.0.21.0003
This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0003.
•
Formerly, if you used a RADIUS server to authenticate client connections using the PAP or Challenge (a hybrid of PAP) challenge type, and if validation failed the first time, then the validation retry request that the VPN 5000 concentrator sent to the RADIUS server did not encrypt the user password field; the concentrator sent the password as clear text. Connections using CHAP are not affected by this vulnerability. This problem is fixed in Version 6.0.21.0003. See http://www.cisco.com/warp/public/707/vpn5k-radius-pap-vuln-pub.shtml for more information.
Caveats Fixed in Version 6.0.21.0002
This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0002.
•
The concentrator now allows you to exclude the service type from RADIUS Access-Request packets when you use the Radius section ServiceType = {On | Off} keyword. Formerly, the concentrator always included service type 8 (Authenticate-Only) in Access-Request packets. Older Livingston RADIUS services required this service type when using passthrough mode with SecurID. Most older RADIUS servers ignore the service type, but newer servers can fail if the service type is set to Authenticate-Only. These same servers succeed when no service type is included.
•
If the concentrator loses connectivity to the RADIUS server, the concentrator now starts sending Access-Request packets when connectivity is restored. Formerly, in some heavy traffic situations, the concentrator did not resume RADIUS operations.
•
Traceroute now works through a Mac OS X or Solaris tunnel when you use NAT transparency. Formerly, the concentrator did not recalculate the ICMP checksum after NAT processing, and the traceroute would fail.
•
RADIUS passwords are no longer truncated to 15 characters when using PAP authentication. The limit is now 30 characters.
Caveats Fixed in Version 6.0.21.0001
This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0001.
•
During high volumes of bidirectional traffic in a two ESP card system, the fiber channel no longer fails to transmit (or receive) packets correctly. Formerly, the concentrator had significant packet loss.
•
You can now exclude a network from a VPN client tunnel. See the "Exclusion of Networks from VPN 5000 Client Tunnels" section for more information.
•
The Certificates section LDAPServer keyword now accepts a fully qualified domain name.
•
The TCP implementation no longer uses predictable Initial Sequence Numbers. It now uses a true random hardware number.
•
When you use Aggressive mode tunnels, the IP VPN interface now appears when you use the show ip config command. Formerly, this command showed interfaces as disabled even though tunnels appear up, and directly connected routes appear installed.
•
The concentrator no longer restarts when two users are viewing the same output from a vpn trace dump all command, and both users simultaneously attempt to break the output using the Ctrl-C command.
•
The VPN 5000 concentrator now sends SNMP traps for Warm Start, Cold Start, or Authentication Failure.
•
The SNMP MIBs for RFC 1213 no longer include incorrect data types or missing OIDs, except for the following missing OID values:
–
ipForward values except for ip.ipForwarding.0 = forwarding(1) do not have any significance for the concentrator.
–
–
The concentrator does not support EGP protocols in this release.
•
For the Compatible MIB, the object types now match the MIB definition.
Note
•
The concentrator no longer stops accepting connections after the first 200 connections. Formerly, if you entered the show vpn statistics command, it showed a large number of connections `in negotiation' and the concentrator no longer accepted VPN client connections.
•
When the DS3 interface goes down and up in quick succession, the concentrator no longer reboots.
•
A VPN client behind a router configured for NAT and IPSec passthrough can now pass IPSec traffic through the router.
•
The show vpn partner verbose command now displays complete P2 Key lifetime information when the Tunnel Partner section MaxKeyKBytes keyword is set to the maximum and the concentrator is the initiator. Formerly, the display only included the KeyLifeSecs information.
•
The concentrator no longer reboots if you use the show arp command after adding an ARP entry using the add arp command.
•
Proxy ARP now works correctly when you use StartIPAddress in the VPN Group section.
•
If you configure a LAN-to-LAN tunnel between a VPN 5002 and a 5008 concentrator, an "Invalid version sub-op code!" message no longer appears, and tunnel throughput does not drop to a fraction of the previous rate.
•
When a concentrator has a server certificate installed, and the Windows VPN 5000 client Version 5.0.x or 5.1.x connects using a root certificate (Hybrid mode), the RADIUS password prompt is no longer delayed (in excess of 9 seconds).
•
The LinkConfig section ConnectMode keyword now defaults to Dedicated on all slots. Formerly, slots other than 0 defaulted to DialUp, which is not supported. This keyword is not documented in the reference guide because the (now correct) default for Mode=PPP is the only supported connection mode.
•
When you attempt to connect to a VPN 5000 concentrator with an old Compatible Systems STAMP/STEP VPN client, the concentrator no longer restarts.
•
When you use the boot command on a concentrator with active LAN-to-LAN tunnels, the reboot process now lasts longer to successfully send delete packets to tunnel partners.
•
You can now archive the root certificate and private keys. See the "Transfer Root Certificate and Private Key Between Certificate Generators" section for more information.
•
The VPN Group section KeepAliveInterval keyword now defaults to 60 seconds for all concentrators. Formerly, the VPN 5002 and 5008 concentrators defaulted to 120.
•
You can now schedule a reboot. See the "Scheduled Reload Command" section for more information.
•
The concentrator no longer restarts when loading CVCs due to a memory error.
•
When a CVC has more than eight equal cost OSPF paths to a destination in its routing table, and you ping the destination, the concentrator no longer restarts.
•
When the VPN 5000 concentrator receives a UDP packet destined for the concentrator with an invalid length (such as an IKE negotiation packet), the concentrator no longer restarts.
•
When you request a certificate from a concentrator configured as a certificate generator, the subject name no longer contains "x01".
•
When you configure a CVC or edit a CVC in Flash memory, it no longer becomes corrupt, and the output of the show config full command no longer indicates that some text for the configuration is missing.
•
If you enter a value that is too large for the reset tcp socket command, the concentrator no longer reboots.
•
If you have primary and secondary SecurID servers configured, and a user enters a password that is too short, the connection between the concentrator and the SecurID server is now released correctly. Formerly, the connection to the primary server was released, but the secondary connection was not released. This error resulted in the maximum connections being reached too soon.
•
When the VPN 5000 concentrator is running low on memory (possibly due to a heavy load), the concentrator no longer reboots after it receives a PPP echo request packet in an L2TP session.
•
If you set the IP VPN section OSPFEnabled keyword to Passive for a GRE-in-IPSec tunnel, the concentrator no longer reboots. Passive is only a valid setting for a numbered interface.
•
The vpn tunnel down command, when entered on a responder connected to another VPN 5000 concentrator, now deletes the tunnel; the vpn tunnel down command formerly only deleted the tunnel when you entered it on an initiator or dynamic responder. A concentrator acts as a responder when you set the Tunnel Partner section KeyManage keyword to Respond or Auto; the Auto setting automatically sets one concentrator as a responder and one as an initiator. Previously, the VPN 5000 initiator automatically brought the tunnel back up within several minutes because the tunnel was not deleted. To bring the tunnel back up now, you must enter the vpn tunnel up command on the initiator. Tunnels to Cisco IOS devices are not affected by the tunnel deletion, because they use dynamic tunnel establishment and can re-establish the tunnel when traffic requires it.
•
If you create multiple subinterfaces on the same network, you can now successfully ping the subinterfaces. Formerly, you could only ping the primary interface; responses to other pings indicated the primary interface as the source address and displayed an out of sequence error.
•
OSPF no longer redistributes expired RIP entries.
•
On newer hardware, PCI devices (such as Ethernet and encryption cards) on the ESP card no longer fail to initialize.
•
For the certificate generate request command, the ou and challenge password options are now functional.
•
You can now ping a subinterface on a remote concentrator over a LAN-to-LAN tunnel.
•
When a VPN5002 or VPN5008 concentrator produces a restart event, the restart event now contains backtrace information.
•
The show ip route dynamic command no longer causes a restart after you enter the vpn tunnel down command.
•
The show os dump command no longer causes a restart if you enter too many characters for the address.
•
Proprietary IPSec tunnels no longer fail after one bad packet. Formerly, the concentrator set the timeout to 0 after a bad packet, causing no further packets to go across the tunnel.
•
The apply command was removed because of system instability.
•
The concentrator now queries for a new CRL when a client tries to connect and the cached CRL has expired. Formerly, the client could connect according to the expired CRL information.
•
OSPF route advertisements larger than 1717 bytes no longer prevent the concentrator from installing the routes, and the concentrator's routes are now propagated to the neighbor.
•
The show ip route command no longer shows duplicate route entries or, for OSPF routes, None in the Src/TTL field instead of route type (NET).
•
A restart event no longer occurs in the OSPF process shortly after you enter the tftp get config command.
•
The concentrator configured as a certificate generator can now consistently approve certificate requests.
•
OSPF authentication is now working.
•
The concentrator no longer locks up after approximately 25 days of up time.
•
The show ip route dynamic command no longer hangs the concentrator and causes a restart after you enter Ctrl-C.
•
When you use RADIUS to authenticate users, the NAS-Port attribute that is sent in both access-requests and accounting request packets is now the same value.
•
The VPN 5000 concentrator no longer crashes when you perform an SNMP walk.
•
The following message has been changed to better indicate an out of memory condition:
S_BAD_HASH_COUNTThe message is now:
Out of Memory•
The concentrator no longer crashes the IKE process when the VPN memory is low.
•
The concentrator no longer restarts when passing a NATted FTP port command.
•
The concentrator now prevents you from using the unsupported VPN 5000 Manager with Version 6.0.21.0001 software. If you try to use the VPN 5000 Manager, an error message appears in the log.
•
VPN 5000 clients using NAT transparency and connected to a VPN 5002 or 5008 concentrator no longer intermittently stop tunneling traffic.
Caveats Fixed in Version 6.0.20
This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.20.
•
The BackupServer keyword in the VPN Group section is no longer supported because it did not work correctly.
•
The show ip config command no longer shows duplicate entries for subinterfaces.
•
When a VPN client uses a user certificate and SecurID for authentication, and the VPN Group section SecurIDUserName keyword is set to Off, the concentrator now converts the username at sign (@) to a question mark (?) and truncates the name to 31 characters (the character limit required for SecurID).
•
The concentrator now reports a value in the correct range for the RADIUS Authentication attribute number 5 (NAS-Port).
•
The concentrator now checks that you entered a value within the acceptable range for the following IP section keywords:
•
•
•
•
•
•
•
•
•
A VPN client that connects to a slot other than 0 can now be authenticated by the concentrator when the client uses a manual certificate and an entry in the VPN Users section. Previously, the client was always prompted for a (nonexistent) RADIUS password.
•
Traffic now passes through the VPN tunnel when a VPN client using NAT Transparency connects to a concentrator.
•
Changes made to an existing GRE tunnel configuration now take effect when you issue the vpn tunnel up and vpn tunnel down commands.
•
The vpn tunnel up and vpn tunnel down commands now show the correct IP address for the initiator and the responder.
•
RADIUS authentication no longer times out if the first VPN client connection attempt is still in the RADIUS receive process while a subsequent VPN client connection is attempted.
•
Users in the internal VPN Users database who repeatedly enter incorrect shared secret passwords no longer cause all of the resources for their VPN Group to be used up by "ghost" connections. Previously, this condition occurred when the concentrator used a server certificate and RADIUS.
•
The concentrator no longer restarts when you attempt to add a 10th CVC to the Context List section on a VPN 5001 concentrator. Now, a message appears that states there are no free contexts available.
•
IP filters that are applied to a CVC now work correctly.
•
The VPN 5008 concentrator no longer restarts after a random amount of time with a reset event that contains an EXCEPTION: Data Access Memory Abort message.
•
You can now specify AH(MD5) in a list of transforms for the Tunnel Partner section Transform keyword and establish a tunnel with another concentrator that specifies only AH(MD5).
•
The concentrator no longer restarts when you issue the show frelay pvc command. Previously, this event occurred with a Frame Relay subinterface connecting a VPN 5008 concentrator and a Cisco IOS device.
•
The concentrator now posts both Accounting-On and Accounting-Off records to the RADIUS server when you restart the concentrator using the boot command.
•
RADIUS accounting information now reaches the secondary RADIUS server when the primary server is not available. Previously, only RADIUS authentication rolled over to the secondary server.
•
The concentrator now retrieves the CRL from the LDAP server and you can also configure variables in the LDAP search request packet.
•
The purge of the CRL cache is now propagated to all slots when you issue the certificate crl invalidate command on a VPN 5002 or 5008 concentrator.
•
RIP routing updates from the concentrator to a Cisco IOS device are now spread over a 30-second interval, and the routes no longer enter a hold-down state due to lack of routing updates.
•
The concentrator no longer restarts when you use the list cook mark all command in the configuration editor to view the configured and default values.
•
The VPN 5001 concentrator no longer restarts when you run an snmpwalk on a Solaris workstation using the vendor-specific CompatMIB file. Previously, this restart was triggered by the query for the Compatible.CompatVPN.LoginTable and Compatible.CompatVPN.VPNTunnelTable information.
•
You can now establish a connection with a VPN client for Windows if you use a Verisign PKI for certificates, and the concentrator uses CRL Version 2 for LDAP queries.
•
The default MaxConnections value in the VPN Group section no longer adds two extra users when you use LocalIPNet. Previously, the default MaxConnections value calculation incorrectly included the network address and the broadcast address.
•
When you use Entrust certificates to establish a connection between a VPN 5000 concentrator and a VPN client for Windows that is configured with more than one commonname, the concentrator now extracts all commonnames from the VPN client's root certificate.
•
The concentrator no longer restarts when a VPN client that has established an IPSec connection using RADIUS authentication successfully disconnects and reconnects.
•
The default value for the RIPVersion keyword in the IP section is now None.
•
A GRE tunnel between two VPN 5000 concentrators that was previously removed no longer appears in the show vpn partner output. Previously, this error occurred when you issued the vpn tunnel down command, removed the Tunnel Partner section, and applied the change.
•
A ping from a VPN 5002 console to an L2TP client connection that is terminated on slot 1 is no longer limited to 1432 bytes in size.
•
The default RADIUS server can now authenticate users with an "@" symbol in the username. See the "Default RADIUS Server Support for User Domains" section.
•
LDAP error messages no longer appear if the Certificate section does not include an address for the LDAP server.
•
An error message now appears if you attempt to configure a VPN Group name with more than 15 characters.
•
The concentrator no longer restarts when you make changes to the static route list or redistribute OSPF to static and the OSPF update is received.
•
The concentrator no longer accepts invalid values for the Transform keyword in the VPN Group section.
•
The concentrator console no longer repeats the message "Attempting to contact other IOPs..." when you start up the device.
•
The concentrator no longer restarts under certain high traffic conditions. Previously, this restart occurred when you sent an excess of 100 Mbps of 68-byte or 128-byte packets through the concentrator for performance limit testing.
•
The concentrator no longer restarts if you configure a static route without a metric value and enter the show ip route command.
•
OSPF route advertisements are now received through a proprietary IPSec tunnel.
•
The show os netif command no longer displays duplicate network interfaces for a VPN network after you use the write and apply commands.
Note
•
When you establish a LAN-to-LAN tunnel with a dynamic responder (the Tunnel Partner VPN Default section), the routing table information is now updated correctly when the tunnel partner either loses or changes its IP address and then reconnects to the concentrator.
•
The tunnel is now terminated when you use the vpn tunnel down command from the responder side of a tunnel that was created with Tunnel Partner VPN Default.
•
Ping packets to an L2TP client terminated on a slot other than 0 no longer time out. Previously, the negotiated MTU value for that network interface was not conveyed to slot 0, which is where the fragmentation takes place.
•
Multiple CRL distribution points are now processed properly by the concentrator.
•
The username is now parsed correctly when it is stored in the subject-alt name extension of a certificate and it is the first extension in the certificate.
•
A VPN 5002 concentrator now permits logins on slot 1.
•
When you configure the Peer keyword in the Tunnel Partner section, the static routes are now correctly redistributed into OSPF.
•
Static route and associated dynamic route redistribution no longer continues after the tunnel is down.
•
The concentrator correctly removes all dynamic routes from the routing table and relearns them when you issue the reset ip routing all command.
•
When you issue the save command from a CVC, the configuration is saved to a tftp server and the concentrator restarts as indicated by the command line interface.
•
If a GRE-in-IPSec tunnel is configured in a CVC and the interfaces are configured to use RIP or OSPF, the route is no longer redistributed to neighbor routers.
•
Route redistribution now works correctly if you configure the IP Route Redistribution section in a non-Main CVC.
•
The CRL Timer no longer runs on the ESP card.
•
The ESP cards no longer receive the incorrect date if an NTP server is configured but not reachable.
•
The certificate remove command now functions correctly.
•
A concentrator configured to have a tunnel terminate on a slot other than 0 no longer restarts when you issue the vpn tunnel down slot:number command and leave off the slot number from the tunnel number.
•
The concentrator no longer restarts when you issue the reset ip routing all command on a concentrator configured to use OSPF in the Main CVC.
•
The OSPF routing updates now function properly when an Aggressive mode tunnel terminates on a slot other than 0.
•
A concentrator configured as the initiator no longer restarts during IKE negotiations if an error occurs while checking the responder's certificate against a CRL.
•
The concentrator no longer restarts during an L2TP session negotiation when the LAC sends the concentrator an L2TP packet that contains a hidden AVP.
•
The concentrator now contacts the LDAP server for a new CRL if you try to establish a connection after the CRL expires.
•
VPN 5000 concentrators can now retrieve a CRL from a CDP if the path is a URL.
•
An error message now appears if you attempt to configure an Ethernet subinterface without a VLAN ID.
•
The static route for a tunnel established between a VPN 5000 concentrator and a Cisco IOS device no longer becomes unusable during tunnel renegotiations.
•
A VPN 5002 or 5008 concentrator no longer restarts if a VPN client attempts to connect during the initialization process.
•
The concentrator now correctly shows a restart event and debug error if the VPN client pings its own IP address assigned by the concentrator.
•
A VPN 5001 concentrator no longer restarts when a ninth CVC is loaded.
Caveats Fixed in Version 6.0.19
•
A VPN tunnel that is assigned to a slot other than 0 on the concentrator can now pass traffic after it has established a connection.
•
A traceroute performed to an IP address represented by a static route no longer causes an occasional restart on the concentrator.
•
The VPN 5001 concentrator can now install more than 140 static routes from the IP STATIC configuration section.
•
You can now use active mode when you connect a VPN client for Linux to a VPN 5000 concentrator.
•
The concentrator no longer displays a "WRONG PACKET HERE PAYLOAD=5" message and an "error 256" when a VPN client for Solaris tries to establish a connection using PPP and a certificate.
•
The ASSERT message "signal()/home/release/src6.0/rrsrc/sys/semaphor.c:167" no longer appears after you load software on a VPN 5002 concentrator.
•
The concentrator no longer restarts due to an effect the fastsend function had on the packet buffer queue.
•
OSPF routing updates now pass across GRE tunnels. Previously, the concentrator indicated that the tunnel was up but no routing updates were entered in the tables.
•
The bandwidth aggregation function for OSPF multipath now works correctly when the fastswitch entry for a VPN 5008 concentrator does not have a local transmit function.
•
The concentrator now passes IP traffic when a VPN client is terminated on slot 1.
•
The concentrator no longer restarts during attempts to send ICMP packets back to the VPN client. Previously, this restart occurred if you set the PreTunnelFragment keyword in the General section to On for a VPN 5002 or 5008 concentrator and the VPN client terminated on a slot other than 0.
•
Keepalive packets now work correctly across proprietary IPSec LAN-to-LAN tunnels with multiple CVCs.
•
When the concentrator has more than 1 Mbps load, pings originating from the internet router are no longer lost.
•
Routes configured in the IP Static section now install correctly when the gateway IP address specifies a VPN client assigned address and the VPN client is already connected.
•
The concentrator is no longer exposed to programming errors because the first 1 MB of memory was previously unprotected from accidental overwrites.
•
The last character of the configuration is no longer dropped if you download a CVC from a TFTP server, edit the configuration, and implement the new configuration using the apply save command.
Note
•
The concentrator no longer restarts when you issue the show l2tp user command, specifying a particular user.
•
If a user connects to a VPN 5000 concentrator through a GRE tunnel first, and the subsequent connection is through an L2TP tunnel using the same IP address, the concentrator no longer continues to send the traffic through the GRE tunnel instead of the L2TP tunnel.
•
The concentrator no longer restarts during a traceroute on a VPN 5002 or 5008 that is configured for DNS.
•
The concentrator no longer restarts when you issue the vpn tunnel up tunnel command to specify a particular tunnel number for a GRE tunnel.
•
The OSPF protocol now works correctly for GRE-in-IPSec tunnels between a VPN 5000 concentrator and a Cisco IOS device.
•
Dynamic routing updates (such as OSPF or RIP) are now distributed to neighboring devices correctly for proprietary IPSec LAN-to-LAN tunnels that terminate on a slot other than 0.
Caveats Fixed in Version 6.0.18
•
In VPN 5000 client Versions 5.1.x, or later, you now have the capability to set the TCP port number used to encapsulate VPN packets. Use the NATTransport keyword in the General section. See the "Configurable NAT Transparency Port" section.
•
When a VPN client configured to use Entrust certificates tries to establish a connection to a concentrator, the LDAP query for the CRL no longer fails. Previously, this failure caused the connection to be denied.
•
The client is now able to pass traffic across the VPN tunnel if the PFS keyword in the VPN Group section is set to a mode other than Off. The PFS keyword is not supported on the concentrator even though it appears in the command line.
•
The tftp command now supports a directory path as part of the filename.
•
VPN clients are no longer assigned to VPN ports that still have resources tied to a previous client connection.
•
A query for the Compatible.CompatVPN.LoginTable or Compatible.Compat.VPNTunnelTable in the vendor-specific CompatMIB file no longer causes a restart loop.
•
Authentication using AXENT Defender and CiscoSecure ACS Version 2.4 RADIUS server for Windows NT now works correctly.
•
If a LAN-to-LAN tunnel is established between a VPN 5000 concentrator and a Cisco IOS device, the connection now correctly rekeys with a time-based rekey variable.
•
The concentrator no longer restarts occasionally when it closes VPN sessions.
•
The concentrator no longer restarts during a client connection attempt if it is configured with no users in the VPN Users section.
•
If you use the show vpn hardware verbose command on a VPN 5002 or 5008 concentrator, the concentrator no longer shows statistics and then restarts.
•
If you use the show snmp config command, the concentrator no longer restarts.
•
The VPN client now communicates with a network through the concentrator if the VPN Group section StartIPAddress keyword specifies an address on a subnet other than the subnet assigned to Ethernet 0:0.
•
If you configure a static route through a VPN tunnel interface other than VPN 0:number, it is now correctly installed on the concentrator.
•
Static IP routes installed by the Peer keyword in the Tunnel Partner section are no longer removed when you use the apply command.
Note
•
The concentrator no longer restarts if you use the certificate remove command.
•
When an L2TP client sends LCP echo requests to a VPN 5000 concentrator, and the concentrator responds, the L2TP client now accepts the responses, and the tunnel no longer disconnects.
•
You no longer get a failure message if you edit an existing Context List section entry and then save the configuration using the write and apply commands.
Note
•
The concentrator no longer restarts if an L2TP connection enters a bad state and you use the show l2tp statistics command.
•
A Frame Relay connection can now pass ping traffic.
•
OSPF no longer fails to initialize in the CVC if you configure multiple OSPF areas and define Area 0 on the IPSec tunnel.
•
The concentrator no longer restarts if you use the reset statistics radius command.
•
The concentrator no longer drops packets due to a large amount of traffic. Previously, when VPN traffic reached a level that the device could not match, the traffic in one direction began to drop until all traffic in that direction was lost.
•
It is now possible to create an L2TP tunnel between the Cisco VPN 5000 concentrator and the Nortel GGSN router. Previously, the concentrator terminated the session negotiation and closed the L2TP session.
•
If you configure multiple GRE tunnels on a concentrator, subsequent tunnels from the same interface on the remote device now pass traffic. Previously, only the first GRE tunnel passed traffic.
•
A slow certificate authentication process in the concentrator no longer causes the client to time out if you have a VPN client configured to use certificates and you are trying to connect to a VPN 5001 concentrator.
•
A VPN client configured to use certificates is no longer rejected if it is received by a VPN 5002 or 5008 concentrator on a slot other than 0 and needs to retrieve a CRL from the LDAP server.
•
The VPN 5000 concentrator now correctly sequences L2TP data packets and allows PPP negotiations to complete.
•
The concentrator now successfully completes a connection with an L2TP client configured to use PAP authentication.
•
The information now displays correctly when you use the show ip route command.
•
After restarting a concentrator configured as a responder for a LAN-to-LAN tunnel, the tunnel now comes up. Formerly, only tunnels initiated by the concentrator came up after a restart.
•
The BindTo keyword now works correctly when you configure a LAN-to-LAN tunnel in a CVC.
•
The concentrator no longer restarts when a LAN-to-LAN tunnel is initiated by a VPN device using a CheckPoint firewall.
•
The concentrator no longer rejects the search reply when it sends a search request for a CRL to an LDAP server using LDAPv2.
•
The concentrator no longer restarts when it tries to clear an invalid or nonexistent client security association (SA).
Caveats Fixed in Version 6.0.17
•
A large number of client connections no longer cause the concentrator to reboot.
•
The concentrator no longer restarts if you press the Return key at a specific point in the startup process.
•
When OSPF external routes are installed on a network in which a static route is configured, the dynamic routes now apply correctly.
•
The concentrator no longer shows an LDAP error if there is no configuration for LDAP queries.
•
The concentrator no longer restarts if you download a CVC from a TFTP server into Flash memory, and the CVC exceeds the remaining available Flash memory of the device.
•
VPN 5002 or 5008 concentrators using a PPP connection now pass NetBIOS traffic through an L2TP tunnel.
•
The concentrator no longer restarts and logs an event if you use the context new command in normal or enable mode, or immediately following a reboot.
•
When you edit a CVC by adding new lines, you no longer lose lines in the configuration when you save using the write command.
•
Subsequent PPP sessions through L2TP tunnels are no longer rejected by the concentrator.
•
If a VPN client using NAT transparency disconnects from the concentrator and then reconnects before the NAT session times out, subsequent client connections using NAT transparency are now able to establish a connection.
•
The MTU/MRU size is now correctly negotiated when a PPP session is established with a concentrator. Previously, this incorrect negotiation caused large packet transfers to fail.
•
When you configure the BindTo keyword in the RADIUS server, the server now routes traffic back to a CVC other than Main.
•
There is no longer an intermittent restart event with L2TP users connecting to a concentrator using RADIUS authentication.
•
When you use Windows dialup networking with LCP extensions enabled to connect to a concentrator using L2TP, the connection no longer fails.
•
L2TP users that connect to a concentrator are now authenticated by the RADIUS configuration in their CVC, and not by the Main CVC RADIUS server.
•
The RADIUS server now receives accounting information for L2TP users that are connected to a concentrator.
•
The concentrator no longer restarts when a large number of LT2P tunnels are closed and then reinitiated.
•
If you have an L2TP connection using RADIUS authentication with CHAP, large file uploads using Microsoft Drag and Drop no longer cause the tunnel to stop passing traffic.
•
With OSPF enabled on all CVCs, including Main, it is now possible to transfer more than one configuration from a tftp server to a VPN 5001 concentrator.
•
A CVC in a VPN 5001 concentrator can now pass traffic over a tunnel to a CVC in a VPN 5002 concentrator.
•
When saving a modified configuration, the concentrator no longer hangs in the middle of the save.
•
A VPN client using L2TP now receives its IP address assignment by the RADIUS server.
•
The concentrator no longer restarts if you use OSPF over LAN-to-LAN tunnels.
•
The VPN statistics tunnel array has been corrected so that show vpn stats v and RADIUS accounting commands can be used.
•
The concentrator no longer drops its end of the tunnel due to an inactivity timeout after a dialup connection has been established with a VPN client.
Caveats Fixed in Version 6.0.16
•
LAN-to-LAN tunnels using G1 protection no longer fail phase 1 negotiation if tunnel connections using G2 protection are already established.
•
If you set the L2TPAuth keyword to Both, this now allows both PAP and CHAP connections.
•
The concentrator no longer restarts when it is overcome by a large number of invalid tunnel requests and extraneous traffic.
•
The show l2tp users verbose command now displays the correct number of connections to CVCs other than Main.
•
When a local user logs in to the concentrator, the RADIUS accounting log now registers the user and the Assigned IP and Real IP of the local user.
•
VPN clients using NAT transparency can now successfully connect to concentrators which use multiple CVCs and VLANs in a CVC.
•
If you make changes to the concentrator configuration using the apply command before a VPN client connects, this command no longer affects future client connections.
Note
•
The unallocated concentrator memory listed in the show os memory verbose command no longer grows with each simultaneous Windows connection.
•
The modify config command no longer causes the concentrator to lose the configuration.
•
When you connect an L2TP tunnel to the Main CVC, the concentrator can now ping a PPP client through the tunnel.
•
The concentrator no longer restarts when you use the vpn tunnel down command for a VPN tunnel number configured for an IOP that is not present.
•
You can now specify the slot number (slot#:vpn#) on a CVC tunnel. Previously, if you specified the slot number instead of using the default, this caused the concentrator to restart.
•
The concentrator no longer restarts when it passes traffic through a GRE tunnel to a Cisco IOS device.
•
The add ip route command now applies changes correctly for WAN subinterface routes.
•
You can now use an interface defined in the CVC to establish a tunnel session using L2TP. Previously, using an interface defined in a CVC other than Main caused the concentrator to restart.
•
If you use the write and apply commands to perform multiple configuration changes, this action no longer causes the concentrator to restart.
Note
•
You can now use the Context New command while another configuration section is being edited and the configurations do not overwrite each other.
•
The concentrator now passes traffic back to a VPN client user that belongs to a VPN Group bound to a subinterface in the Main CVC.
•
If you edit a configuration in the Main CVC, this no longer deletes the context = "name" line in the General section.
•
The VPN 5000 concentrator no longer crashes when it pings another host because of an EXCEPTION: Data Access Memory Abort.
Caveats Fixed in Version 6.0.15
•
When a user connects to a VPN 5002 or 5008 concentrator using RADIUS, statistics for the connection on slots other than slot 0 are now logged in the log file correctly.
•
If you configure multiple VPN-only ports on a VPN 5008 concentrator, all traffic to or from a given VPN-only port is no longer only sent to or from Ethernet 0:0.
•
When the VPN 5000 concentrator is placed behind a device performing Network Address Translation (NAT), the VPN connections are no longer dropped in approximately 200 seconds due to Keep Alive Packets that do not pass through properly.
•
For cases in which not all slots in a VPN 5002 or 5008 are filled, the show version command no longer prints an erroneous message on the console similar to the following message:
Bad value read from iop 1 -2/536878260•
Accounting now works with the Livingston Version 2.1 RADIUS server. The Radius section keyword defaults were updated to match the RFC: AcctPort = 1813 and AuthPort = 1812.
•
When you use RADIUS to authenticate users, the show vpn users command no longer shows incorrect information such as the VPN group name as a number, incorrect client and local addresses, and the incorrect connect time.
•
LAN-to-LAN tunnels established using the Tunnel Partner VPN Default section now terminate correctly.
•
The command line interface no longer allows you to enter an incorrect value for the OSPF Area section NetRange keyword.
Closed Caveats
This section describes known issues related to the Cisco VPN 5000 concentrator software Version 6.0.21.0001. A closed caveat is one that Cisco does not intend to fix. They are included here for reference and for the valuable workarounds (when available).
General System Caveats
•
When you use the VPN 5000 MIB for the VPN 5001 concentrator, several variables return values of zero. The variables are:
–
–
–
–
Workaround: Set the Tunnel Partner section SlaEnablePartner keyword to On for the tunnels in question.
•
The following entries are present while a VPN 5002 or 5008 concentrator starts up, even if no configuration is present. These messages do not indicate an error, and require no workaround.
Initializing TBM Default Parse Table...Cfg Buffer: 8: Invalid section name: 'IP Ethernet 3:0'Cfg Buffer: 14: Invalid section name: 'IP Ethernet 5:0'Cfg Buffer: 20: Invalid section name: 'IP Ethernet 7:0'•
The IP section DirectedBroadcast keyword appears as a valid keyword for an IP VPN section, but this keyword is not supported for IP VPN.
Workaround: Do not configure the DirectedBroadcast keyword.
•
The Up arrow fails to repeat the last command and instead prints either "A" or "[[A" to the screen. This condition occurs when the concentrator is under heavy load, for example with a few thousand L2TP connections.
Workaround: Use the Up arrow again until the command repeats, or type the command you want.
•
When two Telnet sessions are active on the concentrator, if one session uses the show config command, the second session is unable to use the show config command.
Workaround: Use the show os tcp (to get your Telnet session's socket), and reset tcp socket commands, and Telnet back in to the concentrator.
•
If you downgrade from Version 6.0 to 5.2 and you have CVCs in flash memory, the 5.2 code attempts to parse the CVCs and shows error messages on the console. These messages do not affect the operation of the concentrator.
No workaround after downgrading to 5.2. While in 6.0, you can use the context delete command to remove CVCs.
•
If you enter an IP Route Filter section, this causes the concentrator to lose RIP information even if the filter name is not called out in the General section.
No workaround.
•
The General section ConfiguredFrom keyword displays an incorrect value for the TFTP server address. This error does not affect system operation.
No workaround.
•
A concentrator with over 200 CVCs cannot use the tftp command to put a Main CVC on the concentrator.
No workaround.
•
If you Telnet from the concentrator to a remote device through a GRE tunnel, the connection fails and displays the error: "telnet: Connection refused". This occurs because the concentrator does not always choose the correct source address and source interface for originating the Telnet (TCP) packets.
Workaround: Specify the source address for the Telnet on the command line as shown in the following example:
telnet 10.1.2.3 sourceaddress 10.4.5.6Where 10.1.2.3 is the device you want to Telnet to, and 10.4.5.6 is the address of an interface on the concentrator in your current context.
•
When you import a certificate into the concentrator, the concentrator does not display an error message if the import fails.
Workaround: Enter the show certificate installed command to see if the certificate installed properly.
•
The show ip config command does not display filters applied to subinterfaces.
No workaround.
•
VPN 5001 concentrators reboot spontaneously without saving a restart trace in software releases prior to 5.2.22 and 6.0.20. In software releases 5.2.22 and 6.0.20 and later, a restart event is saved, similar to the following example. If the EXCEPTION field has the word Reset next to it, and the Control Register under the StrongARM MMU Registers heading has a value ending with 70, then your device has a hardware problem.
Workaround: Please contact the Cisco Technical Assistance Center to replace your unit.
Restart Information:System Uptime: 1 day 17 hours 33 minutes 47 secsTime: 9/21/01 9:06:35OS Version: IntraPort2+ V5.2.21.0005 (dalecki) USPanic Code: 0x00006ff9Panic Info: 0x00000000 0x00000000 0x00000000EXCEPTION: ResetRegisters:R0 0x003d9430 R1 0xffff66afR2 0x002bdb04 R3 0x0000ffffR4 0xf03d9444 R5 0x00000000R6 0x0004994c R7 0x000065afR8 0x00000000 R9 0x0000007fR10 0x00000000 FP 0x00212a54R12 0x00000000 SP 0x003fec88LR 0x41000d98 PC 0x41000d98CPSR 0x600000d3 (13)StrongARM MMU Registers:ID Register 4401a103Control Register 00264070 < ending with the value of "70" means that the MMU was turned off and the processor reseted.TLB Register 00264070Domain Register 11111110Fault Status Register 00264054Fault Address Register 00000000Saved CPSR 000000d3Process Info:name -> 'prnull', priority/state -> 6/0x3plimit/pbase/size -> 0x00215c04/0x00216c00/4096Backtrace:fp 0x00212a54, rtn 0x00169e70, args: <not available>fp 0x00212a8c, rtn 0x00385158, args: <not available>fp 0x003851fe, rtn 0x88b8b0e2, args: <not available>Stack: 0x003fec54003fec54 0000 0005 2e7c 3762 ac88 242c 43ba 9e41 *.....|7b..$,C..A*003fec64 0def 07ac 6558 7a3f f03d 9444 0000 0000 *....eXz?.=.D....*•
The concentrator restarts when you exit from the console port while in edit mode for a Main CVC.
No workaround.
•
If you run an snmpwalk on a VPN 5002 or 5008 concentrator, only information regarding slot 0 is displayed.
No workaround.
•
If you issue the edit config command, but exit without making changes, the concentrator does not allow you to TFTP a new configuration to replace the current one because the concentrator indicates that the configuration is being edited. You also cannot write the configuration to make the concentrator believe that the editing session has ended because the concentrator indicates that no changes were made.
Workaround: Edit the configuration by appending a comment, then write the configuration. The concentrator then allows you to TFTP a new configuration.
•
When you use an LDAP URL in the Context List section, if you do not include the ?attributes attribute in the URL (ldap://IP_address[:port]/dn[?attributes[?scope[?filter]]]), the concentrator enters a boot loop.
Workaround: If you are already in a boot loop, set the test switch to 8 and add the ?attributes option to the URL. Attributes could be the CVC file name, for example.
•
The SNMP manager is unable to acquire CPU utilization for a VPN 5000 concentrator using the vendor-specific CompatMIB file.
No workaround.
•
If an IP subinterface section is listed in the CVC before the primary interface, the subinterface will not install.
Workaround: List primary interface first, then subinterfaces.
•
A VPN 5002 concentrator experiences intermittent restarts and several _step_lock SA errors appear in the restart log.
No workaround.
•
If you upgrade a VPN 5002 or 5008 concentrator from Version 6.0.17 or earlier to a later version, the Ethernet interface might stop transmitting packets.
Workaround: Turn the power off and on, and this problem does not reappear. This caveat does not apply if you upgrade from Version 6.0.18 or later.
•
The output of the show ip route command shows an incorrect association between the destination address and the CVC subinterface.
No workaround.
•
The concentrator takes a long time to load a large number of CVCs, approximately 3 to 5 seconds per CVC.
No workaround.
•
CRL Distribution points containing a DC (domain component) or an email address result in an improper CRL query and the connection fails.
No workaround.
ESP Card and Port Caveats
•
When you unplug and then reconnect the 10/100BASE-T Ethernet port from the network, the port does not correctly renegotiate its speed or duplex setting in autodetect mode.
Workaround: Set the Ethernet interfaces speed and duplex in the Ethernet Interface section, or connect the Ethernet cable to the hub or switch. Turn off the concentrator and then turn it on.
•
On a VPN 5002 or 5008 concentrator, the show sys hardware command only shows statistics for slot 0.
VPN Tunneling Caveats
•
If you configure a WINSPrimaryServer or WINSSecondaryServer in the VPN Group section, this configuration does not forward WINS traffic from the client correctly. Normally, if you specify a WINS server on the concentrator, this redirects any client WINS traffic over the tunnel, regardless of the WINS server configured on the client PC. However, while the client can see hosts in Network Neighborhood, the client receives an error message when it attempts to connect.
Workaround: Configure the remote WINS servers in the Network Control Panel or in the dialup profile on the client PC, and do not specify a WINS server on the concentrator.
•
The concentrator allows you to set the IP section VPNOnly keyword to On on a VPN port, which only allows tunneling through a tunnel. VPNOnly = Off is the default.
Workaround: Do not set VPNOnly = On in the IP VPN section.
•
The High Water value shown by the show vpn statistics command is artificially inflated when a large number of LAN-to-LAN tunnels are terminated abruptly and then reconnected.
No workaround.
•
If you use an L2TP interface defined in a CVC other than Main to establish tunnel sessions, PPP users cannot connect.
Workaround: Use an interface defined in the Main CVC.
•
If you have many tunnels in multiple CVCs that attempt an IKE Phase 2 rekey in the same time period, the concentrator might not be able to complete the rekeys in a timely manner, and some tunnels might go down and need to be brought back up manually.
Workaround: Set the Tunnel Partner section KeyLifeSecs and MaxKeyKBytes keywords for each tunnel so that the rekey times are staggered.
•
The show vpn statistics command shows device-wide statistics, and not the statistics for each ESP card.
No workaround.
•
If you attempt to send an instant message using Microsoft Instant Messenger from inside a private network to a VPN client user, the message does not go through the tunnel.
No workaround.
•
If a GRE tunnel is established between a VPN 5000 concentrator and a Cisco IOS device, the OSPF routing updates are not passed correctly because of a mismatch in the default MTU sizes. The default MTU size is 1476 for the Cisco IOS device, and 1500 for the Cisco VPN 5000 concentrator.
Workaround: Configure the tunnel interface on the Cisco IOS device to have the same default MTU size as the VPN 5000 concentrator.
•
When an internal interface that is connected to a RADIUS server fails, the failover to a secondary server can take up to 70 seconds.
No workaround.
•
If a proprietary tunnel is established between two VPN 5000 concentrators and they are configured for aggressive mode IPSec tunnels, the time-based rekey may not occur at the configured time. For example, if you have the Keylifesecs keyword in the Tunnel Partner section set to 600, the rekey does not occur for approximately 1000 seconds.
Workaround: No workaround needed. The rekey eventually takes place.
•
If the Tunnel Partner section SharedKey keyword is longer than 40 characters, RIP fails on the tunnel between two VPN 5000 concentrators.
Workaround: Set the SharedKey to be less than 40 characters.
•
The show ip config command shows VPN interfaces as disabled even if a tunnel is active. Also, the VPN number (VPN 0:0) does not match the configured number.
No workaround.
•
A VPN 5000 concentrator takes two times as long as the value set in the VPN Group section InactivityTimeout keyword value before it terminates a VPN client connection. For example, if the InactivityTimeout value is set for 30 seconds, the concentrator does not terminate the tunnel with the VPN client until 60 seconds has passed.
No workaround.
•
While PPP sessions and L2TP tunnels are coming up, the show l2tp tunnels command produces this error:
L2TP Tunnel Information for slotSlot 1 >>>Error bringing up VPN1:146. rmt_if_up returned -10: Total tunnels 5 sessions 195•
The VPN 5000 concentrator stops sending RIP routing updates to its tunnel partner over a GRE-over-IPSec tunnel.
No workaround.
•
For a GRE tunnel, the concentrator advertises the Tunnel Partner section BindTo IP address through the tunnel to the partner. The partner then installs the BindTo IP address in its routing table showing the address as reachable through the tunnel, and overwrites the original (correct) static route that showed the BindTo address as reachable through the local interface. This routing entry causes traffic to stop going over the tunnel.
Workaround: Set the IP Protocol Precedence section Precedence keyword to static ospf rip. The default is ospf rip static.
•
If you reset L2TP tunnels using the reset l2tp tunnel all command, and you use the show l2tp users command to see how many users have reconnected, the L2TP Call Session Summary shows more users than are actually connected.
Workaround: The information for each ESP card is correct.
•
If the SNMP administrator issues a get on the SNMPv2 MIB II UDP group, no information is returned for the UDP table.
No workaround.
•
When a LAN-to-LAN tunnel is configured between two VPN 5000 concentrators, restarting the tunnel initiator causes the responder to restart when the initiator's CVC initializes. The tunnel comes up when the responder finishes rebooting.
No workaround.
User Authentication Caveats
•
If multiple clients attempt to connect to the VPN 5000 concentrator simultaneously using SecurID, and the concentrator has not yet established the password between itself and the ACE/Server (usually established on the first connection), then the ACE/Server reports, "ACCESS DENIED, Can't lock client," and fails to authenticate the clients.
Workaround: To connect to the concentrator for the first SecurID authentication, use only one client. This allows the concentrator to establish the password correctly. After the password is set, clients can connect normally.
•
When you use the show vpn statistics command, the high water mark (the highest number of concurrent active connections since the last reboot) for LAN-to-LAN tunnels might be inflated after several tunnels crash and other tunnels get online.
No workaround.
•
The default value for the Radius section VPNGroupInfo keyword is 77. This setting is in violation of RFC 2869, which states that attribute 77 should be used for data from the concentrator to the RADIUS server, and not the other way around.
Workaround: Set this value to another number, such as 88.
•
The Radius section SecAddress keyword does not work properly when set to a domain name.
Workaround: Set an IP address.
•
A tunnel between a Cisco IOS device and a VPN 5000 concentrator might stop responding for an extended period of time after an attempted Phase 2 rekey negotiation, even if the Tunnel Partner section KeyManage keyword is set to Reliable.
Workaround: Set the KeyLifeSecs keyword on the VPN 5000 and the crypto ipsec security association lifetime seconds on the Cisco IOS device to 86400 (24 hours).
•
The concentrator does not interoperate with the Cisco Access Registrar RADIUS server.
No workaround.
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
•
http://www.cisco.com/public/ordsum.html
•
http://www.cisco.com/go/subscription
•
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
•
•
•
•
•
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
•
•
•
•
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
