Release Notes for the Cisco VPN 5000 Client Version 5.1.2 for Mac OS

These release notes provide information about the Cisco VPN 5000 Client Version 5.1.2 for the Macintosh operating system. These release notes are updated as needed to describe new and changed information, caveats, and documentation updates.

The 5.1.2 release of the VPN client adds support for a configurable NAT port. This feature allows you to set the destination TCP port for outgoing VPN packets.

This document applies to the VPN client for the Macintosh operating system, Version 7.6 to 9.x.

Note The Cisco VPN 5000 Version 5.1.x for Mac OS is tested using Mac OS Version 8.5 or later. We recommend that users upgrade to the latest versions of Mac OS.

This document contains the following sections:

New Feature

In software Version 5.1.2, you can set the destination port for outgoing VPN packets.

VPN packets consist of ESP packets and UDP packets. NAT devices that are not doing one-to-one IP address mapping cannot forward ESP packets successfully, because ESP packets do not include a unique port number. If your firewall blocks ESP or UDP packets, this parameter allows you to maintain a client connection by encapsulating the packets in a TCP packet.

Note VPN clients using software versions prior to 5.1.2 only support the default value of 80.

You can change the NAT port number for one session only by entering a specific NAT port number in the Login Properties dialog box, or you can change the NAT port number for a user permanently in the configuration file.

To configure a different NAT port for this session only:

Step 1 Highlight your login on the Configuration tab of the VPN Client window.

Step 2 Click the Edit button. The Login Properties dialog box opens.

Figure 1: Login Properties Dialog Box

Step 3 Check the Use NAT Transparency Mode box.

Step 4 In the NAT Port box, enter the NAT port number you want to use.

Note The NAT port on the VPN 5000 client must match the port number that is configured in NATTransport keyword in the General section on the concentrator.

Any port that is configured in the Login Properties dialog box overrides the port number that is specified in the configuration file for that session only.

When you exit the VPN client, the configuration file is not updated.

To configure a different NAT port in the configuration file:

Step 1 Set the UsefTCP keyword to True in the configuration file.

Step 2 Add a new keyword FTCPDestinationPort to the configuration file and set the NAT port you want to use. Use the syntax in the following example:

FTCPDestinationPort = 90

The value can be between 0 and 65536. The default is 80. If you leave this value blank or specify a value outside the valid range, the value of 80 is assumed by the VPN client.

When you exit the VPN client, the configuration file is updated to the last configured NAT port.

Caveats Fixed in This Release

This section lists caveats fixed with Version 5.1.2 of the VPN client for Mac OS.

CSCdt09734

: When an invalid certificate is imported using the Import button on the Certificates tab of the VPN Client window, the client no longer stops working.

CSCdt73875

: The VPN client no longer drops its end of a tunnel after a period of inactivity when connected to a concentrator.

CSCdu01657

: The maximum segment size value for the VPN client has been reduced to 0x0550 (1360) bytes to allow a safety margin for web servers that do not reduce the MTU of outgoing traffic.

CSCdu61150

: The VPN client now passes packets bigger than 1300 bytes when establishing a connection using a Mac PoET PPPoE client from Windriver.

Caveats Fixed in Previous Releases

The following sections list caveats fixed in previous releases of the VPN client for Mac OS.

Caveats Fixed in Version 5.0.3

This section lists caveats fixed with Version 5.0.3 of the VPN client for Mac OS.

CSCdr64115, CSCdt29242

: The VPN client now manages the TCP MSS value and requires the server to send properly sized packets which can be tunneled from the concentrator to the VPN client.

CSCds85478

: The VPN client now correctly displays the VPN Client window after it has been closed and reopened.

CSCds86954

: When a workstation with a VPN client is connected through a tunnel, other local workstations on the network are able to ping it successfully. Although a ping from a local workstation will reach the workstation, any other type of traffic from the local network is silently discarded. There are no IP security issues and it is not detrimental to the IP security or reliability of the VPN client connection.

CSCds87962

: The VPN client will now properly time out a connection attempt to the primary server and roll over to the secondary server when the primary server does not respond.

CSCds90236

: The VPN client no longer attempts to prepare or write debug statements to a file at an improper time of operating system function.

CSCdt09163

: During the installation process, the message which tells the user to quit all other applications has been reworded.

CSCdt09209, CSCdt09221, CSCdt10158

: The readme file has been changed from a text file, which can be modified by the user, to a ttro file, which cannot be modified. The release notes in the readme file have also been updated and corrected to remove grammatical errors.

CSCdt20750

: The version number will now be included as the first line in the message window of all install programs of the VPN client.

CSCdt36366

: The VPN client Timestamp functions are no longer being called at improper times causing the VPN client to become inoperable in rare occurrences.

CSCdt70396

: The Mac OS no longer becomes inoperable when the concentrator sends a reset packet back to the VPN client after you have disconnected.

CSCdt71767

: The VPN client now sends the correct minimum version information to the concentrator so that the concentrator can disallow any VPN client that does not meet the MinimumVersion variable specified by the VPN Group in the concentrator.

Caveats Fixed in Version 5.0.0

This section lists caveats fixed with Version 5.0.0 of the VPN client for Mac OS.

CSCdr64115

: If you use an Apple Directory DA with the VPN client for Mac OS with NAT transparency turned on, this no longer requires that packets be fragmented before you send the packets through the VPN tunnel.

CSCdr99253

: The Macintosh is now able to be placed into Sleep mode so that the VPN client can stay connected to a concentrator.

CSCdr78540

: The RADIUS authentication password dialog box now correctly asks for the password instead of the username.

CSCds11351

: The login dialog window is no longer positioned beyond the visible portion on multiple-monitor configurations. The coordinates of the main window are now checked and adjusted.

CSCds90274

: The VPN client no longer conflicts with the Mac OS due to debug facilities that remained from previous versions. Previously, this conflict caused the operating system to crash, and Macsbug could not write a standard log when the Mac OS crashed.

Caveats Fixed in Version 4.2.x

This section lists caveats fixed with Version 4.2.x of the VPN client for Mac OS.

CSCco01093

: The VPN client now allows duplicate login names on the Configuration tab of the VPN Client window if the primary servers are different.

CSCco01132

: The shared key entered by a user no longer remains in the VPN client after a failed connection attempt. Each subsequent user is now prompted for a shared key.

CSCdr30594

: An Apple laptop awakening from sleep mode no longer loses its tunnel connection from the concentrator. The VPN client now reestablishes its connections, or quits if it fails to reestablish.

CSCds11319

: The preferences you select in the VPN Client window, such as the window position and column widths, are now saved after a reinstallation of the VPN client.

The following caveats fixed in Version 4.2.x are not assigned corresponding caveat numbers in the Cisco DDTs.

The user is now able to select a login from the list on the Configuration tab of the VPN Client window without having the horizontal slide bar in the zero position.
The vpnsession.log file is now formatted so that it can be easily read by a simple text application.
User certificates can now be validated against the list of root certificates imported into the VPN client.

Caveats Fixed in Version 3.8.x

This section lists caveats fixed with Version 3.8.x of the VPN client for Mac OS.

The following caveats fixed in Version 3.8.x are not assigned corresponding caveat numbers in the Cisco DDTs.

When a SecurID login attempt fails or is canceled and there is a secondary server in the login configuration, you now have the option to reconnect, attempt a connection to the secondary server, or cancel.
You can now store the VPN client files in the Preferences or Extension folders as long as they are located in the System Folder. Also, you are no longer required to keep the System Folder at the root level of the System disk.

Caveats Fixed in Version 3.7.x

This section lists caveats fixed with Version 3.7.x of the VPN client for Mac OS.

The following caveats fixed in Version 3.7.x are not assigned corresponding caveat numbers in the Cisco DDTs.

You will no longer lose the saved shared secret if the VPN client must fail over to the secondary server in your configuration.
If the primary server in your login configuration does not respond within the allotted time period, you now have a choice to attempt to reconnect or to attempt a connection with a secondary server.
A default login configuration always exists unless the list is empty, or unless no default entry is specified in the preferences file created by an earlier version of the VPN client.
The VPN client no longer allows either of the Auto-Connect check boxes on the Configuration tab of the VPN Client window to be enabled if there is no default login configuration specified.
The VPN client now times out properly and terminates a connection if the concentrator is no longer passing traffic or not responding to the tunnel initiation requests.
Statistics now properly appear when you use the VPN client with Mac OS Version 9.
The Tunnel Appletalk check box has been removed from the Configuration tab of the VPN Client window.

Caveats Fixed in Version 3.6.x

This section lists caveats fixed with Version 3.6.x of the VPN client for Mac OS.

The following caveats fixed in Version 3.6.x are not assigned corresponding caveat numbers in the Cisco DDTs.

The ability to save secrets now works correctly even if the user disconnects in the middle of a connection attempt.
The VPN 5000 Client Preferences file is now correctly created, accessed, read, and written as long as the folder exists on the Macintosh computer that is running the VPN client.
If you shut down your computer during an established tunnel connection, the VPN client now closes the tunnel properly.
A write-to-nil error no longer appears in the Macsbug or Even Better Bus Error applications while attempting to establish a VPN tunnel with a concentrator.
The VPN client now tunnels DNS packets even when the Exclude Local LAN option is enabled.
You can now use blank spaces in keywords in the VPN User section of the VPN 5000 Client Preferences file.

Caveats Fixed in Version 3.3.x

This section lists caveats fixed with Version 3.3.x of the VPN client for Mac OS.

The following caveats fixed in Version 3.3.x are not assigned corresponding caveat numbers in the Cisco DDTs.

Problems with editing or adding a new login configuration are resolved.
The CSC IPA INIT file no longer causes an error at startup.
The VPN client now presents a message window to notify you if you lose an established tunnel with the server.

Open Caveats

This section lists open caveats for the VPN client Version 5.1.2 release for Mac OS.

CSCdt34065

: The VPN client for Mac OS sometimes stops working when the OS reawakens from sleep mode. This condition occurs in Mac OS Version 9.x, and causes a Macsbug debug output.
: Workaround: Disconnect the VPN tunnel before placing the OS into sleep mode.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

: http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

: http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtm l

P1 and P2 level problems are defined as follows:

P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R)

Table of Contents

Release Notes for the Cisco VPN 5000 Client Version 5.1.2 for Mac OS