Guest

Cisco VPN 5000 Series Concentrator Software

Release Notes for the Cisco VPN 5000 Concentrator Software Version 6.0.21.0003

 Feedback

Table Of Contents

Release Notes for the Cisco VPN 5000 Concentrator Software Version 6.0.21.0003

Contents

New Features

New Features in Version 6.0.21.0002

RADIUS Service Type Keyword

New Features in Version 6.0.21.0001

Scheduled Reload Command

Transfer Root Certificate and Private Key Between Certificate Generators

Usage Guidelines

Options

Examples

Exclusion of Networks from VPN 5000 Client Tunnels

New Features in Version 6.0.20

Improved Certificate Support

Default RADIUS Server Support for User Domains

New Features in Version 6.0.19

GRE-in-IPSec LAN-to-LAN Tunnel to a Cisco IOS Device

Standard IPSec Tunnel Reliability

TunnelType Keyword

L2TP PPP Address and Control Field Compression Keyword

VPN Client Timeout Keyword

New Features in Version 6.0.18

CVCs for the VPN 5001 Concentrator

Configurable NAT Transparency Port

New Features in Version 6.0.16

Auto Reconnection for VPN 5000 Clients

New Features in Version 6.0.15

Supported Hardware

Software Compatibility

Limitations

Important Notes

Caveats Fixed

Caveats Fixed in Version 6.0.21.0003

Caveats Fixed in Version 6.0.21.0002

Caveats Fixed in Version 6.0.21.0001

Caveats Fixed in Version 6.0.20

Caveats Fixed in Version 6.0.19

Caveats Fixed in Version 6.0.18

Caveats Fixed in Version 6.0.17

Caveats Fixed in Version 6.0.16

Caveats Fixed in Version 6.0.15

Closed Caveats

General System Caveats

ESP Card and Port Caveats

VPN Tunneling Caveats

User Authentication Caveats

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Notes for the Cisco VPN 5000 Concentrator Software Version 6.0.21.0003


August 6, 2002

These release notes provide information about the Cisco VPN 5000 Concentrator software Version 6.0.21.0003. These release notes are periodically updated to describe new features, caveats that were fixed from previous releases, closed caveats, and documentation updates.

Contents

This document contains the following sections:

New Features

Supported Hardware

Software Compatibility

Limitations

Important Notes

Caveats Fixed

Closed Caveats

Obtaining Documentation

Obtaining Technical Assistance

New Features

The following sections describe new features, including new keywords, for each release.

New Features in Version 6.0.21.0002

This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.21.0002.

RADIUS Service Type Keyword

The following keyword was added to the Radius section:

ServiceType = {On | Off}

On—Includes service type 8 (Authenticate-Only) in Access-Request packets. Older Livingston RADIUS services required this service type when using passthrough mode with SecurID.

Note This setting was the default in previous releases. The default was changed to Off in this release because some newer RADIUS servers fail when the service type is set to Authenticate-Only.

Off (Default)—Does not include a service type in Access-Request packets. Most older RADIUS servers ignore the service type, but newer servers can fail if the service type is set to Authenticate-Only. These same servers succeed when no service type is included.


New Features in Version 6.0.21.0001

This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.21.0001.

Scheduled Reload Command

The apply command is no longer available as of Version 6.0.21.0001. To minimize system disruption due to configuration changes, which require a reboot, we suggest you use one of the following methods of applying changes:

For a CVC in Flash memory, use the write command, and then use the reload command to schedule a reboot at a convenient time.

For a CVC on a file server, make changes to the CVC on the file server, and then use the reload command to schedule a reboot at a convenient time.

reload [in [hours:]minutes | at hour:minutes [month/day] | cancel]

show reload

Usage Guidelines

To use the reload in or reload at command, you must set the system clock using a time server (Time Server configuration section) or the sys clock command.

If you issue a reload command more than one time, the concentrator uses the last reload command.

Options

Option
Description

reload

Reboots the system immediately. This command is the same as the existing boot command. However, the boot command does not allow any other options.

reload in [hours:]minutes

Limitations: Time cannot exceed 24 days (576 hours or 34560 minutes).

Reboots the system in the specified amount of time.

hours—The number of hours before rebooting. You must also specify minutes. Specify hours:0 for zero minutes.

minutes—The number of minutes before rebooting. If you also specify hours, the minutes are added to the hours.

The following example shows how to reboot the system in 125 minutes:

reload in 125

The following example shows how to reboot the system in 2 hours and 25 minutes:

reload in 2:25

reload at hours:minutes [month/day]

Limitations: Time cannot be more than 24 days after the current time.

Reboots the system at the specified time and day.

hours:minutes—The time you want to reboot, using a 24-hour clock. If you do not specify the month and day, the current day is used. If the specified time has already passed on the current day, the reboot occurs on the next day.

month/day—The month and day you want to reboot. If the month and day are in the next calendar year (but within the 24-day limit), the concentrator automatically calculates the correct year.

The following example shows how to reboot the system at 12:15 on the current day:

reload at 12:15

The following example shows how to reboot the system at 4:15 on Dec. 1:

reload at 4:14 12/01

reload cancel

Cancels a scheduled reload.

show reload

Displays the schedule for the last reload command you entered.


Transfer Root Certificate and Private Key Between Certificate Generators

If you are using the VPN 5000 concentrator as a certificate generator (CG), and you need to replace the system, you can use the new certificate cg command to transfer the root certificate and private key bundle to a new CG or to a file server for archiving purposes. Generating server certificates can be time consuming, and this command allows you to keep any existing server certificates if the CG fails. Use the following syntax:

certificate cg {export | import} password

Usage Guidelines

We recommend running this command on a directly connected console. Because the input and output of the command contains a large amount of text, a Telnet session might not handle the text properly.

Options

export | import

export—Displays the encrypted (see the password below) root certificate and private key bundle in PKCS#12 format on the CG console. You can then copy the bundle to a new CG using the import option. When you select the text on the console, be sure to include a carriage return after the last line. Selecting the last carriage return might require you to select the area in front of the prompt that follows the text. The CG still has the root certificate and private key installed after you export a copy.

import—Allows you to paste a root certificate and private key bundle from the clipboard to the new CG. The system prompts you to paste the bundle. Paste the bundle at the prompt, add a period (.) on a separate line after the bundle, and press Enter. If the system already has a root certificate, it is overwritten by this new one.

password

Length: 50 characters

The password to encrypt the root certificate and private key bundle when you use the export option. The same password decrypts the bundle when you use the import option.


Examples

The following examples how how to export and import a root certificate and private key bundle.

Exporting a Cerificate Bundle

The following steps show how to use the certificate cg export command:

1. On the original CG, enter:

orig_cg: Main# certificate cg export kahuna

2. The console displays the root certificate and private key bundle in PKCS#12 format:

Successful

-----BEGIN PKCS12-----
MIID7QIBAzCABgkqhkiG9w0BBwGggASCA6QwggOgMIAGCSqGSIb3DQEHBqCAMIIB
rAIBADCCAaUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECKmsDZ+H17J9AgII
AICCAXh2rRTQEg8507Af1I3n7JQ0sYOFSfZY8QjsxEJpG0CPC5/op7AeoOiOdxqt
j2WCBtKJldom1FDOLQYeHk9Y9RUo8BkVFs8r3ZWm/bhLDvuL3m1v2qe1Uvr4Ha6+
lCNUTaOWyJefAGgYbMYZFsBY3LWuGwzmXU3km1b/DVkcY+tPEERn0XaFgavgl2xH
kquBryxnrEBepoNfZJf7KLlcYT7lj3cAHYXPA0TJDTvLu9Za30cWtz53YHeUr7MU
QX9Unek2//halTB7frZYu2V8njoeqIQFNMcZmtb2xPFugAjNXgXkQHNziRYkuW5A
sj5EAweIcpgSrXEMX5fz3djZSytKjktmN0LU1WNVgt9csUGQPK3XDmLN4EojdBOJ
LtS0uR6GXduRbXNKCiwgzaDztvajacqgppzkc+MZ52+MftS3orE3ltk/A/3tSAlm
qYAbw/6IbnA4HkQ8IktFQryYf/5O04BbiRNOxApZyHD6vjHBP0vCo1GxYK1BAAAA
ADCABgkqhkiG9w0BBwGggASCAcYwggHCMIIBvgYLKoZIhvcNAQwKAQKgggGGMIIB
gjAcBgoqhkiG9w0BDAEDMA4ECJU6PZuUJtwzAgIIAASCAWB2XZvTeZ2jBfCvgTu+
DJgNm/rjt6TZV4Q7P5g3j2k2MitQYpPayeyqTMVCFWqSUH59eBc9HJ734aenkd2A
tbPf+/gm+ZQ4G4Qvpdtml/haxYgd5B8RgUGt/YEcyv0WdFdA+yuijYC3eqWfgaaa
lELHjFX7kAnUGdVtMpe2gTgN1W89thsCDbR7//Ff43BEemE81N4O9EpDbqpz4DP/
4fSIB9nv4rLpNQv6Q+DYozkpJ9flqpkzjR3HVTXwaOY2c+zpccCyLX4ys6aMSomS
JNeFQBhoGqtq9dVKnfwTcxHjKGo06hT7wNCoJNi9Lgt9VEWyPVLTEBI7gpMZyE8S
07A0f7GmVLNsaklAhaNoFJWhkbux2px7D593X+WHqIaGSWA5q+ILyww2zFuh1ANz
m5KDcHCI3m0RnooLCuGPIrP390oyFjlb9v763ApaF+guSMvfD4YGROHXg/PvIY2M
UZTRMSUwIwYJKoZIhvcNAQkVMRYEFH2Jol4uCF1co0XgcEAQ1zQT1pLmAAAAAAAA
AAAwLTAhMAkGBSsOAwIaBQAEFK8iq4HQUYmhGKZKimGIjY3+KzA5BAh9H5wSyh0g
Jg==
-----END PKCS12-----
orig_cg: Main# 

3. Copy the bundle to the clipboard or to a text editor. Make sure to include the last carriage return before the prompt.

Importing a Certificate Bundle

The following steps show how to use the certificate cg import command on the new CG:

1. Enable the CG feature on the new CG by setting the Certificates section CertificateGenerator keyword to On, and use the save command to write and apply the configuration change.

2. At the prompt, enter:

new_cg: Main# certificate cg import kahuna

3. You are prompted to paste the bundle:

Begin Pasting Certificate Now
To terminate input, enter a . on a line all by itself.

-----BEGIN PKCS12-----
MIID7QIBAzCABgkqhkiG9w0BBwGggASCA6QwggOgMIAGCSqGSIb3DQEHBqCAMIIB
rAIBADCCAaUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECKmsDZ+H17J9AgII
AICCAXh2rRTQEg8507Af1I3n7JQ0sYOFSfZY8QjsxEJpG0CPC5/op7AeoOiOdxqt
j2WCBtKJldom1FDOLQYeHk9Y9RUo8BkVFs8r3ZWm/bhLDvuL3m1v2qe1Uvr4Ha6+
lCNUTaOWyJefAGgYbMYZFsBY3LWuGwzmXU3km1b/DVkcY+tPEERn0XaFgavgl2xH
kquBryxnrEBepoNfZJf7KLlcYT7lj3cAHYXPA0TJDTvLu9Za30cWtz53YHeUr7MU
QX9Unek2//halTB7frZYu2V8njoeqIQFNMcZmtb2xPFugAjNXgXkQHNziRYkuW5A
sj5EAweIcpgSrXEMX5fz3djZSytKjktmN0LU1WNVgt9csUGQPK3XDmLN4EojdBOJ
LtS0uR6GXduRbXNKCiwgzaDztvajacqgppzkc+MZ52+MftS3orE3ltk/A/3tSAlm
qYAbw/6IbnA4HkQ8IktFQryYf/5O04BbiRNOxApZyHD6vjHBP0vCo1GxYK1BAAAA
ADCABgkqhkiG9w0BBwGggASCAcYwggHCMIIBvgYLKoZIhvcNAQwKAQKgggGGMIIB
gjAcBgoqhkiG9w0BDAEDMA4ECJU6PZuUJtwzAgIIAASCAWB2XZvTeZ2jBfCvgTu+
DJgNm/rjt6TZV4Q7P5g3j2k2MitQYpPayeyqTMVCFWqSUH59eBc9HJ734aenkd2A
tbPf+/gm+ZQ4G4Qvpdtml/haxYgd5B8RgUGt/YEcyv0WdFdA+yuijYC3eqWfgaaa
lELHjFX7kAnUGdVtMpe2gTgN1W89thsCDbR7//Ff43BEemE81N4O9EpDbqpz4DP/
4fSIB9nv4rLpNQv6Q+DYozkpJ9flqpkzjR3HVTXwaOY2c+zpccCyLX4ys6aMSomS
JNeFQBhoGqtq9dVKnfwTcxHjKGo06hT7wNCoJNi9Lgt9VEWyPVLTEBI7gpMZyE8S
07A0f7GmVLNsaklAhaNoFJWhkbux2px7D593X+WHqIaGSWA5q+ILyww2zFuh1ANz
m5KDcHCI3m0RnooLCuGPIrP390oyFjlb9v763ApaF+guSMvfD4YGROHXg/PvIY2M
UZTRMSUwIwYJKoZIhvcNAQkVMRYEFH2Jol4uCF1co0XgcEAQ1zQT1pLmAAAAAAAA
AAAwLTAhMAkGBSsOAwIaBQAEFK8iq4HQUYmhGKZKimGIjY3+KzA5BAh9H5wSyh0g
Jg==
-----END PKCS12-----
.
PKCS12 Import Successful
new_cg: Main#

4. You can now generate a server certificate using the certificate generate server command.

Exclusion of Networks from VPN 5000 Client Tunnels

You can now exclude certain networks from being tunneled by VPN 5000 client Version 5.2 or later. Formerly, you identified the networks you wanted to tunnel on the concentrator using the VPN Group section IPNet keyword. Each IPNet is tunneled by the connected client. By using the new VPN Group section ExcludeIPNet keyword, you can specify networks you do not want to tunnel even though they are identified as part of an IPNet network. For example, you can tunnel all networks (IPNet = 0.0.0.0/0) except for 192.168.1.0/24 (ExcludeIPNet = 192.168.1.0/24). Without ExcludeIPNet, you must identify a large number of IPNet keywords to approximate the same functionality.

See the following information about the VPN Group section ExcludeIPNet keyword:

ExcludeIPNet = IP_Address/bits

Client Version: VPN 5000 client Version 5.2 and later
Multi-keyword: To exclude multiple networks, enter this keyword up to 32 times for 32 networks.

A network that you do not want remote clients to reach through the tunnel. Traffic to this network is managed by the local ISP (similar to the ExcludeLocalLAN keyword). Typically, this network is part of an IPNet network. ExcludeIPNet networks take precedence over IPNet networks when the client determines whether to tunnel a packet. To exclude tunneling to a single host, specify the bits as 32.

If you use client Version 5.1 or earlier with a concentrator on which you set the ExcludeIPNet keyword, the client displays an error.


ExcludeIPNet Examples

The following example tunnels all networks except 192.168.1.0/24:

[ VPN Group "isakmp" ]
Transform = esp(sha)
IPNet = 0.0.0.0/0
ExcludeIPNet = 192.168.1.0/24
MaxConnections = 4
StartIPAddress = 10.7.10.128

The following example tunnels all traffic to 10.1.0.0/16 except for 10.1.1.0/24:

[ VPN Group "isakmp" ]
Transform = esp(sha)
IPNet  = 10.1.0.0/16
ExcludeIPNet = 10.1.1.0/24
MaxConnections = 254
LocalIPNet = 10.2.1.0/24

New Features in Version 6.0.20

This section describes the new features in the Cisco VPN 5000 concentrator software Version 6.0.20.

Improved Certificate Support

The following sections describe new certificate features.

Baltimore UniCERT Certificate Authority Support

Version 6.0.20 supports:

Baltimore UniCERT certificate authority (CA) (Version 3.5 and later)

RSA Keon Certificate Server Version 5.5. and earlier

Entrust/PKI Version 5.0 with VPN/Connect

CRL Guidelines

Certificate revocation lists (CRLs) allow the concentrator to check if a certificate has been revoked by a CA. The VPN 5000 concentrator supports the following CRLs:

Simple CRLs—A simple CRL includes all users in one file. The concentrator retrieves a simple CRL at regular intervals.

Distribution point CRLs—Distribution point CRLs typically include a subset of users. When the user connects to the concentrator, the concentrator checks the certificate for a pointer to a distribution point CRL, and retrieves the CRL from the LDAP server.

The VPN 5000 concentrator does not support:

Delta CRLs—A delta CRL includes only the changes from the previous CRL.

A relative distinguished name (dn) or a domain name in an LDAP URL for a distribution point CRL—The VPN 5000 concentrator supports only absolute dns and LDAP URLs with IP addresses (ldap://IP_address[:port]/dn?attributes[?scope[?filter]]).

Limitations

The concentrator does not support:

Certificate chaining

Certificates larger than 1400 bytes

Multiple CAs per concentrator—Use only one root and server certificate per concentrator.

New and Modified Certificate Section Keywords

The following Certificate section keywords expand VPN 5000 compatibility with CRLs. LDAPBase is new, and CRLInterval is modified.

LDAPBase = dn

CRL Type: Simple

The distinguished name (dn) to retrieve a simple CRL from the LDAP server. If you do not enter a value here, the VPN 5000 concentrator uses the dn in the root certificate, if present.

CRLInterval = Minutes

Values: 0 to 9999 minutes
Default: 0 (Off)

The certificate revocation list (CRL) polling interval for simple CRLs. Use the default setting of 0 if you are using distribution point CRLs and do not need to poll the LDAP server. Entrust/PKI and Baltimore UniCERT support distribution point CRLs. RSA Keon Certificate Server Version 5.5 and earlier only supports simple CRLs.

Note The default value has changed from 15 to 0. If you are using simple CRLs and are upgrading from an earlier version, be sure to set this keyword to a value other than 0 to enable polling.


Displaying the CRL

To view the CRLs in the concentrator cache, use the certificate crl list command.

Default RADIUS Server Support for User Domains

The default RADIUS server defined in the Main CVC (the Radius section with no domain) now authenticates users whose domain does not match a Radius domain section in a CVC. Normally, when a user logs in as user@domain (such as tom@cisco.com), the concentrator searches for a Radius domain section (such as Radius cisco.com) that matches the domain in the login. Before this release, if the user domain did not match a Radius section, the user was not authenticated. In software Version 6.0.20, the concentrator checks the default RADIUS server for the user.

New Features in Version 6.0.19

This section describes the new features in Cisco VPN 5000 concentrator software Version 6.0.19.

GRE-in-IPSec LAN-to-LAN Tunnel to a Cisco IOS Device

A GRE-in-IPSec tunnel is a standard IPSec tunnel with a GRE tunnel within it. You can run routing protocols over the GRE tunnel so you do not need to create a separate tunnel for each network you want to connect. This type of tunnel is supported between the VPN 5000 concentrator and a Cisco IOS device. GRE might slow performance of the Cisco IOS tunnel peer, so you should determine if you want the easier configuration of a GRE-in-IPSec tunnel or the better performance of a standard IPSec tunnel.

Cisco IOS Configuration Guidelines

If you are using Cisco IOS Version 12.1.7 or later, you must configure a dynamic crypto map to interoperate with a VPN 5000 concentrator. Earlier Cisco IOS releases allow regular crypto maps.

To use OSPF over a GRE-in-IPSec tunnel, you must use Cisco IOS Version 12.1.9 or later.

Set the crypto ipsec security-association lifetime seconds to be greater than the VPN 5000 Tunnel Partner section KeyLifeSecs keyword (see the KeyLifeSecs description in the "Recommended Keyword Values" section).

The VPN 5000 concentrator must initiate all Phase 2 rekeys.

Set the crypto ipsec security-association lifetime kilobytes to be greater than the VPN 5000 Tunnel Partner section MaxKeyKBytes keyword (1048576 by default).

The VPN 5000 concentrator must initiate all Phase 2 rekeys.

GRE-in-IPSec Keywords

Configure a GRE-in-IPSec tunnel the same way as a proprietary IPSec tunnel, and enter the following additional keywords and specific keyword values:

InactivityTimeout = {120 (for <=500 tunnels) | 600 (for >=500 tunnels)} (New feature. See the "New Standard IPSec Keywords" section.)

KeepAliveInterval = {120 (for <=500 tunnels) | 600 (for >=500 tunnels)}

KeyLifeSecs = {10000 (for <=500 tunnels) | 50000 (for >=500 tunnels)}

Mode = Main

KeyManage = Reliable (New feature. See the "New Standard IPSec Keywords" section.)

TunnelType = GREinIPSec (New feature. See the "TunnelType Keyword" section.)

To route IP over the tunnel, configure an IP VPN [slot:]number section that matches the Tunnel Partner section identifier.

Standard IPSec Tunnel Reliability

Two new keywords substantially improve the reliability of standard IPSec and GRE-in-IPSec tunnels between the VPN 5000 concentrator and a third-party device.

Cisco IOS Configuration Guidelines

If you are using Cisco IOS Version 12.1.7 or later, you must configure a dynamic crypto map to interoperate with a VPN 5000 concentrator. Earlier Cisco IOS releases allow regular crypto maps.

Set the crypto ipsec security-association lifetime seconds to be greater than the VPN 5000 Tunnel Partner section KeyLifeSecs keyword (see the KeyLifeSecs description in the "Recommended Keyword Values" section).

The VPN 5000 concentrator must initiate all Phase 2 rekeys.

Set the crypto ipsec security-association lifetime kilobytes to be greater than the VPN 5000 Tunnel Partner section MaxKeyKBytes keyword (1048576 by default).

The VPN 5000 concentrator must initiate all Phase 2 rekeys.

New Standard IPSec Keywords

KeyManage = Reliable

Tunnel Type: Standard IPSec, GRE-in-IPSec

The concentrator initiates the tunnel at startup, but if the tunnel fails (the InactivityTimeout is triggered, or the peer deletes the tunnel to rekey it), the concentrator attempts to re-establish the tunnel every 60 seconds until it is successful.

InactivityTimeout = Seconds

Values: 0 to 3600 seconds
Default: 0 (off)
Tunnel Type: Standard IPSec, GRE-in-IPSec, dynamic responder
Prerequisites: Set this value to be >= KeepAliveInterval, and <= KeyLifeSecs. See Table 1 for recommended values.

If the VPN 5000 concentrator does not detect any traffic either to or from the peer within the specified InactivityTimeout, the VPN 5000 deletes the tunnel. If the concentrator initiated the tunnel, the concentrator makes one attempt to bring the tunnel back up (even if you do not set KeyManage to Reliable). If the concentrator is a responder, the remote device can successfully reinitiate the tunnel because the tunnel was cleanly deleted.

If you do not set an InactivityTimeout, and the tunnel fails (either because of a bad network connection, a system error, or a rekey by the peer), the concentrator continues to maintain the tunnel as active because the concentrator does not know the tunnel failed. If the tunnel still exists on the concentrator, the peer cannot re-establish the tunnel. You must manually delete the tunnel and re-establish it.


Recommended Keyword Values

Table 1 lists recommended keyword values for standard IPSec and GRE-in-IPSec tunnels.

Table 1 Recommended Keyword Values

Keyword
Value for < 500 Tunnels1
Value for >= 500 Tunnels2

KeepAliveInterval

120

600 (Default)

InactivityTimeout

120

600

KeyLifeSecs

10000

50000

1 Maximizes reliability.

2 Maximizes scalability.


TunnelType Keyword

This keyword identifies the tunnel type. It enables the GRE-in-IPSec feature, and also differentiates IPSec and GRE tunnels more effectively. The KeyManage = Manual keyword (used to identify a GRE tunnel) is now obsolete.

TunnelType = {IPSec | GREinIPSec | GRE}

IPSec—Sets the tunnel type to IPSec. The concentrator uses proprietary IPSec if the remote device is another VPN 5000 concentrator, and standard IPSec for a third-party device.

GREinIPSec—Sets the tunnel type to GRE-in-IPSec.

GRE—Sets the tunnel type to GRE.

If this keyword is not set:

If the KeyManage keyword is set to Manual, the tunnel is GRE.

If the Peer and LocalAccess keywords exist, the tunnel is standard IPSec.

If none of the keywords above are set, the tunnel is proprietary IPSec.


L2TP PPP Address and Control Field Compression Keyword

The following new keyword in the L2TP General section allows for better L2TP compatibility.

AddrCompress = {On | Off}

On (Default)—The concentrator proposes PPP Address and Control Field Compression (ACFC) to the peer, and accepts ACFC if the peer proposes it. ACFC is configured separately for each direction. If the peer rejects the concentrator's ACFC proposal, the concentrator disables ACFC for packets it transmits to the peer.

Off—The concentrator does not propose ACFC, and rejects the peer's ACFC proposal if present. Use this setting if your peer cannot process ACFC-compressed PPP packets.


VPN Client Timeout Keyword

The following new keyword in the VPN Group section times out a VPN client.

AbsoluteTimeout = Seconds

Values: 0 to 2,592,000 seconds (30 days)
Default: 0 (no timeout)

The maximum amount of time a client can stay connected, regardless of client activity. When the AbsoluteTimeout value is reached, the concentrator disconnects the client. The client must reconnect and begin a new session.


New Features in Version 6.0.18

This section describes the new features in software Version 6.0.18.

CVCs for the VPN 5001 Concentrator

This release includes support for up to 10 CVCs (including the Main CVC) on the VPN 5001 concentrator.

Configurable NAT Transparency Port

The following keyword in the General section allows you to configure one or more TCP ports for NAT transparency.

NATTransport = Number

Values: 0 to 65536
Default: 80
Limitations: Non-default values are only valid for VPN 5000 client Version 5.1 or above
Multi-keyword: You can enter this keyword multiple times to support multiple port numbers.

Sets the TCP port number used to encapsulate VPN packets. VPN packets consist of ESP packets and UDP packets. This keyword does not support the AH transform.

NAT devices that do not implement 1:1 IP address mapping cannot forward ESP packets successfully, because ESP packets do not include a unique port number. TCP packets can include a unique port number. If your firewall blocks ESP or UDP packets, this parameter allows you to successfully maintain a client connection by encapsulating the packets in a TCP packet.

If you are using clients earlier than Version 5.1, be sure to set one instance of this keyword to 80, which is the port supported by older clients.


New Features in Version 6.0.16

The following new feature was added to Version 6.0.16.

Auto Reconnection for VPN 5000 Clients

The following keyword in the VPN Group section allows VPN 5000 clients to automatically reconnect to the concentrator.

AutoReconnection = {On | Off}

Client Type: VPN 5000

On—If a connection is lost unexpectedly, allows the client to automatically attempt another connection. Depending on the client version, the connection comes up automatically, or you are prompted to reconnect.

Both the original connection and the reconnection must use the same passwords. These passwords are saved temporarily by the client so you do not need to reenter them. An authentication system that varies the password at every connection, such as SecurID, cannot use this feature.

Off (Default)—Does not allow the client to automatically reconnect.


New Features in Version 6.0.15

Table 2 lists VPN 5000 software features included in Version 6.0.15. For detailed information about new sections and keywords, see the Cisco VPN 5000 Concentrator Series Command Reference Guide.

Table 2 Cisco VPN 5000 Software Features 

Feature
Description

Customer virtual contexts (CVCs)

Supports up to 256 CVCs, which allow the coexistence of multiple virtual routers in the same concentrator. A virtual router maintains each company's network separate from other networks.

Supported on VPN 5002 and VPN 5008 concentrators only. VPN 5001 concentrator support starts in Version 6.0.18.

802.1Q virtual LAN (VLAN)

Supports VLAN on Ethernet ports.

Layer 2 Tunneling Protocol (L2TP)

Supports the concentrator as an L2TP Network Server (LNS) to terminate connections from L2TP Access Concentrators (LACs) and individual L2TP clients.

The L2TP tunnel uses one connection resource, and each PPP user session within the tunnel uses a connection resource.

The VPN 5002 and 5008 concentrators support 5000 resources per ESP card, combined IPSec client tunnels, LAN-to-LAN tunnels, L2TP tunnels, and L2TP sessions.

The VPN 5001 concentrator supports a minimum of 500 resources.

Public Key Infrastructure (PKI) certificates, including support for server-side, user, and LAN-to-LAN tunnel certificates.

Uses VPN 5000 Client Version 5.0.x or later for user certificates. Use VPN 5000 Client Version 4.2.x or later for server-side certificates.

The VPN 5000 concentrators support certificates from the following certificate authorities (CAs):

Entrust/PKI Version 5.0 with Entrust/VPNConnector

RSA Keon Certificate Server Version 5.5. and earlier

Note See the "New Features in Version 6.0.20" section and the "New Features in Version 6.0.21.0001" section for more information about certificate features.

CVC configurations from LDAP or TFTP

Reads CVC configurations from an LDAP or TFTP server or from Flash memory.

Multiple RADIUS servers

Uses multiple RADIUS servers for authentication.

Configurable VPN-only ports

Enables or disables VPN-only traffic on a per-interface or per-subinterface basis.


Supported Hardware

Table 3 lists the hardware and software builds supported for concentrator software Version 6.0.x.

Table 3 Supported Hardware for Software Version 6.0.x

Model
Software Build

Cisco VPN 5001

vpn-5001-x.x.x[.xxxx]1 -[3]2 des.dld

IntraPort Carrier and Enterprise3 , Cisco VPN 5002, and 5008

vpn-5002-5008-x.x.x[.xxxx]-[3]des.dld

1 x.x.x[.xxxx] is the software version (for example, 6.0.21 or 6.0.21.0002).

2 U.S. builds include 3DES; export builds include DES. The filename reflects the encryption level.

3 Compatible Systems legacy platforms.



Note The Compatible Systems IntraPort 2 or 2+ servers are not supported with Version 6.0.x software. Use Software Version 5.x with these products.


Software Compatibility

This section lists compatibility issues with concentrator software Version 6.0.x.

Do not use the VPN 5000 Manager software with a concentrator running Version 6.0.x software.

The VPN 5000 concentrator series can establish LAN-to-LAN tunnels with other Cisco products that support:

IPSec DES or 3DES

Cisco IOS Release 12.1

Limitations

Software Version 6.0.x does not support primary interfaces in non-Main CVCs. You must configure IP routing for each primary interface in the Main CVC, and then implement subinterfaces in CVCs. A subinterface requires that the primary interface be configured, so you must configure the primary interface in the Main CVC even if you are not using the Main CVC. You must also list the primary interface in the Main CVC file before listing any subinterfaces in the Main CVC.

Important Notes

Software Version 6.0.x no longer supports the following features:

IPX

AppleTalk

To use either of these features, use software Version 5.x.

The reset config command is no longer supported.

The General section IPSecGateway keyword is now called VPNGateway. IPSecGateway still works in your existing configurations.

The apply command was removed in Version 6.0.21.0001. Use the write command and reload command instead.

Only one user can enter enabled mode. Formerly, up to two Telnet users and one console user could enter enabled mode on the concentrator.

Caveats Fixed

The following sections list caveats fixed in each release.

Caveats Fixed in Version 6.0.21.0003

This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0003.

CSCdx82483

Formerly, if you used a RADIUS server to authenticate client connections using the PAP or Challenge (a hybrid of PAP) challenge type, and if validation failed the first time, then the validation retry request that the VPN 5000 concentrator sent to the RADIUS server did not encrypt the user password field; the concentrator sent the password as clear text. Connections using CHAP are not affected by this vulnerability. This problem is fixed in Version 6.0.21.0003. See http://www.cisco.com/warp/public/707/vpn5k-radius-pap-vuln-pub.shtml for more information.

Caveats Fixed in Version 6.0.21.0002

This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0002.

CSCdu78571

The concentrator now allows you to exclude the service type from RADIUS Access-Request packets when you use the Radius section ServiceType = {On | Off} keyword. Formerly, the concentrator always included service type 8 (Authenticate-Only) in Access-Request packets. Older Livingston RADIUS services required this service type when using passthrough mode with SecurID. Most older RADIUS servers ignore the service type, but newer servers can fail if the service type is set to Authenticate-Only. These same servers succeed when no service type is included.

CSCdx16385

If the concentrator loses connectivity to the RADIUS server, the concentrator now starts sending Access-Request packets when connectivity is restored. Formerly, in some heavy traffic situations, the concentrator did not resume RADIUS operations.

CSCdx03698

Traceroute now works through a Mac OS X or Solaris tunnel when you use NAT transparency. Formerly, the concentrator did not recalculate the ICMP checksum after NAT processing, and the traceroute would fail.

CSCdx07575

RADIUS passwords are no longer truncated to 15 characters when using PAP authentication. The limit is now 30 characters.

Caveats Fixed in Version 6.0.21.0001

This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.21.0001.

CSCds37193, CSCdu66175

During high volumes of bidirectional traffic in a two ESP card system, the fiber channel no longer fails to transmit (or receive) packets correctly. Formerly, the concentrator had significant packet loss.

CSCdr87519

You can now exclude a network from a VPN client tunnel. See the "Exclusion of Networks from VPN 5000 Client Tunnels" section for more information.

CSCdt53706

The Certificates section LDAPServer keyword now accepts a fully qualified domain name.

CSCdt62717

The TCP implementation no longer uses predictable Initial Sequence Numbers. It now uses a true random hardware number.

CSCdt75921

When you use Aggressive mode tunnels, the IP VPN interface now appears when you use the show ip config command. Formerly, this command showed interfaces as disabled even though tunnels appear up, and directly connected routes appear installed.

CSCdt82564

The concentrator no longer restarts when two users are viewing the same output from a vpn trace dump all command, and both users simultaneously attempt to break the output using the Ctrl-C command.

CSCdt96436

The VPN 5000 concentrator now sends SNMP traps for Warm Start, Cold Start, or Authentication Failure.

CSCdt96440

The SNMP MIBs for RFC 1213 no longer include incorrect data types or missing OIDs, except for the following missing OID values:

ipForward—All values are missing except for forwarding=on.

ipForward values except for ip.ipForwarding.0 = forwarding(1) do not have any significance for the concentrator.

tcp

egp

The concentrator does not support EGP protocols in this release.

CSCdt96470

For the Compatible MIB, the object types now match the MIB definition.


Note No data for VPN tunnels is presented until a tunnel has been negotiated.


CSCdu34359

The concentrator no longer stops accepting connections after the first 200 connections. Formerly, if you entered the show vpn statistics command, it showed a large number of connections `in negotiation' and the concentrator no longer accepted VPN client connections.

CSCdu35695

When the DS3 interface goes down and up in quick succession, the concentrator no longer reboots.

CSCdu49603

A VPN client behind a router configured for NAT and IPSec passthrough can now pass IPSec traffic through the router.

CSCdu75270

The show vpn partner verbose command now displays complete P2 Key lifetime information when the Tunnel Partner section MaxKeyKBytes keyword is set to the maximum and the concentrator is the initiator. Formerly, the display only included the KeyLifeSecs information.

CSCdu85863

The concentrator no longer reboots if you use the show arp command after adding an ARP entry using the add arp command.

CSCdv08672

Proxy ARP now works correctly when you use StartIPAddress in the VPN Group section.

CSCdv08798

If you configure a LAN-to-LAN tunnel between a VPN 5002 and a 5008 concentrator, an "Invalid version sub-op code!" message no longer appears, and tunnel throughput does not drop to a fraction of the previous rate.

CSCdv12861

When a concentrator has a server certificate installed, and the Windows VPN 5000 client Version 5.0.x or 5.1.x connects using a root certificate (Hybrid mode), the RADIUS password prompt is no longer delayed (in excess of 9 seconds).

CSCdv12957

The LinkConfig section ConnectMode keyword now defaults to Dedicated on all slots. Formerly, slots other than 0 defaulted to DialUp, which is not supported. This keyword is not documented in the reference guide because the (now correct) default for Mode=PPP is the only supported connection mode.

CSCdv13211

When you attempt to connect to a VPN 5000 concentrator with an old Compatible Systems STAMP/STEP VPN client, the concentrator no longer restarts.

CSCdv26874

When you use the boot command on a concentrator with active LAN-to-LAN tunnels, the reboot process now lasts longer to successfully send delete packets to tunnel partners.

CSCdv28869

You can now archive the root certificate and private keys. See the "Transfer Root Certificate and Private Key Between Certificate Generators" section for more information.

CSCdv33693

The VPN Group section KeepAliveInterval keyword now defaults to 60 seconds for all concentrators. Formerly, the VPN 5002 and 5008 concentrators defaulted to 120.

CSCdv36910

You can now schedule a reboot. See the "Scheduled Reload Command" section for more information.

CSCdv40567

The concentrator no longer restarts when loading CVCs due to a memory error.

CSCdv43887

When a CVC has more than eight equal cost OSPF paths to a destination in its routing table, and you ping the destination, the concentrator no longer restarts.

CSCdv46111

When the VPN 5000 concentrator receives a UDP packet destined for the concentrator with an invalid length (such as an IKE negotiation packet), the concentrator no longer restarts.

CSCdv48080

When you request a certificate from a concentrator configured as a certificate generator, the subject name no longer contains "x01".

CSCdv50586

When you configure a CVC or edit a CVC in Flash memory, it no longer becomes corrupt, and the output of the show config full command no longer indicates that some text for the configuration is missing.

CSCdv55799

If you enter a value that is too large for the reset tcp socket command, the concentrator no longer reboots.

CSCdv56959

If you have primary and secondary SecurID servers configured, and a user enters a password that is too short, the connection between the concentrator and the SecurID server is now released correctly. Formerly, the connection to the primary server was released, but the secondary connection was not released. This error resulted in the maximum connections being reached too soon.

CSCdv57167

When the VPN 5000 concentrator is running low on memory (possibly due to a heavy load), the concentrator no longer reboots after it receives a PPP echo request packet in an L2TP session.

CSCdv59847

If you set the IP VPN section OSPFEnabled keyword to Passive for a GRE-in-IPSec tunnel, the concentrator no longer reboots. Passive is only a valid setting for a numbered interface.

CSCdv60217

The vpn tunnel down command, when entered on a responder connected to another VPN 5000 concentrator, now deletes the tunnel; the vpn tunnel down command formerly only deleted the tunnel when you entered it on an initiator or dynamic responder. A concentrator acts as a responder when you set the Tunnel Partner section KeyManage keyword to Respond or Auto; the Auto setting automatically sets one concentrator as a responder and one as an initiator. Previously, the VPN 5000 initiator automatically brought the tunnel back up within several minutes because the tunnel was not deleted. To bring the tunnel back up now, you must enter the vpn tunnel up command on the initiator. Tunnels to Cisco IOS devices are not affected by the tunnel deletion, because they use dynamic tunnel establishment and can re-establish the tunnel when traffic requires it.

CSCdv61356

If you create multiple subinterfaces on the same network, you can now successfully ping the subinterfaces. Formerly, you could only ping the primary interface; responses to other pings indicated the primary interface as the source address and displayed an out of sequence error.

CSCdv61395

OSPF no longer redistributes expired RIP entries.

CSCdv63091

On newer hardware, PCI devices (such as Ethernet and encryption cards) on the ESP card no longer fail to initialize.

CSCdv64988

For the certificate generate request command, the ou and challenge password options are now functional.

CSCdv65179

You can now ping a subinterface on a remote concentrator over a LAN-to-LAN tunnel.

CSCdv68285

When a VPN5002 or VPN5008 concentrator produces a restart event, the restart event now contains backtrace information.

CSCdv70753

The show ip route dynamic command no longer causes a restart after you enter the vpn tunnel down command.

CSCdv71366

The show os dump command no longer causes a restart if you enter too many characters for the address.

CSCdv71961

Proprietary IPSec tunnels no longer fail after one bad packet. Formerly, the concentrator set the timeout to 0 after a bad packet, causing no further packets to go across the tunnel.

CSCdv74044

The apply command was removed because of system instability.

CSCdv77790

The concentrator now queries for a new CRL when a client tries to connect and the cached CRL has expired. Formerly, the client could connect according to the expired CRL information.

CSCdv84562

OSPF route advertisements larger than 1717 bytes no longer prevent the concentrator from installing the routes, and the concentrator's routes are now propagated to the neighbor.

CSCdv91286

The show ip route command no longer shows duplicate route entries or, for OSPF routes, None in the Src/TTL field instead of route type (NET).

CSCdw02154

A restart event no longer occurs in the OSPF process shortly after you enter the tftp get config command.

CSCdw04995

The concentrator configured as a certificate generator can now consistently approve certificate requests.

CSCdw10833

OSPF authentication is now working.

CSCdw13431

The concentrator no longer locks up after approximately 25 days of up time.

CSCdw18918

The show ip route dynamic command no longer hangs the concentrator and causes a restart after you enter Ctrl-C.

CSCdw19628

When you use RADIUS to authenticate users, the NAS-Port attribute that is sent in both access-requests and accounting request packets is now the same value.

CSCdw23720

The VPN 5000 concentrator no longer crashes when you perform an SNMP walk.

CSCdw27640

The following message has been changed to better indicate an out of memory condition:

S_BAD_HASH_COUNT

The message is now:

Out of Memory

CSCdw29716

The concentrator no longer crashes the IKE process when the VPN memory is low.

CSCdw45324

The concentrator no longer restarts when passing a NATted FTP port command.

CSCdw54298

The concentrator now prevents you from using the unsupported VPN 5000 Manager with Version 6.0.21.0001 software. If you try to use the VPN 5000 Manager, an error message appears in the log.

CSCdw65891

VPN 5000 clients using NAT transparency and connected to a VPN 5002 or 5008 concentrator no longer intermittently stop tunneling traffic.

Caveats Fixed in Version 6.0.20

This section lists caveats fixed with VPN 5000 concentrator software Version 6.0.20.

CSCdr33950

The BackupServer keyword in the VPN Group section is no longer supported because it did not work correctly.

CSCds56557

The show ip config command no longer shows duplicate entries for subinterfaces.

CSCds57455

When a VPN client uses a user certificate and SecurID for authentication, and the VPN Group section SecurIDUserName keyword is set to Off, the concentrator now converts the username at sign (@) to a question mark (?) and truncates the name to 31 characters (the character limit required for SecurID).

CSCds59954

The concentrator now reports a value in the correct range for the RADIUS Authentication attribute number 5 (NAS-Port).

CSCds67617

The concentrator now checks that you entered a value within the acceptable range for the following IP section keywords:

RetransInterval

Transdelay

HelloInterval

RtrDeadInterval

VirtRetrans

VirtTransDelay

VirtHelloInt

VirtRtrDeadInt

CSCds75794

A VPN client that connects to a slot other than 0 can now be authenticated by the concentrator when the client uses a manual certificate and an entry in the VPN Users section. Previously, the client was always prompted for a (nonexistent) RADIUS password.

CSCds76867

Traffic now passes through the VPN tunnel when a VPN client using NAT Transparency connects to a concentrator.

CSCdt07584

Changes made to an existing GRE tunnel configuration now take effect when you issue the vpn tunnel up and vpn tunnel down commands.

CSCdu06651

The vpn tunnel up and vpn tunnel down commands now show the correct IP address for the initiator and the responder.

CSCdu09089

RADIUS authentication no longer times out if the first VPN client connection attempt is still in the RADIUS receive process while a subsequent VPN client connection is attempted.

CSCdu18675

Users in the internal VPN Users database who repeatedly enter incorrect shared secret passwords no longer cause all of the resources for their VPN Group to be used up by "ghost" connections. Previously, this condition occurred when the concentrator used a server certificate and RADIUS.

CSCdu25772

The concentrator no longer restarts when you attempt to add a 10th CVC to the Context List section on a VPN 5001 concentrator. Now, a message appears that states there are no free contexts available.

CSCdu26247

IP filters that are applied to a CVC now work correctly.

CSCdu34720

The VPN 5008 concentrator no longer restarts after a random amount of time with a reset event that contains an EXCEPTION: Data Access Memory Abort message.

CSCdu37955

You can now specify AH(MD5) in a list of transforms for the Tunnel Partner section Transform keyword and establish a tunnel with another concentrator that specifies only AH(MD5).

CSCdu39159

The concentrator no longer restarts when you issue the show frelay pvc command. Previously, this event occurred with a Frame Relay subinterface connecting a VPN 5008 concentrator and a Cisco IOS device.

CSCdu54087

The concentrator now posts both Accounting-On and Accounting-Off records to the RADIUS server when you restart the concentrator using the boot command.

CSCdu55630

RADIUS accounting information now reaches the secondary RADIUS server when the primary server is not available. Previously, only RADIUS authentication rolled over to the secondary server.

CSCdu56325

The concentrator now retrieves the CRL from the LDAP server and you can also configure variables in the LDAP search request packet.

CSCdu56665

The purge of the CRL cache is now propagated to all slots when you issue the certificate crl invalidate command on a VPN 5002 or 5008 concentrator.

CSCdu60909

RIP routing updates from the concentrator to a Cisco IOS device are now spread over a 30-second interval, and the routes no longer enter a hold-down state due to lack of routing updates.

CSCdu61110

The concentrator no longer restarts when you use the list cook mark all command in the configuration editor to view the configured and default values.

CSCdu61220

The VPN 5001 concentrator no longer restarts when you run an snmpwalk on a Solaris workstation using the vendor-specific CompatMIB file. Previously, this restart was triggered by the query for the Compatible.CompatVPN.LoginTable and Compatible.CompatVPN.VPNTunnelTable information.

CSCdu61937

You can now establish a connection with a VPN client for Windows if you use a Verisign PKI for certificates, and the concentrator uses CRL Version 2 for LDAP queries.

CSCdu62012

The default MaxConnections value in the VPN Group section no longer adds two extra users when you use LocalIPNet. Previously, the default MaxConnections value calculation incorrectly included the network address and the broadcast address.

CSCdu66078

When you use Entrust certificates to establish a connection between a VPN 5000 concentrator and a VPN client for Windows that is configured with more than one commonname, the concentrator now extracts all commonnames from the VPN client's root certificate.

CSCdu82565

The concentrator no longer restarts when a VPN client that has established an IPSec connection using RADIUS authentication successfully disconnects and reconnects.

CSCdu82667

The default value for the RIPVersion keyword in the IP section is now None.

CSCdu83209

A GRE tunnel between two VPN 5000 concentrators that was previously removed no longer appears in the show vpn partner output. Previously, this error occurred when you issued the vpn tunnel down command, removed the Tunnel Partner section, and applied the change.

CSCdu84321

A ping from a VPN 5002 console to an L2TP client connection that is terminated on slot 1 is no longer limited to 1432 bytes in size.

CSCdu84858

The default RADIUS server can now authenticate users with an "@" symbol in the username. See the "Default RADIUS Server Support for User Domains" section.

CSCdu87740

LDAP error messages no longer appear if the Certificate section does not include an address for the LDAP server.

CSCdv03155

An error message now appears if you attempt to configure a VPN Group name with more than 15 characters.

CSCdv04422, CSCdv15660

The concentrator no longer restarts when you make changes to the static route list or redistribute OSPF to static and the OSPF update is received.

CSCdv06398

The concentrator no longer accepts invalid values for the Transform keyword in the VPN Group section.

CSCdv06547

The concentrator console no longer repeats the message "Attempting to contact other IOPs..." when you start up the device.

CSCdv15501

The concentrator no longer restarts under certain high traffic conditions. Previously, this restart occurred when you sent an excess of 100 Mbps of 68-byte or 128-byte packets through the concentrator for performance limit testing.

CSCdv15507

The concentrator no longer restarts if you configure a static route without a metric value and enter the show ip route command.

CSCdv15542

OSPF route advertisements are now received through a proprietary IPSec tunnel.

CSCdv18302

The show os netif command no longer displays duplicate network interfaces for a VPN network after you use the write and apply commands.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCdv18378

When you establish a LAN-to-LAN tunnel with a dynamic responder (the Tunnel Partner VPN Default section), the routing table information is now updated correctly when the tunnel partner either loses or changes its IP address and then reconnects to the concentrator.

CSCdv18392, CSCdv34804

The tunnel is now terminated when you use the vpn tunnel down command from the responder side of a tunnel that was created with Tunnel Partner VPN Default.

CSCdv20427

Ping packets to an L2TP client terminated on a slot other than 0 no longer time out. Previously, the negotiated MTU value for that network interface was not conveyed to slot 0, which is where the fragmentation takes place.

CSCdv21040

Multiple CRL distribution points are now processed properly by the concentrator.

CSCdv21546

The username is now parsed correctly when it is stored in the subject-alt name extension of a certificate and it is the first extension in the certificate.

CSCdv22791

A VPN 5002 concentrator now permits logins on slot 1.

CSCdv23254

When you configure the Peer keyword in the Tunnel Partner section, the static routes are now correctly redistributed into OSPF.

CSCdv23272

Static route and associated dynamic route redistribution no longer continues after the tunnel is down.

CSCdv25093

The concentrator correctly removes all dynamic routes from the routing table and relearns them when you issue the reset ip routing all command.

CSCdv28037

When you issue the save command from a CVC, the configuration is saved to a tftp server and the concentrator restarts as indicated by the command line interface.

CSCdv31732

If a GRE-in-IPSec tunnel is configured in a CVC and the interfaces are configured to use RIP or OSPF, the route is no longer redistributed to neighbor routers.

CSCdv31752

Route redistribution now works correctly if you configure the IP Route Redistribution section in a non-Main CVC.

CSCdv35010

The CRL Timer no longer runs on the ESP card.

CSCdv35076

The ESP cards no longer receive the incorrect date if an NTP server is configured but not reachable.

CSCdv35088, CSCdv38380

The certificate remove command now functions correctly.

CSCdv35140

A concentrator configured to have a tunnel terminate on a slot other than 0 no longer restarts when you issue the vpn tunnel down slot:number command and leave off the slot number from the tunnel number.

CSCdv35205

The concentrator no longer restarts when you issue the reset ip routing all command on a concentrator configured to use OSPF in the Main CVC.

CSCdv35266

The OSPF routing updates now function properly when an Aggressive mode tunnel terminates on a slot other than 0.

CSCdv37428

A concentrator configured as the initiator no longer restarts during IKE negotiations if an error occurs while checking the responder's certificate against a CRL.

CSCdv40637

The concentrator no longer restarts during an L2TP session negotiation when the LAC sends the concentrator an L2TP packet that contains a hidden AVP.

CSCdv41005

The concentrator now contacts the LDAP server for a new CRL if you try to establish a connection after the CRL expires.

CSCdv41023

VPN 5000 concentrators can now retrieve a CRL from a CDP if the path is a URL.

CSCdv41915

An error message now appears if you attempt to configure an Ethernet subinterface without a VLAN ID.

CSCdv41934

The static route for a tunnel established between a VPN 5000 concentrator and a Cisco IOS device no longer becomes unusable during tunnel renegotiations.

CSCdv43047

A VPN 5002 or 5008 concentrator no longer restarts if a VPN client attempts to connect during the initialization process.

CSCdv43130

The concentrator now correctly shows a restart event and debug error if the VPN client pings its own IP address assigned by the concentrator.

CSCdv43846

A VPN 5001 concentrator no longer restarts when a ninth CVC is loaded.

Caveats Fixed in Version 6.0.19

CSCdt20701

A VPN tunnel that is assigned to a slot other than 0 on the concentrator can now pass traffic after it has established a connection.

CSCdt32186, CSCdt51152

A traceroute performed to an IP address represented by a static route no longer causes an occasional restart on the concentrator.

CSCdt33141

The VPN 5001 concentrator can now install more than 140 static routes from the IP STATIC configuration section.

CSCdt46387

You can now use active mode when you connect a VPN client for Linux to a VPN 5000 concentrator.

CSCdt81839

The concentrator no longer displays a "WRONG PACKET HERE PAYLOAD=5" message and an "error 256" when a VPN client for Solaris tries to establish a connection using PPP and a certificate.

CSCdt92013

The ASSERT message "signal()/home/release/src6.0/rrsrc/sys/semaphor.c:167" no longer appears after you load software on a VPN 5002 concentrator.

CSCdu23028

The concentrator no longer restarts due to an effect the fastsend function had on the packet buffer queue.

CSCdu39788

OSPF routing updates now pass across GRE tunnels. Previously, the concentrator indicated that the tunnel was up but no routing updates were entered in the tables.

CSCdu42159

The bandwidth aggregation function for OSPF multipath now works correctly when the fastswitch entry for a VPN 5008 concentrator does not have a local transmit function.

CSCdu47160

The concentrator now passes IP traffic when a VPN client is terminated on slot 1.

CSCdu47886

The concentrator no longer restarts during attempts to send ICMP packets back to the VPN client. Previously, this restart occurred if you set the PreTunnelFragment keyword in the General section to On for a VPN 5002 or 5008 concentrator and the VPN client terminated on a slot other than 0.

CSCdu50622

Keepalive packets now work correctly across proprietary IPSec LAN-to-LAN tunnels with multiple CVCs.

CSCdu53905

When the concentrator has more than 1 Mbps load, pings originating from the internet router are no longer lost.

CSCdu54956

Routes configured in the IP Static section now install correctly when the gateway IP address specifies a VPN client assigned address and the VPN client is already connected.

CSCdu54980

The concentrator is no longer exposed to programming errors because the first 1 MB of memory was previously unprotected from accidental overwrites.

CSCdu56188

The last character of the configuration is no longer dropped if you download a CVC from a TFTP server, edit the configuration, and implement the new configuration using the apply save command.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCdu60341

The concentrator no longer restarts when you issue the show l2tp user command, specifying a particular user.

CSCdu69195

If a user connects to a VPN 5000 concentrator through a GRE tunnel first, and the subsequent connection is through an L2TP tunnel using the same IP address, the concentrator no longer continues to send the traffic through the GRE tunnel instead of the L2TP tunnel.

CSCdu69353

The concentrator no longer restarts during a traceroute on a VPN 5002 or 5008 that is configured for DNS.

CSCdu73536

The concentrator no longer restarts when you issue the vpn tunnel up tunnel command to specify a particular tunnel number for a GRE tunnel.

CSCdu75329

The OSPF protocol now works correctly for GRE-in-IPSec tunnels between a VPN 5000 concentrator and a Cisco IOS device.

CSCdu76540

Dynamic routing updates (such as OSPF or RIP) are now distributed to neighboring devices correctly for proprietary IPSec LAN-to-LAN tunnels that terminate on a slot other than 0.

Caveats Fixed in Version 6.0.18

CSCdr52146

In VPN 5000 client Versions 5.1.x, or later, you now have the capability to set the TCP port number used to encapsulate VPN packets. Use the NATTransport keyword in the General section. See the "Configurable NAT Transparency Port" section.

CSCds69551, CSCdt86585, CSCdu01981

When a VPN client configured to use Entrust certificates tries to establish a connection to a concentrator, the LDAP query for the CRL no longer fails. Previously, this failure caused the connection to be denied.

CSCds52787, CSCdt14207

The client is now able to pass traffic across the VPN tunnel if the PFS keyword in the VPN Group section is set to a mode other than Off. The PFS keyword is not supported on the concentrator even though it appears in the command line.

CSCds67787

The tftp command now supports a directory path as part of the filename.

CSCds86563

VPN clients are no longer assigned to VPN ports that still have resources tied to a previous client connection.

CSCdt12362

A query for the Compatible.CompatVPN.LoginTable or Compatible.Compat.VPNTunnelTable in the vendor-specific CompatMIB file no longer causes a restart loop.

CSCdt25612

Authentication using AXENT Defender and CiscoSecure ACS Version 2.4 RADIUS server for Windows NT now works correctly.

CSCdt21203

If a LAN-to-LAN tunnel is established between a VPN 5000 concentrator and a Cisco IOS device, the connection now correctly rekeys with a time-based rekey variable.

CSCdt28673

The concentrator no longer restarts occasionally when it closes VPN sessions.

CSCdt36092

The concentrator no longer restarts during a client connection attempt if it is configured with no users in the VPN Users section.

CSCdt46196

If you use the show vpn hardware verbose command on a VPN 5002 or 5008 concentrator, the concentrator no longer shows statistics and then restarts.

CSCdt53391

If you use the show snmp config command, the concentrator no longer restarts.

CSCdt68972

The VPN client now communicates with a network through the concentrator if the VPN Group section StartIPAddress keyword specifies an address on a subnet other than the subnet assigned to Ethernet 0:0.

CSCdt72431

If you configure a static route through a VPN tunnel interface other than VPN 0:number, it is now correctly installed on the concentrator.

CSCdt75210

Static IP routes installed by the Peer keyword in the Tunnel Partner section are no longer removed when you use the apply command.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCdt85210

The concentrator no longer restarts if you use the certificate remove command.

CSCdt87331

When an L2TP client sends LCP echo requests to a VPN 5000 concentrator, and the concentrator responds, the L2TP client now accepts the responses, and the tunnel no longer disconnects.

CSCdt92155

You no longer get a failure message if you edit an existing Context List section entry and then save the configuration using the write and apply commands.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCdu01407

The concentrator no longer restarts if an L2TP connection enters a bad state and you use the show l2tp statistics command.

CSCdu01495

A Frame Relay connection can now pass ping traffic.

CSCdu04670

OSPF no longer fails to initialize in the CVC if you configure multiple OSPF areas and define Area 0 on the IPSec tunnel.

CSCdu06964

The concentrator no longer restarts if you use the reset statistics radius command.

CSCdu08295

The concentrator no longer drops packets due to a large amount of traffic. Previously, when VPN traffic reached a level that the device could not match, the traffic in one direction began to drop until all traffic in that direction was lost.

CSCdu08312

It is now possible to create an L2TP tunnel between the Cisco VPN 5000 concentrator and the Nortel GGSN router. Previously, the concentrator terminated the session negotiation and closed the L2TP session.

CSCdu08325

If you configure multiple GRE tunnels on a concentrator, subsequent tunnels from the same interface on the remote device now pass traffic. Previously, only the first GRE tunnel passed traffic.

CSCdu09940

A slow certificate authentication process in the concentrator no longer causes the client to time out if you have a VPN client configured to use certificates and you are trying to connect to a VPN 5001 concentrator.

CSCdu17682

A VPN client configured to use certificates is no longer rejected if it is received by a VPN 5002 or 5008 concentrator on a slot other than 0 and needs to retrieve a CRL from the LDAP server.

CSCdu20627

The VPN 5000 concentrator now correctly sequences L2TP data packets and allows PPP negotiations to complete.

CSCdu22995, CSCdu22998

The concentrator now successfully completes a connection with an L2TP client configured to use PAP authentication.

CSCdu26765

The information now displays correctly when you use the show ip route command.

CSCdu28944

After restarting a concentrator configured as a responder for a LAN-to-LAN tunnel, the tunnel now comes up. Formerly, only tunnels initiated by the concentrator came up after a restart.

CSCdu33044

The BindTo keyword now works correctly when you configure a LAN-to-LAN tunnel in a CVC.

CSCdu34705

The concentrator no longer restarts when a LAN-to-LAN tunnel is initiated by a VPN device using a CheckPoint firewall.

CSCdu48350, CSCdu48385

The concentrator no longer rejects the search reply when it sends a search request for a CRL to an LDAP server using LDAPv2.

CSCdu58841

The concentrator no longer restarts when it tries to clear an invalid or nonexistent client security association (SA).

Caveats Fixed in Version 6.0.17

CSCdr88761

A large number of client connections no longer cause the concentrator to reboot.

CSCds58446

The concentrator no longer restarts if you press the Return key at a specific point in the startup process.

CSCdt10533

When OSPF external routes are installed on a network in which a static route is configured, the dynamic routes now apply correctly.

CSCdt19774

The concentrator no longer shows an LDAP error if there is no configuration for LDAP queries.

CSCdt20812

The concentrator no longer restarts if you download a CVC from a TFTP server into Flash memory, and the CVC exceeds the remaining available Flash memory of the device.

CSCdt25414, CSCdt48400

VPN 5002 or 5008 concentrators using a PPP connection now pass NetBIOS traffic through an L2TP tunnel.

CSCdt25647, CSCdt48437

The concentrator no longer restarts and logs an event if you use the context new command in normal or enable mode, or immediately following a reboot.

CSCdt40876

When you edit a CVC by adding new lines, you no longer lose lines in the configuration when you save using the write command.

CSCdt44349

Subsequent PPP sessions through L2TP tunnels are no longer rejected by the concentrator.

CSCdt47815

If a VPN client using NAT transparency disconnects from the concentrator and then reconnects before the NAT session times out, subsequent client connections using NAT transparency are now able to establish a connection.

CSCdt48399, CSCdt60714

The MTU/MRU size is now correctly negotiated when a PPP session is established with a concentrator. Previously, this incorrect negotiation caused large packet transfers to fail.

CSCdt48520

When you configure the BindTo keyword in the RADIUS server, the server now routes traffic back to a CVC other than Main.

CSCdt54461

There is no longer an intermittent restart event with L2TP users connecting to a concentrator using RADIUS authentication.

CSCdt56872

When you use Windows dialup networking with LCP extensions enabled to connect to a concentrator using L2TP, the connection no longer fails.

CSCdt63509

L2TP users that connect to a concentrator are now authenticated by the RADIUS configuration in their CVC, and not by the Main CVC RADIUS server.

CSCdt63534

The RADIUS server now receives accounting information for L2TP users that are connected to a concentrator.

CSCdt67922

The concentrator no longer restarts when a large number of LT2P tunnels are closed and then reinitiated.

CSCdt69027

If you have an L2TP connection using RADIUS authentication with CHAP, large file uploads using Microsoft Drag and Drop no longer cause the tunnel to stop passing traffic.

CSCdt73652

With OSPF enabled on all CVCs, including Main, it is now possible to transfer more than one configuration from a tftp server to a VPN 5001 concentrator.

CSCdt73678

A CVC in a VPN 5001 concentrator can now pass traffic over a tunnel to a CVC in a VPN 5002 concentrator.

CSCdt76402

When saving a modified configuration, the concentrator no longer hangs in the middle of the save.

CSCdt76894

A VPN client using L2TP now receives its IP address assignment by the RADIUS server.

CSCdt77428

The concentrator no longer restarts if you use OSPF over LAN-to-LAN tunnels.

CSCdt89630

The VPN statistics tunnel array has been corrected so that show vpn stats v and RADIUS accounting commands can be used.

CSCdt97890

The concentrator no longer drops its end of the tunnel due to an inactivity timeout after a dialup connection has been established with a VPN client.

Caveats Fixed in Version 6.0.16

CSCdr95270

LAN-to-LAN tunnels using G1 protection no longer fail phase 1 negotiation if tunnel connections using G2 protection are already established.

CSCds32527

If you set the L2TPAuth keyword to Both, this now allows both PAP and CHAP connections.

CSCds52175

The concentrator no longer restarts when it is overcome by a large number of invalid tunnel requests and extraneous traffic.

CSCds54583

The show l2tp users verbose command now displays the correct number of connections to CVCs other than Main.

CSCds58271

When a local user logs in to the concentrator, the RADIUS accounting log now registers the user and the Assigned IP and Real IP of the local user.

CSCds61315

VPN clients using NAT transparency can now successfully connect to concentrators which use multiple CVCs and VLANs in a CVC.

CSCds65165

If you make changes to the concentrator configuration using the apply command before a VPN client connects, this command no longer affects future client connections.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCds66315

The unallocated concentrator memory listed in the show os memory verbose command no longer grows with each simultaneous Windows connection.

CSCds69875

The modify config command no longer causes the concentrator to lose the configuration.

CSCds69520

When you connect an L2TP tunnel to the Main CVC, the concentrator can now ping a PPP client through the tunnel.

CSCds71588

The concentrator no longer restarts when you use the vpn tunnel down command for a VPN tunnel number configured for an IOP that is not present.

CSCds74575

You can now specify the slot number (slot#:vpn#) on a CVC tunnel. Previously, if you specified the slot number instead of using the default, this caused the concentrator to restart.

CSCds75624

The concentrator no longer restarts when it passes traffic through a GRE tunnel to a Cisco IOS device.

CSCds75698

The add ip route command now applies changes correctly for WAN subinterface routes.

CSCds77940, CSCds79097

You can now use an interface defined in the CVC to establish a tunnel session using L2TP. Previously, using an interface defined in a CVC other than Main caused the concentrator to restart.

CSCds78359, CSCds78374

If you use the write and apply commands to perform multiple configuration changes, this action no longer causes the concentrator to restart.


Note The apply command is not supported in Version 6.0.21.0001 and later.


CSCds81829

You can now use the Context New command while another configuration section is being edited and the configurations do not overwrite each other.

CSCds87483

The concentrator now passes traffic back to a VPN client user that belongs to a VPN Group bound to a subinterface in the Main CVC.

CSCdt09256

If you edit a configuration in the Main CVC, this no longer deletes the context = "name" line in the General section.

CSCdt43831

The VPN 5000 concentrator no longer crashes when it pings another host because of an EXCEPTION: Data Access Memory Abort.

Caveats Fixed in Version 6.0.15

CSCco00582

When a user connects to a VPN 5002 or 5008 concentrator using RADIUS, statistics for the connection on slots other than slot 0 are now logged in the log file correctly.

CSCco00749

If you configure multiple VPN-only ports on a VPN 5008 concentrator, all traffic to or from a given VPN-only port is no longer only sent to or from Ethernet 0:0.

CSCco00938

When the VPN 5000 concentrator is placed behind a device performing Network Address Translation (NAT), the VPN connections are no longer dropped in approximately 200 seconds due to Keep Alive Packets that do not pass through properly.

CSCco00999

For cases in which not all slots in a VPN 5002 or 5008 are filled, the show version command no longer prints an erroneous message on the console similar to the following message:

Bad value read from iop 1  -2/536878260

CSCco01065

Accounting now works with the Livingston Version 2.1 RADIUS server. The Radius section keyword defaults were updated to match the RFC: AcctPort = 1813 and AuthPort = 1812.

CSCdr53664

When you use RADIUS to authenticate users, the show vpn users command no longer shows incorrect information such as the VPN group name as a number, incorrect client and local addresses, and the incorrect connect time.

CSCdr95812

LAN-to-LAN tunnels established using the Tunnel Partner VPN Default section now terminate correctly.

CSCds03718

The command line interface no longer allows you to enter an incorrect value for the OSPF Area section NetRange keyword.

Closed Caveats

This section describes known issues related to the Cisco VPN 5000 concentrator software Version 6.0.21.0001. A closed caveat is one that Cisco does not intend to fix. They are included here for reference and for the valuable workarounds (when available).

General System Caveats

CSCds17529

When you use the VPN 5000 MIB for the VPN 5001 concentrator, several variables return values of zero. The variables are:

CPU utilization

Tunnel Latency

Tunnel Bandwidth Out

Tunnel Bandwidth Return

Workaround: Set the Tunnel Partner section SlaEnablePartner keyword to On for the tunnels in question.

CSCds44253

The following entries are present while a VPN 5002 or 5008 concentrator starts up, even if no configuration is present. These messages do not indicate an error, and require no workaround.

Initializing TBM Default Parse Table...
Cfg Buffer: 8: Invalid section name: 'IP Ethernet 3:0'
Cfg Buffer: 14: Invalid section name: 'IP Ethernet 5:0'
Cfg Buffer: 20: Invalid section name: 'IP Ethernet 7:0'

CSCds47374

The IP section DirectedBroadcast keyword appears as a valid keyword for an IP VPN section, but this keyword is not supported for IP VPN.

Workaround: Do not configure the DirectedBroadcast keyword.

CSCds54958

The Up arrow fails to repeat the last command and instead prints either "A" or "[[A" to the screen. This condition occurs when the concentrator is under heavy load, for example with a few thousand L2TP connections.

Workaround: Use the Up arrow again until the command repeats, or type the command you want.

CSCds72463

When two Telnet sessions are active on the concentrator, if one session uses the show config command, the second session is unable to use the show config command.

Workaround: Use the show os tcp (to get your Telnet session's socket), and reset tcp socket commands, and Telnet back in to the concentrator.

CSCdt08378

If you downgrade from Version 6.0 to 5.2 and you have CVCs in flash memory, the 5.2 code attempts to parse the CVCs and shows error messages on the console. These messages do not affect the operation of the concentrator.

No workaround after downgrading to 5.2. While in 6.0, you can use the context delete command to remove CVCs.

CSCdt19654

If you enter an IP Route Filter section, this causes the concentrator to lose RIP information even if the filter name is not called out in the General section.

No workaround.

CSCdt72335

The General section ConfiguredFrom keyword displays an incorrect value for the TFTP server address. This error does not affect system operation.

No workaround.

CSCdu03578

A concentrator with over 200 CVCs cannot use the tftp command to put a Main CVC on the concentrator.

No workaround.

CSCdu55514

If you Telnet from the concentrator to a remote device through a GRE tunnel, the connection fails and displays the error: "telnet: Connection refused". This occurs because the concentrator does not always choose the correct source address and source interface for originating the Telnet (TCP) packets.

Workaround: Specify the source address for the Telnet on the command line as shown in the following example:

telnet 10.1.2.3 sourceaddress 10.4.5.6

Where 10.1.2.3 is the device you want to Telnet to, and 10.4.5.6 is the address of an interface on the concentrator in your current context.

CSCdu56724

When you import a certificate into the concentrator, the concentrator does not display an error message if the import fails.

Workaround: Enter the show certificate installed command to see if the certificate installed properly.

CSCdu62161

The show ip config command does not display filters applied to subinterfaces.

No workaround.

CSCdu71391

VPN 5001 concentrators reboot spontaneously without saving a restart trace in software releases prior to 5.2.22 and 6.0.20. In software releases 5.2.22 and 6.0.20 and later, a restart event is saved, similar to the following example. If the EXCEPTION field has the word Reset next to it, and the Control Register under the StrongARM MMU Registers heading has a value ending with 70, then your device has a hardware problem.

Workaround: Please contact the Cisco Technical Assistance Center to replace your unit.

Restart Information:
    System Uptime:    1 day 17 hours 33 minutes 47 secs
    Time:             9/21/01 9:06:35
    OS Version:       IntraPort2+ V5.2.21.0005 (dalecki) US
    Panic Code:       0x00006ff9
    Panic Info:       0x00000000 0x00000000 0x00000000
 EXCEPTION: Reset
 Registers:
      R0   0x003d9430   R1   0xffff66af
      R2   0x002bdb04   R3   0x0000ffff
      R4   0xf03d9444   R5   0x00000000
      R6   0x0004994c   R7   0x000065af
      R8   0x00000000   R9   0x0000007f
      R10  0x00000000   FP   0x00212a54
      R12  0x00000000   SP   0x003fec88
      LR   0x41000d98   PC   0x41000d98
      CPSR 0x600000d3 (13)
 StrongARM MMU Registers:
       ID Register            4401a103
       Control Register       00264070  <   ending with the value of "70" means that 
the MMU was turned off and the processor reseted.
       TLB Register           00264070
       Domain Register        11111110
       Fault Status Register  00264054
       Fault Address Register 00000000
       Saved CPSR             000000d3
 Process Info:
      name -> 'prnull',  priority/state -> 6/0x3
      plimit/pbase/size  -> 0x00215c04/0x00216c00/4096
 Backtrace:
      fp 0x00212a54, rtn 0x00169e70, args: <not available>
      fp 0x00212a8c, rtn 0x00385158, args: <not available>
      fp 0x003851fe, rtn 0x88b8b0e2, args: <not available>
 Stack:  0x003fec54
 003fec54  0000 0005 2e7c 3762  ac88 242c 43ba 9e41  *.....|7b..$,C..A*
 003fec64  0def 07ac 6558 7a3f  f03d 9444 0000 0000  *....eXz?.=.D....*

CSCdv08543

The concentrator restarts when you exit from the console port while in edit mode for a Main CVC.

No workaround.

CSCdv18010

If you run an snmpwalk on a VPN 5002 or 5008 concentrator, only information regarding slot 0 is displayed.

No workaround.

CSCdv19088

If you issue the edit config command, but exit without making changes, the concentrator does not allow you to TFTP a new configuration to replace the current one because the concentrator indicates that the configuration is being edited. You also cannot write the configuration to make the concentrator believe that the editing session has ended because the concentrator indicates that no changes were made.

Workaround: Edit the configuration by appending a comment, then write the configuration. The concentrator then allows you to TFTP a new configuration.

CSCdv26350

When you use an LDAP URL in the Context List section, if you do not include the ?attributes attribute in the URL (ldap://IP_address[:port]/dn[?attributes[?scope[?filter]]]), the concentrator enters a boot loop.

Workaround: If you are already in a boot loop, set the test switch to 8 and add the ?attributes option to the URL. Attributes could be the CVC file name, for example.

CSCdv32461

The SNMP manager is unable to acquire CPU utilization for a VPN 5000 concentrator using the vendor-specific CompatMIB file.

No workaround.

CSCdv34871

If an IP subinterface section is listed in the CVC before the primary interface, the subinterface will not install.

Workaround: List primary interface first, then subinterfaces.

CSCdv34975

A VPN 5002 concentrator experiences intermittent restarts and several _step_lock SA errors appear in the restart log.

No workaround.

CSCdv52055

If you upgrade a VPN 5002 or 5008 concentrator from Version 6.0.17 or earlier to a later version, the Ethernet interface might stop transmitting packets.

Workaround: Turn the power off and on, and this problem does not reappear. This caveat does not apply if you upgrade from Version 6.0.18 or later.

CSCdv54877

The output of the show ip route command shows an incorrect association between the destination address and the CVC subinterface.

No workaround.

CSCdv56471

The concentrator takes a long time to load a large number of CVCs, approximately 3 to 5 seconds per CVC.

No workaround.

CSCdv64992

CRL Distribution points containing a DC (domain component) or an email address result in an improper CRL query and the connection fails.

No workaround.

ESP Card and Port Caveats

CSCco00572

When you unplug and then reconnect the 10/100BASE-T Ethernet port from the network, the port does not correctly renegotiate its speed or duplex setting in autodetect mode.

Workaround: Set the Ethernet interfaces speed and duplex in the Ethernet Interface section, or connect the Ethernet cable to the hub or switch. Turn off the concentrator and then turn it on.

CSCds87290

On a VPN 5002 or 5008 concentrator, the show sys hardware command only shows statistics for slot 0.

VPN Tunneling Caveats

CSCco00914

If you configure a WINSPrimaryServer or WINSSecondaryServer in the VPN Group section, this configuration does not forward WINS traffic from the client correctly. Normally, if you specify a WINS server on the concentrator, this redirects any client WINS traffic over the tunnel, regardless of the WINS server configured on the client PC. However, while the client can see hosts in Network Neighborhood, the client receives an error message when it attempts to connect.

Workaround: Configure the remote WINS servers in the Network Control Panel or in the dialup profile on the client PC, and do not specify a WINS server on the concentrator.

CSCds23170

The concentrator allows you to set the IP section VPNOnly keyword to On on a VPN port, which only allows tunneling through a tunnel. VPNOnly = Off is the default.

Workaround: Do not set VPNOnly = On in the IP VPN section.

CSCds54302

The High Water value shown by the show vpn statistics command is artificially inflated when a large number of LAN-to-LAN tunnels are terminated abruptly and then reconnected.

No workaround.

CSCds69425

If you use an L2TP interface defined in a CVC other than Main to establish tunnel sessions, PPP users cannot connect.

Workaround: Use an interface defined in the Main CVC.

CSCds70630

If you have many tunnels in multiple CVCs that attempt an IKE Phase 2 rekey in the same time period, the concentrator might not be able to complete the rekeys in a timely manner, and some tunnels might go down and need to be brought back up manually.

Workaround: Set the Tunnel Partner section KeyLifeSecs and MaxKeyKBytes keywords for each tunnel so that the rekey times are staggered.

CSCdt19725

The show vpn statistics command shows device-wide statistics, and not the statistics for each ESP card.

No workaround.

CSCdu29584

If you attempt to send an instant message using Microsoft Instant Messenger from inside a private network to a VPN client user, the message does not go through the tunnel.

No workaround.

CSCdv22801

If a GRE tunnel is established between a VPN 5000 concentrator and a Cisco IOS device, the OSPF routing updates are not passed correctly because of a mismatch in the default MTU sizes. The default MTU size is 1476 for the Cisco IOS device, and 1500 for the Cisco VPN 5000 concentrator.

Workaround: Configure the tunnel interface on the Cisco IOS device to have the same default MTU size as the VPN 5000 concentrator.

CSCdv22824

When an internal interface that is connected to a RADIUS server fails, the failover to a secondary server can take up to 70 seconds.

No workaround.

CSCdv28923

If a proprietary tunnel is established between two VPN 5000 concentrators and they are configured for aggressive mode IPSec tunnels, the time-based rekey may not occur at the configured time. For example, if you have the Keylifesecs keyword in the Tunnel Partner section set to 600, the rekey does not occur for approximately 1000 seconds.

Workaround: No workaround needed. The rekey eventually takes place.

CSCdv32748

If the Tunnel Partner section SharedKey keyword is longer than 40 characters, RIP fails on the tunnel between two VPN 5000 concentrators.

Workaround: Set the SharedKey to be less than 40 characters.

CSCdv34747

The show ip config command shows VPN interfaces as disabled even if a tunnel is active. Also, the VPN number (VPN 0:0) does not match the configured number.

No workaround.

CSCdv48929

A VPN 5000 concentrator takes two times as long as the value set in the VPN Group section InactivityTimeout keyword value before it terminates a VPN client connection. For example, if the InactivityTimeout value is set for 30 seconds, the concentrator does not terminate the tunnel with the VPN client until 60 seconds has passed.

No workaround.

CSCdv56797

While PPP sessions and L2TP tunnels are coming up, the show l2tp tunnels command produces this error:

L2TP Tunnel Information for slotSlot 1 >>>
Error bringing up VPN1:146.  rmt_if_up returned -1
  0:  Total tunnels 5 sessions 195

CSCdv59031

The VPN 5000 concentrator stops sending RIP routing updates to its tunnel partner over a GRE-over-IPSec tunnel.

No workaround.

CSCdv74472

For a GRE tunnel, the concentrator advertises the Tunnel Partner section BindTo IP address through the tunnel to the partner. The partner then installs the BindTo IP address in its routing table showing the address as reachable through the tunnel, and overwrites the original (correct) static route that showed the BindTo address as reachable through the local interface. This routing entry causes traffic to stop going over the tunnel.

Workaround: Set the IP Protocol Precedence section Precedence keyword to static ospf rip. The default is ospf rip static.

CSCdv88433

If you reset L2TP tunnels using the reset l2tp tunnel all command, and you use the show l2tp users command to see how many users have reconnected, the L2TP Call Session Summary shows more users than are actually connected.

Workaround: The information for each ESP card is correct.

CSCdw39372

If the SNMP administrator issues a get on the SNMPv2 MIB II UDP group, no information is returned for the UDP table.

No workaround.

CSCdw60656

When a LAN-to-LAN tunnel is configured between two VPN 5000 concentrators, restarting the tunnel initiator causes the responder to restart when the initiator's CVC initializes. The tunnel comes up when the responder finishes rebooting.

No workaround.

User Authentication Caveats

CSCds34591

If multiple clients attempt to connect to the VPN 5000 concentrator simultaneously using SecurID, and the concentrator has not yet established the password between itself and the ACE/Server (usually established on the first connection), then the ACE/Server reports, "ACCESS DENIED, Can't lock client," and fails to authenticate the clients.

Workaround: To connect to the concentrator for the first SecurID authentication, use only one client. This allows the concentrator to establish the password correctly. After the password is set, clients can connect normally.

CSCds54302

When you use the show vpn statistics command, the high water mark (the highest number of concurrent active connections since the last reboot) for LAN-to-LAN tunnels might be inflated after several tunnels crash and other tunnels get online.

No workaround.

CSCds56570

The default value for the Radius section VPNGroupInfo keyword is 77. This setting is in violation of RFC 2869, which states that attribute 77 should be used for data from the concentrator to the RADIUS server, and not the other way around.

Workaround: Set this value to another number, such as 88.

CSCdu31506

The Radius section SecAddress keyword does not work properly when set to a domain name.

Workaround: Set an IP address.

CSCdu80950

A tunnel between a Cisco IOS device and a VPN 5000 concentrator might stop responding for an extended period of time after an attempted Phase 2 rekey negotiation, even if the Tunnel Partner section KeyManage keyword is set to Reliable.

Workaround: Set the KeyLifeSecs keyword on the VPN 5000 and the crypto ipsec security association lifetime seconds on the Cisco IOS device to 86400 (24 hours).

CSCdv28101

The concentrator does not interoperate with the Cisco Access Registrar RADIUS server.

No workaround.

Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

http://www.cisco.com

Translated documentation is available at the following URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Inquiries to Cisco TAC are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:

http://www.cisco.com/register/

If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.