Table Of Contents
Troubleshooting
Support Information
Collecting Troubleshooting Information
How do I provide the TAC with support information?
Using the mdcsupport utility
Installation and Upgrade Issues
What operating systems are supported?
Is Windows 2000 or Windows 2000 Advanced Server Supported?
Does the system require a valid DNS entry?
What other Cisco software is required for me to run Firewall MC?
Are there any known problems when installing on a system that has Terminal Services running in Remote Administration mode?
Are there any known problems when installing on a system that has Terminal Services running in Application Server mode?
What are the known issues with installing on a system that has Microsoft IIS running?
What are the known issues with installing on a system that has any other type of server software running?
Can I upgrade to Firewall MC 1.2 from a previous version?
What happens to my AAA roles during an upgrade from a previous version of Firewall MC?
Why must the user who is installing the Common Services software enter a password?
What users may install Firewall MC, and why?
Authentication Issues
What should I do if I receive a blank screen after switching between AAA services?
How do I determine what username and password are used to perform the different operations?
Firewall MC authenticating with an AUS
Firewall MC/AUS authenticating with a PIX Firewall
Changing the enable password
Changing to AAA authentication
PIX Firewall authenticating with an AUS
How can I verify my login role privileges?
Why am I having trouble switching between CiscoWorks Server and TACACS+?
Device Import Issues
Why does the error message "No version found in the text" appear when I try to import a configuration file?
How do I set up a CSV file from which to import multiple configuration files?
After importing an AUS-enabled device, I try to deploy and get the following error: "Incomplete Auto Update Server contact info." Why can't I deploy to AUS?
Activity and Job Management Issues
How do I unlock an activity?
Why do I get the error message "Scope already locked by activity name" even though my activity is in the Edit_Open state?
Why am I unable to open an activity I previously added and opened?
How do I stop a job from being deployed?
How do I remove activities from Firewall MC?
Generation and Deployment Issues
If a deployment fails, what must I do to deploy the remaining devices?
How can I deploy a configuration file that uses conduits?
How do I know what rules will apply for a firewall device when I am ready to generate a configuration file?
Why did I get a credential error when I tried to deploy a device to the AUS?
Why isn't Firewall MC communicating with the AUS?
Why doesn't my device get updated when I deploy to the AUS?
How do I determine device deployment status after canceling a deployment to an AUS?
Why am I getting "Failed to contact host: 0.0.0.0" when deploying?
Web Client Issues
Why does Internet Explorer hang after trying to close a dialog box?
Why do other applications hijack my Internet Explorer windows?
What should I do if the Firewall MC server won't respond?
What should I do if some services fail to start?
Why isn't Firewall MC available during a checkpoint and how can I control when a checkpoint occurs?
What do I do after I get a logout error message number 500?
Why am I getting the "Error 404: Page not found" message?
Policy Rule Definition Issues
How can I see my global and default rules while I am defining rules on my devices?
The default setting ensures that global settings are inherited by all children. How do I change this?
How are my rules ordered?
Can I move rules after they are inserted in a rule table?
Why aren't certain rules in the rule table mapping to rules in the generated command sets?
How can I see all rules that will be deployed to a device?
I changed a global rule and need to regenerate all of my device configurations before they can be deployed. Can I select devices to deploy instead of deploying all of them at once?
How can I use Firewall MC and a firewall device to keep common worms from accessing my network?
SSL Issues
The access rules applet does not load after enabling SSL for CiscoWorks2000 desktop.
Why do I get the error message "SSL: No encryption support" when I try to start PDM?
How do I change the SSL certificate?
Troubleshooting
The following categories organize topics that will help you troubleshoot Firewall MC:
• Support Information
• Installation and Upgrade Issues
• Authentication Issues
• Device Import Issues
• Activity and Job Management Issues
• Generation and Deployment Issues
• Web Client Issues
• Policy Rule Definition Issues
• SSL Issues
Support Information
This section organizes those topics that help you gather troubleshooting information and determine general points of failure.
• Collecting Troubleshooting Information
• How do I provide the TAC with support information?
• Using the mdcsupport utility
Collecting Troubleshooting Information
Cisco Technical Assistance Center (TAC) personnel might ask you to submit system configuration information when you submit a problem report. This information assists them with diagnosing the reported problem. You can collect this troubleshooting information in one of two ways:
• By selecting Admin > Support in the Firewall MC user interface.
• By using the MDCSupport.exe command-line utility.
Both options collect configuration and system information in a .zip file, called MDCSupportInformation.zip.
Note
Generate this file only if it is requested.
By default, the MDCSupportInformation.zip file is placed in the <installation_location>/CSCOpx/MDC/etc directory, where <installation_location> is the drive and directory in which you installed CiscoWorks Common Services (for example, c:\Program Files).
The MDCSupportInformation.zip file consists of:
• Database files.
• Configuration files.
• Apache configuration and log files.
• Tomcat configuration and log files.
• Installation, audit, and operation log files.
• The CiscoWorks Common Services Registry subtree ([HKEY_LOCAL_MACHINE][SOFTWARE][Cisco][MDC]).
• Windows System Event and Application Event log files.
• Host environment information (operating system version and installed service packs, amount of RAM, disk space on all volumes, computer name, and virtual memory size).
Because this file collects information only about the CiscoWorks Server on which Firewall MC is running, it cannot help if a browser fails on a client computer.
Caution 
Do not run either support utility while others are using Firewall MC. The support utility uses the backup client to take a snapshot of the database. If other users are actively entering data, the contents of the support file might not reflect the latest changes. Make sure no other users are using Firewall MC before using either support utility.
How do I provide the TAC with support information?
You can generate the MDCSupportInformation.zip (or .tar) file from the Firewall MC GUI. This method is recommended; however, if you cannot access the GUI, use the mdcsupport command line utility. The default locations of the utility are:
• For Windows 2000: c:\Program Files\CSCOpx\MDC\bin
• For Solaris: /opt/CSCOpx/MDC/bin
Step 1
Select Admin > Support.
The Support page appears.
Step 2
Enter the path to the directory in which to store the support file you generate. You can click Browse to navigate to the directory.
Step 3
Click Execute.
The Support Tools window opens and prompts you that the file is being generated. You can click Refresh to update the display. You are prompted when the process is complete.
• For Windows 2000: the filename is MDCSupportInformation.zip.
• For Solaris: the filename is MDCSupportInformation.tar.
Caution 
We recommend that you rename the file for your own purposes. If you generate another support file in the same directory, you will overwrite the previously generated file.
Using the mdcsupport utility
Each time you run the mdcsupport utility, the previous MDCSupportInformation file is overwritten. You can change the output location for the file by supplying the desired drive and path as an argument to the mdcsupport utility.
• For Windows 2000: the filename is MDCSupportInformation.zip.
• For Solaris: the filename is MDCSupportInformation.tar.
Additionally, the utility runs any support utilities that were installed and registered by client applications. The output from the client application support utilities is included in the file.
Step 1
From the CiscoWorks Common Services server, enter mdcsupport at the command prompt. To change the location in which to create the MDCSupportInformation file, enter mdcsupport <drive and path information> at the prompt.
Caution 
After you receive the message Database backup completed, the prompt does not return for approximately 10 seconds. Do not close the command prompt window before the prompt returns. If you close the window before the prompt returns, the mdcsupport utility fails and will not operate properly until you uninstall and reinstall the product.
Step 2
If you are asked to do so, submit the resulting .zip or .tar file to TAC. The TAC representative provides the method and location.
Installation and Upgrade Issues
The following topics contain helpful information for troubleshooting installation and upgrade issues in Firewall MC.
• What operating systems are supported?
• Is Windows 2000 or Windows 2000 Advanced Server Supported?
• Does the system require a valid DNS entry?
• What other Cisco software is required for me to run Firewall MC?
• Are there any known problems when installing on a system that has Terminal Services running in Remote Administration mode?
• Are there any known problems when installing on a system that has Terminal Services running in Application Server mode?
• What are the known issues with installing on a system that has Microsoft IIS running?
• What are the known issues with installing on a system that has any other type of server software running?
• Can I upgrade to Firewall MC 1.2 from a previous version?
• What happens to my AAA roles during an upgrade from a previous version of Firewall MC?
• Why must the user who is installing the Common Services software enter a password?
• What users may install Firewall MC, and why?
What operating systems are supported?
The operating systems supported in VMS 2.2 are Windows 2000 Professional and Windows 2000 Server. The full list of prerequisites is documented on this page:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/5steditn/jg_win/prereq.htm
Is Windows 2000 or Windows 2000 Advanced Server Supported?
Neither is supported. We have done some basic testing on these platforms; however, because they have not undergone complete testing throughout product development, we do not recommend that you install Firewall MC or VMS on them.
Does the system require a valid DNS entry?
A valid DNS entry is required for optimum performance. Remote access might be slow when connecting to Firewall MC without the appropriate DNS entry. To work around this problem, verify that a DNS entry has been created.
What other Cisco software is required for me to run Firewall MC?
Some version of Common Management Foundation 2.1 (CMF 2.1) or Common Services 1.0 must be installed. It can come from installing Common Services by itself or from installing the VMS 2.1 bundle from CD One 5th Edition. The software can be found at:
http://www.cisco.com/public/sw-center/sw-cw2000.shtml
Are there any known problems when installing on a system that has Terminal Services running in Remote Administration mode?
There is a known problem when installing Common Services on a system that has Terminal Services enabled in Remote Administrator mode. The current workaround is to go to Start > Settings > Control Panel > Administrative Tools > Services and manually stop or disable Terminal Services before you install Common Services. After finishing your installation, you can restart Terminal Services.
Are there any known problems when installing on a system that has Terminal Services running in Application Server mode?
There are existing problems with the Sybase SQL Anywhere database running as a service on a machine that has Terminal Services enabled in Application Server mode. These problems are outside of Cisco's control and are documented on Microsoft's website.
Under the Terminal Services Application Server Mode there is an entry for Sybase SQL Anywhere on Page 16 which reads:
Sybase SQL Anywhere
-------------------------------
When SQL Anywhere is run as a service, compatibility problems with Terminal Services may result. To avoid such problems, Sybase is currently working on a solution for this problem.
What are the known issues with installing on a system that has Microsoft IIS running?
We do not officially support Microsoft IIS because we have not tested systems running Microsoft IIS in various configurations. The most obvious problems that could occur involve resource contention. IIS tends to have an SSL-enabled server running on the default https port (443). Because Common Services and Firewall MC use this port for their webserver, a race condition occurs every time the system is rebooted. In cases where Microsoft IIS wins, any application that uses the Common Services webserver is not operational.
What are the known issues with installing on a system that has any other type of server software running?
VMS and Firewall MC are not tested in every possible combination of software and services. Any problems resulting from other programs should only be in relation to resource contention, which either results in degraded performance (CPU/Memory related), or error messages and a broken VMS installation (port related).
For the port problems, the VMS installation script contains dialog boxes that allow you to change the various ports. The dialog boxes display the initial default value, which is used if you do not make changes. Other ports that are used, which you are not allowed to change, are:
• 443 - SSL port for Common Services webserver.
• 1751 - Normal port for Common Services webserver.
• 1741 - Normal port for CMF webserver.
• 1742 - SSL port for CMF webserver (only used if the desktop itself is in SSL mode).
Other ports that are related to VMS and Firewall MC are:
• 42343 - JRun servlet engine.
• 57860 - JRun administration.
• 42340 - CiscoWorks2000 Daemon Manager.
• 10032 - Tibco port for Common Services.
• 8007 - Tomcat communications port to Apache webserver.
• 8009 - Tomcat communications port to Apache webserver.
A list of ports used by Common Services and Firewall MC is located in the installation guides located at:
http://cisco.com/en/US/products/sw/cscowork/ps3992/prod_installation_guides_list.html
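As an added check that is not part of the Firewall MC documentation or of Cisco's installer, the following Python script probes the fixed and related ports listed above before an installation, so that a conflict such as IIS already holding port 443 is found before it breaks the Common Services webserver. The port roles come from the list above; the probe method (attempting a TCP bind on each port) and the hold_port demonstration helper are this example's own.

```python
import errno
import socket
from typing import Dict, Iterable

# Added example (not Cisco's tooling): before installing Common Services and
# Firewall MC, report which of the ports the documentation lists are already
# owned by another service on this host (for example IIS holding 443).

# Ports the installer does not let you change, from the troubleshooting text.
FIXED_PORTS = {
    443: "SSL port for Common Services webserver",
    1751: "Normal port for Common Services webserver",
    1741: "Normal port for CMF webserver",
    1742: "SSL port for CMF webserver (desktop SSL mode only)",
}

# Other ports related to VMS and Firewall MC, also from the text.
RELATED_PORTS = {
    42343: "JRun servlet engine",
    57860: "JRun administration",
    42340: "CiscoWorks2000 Daemon Manager",
    10032: "Tibco port for Common Services",
    8007: "Tomcat communications port to Apache webserver",
    8009: "Tomcat communications port to Apache webserver",
}


def probe_port(port: int, host: str = "0.0.0.0") -> str:
    """Try to bind a TCP socket on host:port and classify the outcome.

    "in use" is the conflict case the documentation warns about. Binding a
    port below 1024 needs administrative rights on most systems, so that case
    is reported separately rather than mistaken for a conflict.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return "free"
    except OSError as err:
        if err.errno == errno.EADDRINUSE:
            return "in use"
        if err.errno in (errno.EACCES, errno.EPERM):
            return "needs privileges to probe"
        return f"error: {err.strerror}"
    finally:
        probe.close()


def check_ports(ports: Iterable[int], host: str = "0.0.0.0") -> Dict[int, str]:
    """Map each port to its probe_port() status."""
    return {p: probe_port(p, host) for p in ports}


def conflicts(host: str = "0.0.0.0") -> Dict[int, str]:
    """Fixed ports already in use, with the Common Services role each one
    has; any entry here means a broken webserver after the next reboot."""
    status = check_ports(FIXED_PORTS, host)
    return {p: FIXED_PORTS[p] for p, s in status.items() if s == "in use"}


def hold_port(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Demonstration helper: open a listener (port 0 lets the OS pick a free
    port) and return it so the caller can probe that port while it is held."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, port))
    holder.listen(1)
    return holder


if __name__ == "__main__":
    taken = conflicts()
    if taken:
        for port, role in sorted(taken.items()):
            print(f"port {port} in use: {role}")
    else:
        print("no conflicts on the fixed ports")
    for port, status in sorted(check_ports(RELATED_PORTS).items()):
        print(f"port {port} ({RELATED_PORTS[port]}): {status}")
```

Run it as the account that will perform the installation; a "needs privileges to probe" result on 443 means the check itself lacked rights, not that the port is taken.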
Can I upgrade to Firewall MC 1.2 from a previous version?
To upgrade from a previous version, install version 1.2 on the system that has the older version. The upgrading procedure automatically detects the previous version. You are prompted to reinitialize your database or retain the existing database. If you choose to keep your existing data, the upgrade framework converts the data to be compatible with the new version. The same happens if you back up your previous Firewall MC database and restore it in Firewall MC 1.2.
What happens to my AAA roles during an upgrade from a previous version of Firewall MC?
If you do not unregister Firewall MC from ACS before you upgrade, your ACS role settings are retained and you will be required to make changes directly through the ACS user interface. If you do unregister Firewall MC and then upgrade, you must reregister with ACS, and Firewall MC will use the new settings as its default.
The changed files are pixmdc_cmfrolemap.xml and acsroles.xml.
Why must the user who is installing the Common Services software enter a password?
The FMS and LM services that Common Services installs encrypt some information in a way that requires administrator access to operate. This also means that the Tomcat and Device Agent Framework processes must be logged on as the same user to allow correct communication between all four services. You can see this setting in the Services control panel under the Log On As column.
What users may install Firewall MC, and why?
The same user who installed Common Services must install Firewall MC. Firewall MC uses the FMS and LM services that are tied to the user and password. If another user installs Firewall MC, or the original user's password changes between installing Common Services and Firewall MC, then the database fails to initialize correctly and the user gets the following error message when trying to use Firewall MC:
"Error: The scope is set back to Global"
To fix this, the original user must reinstall Firewall MC, and then reinitialize the database.
Authentication Issues
The following topics contain helpful information for troubleshooting authentication issues in Firewall MC.
• What should I do if I receive a blank screen after switching between AAA services?
• How do I determine what username and password are used to perform the different operations?
• Firewall MC authenticating with an AUS
• Firewall MC/AUS authenticating with a PIX Firewall
• Changing the enable password
• Changing to AAA authentication
• PIX Firewall authenticating with an AUS
• How can I verify my login role privileges?
• Why am I having trouble switching between CiscoWorks Server and TACACS+?
What should I do if I receive a blank screen after switching between AAA services?
Restart the CiscoWorks Daemon Manager by selecting Start > Control Panel > Services.
How do I determine what username and password are used to perform the different operations?
A username and password are needed for:
• Firewall MC to authenticate with an AUS (shown as deploy to AUS in the Firewall MC user interface).
• Firewall MC to authenticate with a PIX Firewall (shown as direct to device in the Firewall MC user interface and also used for the Immediate Auto Update feature).
• PIX Firewall to authenticate with an AUS (to support the Auto Update feature).
Firewall MC authenticating with an AUS
Before Firewall MC can deploy to an AUS, Firewall MC must authenticate itself to the AUS with a username and password. The username is based on authentication type (CiscoWorks or ACS), and the password is the one assigned for that username. The username and password used for this purpose are excluded from the configuration file.
• For CiscoWorks—Username must be assigned the roles of system administrator or network administrator.
• For ACS—Username must be assigned the role of API_Writer.
To check AUS username and password settings on Firewall MC, select Configuration > Device Settings > Auto Update Server > Device AUS Settings.
Tip
Although the password is not visible when you are viewing the page, you can reenter the password to make sure it is set correctly.
Firewall MC/AUS authenticating with a PIX Firewall
Before Firewall MC can deploy to a PIX Firewall, Firewall MC must authenticate itself to the device. When Firewall MC deploys directly to a device, you can use the enable password with an empty username (username field is blank) or a AAA authentication username and password, depending on the setting on the target PIX Firewall.
Note
For Firewall MC and a PIX Firewall to communicate, you must configure https in Firewall MC. See Configuring HTTPS (SSL), page 8-32.
To check for the PIX Firewall username and password settings on Firewall MC, select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.
The device contact information might change when you deploy a new configuration file; for example, the configuration file being deployed sets a new enable password. To allow for this, the Firewall MC user interface supports current and future contact information.
Note
• If you are using AAA for authentication, you must complete the username and password fields. If you are using the enable password for authentication, you enter only the password. Leave the username blank.
• If the PIX Firewall configuration file was imported directly from a device or a CSV file, the current username and password are entered automatically.
Changing the enable password
To change the enable password, select Configuration > Device Settings > Firewall Device Administration > Password. If the target configuration file uses the enable password to authenticate HTTP communication, make sure you set the current password and future password. To set the current and future password, select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.
Changing to AAA authentication
You can change from an enable-based HTTP authentication to AAA HTTP authentication. Make sure the HTTP console setting is enabled and one AAA server is configured. To check the console setting in Firewall MC, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.
Next, set the AAA future username and future password settings. To set the future username and password, select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.
Note
To configure a AAA server, you must use the building blocks feature.
PIX Firewall authenticating with an AUS
Before an AUS can communicate with a PIX Firewall, you must bootstrap the PIX Firewall, which sets up the firewall with the minimum configuration needed. For the PIX Firewall to contact the AUS initially, settings on the AUS must match those used to bootstrap the PIX Firewall.
To check the PIX Firewall username and password settings that an AUS uses to enable auto update, select Configuration > Device Settings > Auto Update Server > Server and Contact Information.
The username and password settings are applied to the PIX Firewall configuration file. The configuration file is updated at the time of deployment and auto update becomes enabled.
Note
Be sure that you are at the specified device level before making any authentication changes.
How can I verify my login role privileges?
If you receive an authentication error when trying to perform a task, verify your login role privileges.
Note
This procedure assumes you are using CiscoWorks Server as your method for user authorization. You must have Administrator privileges to perform the following task.
Step 1
Select Server Configuration > Setup > Security > Permissions Report from the CiscoWorks Server desktop.
Step 2
Scroll to Firewall MC to view login roles.
Step 3
Change the user role if needed. After changing a user role, you must log out, then log in to CiscoWorks Server.
For more information regarding login roles, see "Understanding User Roles and Permissions."
Why am I having trouble switching between CiscoWorks Server and TACACS+?
When you change between CiscoWorks Server and TACACS+ authentication, you might not be able to manage the same activities and jobs. This occurs when you have different privileges in the two authorization systems. Affected operations include opening, closing, submitting, approving, and deploying; the screens a user can view can also be affected.
To work around this problem, approve or undo activities that are not in the approved or discarded state before changing the authentication scheme. Also, approve and deploy or undo jobs that are not complete.
Device Import Issues
The following topics contain helpful information for troubleshooting import issues in Firewall MC.
• Why does the error message "No version found in the text" appear when I try to import a configuration file?
• How do I set up a CSV file from which to import multiple configuration files?
• After importing an AUS-enabled device, I try to deploy and get the following error: "Incomplete Auto Update Server contact info." Why can't I deploy to AUS?
Why does the error message "No version found in the text" appear when I try to import a configuration file?
When you import configuration files, make sure the imported file references an image version at the beginning of the file, using either of the following forms:
:! PIX Version 6.n(n) (a comment immediately following an exclamation point)
or
PIX Version 6.n(n)
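The following Python checker, added here and not part of Firewall MC, applies the same header rule before you attempt an import: it accepts both forms above and, going beyond this question, also reports whether the version meets the PIX 6.2 minimum that Auto Update Server deployment requires. The five-line scan window standing in for "the beginning of the file", the function names, and the sample configurations are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Added example (not part of the Firewall MC documentation): checks a PIX
# configuration file for the image-version line that the importer requires.
# Firewall MC accepts the version either as a plain "PIX Version 6.n(n)" line
# or as a comment ":! PIX Version 6.n(n)" at the beginning of the file.
# Assumption: the documentation does not say how many leading lines count as
# "the beginning", so this checker scans the first HEADER_LINES lines.
HEADER_LINES = 5

# Matches "PIX Version 6.3(1)", optionally preceded by the ":!" comment marker.
# Groups: major, minor, build.
VERSION_RE = re.compile(
    r"^\s*(?::\s*!\s*)?PIX\s+Version\s+(\d+)\.(\d+)\((\d+)\)\s*$",
    re.IGNORECASE,
)

# Auto Update Server deployment requires PIX 6.2 or later.
MIN_AUS_VERSION = (6, 2)


def find_pix_version(config_text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) from the version header, or None if no
    header appears within the first HEADER_LINES lines of the file."""
    for line in config_text.splitlines()[:HEADER_LINES]:
        match = VERSION_RE.match(line)
        if match:
            return tuple(int(g) for g in match.groups())
    return None


def check_import_candidate(config_text: str) -> dict:
    """Pre-import check mirroring two failure modes from the troubleshooting
    text: a missing version line ("No version found in the text") and a
    version too old for deployment through an Auto Update Server."""
    version = find_pix_version(config_text)
    if version is None:
        return {"importable": False, "version": None, "aus_capable": False,
                "reason": "No version found in the text"}
    aus_ok = version[:2] >= MIN_AUS_VERSION
    return {"importable": True, "version": version, "aus_capable": aus_ok,
            "reason": "" if aus_ok else "PIX 6.2 or later required for Auto Update"}


# Constructed sample inputs; not captured from a real device.
SAMPLE_PLAIN = """: Saved
PIX Version 6.3(1)
nameif ethernet0 outside security0
"""

SAMPLE_COMMENT = """:! PIX Version 6.2(2)
: Saved
hostname pixfirewall
"""

SAMPLE_OLD = "PIX Version 6.1(4)\nhostname pixfirewall\n"

SAMPLE_MISSING = """! exported by an unrelated tool
hostname pixfirewall
nameif ethernet0 outside security0
"""


if __name__ == "__main__":
    for name, text in [("plain", SAMPLE_PLAIN), ("comment", SAMPLE_COMMENT),
                       ("old", SAMPLE_OLD), ("missing", SAMPLE_MISSING)]:
        print(name, check_import_candidate(text))
```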
How do I set up a CSV file from which to import multiple configuration files?
You can create a CSV file with device credentials. The CSV format has one table of data with several columns. A CSV-formatted import file must contain each device's full name or IP address and read-only community string. Other information is optional. You can omit empty trailing columns and the separating commas. For more information, see Importing Multiple Firewall Configurations from a CSV File, page 7-12.
After importing an AUS-enabled device, I try to deploy and get the following error: "Incomplete Auto Update Server contact info." Why can't I deploy to AUS?
When you import a device that is configured to use an Auto Update Server, the contact information for the Firewall MC-to-AUS communication is overridden, as are all settings. Therefore, you must provide the correct information on the Configuration > Device Settings > Auto Update Server > Server and Contact Information page before you try to deploy.
You can avoid this error by defining the settings for this page at the group level, importing AUS-enabled devices into that group, and at the device level, selecting the Inherit settings from parent checkbox.
Activity and Job Management Issues
The following topics contain helpful information for troubleshooting activity and job management issues in Firewall MC.
• How do I unlock an activity?
• Why do I get the error message "Scope already locked by activity name" even though my activity is in the Edit_Open state?
• Why am I unable to open an activity I previously added and opened?
• How do I stop a job from being deployed?
• How do I remove activities from Firewall MC?
How do I unlock an activity?
To release the lock from an activity, you must either submit and approve the activity or undo the activity, which discards it from further use.
Why do I get the error message "Scope already locked by activity name" even though my activity is in the Edit_Open state?
Although your activity is in the Edit_Open state, the devices or device groups associated with it overlap with another activity that is locked by other users. After the other activity releases the devices or device groups, you can save your changes. For a detailed explanation of the locking system, see Using Activity Management.
Why am I unable to open an activity I previously added and opened?
You might not be able to open an activity if the following situations occur:
• If an activity was left in the Edit_Open state (possibly due to a browser crash), the next time you log on, the Activity Management table displays the activity in the same state as before; however, the activity bar shows no activity opened (none) when you view the activity bar from the Devices or Configuration tabs. You must close the activity, then reopen it to update the activity bar state.
• Another user has opened your activity and still has it open. The activity must be closed by the person who opened it or by a superuser before you can open the activity.
• Another user has opened your activity and has made changes to the activity that involve other devices. If you lack the needed privileges to modify the newly added devices, you no longer have access to your activity.
How do I stop a job from being deployed?
If a job is being deployed, you can select the job in the Job Management table, then click Cancel. If a job has completed deployment, you can select the job in the Job Management table, then click Rollback. The rollback feature allows you to select the device(s) for which you want to roll back to the last previously deployed configuration file. For more information, see Configuring Rollback.
How do I remove activities from Firewall MC?
A pruning thread is run on demand or at midnight after a specified number of days to remove any terminal (approved or discarded) activities.
Step 1
Select Admin > Maintenance.
Step 2
Do one of the following:
• To purge all terminal activities, click Purge Now.
All terminal activities are removed from the activities page.
• To set a time for the Firewall MC to purge all terminal activities, enter the number of days in the Purge approved/discarded activities older than field, and then click Apply.
Note
If you set the number of days to 0, any activity that is terminal and has its approved changes deployed is deleted that night.
All terminal activities that meet the requirements are removed from the activities page.
Generation and Deployment Issues
The following topics contain helpful information for troubleshooting deployment issues in Firewall MC.
• If a deployment fails, what must I do to deploy the remaining devices?
• How can I deploy a configuration file that uses conduits?
• How do I know what rules will apply for a firewall device when I am ready to generate a configuration file?
• Why did I get a credential error when I tried to deploy a device to the AUS?
• Why isn't Firewall MC communicating with the AUS?
• Why doesn't my device get updated when I deploy to the AUS?
• How do I determine device deployment status after canceling a deployment to an AUS?
• Why am I getting "Failed to contact host: 0.0.0.0" when deploying?
If a deployment fails, what must I do to deploy the remaining devices?
If a deployment fails, you can create a new job and select only the subset of devices that did not deploy successfully. For more information, see Using Job Management.
How can I deploy a configuration file that uses conduits?
Firewall MC supports only configuration files that use access control lists (ACLs). Therefore, you must convert files that use conduits to ACLs. A conversion tool (conv.exe) that ships with Firewall MC is provided for this purpose. For more information about the conversion tool, see Using the PIX Outbound/Conduit Conversion Tool, page 7-8.
How do I know what rules will apply for a firewall device when I am ready to generate a configuration file?
You can define access rules at the PIX Firewall and with Firewall MC. To understand how access rules are ordered and recognized, review Chapter 11, "Configuring Access Rules."
Why did I get a credential error when I tried to deploy a device to the AUS?
The username and password set during the bootstrap process for a device might be different from the username and password set on Firewall MC. To check the AUS contact information set on Firewall MC, select Configuration > Device Settings > Auto Update Server > Server and Contact Information.
After you verify that you have set the AUS contact information correctly, you can create a new activity and job to deploy to the AUS.
Why isn't Firewall MC communicating with the AUS?
The problem might relate to an incorrect username and password or the use of an incorrect port number.
• When Firewall MC deploys to an AUS, Firewall MC must first authenticate itself. Authentication is based on username and password settings that are set on the AUS. Username is based on authentication type (CiscoWorks or ACS) and the password is the one assigned for that username.
– For CiscoWorks—The username and password must correspond to a system administrator or network administrator role.
– For ACS—The username and password must correspond to the role of API_Writer.
To configure the AUS username and password on Firewall MC, select Configuration > Device Settings > Auto Update Server > Server and Contact Information.
• It is possible that the default port (443) assigned to the AUS was changed during installation. Check the port number in the URL for the AUS and make sure the port setting matches the one configured on the Firewall MC Auto Update Server Contact page.
Note
Use the Auto Update Server Contact page to check username, password, and port.
See the Representing Auto Update Servers, page 7-45 for more information.
Why doesn't my device get updated when I deploy to the AUS?
After you verify that the AUS is configured correctly in Firewall MC:
•
Make sure your device is using PIX version 6.2 or later.
•
Make sure the PIX Firewall was bootstrapped correctly.
•
Check the log in AUS ($NMSROOT\MDC\log\autoupdate date).
Note
$NMSROOT is the directory in which AUS is installed.
How do I determine device deployment status after canceling a deployment to an AUS?
If you cancel a job that deploys to AUS, the job status might report that deployment to some devices was canceled even though those devices were in fact deployed. To determine which devices were actually deployed, select VPN/Security Management Solution > Administration > Logging > Audit Log.
Why am I getting "Failed to contact host: 0.0.0.0" when deploying?
When you import or create a device from a file, you must provide the device contact IP address and password in order for Firewall MC to administer that device. If you do not, Firewall MC has no address to connect to (reported as 0.0.0.0) and no credentials with which to obtain administrative access, so configuration deployments to that device fail.
Web Client Issues
The following topics contain helpful information for troubleshooting client issues in Firewall MC.
•
Why does Internet Explorer hang after trying to close a dialog box?
•
Why do other applications hijack my Internet Explorer windows?
•
What should I do if the Firewall MC server won't respond?
•
What should I do if some services fail to start?
•
Why isn't Firewall MC available during a checkpoint and how can I control when a checkpoint occurs?
•
What do I do after I get a logout error message number 500?
•
Why am I getting the "Error 404: Page not found" message?
Why does Internet Explorer hang after trying to close a dialog box?
Because the sessions between the web client and the CiscoWorks Server are canceled after a user-defined period of inactivity, any open dialog boxes can hang when you interact with them. For example, if you restore the database, a dialog box appears stating that the restoration is complete. If you do not click OK before the session times out, the web client can hang and cannot be closed.
To work around this issue, open the Processes tab of the Windows Task Manager, select the iexplore.exe process, and click End Process.
Why do other applications hijack my Internet Explorer windows?
Internet Explorer provides an option that allows an existing Internet Explorer window to be reused when a shortcut is selected or when a URL is entered in the Start > Run dialog box or at a command prompt. You can change the default setting to prevent this reuse.
Step 1
In Internet Explorer, select Tools > Internet Options.
Step 2
Click the Advanced tab.
Step 3
Under Browsing, clear the Reuse windows for launching shortcuts checkbox.
What should I do if the Firewall MC server won't respond?
Stopping and restarting the CiscoWorks daemon manager might solve this problem.
Step 1
Log in as administrator.
Step 2
To stop the Daemon Manager, select Start > Control Panel > Services, or enter net stop crmdmgtd at the command prompt.
Step 3
To restart the Daemon Manager, select Start > Control Panel > Services, or enter net start crmdmgtd at the command prompt.
Step 4
Check the log file ($NMSROOT\log\error.log) for error messages.
Note
$NMSROOT is the directory in which Firewall MC is installed. Use the Services tab to make sure that all the services were started successfully.
What should I do if some services fail to start?
Try to restart the service from the Services control panel. If the service still does not start, cycle the CW2000 Daemon Manager service (select Start > Control Panel > Services). Let the service stop completely before you restart the Daemon Manager. If the service still fails to start, try a hard reboot. If that fails, run the MDCSupport utility, save the .zip file, and engage your TAC representative. See How do I provide the TAC with support information?.
Why isn't Firewall MC available during a checkpoint and how can I control when a checkpoint occurs?
Checkpoint is routine maintenance that is performed on the Firewall MC database. A checkpoint is performed periodically by Common Services. During a checkpoint, a message is displayed that checkpoint is performing routine maintenance and Firewall MC is unavailable for use. You must retry your operation after a checkpoint is complete.
The frequency and timing of checkpoints are user-defined. To define checkpoint settings, select VPN/Security Management Solution > Administration > Configuration > Database Credentials. You can also set a checkpoint by limiting the size of the log file. The default limit is 150 MB. We do not recommend exceeding this size. Firewall MC performance will be degraded when the log file begins to exceed the default setting.
Configuring the system for smaller, more frequent checkpoints can reduce the length of time to perform a checkpoint; however, overall system performance is reduced. Larger checkpoint settings that are checked less frequently improve system performance but lengthen the time to perform a checkpoint.
Setting checkpoints to occur during off-hours might hide the checkpoints; however, any data that has not had a checkpoint before a system shutdown must be processed when the system is rebooted. Rebooting might take some time to checkpoint all data processed since the last checkpoint was performed, particularly if a checkpoint is set to happen infrequently during off-hours.
See the online help for the checkpoint process for more information.
What do I do after I get a logout error message number 500?
This message means that your session timed out and your Firewall MC window was left open. You must close all browser windows and then log in again.
Note
This error does not occur on a system with Firewall MC installed directly on it.
Why am I getting the "Error 404: Page not found" message?
If you changed the IP address but did not restart the services, the services are still listening on the old address/port pairs on the local network stack.
If you changed the hostname but did not restart the services, the services cannot authenticate user requests to the local machine because they present credentials bound to the old hostname to the server.
Policy Rule Definition Issues
The following topics contain helpful information for troubleshooting rule definition issues in Firewall MC.
•
How can I see my global and default rules while I am defining rules on my devices?
•
The default setting ensures that global settings are inherited by all children. How do I change this?
•
How are my rules ordered?
•
Can I move rules after they are inserted in a rule table?
•
Why aren't certain rules in the rule table mapping to rules in the generated command sets?
•
How can I see all rules that will be deployed to a device?
•
I changed a global rule and need to regenerate all of my device configurations before they can be deployed. Can I select devices to deploy instead of deploying all of them at once?
•
How can I use Firewall MC and a firewall device to keep common worms from accessing my network?
How can I see my global and default rules while I am defining rules on my devices?
To see all rules that apply to a device, select Configuration > Access Rules. Select the rule table from the TOC, then navigate to the device for which you want to see the rules. Click View All. A popup window displays all rules defined at all scopes that pertain to the selected device.
The default setting ensures that global settings are inherited by all children. How do I change this?
Default configuration settings are set at the global level, but you can override them for a subgroup or device. A setting is designated as default for a subgroup or device(s) when you select Inherit settings in the user interface. When you select Inherit settings, the subgroup or device defers the definition of any setting to a higher-level, enclosing group. You can override a default setting by deselecting the Inherit settings check box and specifying other values completely for that scope. For more information, see What Is Inheritance? and How Settings Are Inherited.
How are my rules ordered?
Access rules are processed in first-matched order. The first rule whose conditions a session satisfies, no matter how generally that rule is expressed, is applied, and no later rule is consulted. Place the most explicit and narrowly defined rules first, then the more general rules. A narrow rule placed after a general rule that also matches the same traffic never takes effect, so a specific deny that follows a broad permit does not block anything.
Dynamic and static translation rules are processed in best-matched order.
NAT 0 ACL rules are processed in first-matched order.
Can I move rules after they are inserted in a rule table?
You can cut, copy, and paste rules within a rule table by using the buttons at the bottom of each rule table or by right-clicking inside the rule table, which brings up a menu with the same button options listed.
Note
•
Because rules are applied to an interface, make sure the interface specified in a rule exists on the device to which you are pasting the rule. If the interface is not found on the device, an error results when the device configuration is generated.
•
You cannot paste a rule before or after a rule created from an outbound rule. Outbound rules are sorted in the order that a firewall device applies them to traffic.
Make sure you understand the ramifications of moving a rule. For more information, see How Rules Are Evaluated, and How Rules Are Ordered and Inherited.
Why aren't certain rules in the rule table mapping to rules in the generated command sets?
Not every rule in the GUI translates to a line in the CLI. If optimization is enabled, some rules might be compressed. For more information, see Optimizing Your Policy Rules and Performance, page 11-40.
How can I see all rules that will be deployed to a device?
Select the device whose configurations you want to view, generate the command sets, select Deploy Later, and then use the Devices Settings report.
I changed a global rule and need to regenerate all of my device configurations before they can be deployed. Can I select devices to deploy instead of deploying all of them at once?
How you select devices depends on your workflow settings:
•
If workflow is not enabled, select the Deploy Later button. This option saves your changes. You can then go to the Deployment tab and select one or more devices to deploy the changes.
•
If workflow is enabled, you can select the devices to deploy in the Select Devices page of the Job Management wizard.
How can I use Firewall MC and a firewall device to keep common worms from accessing my network?
You can use Firewall MC to define the access rules that block the protocols and ports exploited by common worms. The following example focuses on mitigation techniques for the W32.Blaster worm using PIX Firewall.
The default behavior of the PIX Firewall is to block traffic from lower security level interfaces (OUTSIDE) to higher security level interfaces (INSIDE) unless the affected ports and protocols have been explicitly permitted by an access-list or conduit. This default already stops inbound infection attempts unless you have opened the affected ports.
In addition, Cisco recommends blocking the same ports from higher security level interfaces (INSIDE) to lower security level interfaces (OUTSIDE), so that an infected internal host cannot propagate the worm outward.
Customers should deny outbound attempts to these ports. The deny entries must precede the final permit entry; because access lists are evaluated in first-matched order, a deny placed after permit ip any any is never reached:
access-list acl_inside deny udp any any eq 69
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq 137
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq 138
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
! --- insert previously configured acl statements here,
! --- or permit all other traffic out
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
Equivalent outbound commands could be applied instead; however, ACLs are strongly recommended in place of outbound lists, and Firewall MC manages only ACLs.
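The two points above, first-matched evaluation (see How are my rules ordered?) and the requirement that the Blaster deny entries precede permit ip any any, can be checked offline. The following is an added example and is not Firewall MC or PIX code: it parses the subset of PIX access-list syntax used on this page, evaluates sample flows in first-matched order with the implicit deny at the end, and reports entries that can never match because an earlier, broader entry shadows them. The ACL excerpt is taken from this page; the flows, the misordered ACL, and the addresses in them are constructed for the example.

```python
"""First-match evaluation and shadow detection for PIX-style access-list lines.

Added example, not Firewall MC or PIX code. Handles the access-list subset used on
this page: access-list NAME {permit|deny} {ip|tcp|udp} SRC DST [eq PORT], where
SRC/DST are `any`, `host A.B.C.D`, or `NETWORK NETMASK`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: Net
    dst: Net
    dport: Optional[int]  # None: any destination port
    text: str


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1]), i + 2
    # PIX writes a subnet as "address netmask"; strict=False tolerates host bits set.
    return Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> List[Rule]:
    """Return access-list entries in the order the PIX evaluates them."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue  # skips "! ---" comments, access-group, and other commands
        t = line.split()
        if t[2] not in ("permit", "deny") or t[3] not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported access-list form: {line}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t):
            if t[i] != "eq":
                raise ValueError(f"unsupported port operator: {line}")
            dport = int(t[i + 1])
        rules.append(Rule(t[2], t[3], src, dst, dport, line))
    return rules


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("ip", flow.proto)
            and ipaddress.IPv4Address(flow.src) in rule.src
            and ipaddress.IPv4Address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First-matched order: the first entry that fits the flow decides.

    A flow that matches nothing hits the implicit deny at the end of every
    PIX access list, reported as ("deny", None).
    """
    for idx, rule in enumerate(rules):
        if _matches(rule, flow):
            return rule.action, idx
    return "deny", None


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow matching `narrow` is already matched by `broad`."""
    return (broad.proto in ("ip", narrow.proto)
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst)
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (dead_index, shadowing_index) for entries that can never match.

    The dangerous case is a narrow deny placed after a broad permit: the deny
    is dead, and the traffic it was meant to block is allowed.
    """
    found = []
    for j in range(len(rules)):
        for i in range(j):
            if _covers(rules[i], rules[j]):
                found.append((j, i))
                break
    return found


# Excerpt of the W32.Blaster ACL shown on this page, used as sample input.
BLASTER_ACL = """
access-list acl_inside deny udp any any eq 69
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 4444
! --- insert previously configured acl statements here,
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
"""

# Constructed counter-example: the same deny pasted after the catch-all permit.
MISORDERED_ACL = """
access-list acl_inside permit ip any any
access-list acl_inside deny tcp any any eq 4444
"""

if __name__ == "__main__":
    shell = Flow("tcp", "10.1.1.5", "198.51.100.7", 4444)
    print(evaluate(parse_acl(BLASTER_ACL), shell))     # ('deny', 3)
    print(shadowed(parse_acl(MISORDERED_ACL)))           # [(1, 0)]
```

Run the module directly to see the Blaster ACL deny the outbound TCP 4444 flow, while the misordered variant reports its deny entry as dead. The shadow check is deliberately conservative: it only reports an entry when every flow it could match is already decided by an earlier entry, which is exactly the case in which pasting or reordering rules in the Firewall MC rule table silently changes what a device enforces.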
SSL Issues
The following topics contain helpful information for troubleshooting SSL-related issues in Firewall MC.
•
The access rules applet does not load after enabling SSL for CiscoWorks2000 desktop.
•
Why do I get the error message "SSL: No encryption support" when I try to start PDM?
•
How do I change the SSL certificate?
The access rules applet does not load after enabling SSL for CiscoWorks2000 desktop.
If you enable SSL for the CiscoWorks2000 Server desktop, the Firewall MC server must be synchronized with the CiscoWorks2000 Server so that they use the same certificate. Using a different certificate causes an error while the access rules applet is loading. The symptoms of this error are that the applet fails to load, the message Loading Java Applet appears, and the screen freezes.
To work around this problem, direct the Firewall MC server to use the CiscoWorks2000 Server certificate.
Why do I get the error message "SSL: No encryption support" when I try to start PDM?
Firewall MC and PDM communicate with the PIX Firewall over Secure Socket Layer (SSL), and SSL on the PIX Firewall requires an activation key that enables Data Encryption Standard (DES) or 3DES. Without such a key you cannot use PDM or manage the device from Firewall MC. Where you have the choice, obtain the 3DES key; single DES uses 56-bit keys and offers little protection for the management session.
If your PIX Firewall is not enabled for DES or 3DES, you can have a new activation key sent to you by completing the form at the following website:
https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
How do I change the SSL certificate?
CiscoWorks Common Services uses a self-signed certificate to secure communication between your web browser and the CiscoWorks Common Services server.
This certificate is different from the certificate used by CiscoWorks Server to secure web communications to the CiscoWorks Server components. CiscoWorks Server also uses a self-signed certificate when SSL is enabled. However, you can replace the CiscoWorks Server certificate with a third-party, signed certificate.
You can configure CiscoWorks Common Services to use the CiscoWorks Server certificate. The benefits of using the CiscoWorks Server certificate are:
•
You can regenerate self-signed CiscoWorks Server certificates.
•
You can replace the CiscoWorks Server certificate with a third-party certificate.
Refer to the CiscoWorks Server online help for information about regenerating self-signed certificates or replacing the self-signed certificate with a third-party certificate.
Note
The CiscoWorks Server certificate options are available when CiscoWorks Common Services is installed as a standalone server or integrated with CiscoWorks Server.
Before You Begin
If you are switching from the CiscoWorks Common Services certificate to the CiscoWorks Server certificate, you must create an SSL certificate for the CiscoWorks Server components. If you have not created the SSL certificate for the CiscoWorks Server components, you will receive an error that the selected certificate could not be found.
To change the SSL certificate used by CiscoWorks Common Services:
Step 1
Select VPN/Security Management Solution > Administration > Configuration > Certificate.
The Certificate Configuration dialog box appears. The certificate that is used by CiscoWorks Common Services to secure the SSL connection is selected.
Step 2
To change the selection, click the desired certificate.
Step 3
Click Finish.
Step 4
Click OK.
Step 5
Shut down and restart the Common Services web server.
This restarts your session using the selected certificate.
If the browser still does not load the applet, you must resynchronize the JRE with the desktop:
Step 1
Select Settings > Control Panel > Add/Remove Programs.
Step 2
Select the JRE and remove it.
Step 3
In the browser, enter the URL for the CiscoWorks2000 Server.
You are prompted to install JRE.
Step 4
Reinstall the JRE.
The browser JRE and server JRE are synchronized.