Table Of Contents
Release Notes for Cisco
VPN 3000 Series Concentrator, Release 4.0.5.BDowngrading from Release 4.0.x
VPN 3005 Concentrator Enhancement
Hardware Acceleration for Advanced Encryption Standard (AES)
Native Kerberos Authentication
Alerts (Delete with Reason Notifications)
Configurable giaddr for Group-Based DHCP
Memory Conservation Enhancements
Memory Statistics Display Enhancements
Enhanced Sygate Firewall AYT Support
Enhanced PING Command Features
LDAP Authorization Authenticated Bind (Login DN) Support
Disable Group Lock When Using SDI or NT Domain Authentication
Password Expiry Does Not Change User Profile for LAN
Browser Interoperability Issues
VPN Client Used with Zone Labs Integrity Agent Uses Port 5054
Administer Sessions Screen Shows Data for Wrong Group
Long Initialization for SNMP Traps in Releases 3.0, 3.5, and 3.5.1
Accessing Online Glossary Requires Connection to Cisco.com
SNMP Traps VRRP Notifications and cipSecMIBNotifications Are Not Supported
RSA Allows a CA to Issue Only One Certificate with any DN
Reauthentication on Rekey Interval
VPN 3000 Concentrator Ignores RADIUS Packets Longer Than 4096 Bytes
VPN Client Supports Elevated Privileges Using the MSI Installer
Change to Network List Creation for LAN-to-LAN Configuration
Open Caveats for VPN 3000 Series Concentrator
Caveats Resolved in Release 4.0.5.B
Caveats Resolved in Release 4.0.5.A
Caveats Resolved in Release 4.0.5
Caveats Resolved in Release 4.0.4.B
Caveats Resolved in Release 4.0.4.A
Caveats Resolved in Release 4.0.4
Caveat Resolved in Release 4.0.3
Caveats Resolved in Release 4.0.2
Caveats Resolved in Release 4.0.1
Caveat Resolved in Release 4.0
VPN 3000 Concentrator Documentation Updates
Software Configuration Tips on Cisco Technical Support Website
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Release Notes for Cisco
VPN 3000 Series Concentrator, Release 4.0.5.B
CCO Date: August 27, 2004
Part Number OL-5914-03
Introduction
Note
You can find the most current documentation for released Cisco VPN 3000 products at http://www.cisco.com or http://cco.cisco.com. These electronic documents might contain updates and changes made after the hard-copy documents were printed.
These release notes are for Cisco VPN 3000 Series Concentrator Release 4.0 through Release 4.0.5.B software. These release notes describe new features, limitations and restrictions, and related documentation. They also list issues you should be aware of and the procedures you should follow before loading this release. The section, "Usage Notes," describes interoperability considerations and other issues you should be aware of when installing and using the VPN 3000 Series Concentrator. Read these release notes carefully prior to installing this release.
Contents
These release notes describe the following topics:
Open Caveats for VPN 3000 Series Concentrator
Caveats Resolved in Release 4.0.5.B
Caveats Resolved in Release 4.0.5.A
Caveats Resolved in Release 4.0.5
Caveats Resolved in Release 4.0.4.B
Caveats Resolved in Release 4.0.4.A
Caveats Resolved in Release 4.0.4
Caveat Resolved in Release 4.0.3
Caveats Resolved in Release 4.0.2
Caveats Resolved in Release 4.0.1
Caveat Resolved in Release 4.0
Obtaining Technical Assistance
System Requirements
This section describes the system requirements for Release 4.0.
Hardware Supported
Cisco VPN 3000 Series Concentrator software Release 4.0 supports the following hardware platforms:
•
•
Platform Files
Release 4.0 contains two binary files, one for each of two platforms:
•
•
Caution
Upgrading to Release 4.0
This section contains information about upgrading from earlier releases to Release 4.0.
When upgrading VPN 3000 Concentrator releases, you must clear the cache in your browser to ensure that all new screens display correctly when you are managing the VPN Concentrator.
Note
Upgrading to a new version of the VPN 3000 Concentrator software does not automatically overwrite the existing configuration file. Configuration options for new features (for example, IKE proposals) are not automatically saved to the configuration file on an upgrade. The HTML Manager displays "Save Needed" (rather than "Save") to indicate that the configuration needs to be saved. If the configuration is not saved, then on the next reboot, the new configuration options are added again. If you need to send the configuration file to the TAC, save the running configuration to the configuration file first.
Before You Begin
Before you upgrade to this release, back up your existing configuration to the flash and to an external server. This ensures that you can return to the previous configuration and software if you need to.
Be aware of the following considerations before you upgrade. These are known product behaviors, and your knowing about them at the beginning of the process should expedite your product upgrade experience. Where appropriate, the number of the caveat documenting the issue appears at the end of the item. See Open Caveats for VPN 3000 Series Concentrator for a description of using this number to locate a particular caveat.
Release 4.0 of the VPN 3000 Concentrator software contains several features that interact with corresponding features in the Release 3.6.x and 4.0.x versions of the VPN Client and VPN 3002 Hardware Client software. To get the full benefit of this release you should upgrade your client software to one of these versions.
Note
The VPN 3000 Concentrator software, Release 4.0, does operate with VPN Client and VPN 3002 Hardware Client versions 3.0 and higher, but you should upgrade these, too, to take full advantage of the new features.
•
•
•
Use the following backup procedure to ensure that you have a ready backup configuration.
Backing Up the Existing Configuration to the Flash
1.
2.
3.
You have now backed up the existing configuration to the flash.
Backing Up the Existing Configuration to an External Server
You should also back up the configuration to a server. You can do this in many ways, one of which is to download the file using your Web Browser from the HTML interface (VPN Manager).
You can now upgrade the software with assurance that you can return to your previous firmware using your previous configuration.
Note
Downgrading from Release 4.0.x
If you need to return to a release prior to Release 4.0.x, do the following:
Step 1
Step 2
Step 3
Step 4
Step 5
Your prior firmware and image are restored.
New Features in Release 4.0.4
Release 4.0.4 introduces the following features.
VPN 3020 Concentrator
The VPN 3000 Concentrator Series now includes the VPN 3020, which has these specifications:
•
•
•
•
•
–
–
–
The VPN3020 is not upgradable to a VPN 3030, 3060, or 3080.
VPN 3005 Concentrator Enhancement
Beginning with Release 4.04, the VPN 3005 Concentrator with 64 MB memory supports up to 200 simultaneous remote access IPSec sessions.
To achieve this number, VPN Client must either:
•
•
VPN 3002 Hardware Client must refrain from split tunneling.
Note
New Features in Release 4.0
This section describes the new features in Release 4.0 of the VPN 3000 Series Concentrator. For detailed instructions about how to configure and use these features, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Management.
Hardware Acceleration for Advanced Encryption Standard (AES)
VPN 3000 Concentrator models 3015 and higher now offer an enhanced, scalable encryption processor (SEP-E), that provides hardware support for AES (software support was added in Release 3.6). This feature has no configuration implications. For installation information about the new SEP-E modules, see Installing SEP or SEP-E Modules in the VPN 3000 Series Concentrator.
Note
512 MB On-Board Memory
You can now upgrade your VPN 3060 or 3080 Concentrator memory to 512 MB.
Note
If your VPN 3000 Concentrator is running low on memory resources, upgrading to 512 MB will help. Symptoms that indicate low memory include the following:
•
•
•
To determine the amount of memory currently installed in your VPN Concentrator, use the Monitoring | Status screen. For information about installing memory upgrades and about updating the VPN Concentrator Manager and the VPN Concentrator Bootcode, see Upgrading Memory to 512 MB in the VPN 3000 Series Concentrator, included with your memory upgrade kit.
Note
RADIUS User Filters
With Release 4.0, administrators can define remote access user filters in Cisco Secure ACS as download PIX ACLs or as a Cisco vendor-specific RADIUS attribute AV-PAIR (26/9/1), rather than having to define them on each VPN Concentrator. This feature provides limited support for to download inbound access control lists or filters and apply them to a user or group, rather than defining the filters on the VPN Concentrator.
A network administrator can configure the filters on a RADIUS server, rather than on the VPN Concentrator. To provide information about the filter and filter rules, the VPN Concentrator's management system includes a new screen in the monitoring and administration sessions.
Backup LAN-to-LAN
The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.
•
•
Note
Native Kerberos Authentication
Release 4.0 supports authentication to Kerberos/Active directory, which is the default authentication mechanism in Windows 2000 and Windows XP. Kerberos is an authentication protocol for use on untrusted networks. The protocol comprises two stages of authentication--the first level is to a key distribution center (KDC), and the second level is between each client and server.
To configure this feature, an administrator must add a Kerberos authentication server on a group basis or add the server to the global authentication servers list and configure such parameters as server IP address, server port, number of retries, and so on. The IPSec group tab includes Kerberos as an authentication type, and statistical displays also include Kerberos authentication statistics.
See the Open Caveats section for information about configuration issues with Active Directory (CSCdz62206) and Linux/UNIX (CSCea20236).
LDAP/RADIUS Authorization
This feature separates user authorization (permissions) from user authentication. It lets certificate users receive permissions by means of LDAP or RADIUS without secondary authentication via XAUTH. It also lets non-certificate users using any type of authentication scheme (Kerberos, NT Domain, SDI, Radius, and Internal) to retrieve these permissions/attributes.
The feature provides a way to configure RADIUS and LDAP authorization servers and event information. The network administrator configures authorization servers on a global system or group basis.
Alerts (Delete with Reason Notifications)
The VPN 3000 Concentrator and the VPN 3002 Hardware Client can send alerts with reasons for disconnects and reboots they initiate to either the VPN Client or Concentrator to which they connect. When a disconnect occurs, the VPN Client displays the disconnect notice and the reason (if available) in the Event log.
The VPN Client can also send alerts regarding disconnects that it initiates, but it does not send a reason.
SNMP Enhancements
With Release 4.0, you can configure a list of particular event identifiers to track, as well as tracking events by class and severity. For more information, see VPN 3000 Series Concentrator Reference Volume I: Configuration, Chapter 10, "Events."
Disable LAN-to-LAN Tunnels
With Release 4.0, an administrator can disable a LAN-to-LAN VPN connection without deleting its configuration. This feature can be useful for troubleshooting a connection.
Configurable giaddr for Group-Based DHCP
This feature lets an administrator define a network address on a group basis to be used in DHCP proxy address assignments. To use this feature, DHCP proxy must be enabled on the VPN 3000 Series Concentrator. The administrator enters a network address without a subnet mask under group and user configuration. This address indicates to the DHCP server the scope (that is, the range of available IP addresses on the DHCP server) within which to assign the address.
Memory Conservation Enhancements
Release 4.0 includes modifications to memory structures and allocation algorithms to limit unnecessary memory use.
Memory Statistics Display Enhancements
The VPN 3000 Concentrator and the VPN 3002 Hardware Client now monitor and display memory usage in terms of block size and free and used blocks. The display also includes a new page with detailed statistics.
Enhanced Sygate Firewall AYT Support
Release 4.0 includes support for Sygate Personal Firewall, Sygate Personal Firewall Pro, and Sygate Security Agent.
Enhanced PING Command Features
Admin users who have only read access can now do PING commands, using either the Monitor tab on the GUI or the command-line interface. The PING command also appears, as before, on the Admin tab, accessible to users who have full access privileges. The PING command now shows the reply time in milliseconds and not just "device is available."
Adjustable DPD Timeout
For dead-peer detection (DPD), this feature lets an administrator configure the interval that the Concentrator waits before beginning Keepalive monitoring. This feature applies only to Easy VPN Clients that are using IKE Keepalives.
LDAP Authorization Authenticated Bind (Login DN) Support
Release 4.0.1 adds support for LDAP Authorization Authenticated Binds by allowing you to configure the Login DN and Password fields. The field names and the order of fields on the LDAP Authentication Server configuration page have changed, as follows (CSCea73064):
•
•
The LDAP config fields are now in the following order:
•
•
•
•
•
•
•
•
•
•
•
The Login DN represents a user on the LDAP server with administrative privileges. For example, on the Microsoft Active Directory LDAP Server, the Login DN could be:
cn=Administrator,cn=Users,dc=mycompany,dc=com(CSCea69156)
Usage Notes
This section lists interoperability considerations and other issues to consider before installing and using Release 4.0 of the VPN 3000 Series Concentrator software.
Online Documentation
The online documentation might not be accessible when using Internet Explorer with Adobe Acrobat, Version 3.0.1. To resolve this issue, upgrade to Acrobat 4.0 or higher. The latest version of Adobe Acrobat is available at the Adobe web site: http://www.adobe.com.
Disable Group Lock When Using SDI or NT Domain Authentication
Password Expiry Does Not Change User Profile for LAN
You must enable Start Before Logon on the VPN Client and possibly may need to make sure that DNS and WINS servers are properly configured (CSCdv73252).
Browser Interoperability Issues
The following sections describe known behaviors and issues with the indicated Web browsers.
VPN 3000 Concentrator Fully Supports Only Netscape and Internet Explorer
Currently, the VPN 3000 Concentrator fully supports only Netscape and Internet Explorer. Using other browsers might cause unacceptable behavior; for example, if you attempt to use an unsupported Web Browser to manage the VPN 3000 Concentrator, clicking any of the links might return you to the login screen. (CSCdx87630).
Internet Explorer 4.x Browser Issues
The following are known issues with Internet Explorer 4.X and the VPN Concentrator Manager (the HTML management interface). To avoid these problems, use the latest version of Internet Explorer.
•
•
•
After adding a new SSL certificate, you might have to restart the browser to use the new certificate.
VPN Client Used with Zone Labs Integrity Agent Uses Port 5054
VPN Clients, when used with the Zone Labs Integrity Agent, are put into a "restricted state" upon connection to the Integrity Server if a port other than 5054 is used. The restricted state simply means the VPN Client is able to communicate only with the Integrity Server; all other traffic is blocked (CSCdw50994).
Workaround:
Do one of the following:
•
•
Administer Sessions Screen Shows Data for Wrong Group
When an L2TP/IPSec connection is established, authentication should behave as follows:
1.
2.
3.
This all works properly, but in the Administration | Administer Sessions screen, the Tunnel Group displays instead of the User's Group (CSCdy00360).
Long Initialization for SNMP Traps in Releases 3.0, 3.5, and 3.5.1
In Releases 3.0, 3.5, and 3.5.1 of the VPN 3000/3002 products, the SNMP task takes 3-5 minutes to complete initialization after a device reboot. Traps being processed during this interval are queued and sent to the SNMP Management station after SNMP task initialization completes.
However, the cold start trap, normally sent as a result of a device rebooting, is never sent.
In Release 2.5.X, the cold start trap is properly sent to the SNMP Manager after a device reboots (CSCdt01583).
Windows NT Authentication Servers Can't Follow Other Server Types in the a Prioritized Authentication Server List
If an Windows NT server follows a non-NT server in the prioritized authentication server list, and the non-NT server becomes unavailable for some reason, the VPN 3000 Concentrator detects this and falls back to the Windows NT server. If the tunnel being established is PPTP or L2TP, the authentication attempt to the Windows NT server also fails.
Therefore, when configuring PPTP or L2TP connections, do not place Windows NT authentication servers behind other types of servers in the applicable authentication server list (CSCdy07226).
Accessing Online Glossary Requires Connection to Cisco.com
The Glossary button at the top of all Help screens tries to contact univercd at www.cisco.com (the Cisco documentation site). This connection requires connectivity to Cisco's main web site. If your PC does not have a corporate Internet connection or your firewall blocks access, the following error appears when you attempt to access the Glossary:
"The page cannot be displayed."
To access the Glossary, you must be connected to www.cisco.com (CSCdy14238).
SNMP Traps VRRP Notifications and cipSecMIBNotifications Are Not Supported
The VPN 3000 Concentrator does not support the VRRPNotifications and cipSecMIBNotifications SNMP traps. You can configure VRRP for these SNMP traps without getting an error message, but the traps themselves are not supported, so no action occurs. The same is true of Cisco IPSec-flow MIB notifications (CSCdx44580).
RSA Allows a CA to Issue Only One Certificate with any DN
The rekey option to renew an SSL certificate from the RSA CA results in a rejection of the request.
The resubmit/renew feature does work with RSA as long as the certificate being rekeyed or renewed is first deleted from the CA database. RSA does not allow a CA to issue more than 1 certificate with any particular DN (CSCdv27743).
Reauthentication on Rekey Interval
If you have enabled the Reauthentication on Rekey feature, the VPN Concentrator prompts users to enter an ID and password during Phase 1 IKE negotiations and also prompts for user authentication whenever a rekey occurs. Reauthentication provides additional security.
If the configured rekey interval is very short, users might find repeated authorization requests inconvenient. In this case, disable reauthentication. To check your VPN Concentrator's configured rekey interval, see the Lifetime Measurement, Data Lifetime, and Time Lifetime fields on the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add or Modify screen.
Note
VPN 3000 Concentrator Ignores RADIUS Packets Longer Than 4096 Bytes
Some RADIUS Servers exceed the Maximum RADIUS packet size of 4096 bytes. The VPN 3000 Series Concentrator ignores RADIUS packets that exceed this length (CSCdz90027).
Downgrading to Release 3.6 with a Release 4.0 Configuration Deletes Information from LAN-to-LAN Groups
A VPN Concentrator with more than 125 users and groups combined fails to terminate tunnels if the SEPs are not active. This is because a VPN Concentrator with no active SEPs is considered to be a model 3015, and model 3015 supports only 125 users and groups combined.
This condition could unexpectedly arise if a VPN Concentrator with a SEP-E, running Release 4.0, is downgraded to Release 3.6. This would result in the problem, because the Release 3.6 does not support the SEP-E module. The SEP-Es are detected as unknown cards if present when running Release 3.6 code.
If you encounter a situation, for whatever reason, where you are trying to load a configuration with more users than are supported by the model, the following event appears on the console after a reboot:
*************************************************************
3 03/20/2003 14:03:16.260 SEV=3 CONFIG/32 RPT=1
SERVE Too Many Entries Error. Delete an entry before adding a new one.
*************************************************************
(CSCea51435)
VPN Client Supports Elevated Privileges Using the MSI Installer
Windows Installer 2.0 must be installed on a Windows NT or Windows 2000 PC prior to configuring the PC for a Restricted User with Elevated Privileges When using elevated privileges, the VPN Client program files are created under the specific user, not "ALL" users. (CSCea37900).
Change to Network List Creation for LAN-to-LAN Configuration
The functionality that allows the administrator to create a network list from within a LAN-to-LAN configuration page has changed.
In previous releases, the administrator could create a network list from within the LAN-to-LAN configuration page. The new method for creating a network list uses a link on the LAN-to-LAN index page to the network list configuration page.
This change was resolves a problem with Reverse Route Injection when the network lists are added from within the LAN-to-LAN page. With the previous method, the routes, corresponding to the network lists that were added via the LAN-to-LAN page, were not present in the routing table (CSCea13002, CSCdz87573).
Open Caveats for VPN 3000 Series Concentrator
Caveats describe unexpected behavior or defects in Cisco software releases. The following list is sorted by identifier number.
Note
The following problems exist with the VPN 3000 Series Concentrator, Release 4.0.
•
L2TP over IPSec connections fail if going through a NAT device. During the connection establishment, the VPN Client and the VPN 3000 Concentrator exchange IP addresses. When the client sends what it believes to be the VPN 3000 Concentrator's address (really the NATed address), the VPN 3000 Concentrator releases the connection.
This is because the address assigned to the interface does not match the address coming in from the client. The same issue exists on the client side. This will not be resolved until the Windows 2000 MS client supports UDP encapsulation.
•
When configuring a LAN-to-LAN connection with IOS or PIX, it is important to match the keepalive configuration (both "ON" or both "OFF"). If the keepalive configuration is OFF for the VPN 3000 Concentrator and ON for the IOS device, the tunnel will be established with data.
IOS tears down the tunnel because the VPN 3000 Concentrator does not respond to IOS style keepalives if keepalives are configured to be OFF for the VPN 3000 Concentrator.
•
In some cases, the Zone Labs Integrity Agent may not properly update on the Windows NT version 4.0 operating system while the VPN Client is connected, policy is changed and re-deployed, and the connection is up. Specifically, if you "Block Internet Servers" under the Firewall Security Rules in the Policy and then Deploy that new policy, a PC running Windows NT version 4.0 receives the updated policy, but it might not put the "Block Internet Servers" setting of that policy into effect.
Workaround:
Reboot the operating system.
•
Due to a Microsoft limitation, Windows XP PCs are not capable of receiving a large number of Classless Static Routes (CSR). The VPN 3000 Concentrator limits the number of CSRs that are inserted into a DHCP INFORM message response when configured to do so.
The VPN 3000 Concentrator limits the number of routes to 28-42, depending on the class.
•
The Concentrator may display the following events during a VPN Client connection. These events were found to be due to the client being behind a Linksys Cable/DSL router that was incorrectly modifying the Client's packets, causing them to fail authentication when received by the VPN Concentrator. The problem is more prominent if LZS compression is used.
Events:
131500 06/20/2002 17:08:34.300 SEV=4 IPSEC/4 RPT=4632
IPSec ESP Tunnel Inb: Packet authentication failed, username: gray, SPI:
4e01db67, Seq Num: 0000850f. Dump of failed hash follows.
Linksys has been notified about the problem.
Workaround:
Although no workaround currently exists, disabling LZS compression on the Concentrator helps reduce the number of events. To disable LZS compression on the Concentrator set the "IPComp" setting on the IPSec tab of the group configuration to "none".
•
The Microsoft L2TP/IPSec client for Windows 98, Windows ME, and Windows NT does not connect to the VPN 3000 Concentrator using digital certificates.
Workaround:
Use Preshared keys.
•
The Assigned IP address for a PIX-501 in Network Extension Mode appears on the VPN 3000 Concentrator as 0.0.0.0 until the first IPSec/Phase 2 rekey takes place. After the Phase 2 rekey completes, the Assigned IP address is correctly set to the PIX-501's private interface network address.
•
Using Microsoft Internet Explorer version 5.0, you cannot create a detailed memory report from the Monitoring | System Status | Memory Status | Detailed Memory Report button. The file memory.txt is not created. The report does work if the file already exists. You can create the file initially if you run a detailed report from the CLI interface. Internet Explorer version 5.5 and Netscape work fine.
•
When switching between tabs under the interfaces section of the html-management page, the action may eventually fail.
If this happens simply go back to the interface summary page and drill back down into the desired interface. Everything will resume working again.
•
The LDAP Authorization failure reasons depend on how the LDAP server implements these error codes. RFC 1777-LDAP states that the LDAP server might not return an error code, therefore in those situations the VPN 3000 failure reason is "Invalid response received from server".
For the case in which the LDAP server does return a specific error diagnostic (for example, noSuchAttribute) the VPN 3000 failure reason displays the appropriate string.
•
Before you use the VPN Concentrator to authenticate a user to a Linux or Unix server running a Kerberos server, follow these steps:
a.
kadmin.local -q "getprinc username"
b.
[realms]
MYCOMPANY.COM = {
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
Save the file. Then, restart the krb5kdc, kadmin, and krb524 services.
c.
kadmin.local -q "cpw -pw newpassword username"
Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
•
HTTP Software Updates sometimes fail with "Software Update Error". Retrying the operation does not update the image.
•
The text from the Help page for the Monitoring | System Status | Memory Details page in HTML incorrectly refers to "Memory Detail Report". The page is labelled and called: "Detailed Memory Report".
•
The Help for the SEP-E in the Monitoring | System Status | SEP in-line SEP page is incomplete. In other sections, we make reference to the SEP-E. We should add:
"AES (SEP-E only)" to the Encryption and Decryption bullet.
This screen displays status and statistics for a VPN Concentrator SEP (Scalable Encryption Processing) or a SEP-E (Enhanced SEP) module, which performs hardware-based cryptographic functions:
–
–
–
The screen shows cumulative data since the system was last booted or reset.
Caveats Resolved in Release 4.0.5.B
Release 4.0.5.B resolves the following issues:
•
After the public IP address and default gateway have been changed, the VPN Concentrator does not allow incoming data packets encapsulated by UDP (10000) even if an IPsec session is being established correctly. If you use TCP encapsulation or no encapsulation the problem does not occur.
•
When "clear log" is selected, the VPN Concentrator should save or FTP the event log if "Save Log on Wrap" or "FTP Log on Wrap" is configured (respectively).
•
If FTP and Save Log on wrap are both enabled, the FTP log file will be empty if the Save Log file fails due to insufficient flash space. The FTP log file should still get created even if the flash log file can't be created.
Caveats Resolved in Release 4.0.5.A
Release 4.0.5.A resolves the following issues:
•
In the LAN-to-LAN NAT rules, the VPN Concentrator accepts such network/mask rules as, 192.168.1.0 / 255.255.0.0. It should consider this a typo and either modify it to be 192.168.0.0/255.255.0.0 or it should reject it and warn the user.
•
VPN Client 4.0 running on Microsoft Windows 2000 or Windows XP — After connecting, a classfull route is installed in the routing table due to not receiving a subnet mask.
The VPN 3000 Concentrator should allow the user to define the subnet mask for each address pool and pass this to the client.
Downgrade issue with fix:
If you downgrade to a version without the new feature, the address ranges will get loaded without the subnet mask. If you save your configuration and upgrade again, the masks are reset to "0.0.0.0".
•
The VPN 3030 Concentrator stops accepting new connections, and the memory status shows RED. The old connections seem to work without any issues.
This condition may occur with a high volume of one-way traffic encapsulated with cTCP. cTCP drops packets to prevent exceeding the TCP window size. The VPN 3000 was not properly cleaning up this data flow and would result in a slow memory leak.
•
SNMP v2 traps generated by the VPN Concentrator use UDP port '0' as the source port, which might not work if devices such as a firewall block any traffic which has '0' as source port.
•
Downloadable ACLs with more than 10 entries from ACS are applied on the VPN Concentrator in the wrong sequence.
•
RADIUS with expiry fails with VPN Concentrator 4.0.x code when Funk is being used as the RADIUS server. Release 3.0.x code works fine, and Funk RADIUS does support MSCHAPv2.
•
UID does not show up when viewing certificate details.
•
When the VPN 3000 Concentrator obtains a client address via a DHCP server, the VPN 3000 Concentrator is not passing the subnet mask back to the client.
•
Netmask is not sent to the VPN Client when the netmask is assigned from an internal user database or a RADIUS Framed-IP-Netmask attribute. If we use the group IP pool, it works fine.
•
Phase 1 rekey may fail when Phase 1 and Phase 2 are rekeying simultaneously. If the Phase 2 rekey is intiated while the Phase 1 rekey is waiting for Transaction Mode, the previous Phase 1 messages (Aggressive Mode message 3/Main Mode message 6 and Transaction Mode) are not resent.
•
The Address Pool stats page has some bogus data.
•
The VPN 3000 Concentrator may crash shortly (seconds) after the private interface's link comes up. The crash occurs during generation of the SSH server key. This crash may also occur in the SSL task.
•
Add the following data to Crashdump reports:
1) Serial Number
2) Size of RAM installed
3) Identify product (3015, 3020, 3030, 3060, 3080)
4) Identify if SEP or SEP-E installed in Hardware slots
•
Add an IP event indicating "Assigned IP address A.B.C.D already in use." This will help troubleshoot RADIUS and DHCP assigned address problems.
Caveats Resolved in Release 4.0.5
Release 4.0.5 resolves the following issues:
•
If you have an established DHCP client address on a VPN 3000 interface, and you click on Apply without changing any parameter on any of the tabs, a DHCP Release and a subsequent DHCP Discover are performed.
•
A more specific route cannot be entered in a VPN 3000 Concentrator if there a route already exists in the VPN 3000 Concentrator with the same major net.
•
A VPN 3000 Concentrator with a LAN-to-LAN session to a PIX firewall in answer-only mode might fail if you are using network lists instead of defining the networks on the LAN-to-LAN configuration page.
•
Using the built in L2TP Client on the Mac OS X 10.3 platform, the VPN 3000 Concentrator fails to connect. The VPN 3000 does not currently allow dynamic source ports during negotiation. The Mac L2TP client defaults to dynamic source ports.
•
When Renew DHCP Lease link is selected, the lease is released and a new lease is requested. This will tear down any established VPN tunnel. Instead, a request for a lease for the same address should be performed and only upon a failure should the lease be released.
•
If you configure a group with the value All the DN Fields in the DN Field drop-down list box on the IPSec tab for user authorization, the username is reversed or truncated for some IKE event messages.
•
The VPN 3000 Concentrator reset during the process of moving a SDI authentication server throughout the authentication server list.
•
Memory corruption occurred on a VPN 3030 Concentrator running Release 3.6.7 software. The log contains the following messages:
SEV=3 SYSTEM/10 RPT=47 Freeing free memory block. Ptr=034ec494, CPC1=000218e8, CPC2=00025d2c, TID=00360000
SEV=4 SYSTEM/0 RPT=185 0000: FACEDBAD 030CF9C8 031C4E40 00010000
Despite these error messages, the VPN 3030 Concentrator does not fail, so there is no crashdump file.
•
When the VPN 3000 Concentrator is in a Scheduled Reboot stage with the "Wait for sessions to terminate, don't allow new sessions" option set, the VPN 3000 still allows WebVPN sessions to be established. It should not. If WebVPN sessions are established, they prevent the reboot from taking place.
•
The VPN 3000 Concentrator event IKE/124 is misleading for R_U_THERE failure. The VPN Concentrator expects the DPD sequence number to be greater than the previous sequence number. The initial sequence number is supposed to be a randomly generated number.
While interoperating with a Model 831 hardware client, the following event occurred when the Model 831 hardware client attempted to connect to the VPN 3000 Concentrator:
588 01/19/2004 20:17:41.750 SEV=5 IKE/124 RPT=98 address
Group [group]
Received DPD sequence number 0x0 in R_U_THERE, expected 0x0The Model 831 hardware client repeatedly sent a "random" number of 0 as the initial sequence number, and the VPN 3000 Concentrator correctly rejected the connection, but the event message is misleading. The event should say:
Received unexpected DPD sequence number %d in R_U_THERE.
Next expected sequence number should be greater than %d.•
The VPN 3000 Concentrator software requires 1MB of of free flash for WRITE operations (Savelog + Config). Release 4.1.3 optimizes this operation, not based on reserving flash space, but by gracefully terminating the WRITE operation task and allowing the HTTP(S) task to continue operating.
•
When the first IKE proposal is configured to utilize XAUTH with certificates, the VPN 3000 prompts the client for login credentials even though authorization has failed. When the first IKE proposal is not configured to utilize XAUTH, the VPN 3000 does not present the client with a login prompt. However, this causes other clients who do use XAUTH to fail to connect.
•
The VPN 3000 Concentrator's LDAP authorization needs to support IETF and Microsoft RADIUS attributes (for example, Framed-IP-Address, Class).
•
After upgrading to 4.0.4.B, the VPN 3002 Hardware Client PPPoE client can no longer connect when LCP authentication is CHAP.
•
User setting of maximum connect timeout (under general tab) is not saved after applying and saving. If the same user is edited, the settings made earlier are gone and the setting has reverted to the default of inheriting the maximum connect timeout from the group settings.
•
A VPN 3000 using Release 4.0.4.B, sends a gratuitous ARP with the real MAC address and own IP address, which is also the VRRP address, after rebooting the VPN 3000 Concentrator.
•
Add User ID (UID) as an option for DN Field authorization in the IPSec tab of Configuration | User Management | Groups | Modify.
•
If a rule is created for certificate group matching and set to Base Group, the VPN 3000 Concentrator succeeds in matching the rule; however, it fails to push the connection to the base group. Instead the VPN 3000 Concentrator looks for a group that is named as the "IP address" of the client attempting to make the connection, and failing to find such group, eventually fails the connection.
•
User ID (UID) was added as an option for DN Field authorization in the IPSec tab of Configuration | User Management | Groups | Modify. Therefore, UID has been added for the DN Field under Configuration | Policy Management | Certificate Group Matching | Rules | Add & Modify.
•
Improve the memory.txt file by adding System Name, RAM Size and Time/Date.
•
The VPN 3000 Concentrator does not properly handle a State attribute which contains a zero octet. The VPN 3000 Concentrator is incorrectly treating the zeroes as a string terminator.
•
The VPN 3000 Concentrator sends an Invalid SPI Notify message with protocol ID = 1 (IPSEC_DOI_PROTO_ISAKMP) when it receives ESP packets with unkown SPI from an authenticated peer. This may cause a black hole situation until lifetime expiration, if the peer device is IOS router.
•
When you use the FTP "mget" command from the VPN 3000 Concentrator, the filelist parameter is ignored and all files are downloaded instead of what you selected.
•
When the VPN 3000 Concentrator rekeys an SA and the peer device's IP address has changed, the old SA is torn down and the VPN 3000 Concentrator reports the reason for termination as, "User Requested." It would be more clear to report the reason for termination as "Peer Address Changed."
•
The VPN 3000 hangs after receiving a malformed "reject" packet from an external SECURE-IT 3000 RADIUS server.
•
An IPSec P2 race condition can cause an invalid SPI and rekey issue. The race condition may appear with short rekey intervals and network loss/latency. The condition may occur when the two sides attempt to rekey at the same time.
•
Concentrator reboots when authenticating users via a Kerberos server.
•
Improve the event message when importing a certificate with an unsupported key size. Currently, the message says, "Unable to install trusted certificate." It should say, "Unsupported Key Size."
•
The VPN 3000 running Release 4.0.4.B software returns ACCT-DELAY-
TIME values in tenths of a second, causing them to appear as tenfold that which is expected.Caveats Resolved in Release 4.0.4.B
Release 4.0.4.B resolves the following issues:
•
The VPN 3002 CLI, Administration | Access Rights | Administrators menu displays the ISP user instead of the monitor user. But the GUI displays the monitor user. Logon to the GUI using a monitor account fails. Logon to the GUI using an ISP account succeeds, but you can still change the config through the quick configuration. If the VPN 3002 has this problem, it's always there; if the VPN 3002 does not have this problem, it never happens, no matter which version of the code is in use.
•
The VPN 3000 Concentrator does not automatically add routes for more than one remote LAN. You must enter static routes for each additional remote LAN on the VPN 3000 Concentrator.
•
Cisco VPN 3000 Concentrator implementation using RSA/Ace 5.0.3 Agent API does not work for cross realm authentications. The ACE/Server sends a downgrade request to the agent. This is meant to be interpreted by the agent to generate a v2 authentication request with a v5 header. The VPN Concentrator actually downgrades and sends a full v2 request. The ACE/Server then fails the request because it appears that this is a v2 agent, which needs acting primary/secondary.
•
Using Release 3.6.8 or 4.0.3, when we clear the check box for "Enable Telnet/SSL" at Configuration | System | Management Protocols | Telnet, the check box is filled after reloading the VPN 3000 configuration.
•
The Filter Rule Copy from the HTML does not copy the network list from the old rule to the new rule.
•
The VPN 3000 Concentrator slowly runs out of memory when processing a DCHP Inform message from an L2TP or PPTP client with Network Lists and DHCP Intercept enabled. The size of the memory block that is not released varies, based on Network List size.
•
Two PIX501 (EZ VPN Clients) behind Linksys devices (with same DHCP pool) disconnect during IKE rekey. In this case, the PIXes keep trying to bring up public-to-public IPSec SA's (tearing down the others). The PIX establishes a new IPSec SA on the new IKE SA. The up and down causes the deletion of the IKE.
Note
Caveats Resolved in Release 4.0.4.A
Release 4.0.4.A resolves the following issues:
•
Each IKE rekey for main mode (that is, using digital certificates) fails to release a 64-byte memory block, eventually causing the device to fail.
•
With Release 4.0.4 only, the VPN 3000 Concentrator removes RRI routes from NEM connections after a re-key.
Caveats Resolved in Release 4.0.4
Release 4.0.4 resolves the following issues:
•
In Release 4.0.1, denying certain PINs with RSA SecurID is not functioning (for example, denying alphanumeric PINs or those based on PIN length).
•
VPN 3000 Concentrator failed due to a malformed PPP IP Control Protocol message.
•
The VPN 3000 Concentrator passes a blank username/password to an authentication server.
•
The VPN 3000 Concentrator does not support ReadOnly community strings. All community strings are considered Read/Write.
For security reasons, the VPN 3000 should not support remote SNMP sets. If you rely on this feature, contact Cisco TAC.
•
Kerberos support for 3DES/SHA not functioning.
•
The ifType (1.3.6.1.2.1.2.2.1.3) for the VPN 3000 Concentrator FastEthernet interfaces is reported as 7 (iso88023Csmacd). Per IANA, ifType 7 was deprecated via RFC-draft-ietf-hubmib-etherif-mib-v3. IfType 6 (ethernetCsmacd) should be used instead.
(See ianaiftype-mib and RFC 2665):
http://www.iana.org/assignments/ianaiftype-mib
http://www.ietf.org/rfc/rfc2665.txt?number=2665
The wrong ifType might confuse some NMS systems, as they are expecting ifType=6 for Ethernet interfaces.
•
Master VPN 3000 Concentrator's interfaces are "Master" after a reboot, even though one of the interfaces is Down. This occurs on VPN 3030/VPN 3080 Concentrators using software revisions 3.6.8 and 4.0.1.C
•
The command snmpget to certain OIDs might cause the VPN 3000 Concentrator to fail. This happens only if the snmpget is sent to the private interface and the community string is correct.It has occurred for software versions 4.0.1 and 4.0.2.
•
The AUTH login message for SNMP says user "Unknown". This should be user "SNMP".
•
Some cable modems, if they loose their broadband signal, issue the IP address 192.168.1.11 address via DHCP. When this happens and the VPN 3002 accepts this address, the VPN 3002 uses the 192 address in its IKE negotiations.
The result is a tunnel that cannot pass traffic. You see from the central site Concentrator what looks like a functional tunnel with no RX bytes and no private-to-private SA.
•
New pin mode for user authentication to SDI server via RADIUS not working.This issue was introduced in Release 4.0.3.REL.
•
The VPN3000 might fail while displaying Memory Statistics.
•
A VPN 3000 Concentrator accepts NEM PIX 501 connections with split tunneling enabled. After a period of time, the VPN Concentrator shows high cpu usage, eventually dropping connections due to dead-peer-detection (dpd) loss.
PIX NEM connections are more frequently affected than others due to their low default dpd interval. All others, however, are occasionally affected.
Workaround:
Disable split tunneling or increase the dpd interval.
Caveat Resolved in Release 4.0.3
Release 4.0.3 resolves the following issue:
•
L2TP and PPTP connections to VPN 3000 Concentrator Release 4.0.2 causes the VPN 3000 Concentrator to fail.
Caveats Resolved in Release 4.0.2
Release 4.0.2 resolves the following issues:
•
Attempting to delete a file from an ftp session into the VPN 3000 Concentrator fails and terminates the ftp session.
•
When editing a LAN-to-LAN orig-only record by adding more peers to the list the following event appears in the event log:
23 10/23/2002 13:44:20.410 SEV=4 BMGT/29 RPT=1
Attempting to specify an Aggregate Group reservation [961150977 bps] on Group [group-name] Interface [2], which is outside the range of a minimum of [8000 bps] to a maximum of [100000000 bps]. (Note: The true maximum depends on the interface link rate to which the group is applied.)
Bandwidth management was not enabled at all on the interface or group.
•
A customer connects from a VPN 3002 Hardware Client configured as a PPPoE client to a VPN 3000 Concentrator using a service provider. According to the customer, this configuration was working fine until recently, when the provider changed on their side to use PAP instead of MS-CHAP v1 for PPPoE authentication. Debugs from the VPN 3002 show the following authentication error:
Conn Id 1 : PPP_AuthLogErr() illegal fsm event received.
The customer sees same behavior whether they use Release 3.6.3, 3.6.1, or 3.5.5.
•
In IP packets that have the TOS field set, such as in VoIP and QOS applications, the TOS field is not copied into the IPSec packet header when it is tunneled. The packet is then treated like other IP traffic while encapsulated.
•
The Ping command under "Actions" on the LAN-to-LAN sessions screen refreshes the screen instead of stating whether the tunnel is active.
•
On the Ethernet 2 (Public) interface, if the checkbox "Public Interface" is not selected, then all IPSec over TCP connections cannot be initiated to the VPN 3000 Concentrator, although all IPSec over UDP initiations work fine.
•
When using VPN 3000 Concentrator software Release 3.6.2, the CRL check bind request does not send the login ID/password combination. Anonymous login is successful, however.
•
When a backup SEP-E fails over to Software, the Activity LED and Status LED stay green, even though the SEP-E is no longer operational.
•
A VPN 3000 Concentrator, using the external interfaces on parallel VPN Concentrators with DHCP relay enabled, might fail to free message buffers. This could prevent new connections and possibly cause the device to fail.
•
VPN 3000 Concentrator SDI AUTH/64 events appear in the log when a backup server is not defined. This is a cosmetic message.
•
A VPN 3000 Concentrator running Release 3.6.7.C has a problem generating the XML file from the XML export if the VPN Concentrator has more than 15 LAN-to-LAN tunnels configured.
•
A third-party VPN client connects to a VPN 3000 Concentrator and proposes a shorter Ipsec SA lifetime than what is configured on the VPN Concentrator (proposed 1 hour; but the VPN Concentrator is configured for a lifetime of 8 hours). The display indicates that the VPN Concentrator uses the configured 8 hours instead of the proposed 1 hour. This is a display problem only. The rekey still occurs at 1 hour.
•
The User [user], Group [group] event log message for a client disconnect is separated by comma in Release 3.6.7 and later code. In the code before Release 3.6.7, this comma was not present and the User [user] Group [group] event log message was separated with a space tab format.
•
Under the Group IPSec tab, the Confidence Interval option shouldn't say Easy VPN Client only, because that option also exists for the Site-to-Site tunnels. The current text is confusing and seems to be a valid option only for Remote Access clients.
•
Configuration errors might occur when downgrading from Release 4.0 to 3.x. Be sure to backup your current configuration before upgrading to Release 4.0. Failure to do so might prevent you from being able to seamlessly revert back to Release 3.x.
•
When using multiple static CRL servers, if the first server fails without being taken off-line, the subsequent searches also fail.
•
A VPN 3000 Concentrator sends VRRP messages on the Public interface after system shutdown. This occurs with software Releases 3.6.7C, 3.6.7D, and 4.0.
•
NAT-T or UDP keepalive packets are sent out the Private interface if the Public interface checkbox is not checked on the Public interface.
•
On a VPN 3000 Series Concentrator running Release 3.x or 4.x, when you click on a LAN-to-LAN session to get more detailed information under Monitoring | Sessions (HTTP management console), there is a hyperlink on the top called "Back to Sessions". This link redirects you incorrectly to Administration | Administer Sessions and not back to the Monitoring | Sessions section.
•
With the VPN 3000 Concentrator running Release 3.6.7.C or 4.0, the VPN 3002 Hardware Client deletes the existing tunnel upon receiving a malformed IKE packet from an unknown source.
•
Clicking Cancel in the bandwidth policy and returning to the same screen from the same frame gives confusing output.
If the administrator goes into the group's bandwidth policy via the right frame after clicking Cancel while editing the same policy, the indicator None is displayed, although the running config contains some policy.
•
A VPN 3000 Concentrator running Release 3.6.7 and using L2TP over IPSec with EAP-TLS AND L2TP compression stops encrypting traffic after 2-3 hours, but the connection stays up.
•
VPN client can't connect using cTCP to the virtual address in the VPN 3000 Series Concentrator using load balancing following a reboot. This issue occurs only in Releases 3.6.7.F, 3.6.7.G, 4.0.1 and 4.0.1.A.
•
During the TFTP upgrade of a VPN 3000 Concentrator from Release 3.6.7 to Release 4.0, reboot occurs when the word "no" is typed instead of N for the question "Reboot now? (Y/N) [Y]".
•
The VPN 3000 Concentrator supports IPSec rekeys by time, volume, both, or none. The VPN 3000 Concentrator does not send a rekey attribute when it is not involved. This introduces the possibility of one side being configured for time and the other for data. In this case, the responder rekeys on both, but it does not inform its peer of its rekey requirements.
This is not a issue when interoperating with PIX or IOS, because they support only rekey on both. The VPN 3000 Concentrator should send its rekey requirement even if its peer does not have that requirement.The VPN Client software does not support rekey by data and ignores this requirement.
•
VRRP and IPSec over TCP might not work in 3.6.7F and 4.0.1. They work in Release 3.6.3.
•
With a VPN3002 using PPPoE, the TCP packets from behind the VPN3002 must have their MSS adjusted for split-tunneling. If the TCP MSS is not adjusted to the MTU, the MSS negotiated in the TCP session exceed the MTU for the PPPoE session. The problem occurs when the IP packets DF bit is set. This could prevent the packet from reaching the PC behind the VPN3002.
If the MSS is adjusted, the packet fixes in the PPPoE tunnel and does not require fragmentation.
•
VPN 3000 Concentrator software does not have a Time Zone for Adelaide and Darwin (GMT+9:30).
•
RRI support does not work properly for hardware clients in network extension mode that do not support sending an application version to the VPN 3000 Concentrator.
•
Using Release 4.0.1, the VPN 3000 Concentrator appends, as expected, the configured REALM when it sends the authentication request to the Windows 2000 Kerberos server when a user uses "joe" as a username.
However, when, for example, a username like "joe.blocks@domain.com" is used, the VPN 3000 Concentrator does not append the configured REALM. The VPN 3000 Concentrator assumes the string after the @ in the user name is a user specified Realm.
Depending on how you configure the username and on how the end user enters his or her username with a domain (for example, "joe.blocks@domain.com"), you might need to turn on "Strip Realm" within the group. If the user is defined in the Active Directory as username "Joe.Block" and principal name suffix as "@domain.com", then you should enable "Strip Realm". If the user is defined in the Active Directory as username "Joe.Block@blahblah.com" and the principal name suffix as "@domain.com", then you should disable "Strip Realm".
When testing the authentication server, the Strip Realm function works only if the server is defined under the group (that is, not globally).
•
Using a VPN 3060, running either Release 3.5.5 or 3.6.7.F, when we set VRRP and Master VPN's private interface fails, switchover delay happens at Backup VPN, so we cannot communicate end-to-end.
•
In Release 4.0.1.A, when configuring long static CRL Distribution Points, some of the text would truncate into the Login DN field. This could affect the LDAP Distribution Point authentication process.
•
Customer requests more than 200 routes to be supported with a 3005 w/ 64MB.
•
Issues related to freeing buffers in memory cause the VPN 3000 Concentrator to fail.
•
VPN Hardware Client 3002-8E models continuously reboot if the public interface's link is down when the unit boots.
•
When using Kerberos/Active directory authentication to a Windows 2000 Active Directory, If the user is defined in the Active Directory as username "user" and has the principal name suffix "@domain.com", then you should enable "Strip Realm" and make sure the authentication server is defined in a group.
•
Using release 4.0.1A or 4.0.1B, pinging from the VPN 3000 Concentrator under the Administration page of the management GUI to the peer's network does not initiate any IPSec tunnel negotiation. Using the same configuration, a ping from the VPN Concentrator builds the tunnel with the peer if we downgrade to Release 4.0.1 or 3.X. (the VPN Concentrator's private address is in the list of traffic to be encrypted, as defined in the IPSec LAN-to-LAN configuration).
•
A VPN 3000 Concentrator running Release 3.6.7 cannot decode the objects in the CA certificate or in the client certificate.
The VPN 3000 Concentrator accepts the CA certificate and the certificate for the Concentrator, but it shows the Subject and Issuer as Unknown. When the client connects, it always ends in the Base group, not in the group matching the OU or the group matching the configuration.
•
