Table of Contents

CD Contents
Firmware and Software Version Notes

Product Version Information
Loading New Firmware
Serial Console CLI Instructions
Telnet CLI Instructions
Remote CLI Instructions

Remote Configuration Manager Replacement
Linux
Solaris
Windows NT and Windows 2000

GUI Instructions

What's New in 3.2.0.20
What's New in 3.2
Using New Features

Secure URL Rewrite
Additional SNTP Commands
Time and Date Commands
Connecting the Device to a Terminal Server
Upgrade Notes
Downgrading from 3.2 to 3.1

Serial Console CLI Instructions
Telnet CLI Instructions
Remote CLI Instructions

Remote Configuration Manager Replacement

Linux
Solaris
Windows NT and Windows 2000
GUI Instructions

Operational Notes for 3.2
Network Design and Command Notes for 3.2
Secure Server Notes for 3.1
GUI Notes for 3.2
CLI Notes for 3.2
SNMP Notes for 3.2
Syslog Usage Notes
Linux-Specific Issues for 3.2
Solaris-Specific Issues for 3.2
Windows NT 4.0-Specific Issues for 3.2
Windows 2000-Specific Issues for 3.2

Version 3.2 Command Changes
What's New in 3.1
Notes for 3.1

Upgrading from Previous Releases

Upgrade Notes

Downgrading to 3.0.6
Operational Notes for 3.1
Network Design and Command Notes for 3.1
Secure Server Notes for 3.1
GUI Notes for 3.1
CLI Notes for 3.1
SNMP Notes for 3.1
Linux-Specific Issues for 3.1
Solaris-Specific Issues for 3.1
Windows NT 4.0-Specific Issues for 3.1
Windows 2000-Specific Issues for 3.1

Version 3.1 Command Changes
What's New in 3.0
Known Issues in 3.0

Linux-Specific Notes for 3.0
Solaris-Specific Notes for 3.0
Windows 2000-Specific Notes for 3.0
Windows NT-Specific Notes for 3.0

Version 3.0 Command Changes

Release Note for the Cisco 11000 Series Secure Content Accelerator

This release note applies to software version 3.2.0.20 for Cisco 11000 Series Secure Content Accelerators. The note supplements information found in the Cisco 11000 Series Secure Content Accelerator Configuration Guide distributed with version 3.1 of the firmware.

The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.

The following sections are presented in this note:

• CD Contents
  
  
• Firmware and Software Version Notes
  
  
• What's New in 3.2.0.20
  
  
• What's New in 3.2
  
  
• Using New Features
  
  
• Version 3.2 Command Changes
  
  
• What's New in 3.1
  
  
• Notes for 3.1
  
  
• Version 3.1 Command Changes
  
  
• What's New in 3.0
  
  
• Known Issues in 3.0
  
  
• Version 3.0 Command Changes
  
  

CD Contents

The CD-ROM contains the following resources:

• Configuration manager application
  
  
• Flash image
  
  
• Electronic versions of this document and the Cisco 11000 Series Secure Content Accelerator Configuration Guide
  
  

The table below shows the configuration manager software versions appropriate for each operating system.

Operating System	Software Version
Red Hat Linux	3.2
Windows NT 4	3.2
Windows 2000	3.2
Solaris Sparc	3.2

Firmware and Software Version Notes

The FW directory contains the firmware flash image for the Cisco 11000 Series Secure Content Accelerator. Use the flash image to update a 3.x version of the firmware.

Product Version Information

The CSS 11000 Secure Content Accelerator configuration utility, cscacfg, is only compatible with devices that have the same software version. Devices with a different firmware version must be configured using the configuration manager that matches the firmware on the device.

Release version refers to the CD software release and not to the firmware or configuration manager versions. Any reference to firmware or the configuration manager in these release notes or documentation is to CD software release version. The commands show version and show device display both the cscacfg (configuration manager) and firmware versions as well as the software release version. The end number of the text returned shows the build date and time stamp in the following format:

|Year|Month|Day|Time Stamp|

For example:

|2001|08|03|1046|

Loading New Firmware

The fw directory contains the firmware image of the Cisco 11000 Series Secure Content Accelerator. This file is described in the following table.

Filename	Description
css-sca-2fe-k9.phz	Image of the 3.2.0.20 software release. This image is used only to reflash the device and update previous versions of the device.

Use the following instructions to upgrade the firmware on the device and the remote configuration manager software. Please read the entire document before proceeding with the flash upgrade.

Serial Console CLI Instructions

1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferred.

2. Connect to the Secure Content Accelerator via a serial management session at 9600 baud.

3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".

4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)

enable

copy to flash protocol://serverip/path/css-sca-2fe-k9.phz

reload

 

5. Wait for several minutes for the device to reload and reboot.

6. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.2.0".

7. Continue with configuration as desired.

Telnet CLI Instructions

1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferred.

2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.

3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".

4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)

enable

copy to flash protocol://serverip/path/css-sca-2fe-k9.phz

reload

5. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot. The telnet connection to the device is lost.

6. Reconnect to the device using a telnet management session.

7. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.2.0".

8. Continue with configuration as desired.

Remote CLI Instructions

Follow these instructions for downgrading using a remote CLI management session.

1. Copy the firmware image to the computer from which you configure the Secure Content Accelerator.

2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.

---

Note   You can set the on-prefix to direct commands to a single device.

---

Use these commands to attach to and enter Privileged mode:

attach

enable

 

5. If only one Secure Content Accelerator is listed, use the show device command. If more than one device is listed, use the command on devname show device, where devname is the name of the device. The returned text should contain "MaxOS 3.1.0".

6. Enter these commands to load the firmware image, where path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)

copy to flash path/css-sca-2fe-k9.phz

reload

 

7. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must remove the 3.1.0 version and install the 3.2.0 version as described in "Remote Configuration Manager Replacement" below. Make sure you upgrade all 3.1.0 devices before removing the 3.1 version of the configuration manager.

8. To continue configuring the device with the 3.2.0 remote configuration manager, open the application (cscacfg) using the desktop short cut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

9. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

10. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 3.2.0".

11. Continue with configuration as desired.

Remote Configuration Manager Replacement

Note   Make sure you upgrade all 3.1.0 devices before removing the 3.1.0 version of the remote configuration manager. The remote configuration manager version must match that of the device.

Linux

Use these instructions for installing the 3.2.0 remote configuration manager in Linux. Installing the 3.2.0 remote configuration manager will replace the 3.1.0 installation. If the 3.1.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.2.0 distribution directory has been downloaded onto the local file system. Enter the following commands at a Linux prompt:

mount -o map=off /mnt/cdrom

cd /mnt/cdrom/fw/Linux/i386

./install_cscacfg

 

Solaris

Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.2.0 remote configuration manager in Solaris. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.2.0 distribution directory has been downloaded onto the local file system.

1. Remove the previous installation with pkgrm.

2. Enter this command:

pkgadd -d /cdrom/cdrom0/fw/Solaris/Sparc

 

3. When the package is presented for installation, press Enter to install it.

4. Type q after installation to exit.

Windows NT and Windows 2000

Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.2.0 remote configuration manager in Windows NT or Windows 2000.

1. Remove the 3.1.0 Configuration manager using Add/Remove Programs in the Control Panel.When the Install Shield Wizard opens, select the Remove option button and click Next. Follow the screen prompts as they are displayed.

2. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate icon, path, and file names if the 3.0.6 distribution directory has been downloaded onto the local file system.

3. Double-click the CD icon.

4. Double-click the MSWin icon.

5. Double-click the WinNT icon (Windows NT) or Win2K icon. (Windows 2000).

6. Double-click the setup.exe application icon.

7. Follow the displayed Install Shield instructions.

GUI Instructions

Follow these instructions for upgrading the device using a GUI management session.

1. Open a Web browser and connect to the Secure Content Accelerator.

2. Ensure that the General>Status page is displayed.

3. The Release panel should contain "3.1.0.N", where N is any number.

4. Click Tools to activate the Tools tabs.

5. Click the Firmware tab.

6. Type the path and firmware image file name or URL in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.

7. Click Upload to load the firmware image into the GUI.

8. Click Install Image next to the file information in the Installable Firmware Images panel.

9. After the new firmware has uploaded, click the Restart tab.

10. Click Reboot to reload the device. Wait several minutes for the device to reboot.

11. Reconnect to the device using the GUI and the IP address assigned to it.

12. Click General to activate the General tabs.

13. The Release panel should contain "3.2.0".

14. Continue with configuration as desired.

What's New in 3.2.0.20

• A 40-bit client step-up race condition has been fixed. A corner-case race condition for 40-bit client step-up in all prior versions of Cisco SCA firmware has been fixed. This bug was only present when all of the following conditions were met:
  
  
• A Microsoft Server Gated Cryptographic (SGC) certificate is used.
  
  
• A 40-bit cipher is negotiated first.
  
  
• Step-up happens on the same connection.
  
  
• The client sends an HTTP GET faster than the device connection to the backend server is made.
  
  
• The race condition would hang the client browser in which case the user could "reload" the page to get around the problem.
  
  
• All the OpenSSL vulnerabilities announced on July 30, 2002 were patched.
  
  
• The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time. The Common Vulnerabilities and Exposures project (http://cve.mitre.org) has assigned the name CAN-2002-0656 to this issue.
  
  
• The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. The Common Vulnerabilities and Exposures project (http://cve.mitre.org) has assigned the name CAN-2002-0656 to this issue.
  
  
• The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled. The Common Vulnerabilities and Exposures project (http://cve.mitre.org) has assigned the name CAN-2002-0657 to this issue.
  
  
• Various buffers for ASCII representations of integers were too small on 64 bit platforms. The Common Vulnerabilities and Exposures project (http://cve.mitre.org) has assigned the name CAN-2002-0655 to this issue. (This issue is not applicable to the SCA.)
  
  
• The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue.
  
  
• In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them.
  
  
• Reverse-proxy support for any HTTP request has been enhanced. Prior versions only supported GET requests for Reverse-Proxy servers.
  
  
• Certificates now can contain fields with apostrophes. Previously these certificates might have caused errors while being uploaded or displayed.
  
  
• Increased the Web management buffer size to accommodate large configurations. This increases fixes an error condition in which the message "HTTP 404 File Not Found" error was returned when a large configuration was encountered.
  
  
• Fixed a condition sometimes encountered when the Web management is configured with an access control list (ACL). Previously attempts to access the device from an IP address restricted by the active ACL could cause the Web management subsystem to shut down abruptly.
  
  
• Unsupported telnet daemon options have been removed, resulting in alleviation of telnet loops.
  
  
• Syslog logs all requests of persistent connections.
  
  
• The SSL Server Log Server now handles the following items appropriately:
  
  
• All GET, HEAD, and POST requests (instead of just some GET requests)
  
  
• Multipart POSTs are properly supported (instead of logging empty messages)
  
  
• Querystring info is not logged (instead of logging querystring info)
  
  
• Client HTTP requests with syslog level of Info [6] (instead of Alert [1])
  
  
• URLs longer than 1024buffer are truncated with '...' (instead of ignored)
  
  
• A corner case in which searching for "http" across a packet when the cirq buffer is empty has been solved.
  
  
• Flow logging for the following generic protocol has been enhanced:
  flow# <#> src=IP:port dest:IP:port startTime endTime lifeTime
  
  
• Additionally, a global connection identifier has been added to correlate HTTP logs with generic logs. The HTTP format is the following:
  flow# <#> GET|HEAD|POST <URL> HTTP/1.0|1.1
  
  
• The following items have been fixed in the SNMP subsystem:
  
  
• The system correctly reports a sysObjectID for device for HSE Management Support.
  
  
• The Configuration Changed trap properly reports client IP addresses.
  
  
• Coldstart and authentication error generic traps have been improved.
  
  
• The GUI no longer starves the device of CPU cycles. Previously this had occurred under a high load with a nearly full memory.
  
  
• Fixed a condition in which certificate chains of certain types and depths of less than two were not supported.
  
  
• Improved the speed of completion of the write flash command at high load.
  
  
• Packet handling has been improved between the SCA and a backend server or content switch when using the httpheader feature, resulting in increased efficiency.
  
  

What's New in 3.2

• Secure URL rewrite feature has been added, preventing URL redirects and references from breaking or circumventing SSL sessions.
  
  
• Friendly SSL negotiation failure messages have been added to provide an information HTML page to clients with incomplete browsers. Previously, incompatible or incomplete browsers would have just failed to connect with no message to the user.
  
  
• Improved statistics and error reporting.
  
  
• Resource de-allocation time is reduced, decreasing memory usage and improving connection handling.
  
  
• SSL v.2 dynamic session handling is improved, resulting in reduced memory usage and a dramatic increase in the number of concurrent SSL v.2 sessions.
  
  
• The ephemeral RSA server option, ephrsa, is enabled by default.
  
  
• Additional SNTP features have been added, increasing the number of SNTP servers that can be polled by the device.
  
  
• The clock time and clock date commands have been added for consistency with other Cisco devices.
  
  
• The following changes to the SNMP subsystem have been made:
  
  
• Fixed SNMP vulnerabilities
  
  
• Fixed Denial of Service (DoS) problem with certain malformed packets
  
  
• Updated MIBs
  
  
• Improved trap functionality: TPS/second trap now using connections instead of RSA operations
  
  
• Improved OID Accuracy
  
  
• Removed the following non-functional traps: SSL Negotiation Failure Trap, SSL Certificate Expired Trap, SSL Certificate Invalid Trap, SSL Cert Validation Failure
  
  
• Removed non-functional OIDs: Transaction Failure IP Address, SSL Certificate Authentication Failure Code, SSL Certificate Authentication Failure IP Address
  
  
• Related Bugs Fixed: no snmp enable does not disable trap port, traps are queued if SNMP is disabled, SNMP access list can be set to a non-existent list
  
  

Using New Features

The following sections contain information for using the new and updated features in the 3.2 firmware release.

Secure URL Rewrite

The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI. The same options are available in the GUI.

Note   The command line in the examples reflects using a serial management session.

1. Open a management session with the device.

2. Enter Privileged, Configuration, and SSL Configuration modes:

SCA> enable

SCA# configure

(config[SCA])# ssl

(config-ssl[SCA])# 
 

3. Enter Server Configuration mode for the server you wish to configure URL rewrites.

(config-ssl[SCA])# server myServer

(config-ssl-server[myServer])# 
 

4. The urlrewrite command uses the following syntax:

urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>

 

domainName	The domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., "*.company.com".
sslport	Keyword identifying the specified port to be used for SSL traffic.
portid	A port identification for SSL traffic.
clearport	Keyword identifying the specific port to be used for clear text traffic.
portid	A port identification for clear text traffic.
redirectonly	A keyword is used to indicate that only the "Location:" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects.

Enter a URL rewrite rule for the www.mybusiness.com.

(config-ssl-server[myServer])# urlrewrite www.mybusiness1.com sslport 443 clearport 81

 

All references that pass through the device to http://www.mybusiness1.com:81 are rewritten to https://www.mybusiness1.com.

To securely rewrite only 30x-series redirects (i.e., 302 or 304) referencing http:// rather than all instances of https:// (such as those that appear intentionally in the application data), use the redirectonly option. (This command must be entered on a single line.)

(config-ssl-server[myServer])# urlrewrite www.mybusiness2.com sslport 443 clearport 81 
redirectonly

 

5. A wildcard can be used to specify multiple SSL hosts in the same domain.

(config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81

 

---

Note   Do not use *.com as a filter. The definition is too broad.

---

Wildcards should be used with care to avoid any unwanted rewriting of references.

6. To see the results of these URL rewrite rules in the server configuration, enter the following command. The results are presented below it.

(config-ssl-server[myServer])# show ssl server myServer

 
...
URL Rewrite:
	Name	Clear Port	SSL Port	Redirect Only
	_________________________________________________________________________
	www.mybusiness1.com	443	81	No
	www.mybusiness2.com	443	81	Yes
	*.mybusiness3.com	443	81	No
 

For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency.

Additional SNTP Commands

The 3.2 firmware upgrade offers additional SNTP capabilities, including allowing up to four SNTP servers.

Note   To provide increased security, we recommend using an SNTP server on the internal network. Using an external SNTP server might compromise network security.

1. Open a management session with the device.

2. Enter Privileged and Configuration modes:

SCA> enable

SCA# configure

(config[SCA])# 
 

3. Enter the IP addresses or host names of up to four SNTP servers. (Host names are resolved to IP addresses in the device configuration.)

(config[SCA])# sntp server 10.1.24.2

(config[SCA])# sntp server 10.1.24.4

(config[SCA])# sntp server 10.2.22.2

(config[SCA])# sntp server 10.2.22.6

(config[SCA])# 
 

4. The default polling interval is 86400 seconds (one day). To change this interval to 43200 seconds (12 hours), enter use the sntp interval command.

(config[SCA])# sntp interval 43200

(config[SCA])#
 

5. To view the results of these commands, you can use either the show sntp or show device command. The show sntp command and an example of returned information are below.

(config[SCA])# show sntp

SNTP server sources:
	10.1.24.2	(0/6 fails/tries, stratum 2)
	10.1.24.4	(0/0 fails/tries, stratum 2)
	10.2.22.2	(0/0 fails/tries, stratum 2)
	10.2.22.6	(0/0 fails/tries, stratum 2)
SNTP synchronization interval: 43200 (seconds)
(config[SCA])#
 

The show device command and an example of returned information are presented below.

(config[SCA])# show device

...
SNTP sync'ing	:	every 43200 (s) from 10.1.24.2, 10.1.24.4, 10.2.22.2, 10.2.22.6
		(0/6 fails/tries, stratum 2)
		(0/0 fails/tries, stratum 2)
		(0/0 fails/tries, stratum 2)
		(0/0 fails/tries, stratum 2)
...

Any errors resulting from polling and synchronization are written to the syslog messages.

Time and Date Commands

Time and date commands have been updated to be more consistent with other Cisco devices.

1. Open a serial or telnet management session with the device.

2. Enter Privileged and Configuration modes:

SCA> enable

SCA# configure

(config[SCA])# 
 

3. Set the time by entering the following command. Press ENTER to accept the displayed time or type the new time and press ENTER.

(config[SCA])# clock time

Enter time [10:28:54]:
 

4. Set the date by entering the following command. Press ENTER to accept the displayed date or type in the new date and press ENTER.

(config[SCA])# clock date

Enter date [02-15-2002]:
 

Use the show date command to display the device date and time settings.

Connecting the Device to a Terminal Server

The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01).

1. Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.

2. Using an octal cable with RJ45 connectors, attach the terminal server to the Secure Content Accelerator via the RJ45-DB9F adapter.

3. Using the line interface on the terminal server, use these commands:

line 1
autocommand connect
transport input all
 

---

Note   If you are using firmware older than 3.0.5 on the Secure Content Accelerator, also use the command speed 115200.

---

Upgrade Notes

The 3.2 version can only be upgraded from 3.0 and later releases. Upgrading from other versions can fail or cause the loss of certain configuration parameters. The CD includes a 3.0.6 directory containing firmware images and remote configuration software necessary for the incremental update. Please see the section "Upgrading from Previous Releases" section.

Downgrading from 3.2 to 3.1

Be aware that configurations for features not supported in 3.1 firmware cannot be used after the device has been downgraded. When the device reboots after downgrade, error messages might be displayed, reflecting unsupported portions of the configuration. These can be ignored safely.

Serial Console CLI Instructions

We recommend using the serial console for downgrading the Secure Content Accelerator. Follow these instructions for downgrading using a serial management session.

1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.

2. Connect to the Secure Content Accelerator via a serial management session at 9,600 baud.

3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.2.0".

4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

enable

copy to flash protocol://serverip/path/css-sca-2fe-k9.phz

reload

 

5. Wait for several minutes for the device to reload and reboot.

6. Reconnect to the Secure Content Accelerator.

7. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.1.0".

8. Continue with configuration as desired.

Telnet CLI Instructions

Follow these instructions for downgrading using a telnet management session.

1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator.

2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.

3. If desired, save the running configuration for reloading following the downgrade using the copy running-configuration command. Enter the URL, including the protocol, for the configuration file when prompted. An FTP URL is preferable. An HTTP URL can only be used with a server that accept posts (PUT).

4. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.2.0".

5. Enter these commands to load the firmware image, where prot is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

enable

copy to flash prot://serverip/path/css-sca-2fe-k9.phz

reload

6. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot. The telnet connection to the device is lost.

7. Connect to the device using a serial or telnet management session.

8. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.1.0".

9. Continue with configuration as desired.

Remote CLI Instructions

Follow these instructions for downgrading using a remote CLI management session.

1. Copy the firmware image to the computer from which you configure the Secure Content Accelerator.

2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.

---

Note   You can set the on-prefix to direct commands to a single device.

---

Use these commands to attach to and enter Privileged mode:

attach

enable

 

5. If only one Secure Content Accelerator is listed, use the show device command. If more than one device is listed, use the command on devname show device, where devname is the name of the device. The returned text should contain "MaxOS 3.2.0".

6. If desired, save the running configuration for reloading following the downgrade using the write file command. Enter the path and file name for the configuration file when prompted.

7. Enter these commands to load the firmware image, where path is the path to the firmware image file.

copy to flash path/css-sca-2fe-k9.phz

reload

 

8. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must remove the 3.2 version and install the 3.1.0 version as described in "Remote Configuration Manager Replacement" below. Make sure you downgrade all 3.2.0 devices before removing the 3.2 version of the configuration manager.

9. To continue configuring the device with the 3.1.0 remote configuration manager, open the application (cscacfg) using the desktop short cut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

10. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

11. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 3.1.0".

12. Continue with configuration as desired.

Remote Configuration Manager Replacement

Note   Make sure you downgrade all 3.1.0 devices before removing the 3.1.0 version of the remote configuration manager.

Linux

Use these instructions for installing the 3.1.0 remote configuration manager in Linux. Installing the 3.1.0 remote configuration manager will replace the 3.2.0 installation. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.1.0 distribution directory has been downloaded onto the local file system. Enter the following commands at a Linux prompt:

mount -o map=off /mnt/cdrom

cd /mnt/cdrom/310/Linux/i386

./install_cscacfg

 

Solaris

Use these instructions for removing the 3.2.0 remote configuration manager and installing the 3.1.0 remote configuration manager in Solaris. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.1.0 distribution directory has been downloaded onto the local file system.

1. Remove the previous installation with pkgrm.

2. Enter this command:

pkgadd -d /cdrom/cdrom0/310/Solaris/Sparc

 

3. When the package is presented for installation, press Enter to install it.

4. Type q after installation to exit.

Windows NT and Windows 2000

Use these instructions for removing the 3.2.0 remote configuration manager and installing the 3.1.0 remote configuration manager in Windows NT or Windows 2000.

1. Remove the 3.2.0 Configuration manager using Add/Remove Programs in the Control Panel.When the Install Shield Wizard opens, select the Remove option button and click Next. Follow the screen prompts as they are displayed.

2. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate icon, path, and file names if the 3.1.0 distribution directory has been downloaded onto the local file system.

3. Double-click the CD icon.

4. Double-click the 310 icon.

5. Double-click the MSWin icon.

6. Double-click the WinNT icon (Windows NT) or Win2K icon. (Windows 2000).

7. Double-click the setup.exe application icon.

8. Follow the displayed Install Shield instructions.

GUI Instructions

Follow these instructions for downgrading using a GUI management session.

1. Open a Web browser and connect to the Secure Content Accelerator.

2. Ensure that the General>Status page is displayed.

3. The Release panel should contain "3.2.0.N", where N is any number.

4. If desired, save the running configuration for reloading following the downgrade using this procedure:

a. Click Tools to activate the Tools tabs.

b. Click the Preferences tab.

c. Right-click Download in the Running Configuration panel. Select either Save Target As... (Internet Explorer) or Save Link As... (Netscape) to save the configuration file.

5. Click Tools to activate the Tools tabs.

6. Click the Firmware tab.

7. Type the path and firmware image file name in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.

8. Click Upload to load the firmware image into the GUI.

9. Click Install Image next to the file information in the Installable Firmware Images panel.

10. After the new firmware has uploaded, click the Restart tab.

11. Click Reboot to reload the device. Wait several minutes for the device to reboot.

12. Reconnect to the device using the GUI and the IP address assigned to it.

13. Click General to activate the General tabs.

14. The Release panel should contain "3.1.0".

15. Continue with configuration as desired.

Operational Notes for 3.2

• The Cisco CSS 11000 Series Secure Content Accelerator Configuration Guide states the AC voltage as 100-240 VAC, 50-60 KHz. The correct voltage is 100-240 VAC, 50-60 Hz.
  
  
• The following commands have been removed from the CLI and GUI:
  
  
• snmp trap-type enterprise ssl-neg-failure
  
  
• snmp trap-type enterprise ssl-cert-expire
  
  
• snmp trap-type enterprise ssl-cert-invalid
  
  
• snmp trap-type enterprise ssl-certify-fail
  
  
• redirect
  
  
• Configuring a device using multiple sessions or methods simultaneously can cause undesirable results. We recommend only one session be used at a time to make configuration changes.
  
  
• If you change the IP address of a device with the remote configuration manager, the connection is lost to that device and must be re-established by restarting the remote configuration manager or using the discover command to find the device.
  
  
• After changing a device from one-port to two-port mode, write the configuration to flash and reload (reboot) the device for proper functioning.
  
  
• Copying to a device a configuration that changes the IP address or resets the interface settings can have unexpected results. If a configuration file was saved using the remote configuration manager or the onboard CLI, we recommend the same configuration manager be used to copy the configuration back to the device.
  
  
• Changing terminal settings in variance with the actual window size can affect the readline capabilities of the device: the displayed cursor position might not be indicative of its actual position.
  
  
• No error message is displayed when deleting an access list that is referenced by certain subsystems. Access is denied.
  
  
• Although you can set the encryption method for the remote management using the GUI, the encryption is not enabled until a shared secret (passphrase) is set and remote management encryption is enabled. Use the serial console to set the shared secret; use any CLI to enable remote management encryption.
  
  
• When using the Secure Content Accelerator with a CSS, do not set the keep-alive monitor on the CSS to use TCP service port 2932. This port is reserved for communication with the SSL appliance using the remote configuration manager. If you set the remote management port to a different TCP service port, ensure that the CSS keep-alive monitor does not use that port.
  
  

Network Design and Command Notes for 3.2

• If your firewall or router filters traffic based upon MAC address, you must allow multiple MAC addresses per IP address on the interface connected to the device.
  
  
• Changing the interface speed and duplex from autonegotiation does not display forced configuration if open connections are present. Forced speed and duplex settings are displayed only if a non-autonegotiated speed is specified.
  
  
• Adding a static route entry for duplicating a previously RIP-discovered route is not supported.
  
  
• Deleting a RIP-discovered route is not supported.
  
  
• A RIP-discovered default route cannot be cleared with the command clear ip routes or by disabling RIP alone. To remove this type of route, disable RIP and reload the device.
  
  
• The command ip route does not allow a change to an existing entry. To change an entry, delete the old entry first and then add the new one.
  
  
• When changing TCP service ports in the remote management and Web management subsystems, the device must be reloaded (rebooted) for the change to take effect. When changing TCP service ports in the telnet subsystem, the reassignment is immediate. Subsequent telnet connections must be made with the newly assigned port.
  
  
• In two-port mode services such as syslog, RIP, RDATE server, SNTP server, and SNMP are available only through the "Server" port.
  
  
• There is no abort for the traceroute command. If the host cannot be reached, the procedure will take several minutes to timeout.
  
  
• The help system for completion of the traceroute command indicates a lookup option. This option is unavailable.
  
  
• Multiple subsystems can be set to use the same access port. However, this causes undesirable results. Please ensure each subsystem "listening" port is unique on the device.
  
  
• To use the syslog ability, the configured syslog server must be set to listen for remote entries.
  
  

Secure Server Notes for 3.1

• If you edit an object referenced by a server, the server must be restarted before the changes will take effect. To restart the server, enter Privileged and Configuration modes, and use the suspend and activate commands.
  
  
• Non-transparent server objects are not updated if the device IP address is changed. Reloading the device or accessing the configuration of each server object resets the IP address assignment.
  
  
• Older browsers do not support chained certificates. We recommend upgrading to a newer browser version if chained certificate support is desired.
  
  
• A saved configuration file does not contain private keys. Private keys must be loaded separately with names exactly matching those referenced by the secure server. Additionally, old private keys are not removed from the startup-configuration by copying a new configuration to the device. To remove the old private keys, delete each private key, and write the running-configuration to the startup configuration or erase the startup-configuration.
  
  
• When using client authentication, individual Web browsers behave very differently in the way they filter requests for client certificates and how they cache certain aspects of the session.
  
  

GUI Notes for 3.2

• When setting up the device with SSL client-side GUI access, do not configure a non-transparent secure server to use the same localport.
  
  
• Erasing the running-configuration of a device using the GUI disconnects the Web browser from the device. To continue configuration, reconnect to the device.
  
  
• Setting the localport in a secure server entry to the listening TCP port of the Web management subsystem renders the GUI is inaccessible. You must use a different listening TCP port for each entity.
  
  
• When pasting a configuration via the GUI, the existing configuration is erased first; therefore, all configurations pasted using the GUI should be complete configurations. Incremental configuration updates are only possible by adding the changes to a complete configuration, and then pasting this configuration. An option for overwriting or incrementally updating a configuration using a pasted configuration will be added at a future date.
  
  
• The administrative timeout in the GUI does not limit access from the same browser. Disconnect the browser when not at the workstation.
  
  
• In certain situations the GUI does not report errors when trying to delete an object referenced by another object. This situation usually results in silent failure. However, be aware that the GUI allows you to delete a certificate referenced by a certificate group.
  
  
• The GUI caches certain items and can misrepresent the state of the actual device in certain circumstances, such as if the device is rebooted without saving changes. To obtain the current device state, refresh the page. This can be accomplished by holding the SHIFT-clicking the Refresh button.
  
  
• Once Web management is enabled, it is always accessible via the "Server" port (two-port mode) or the "Network" port (one-port mode) even if SSL client-side access has been configured. Use an access list to prevent unwanted access.
  
  
• Assigning a Web management access list to the device completely prevents HTTPS access from the GUI. Setting the following access list allows HTTPS access to the GUI from any IP address:
  
  

access-list 10 permit 127.0.0.1 0.0.0.0
web-mgmt access-list 10
 

CLI Notes for 3.2

• The monitor command can take an interval. The updated syntax is monitor [seconds] <command>, where seconds is the number of seconds between display refreshes and command is the command to use for display.
  
  
• The write messages command is available during serial and telnet management sessions. Instead of a file name, specify a URL.
  
  
• The copy to startup-configuration command replaces the startup-configuration. The keys and shared-secret password still exist unless they have been deleted or erased.
  
  
• Erasing the running-configuration of a device using the CLI disconnects any remote configuration manager, GUI, or telnet sessions from the device. To continue configuration, reconnect to the device.
  
  
• We do not recommend pasting complete configurations using the CLI. The device can lock up. Pasting sections of the configuration alleviates this problem.
  
  
• The custom completer completes previously created objects with the word "create" if TAB is pressed after the full name is typed. To edit an existing object, ensure "create" is not part of the command.
  
  
• When writing configuration files to the running configuration, the new configuration file appends to the existing configuration rather than replacing it. In the process of recreating existing configuration information, some errors will be displayed. These can be ignored safely.
  
  
• When trying to clear a current management session, an appropriate error message is displayed. However, the message sent to the message buffer might be misleading and can be safely ignored.
  
  
• The on prefix will not change if you change the hostname of the referenced device. You must change the on prefix manually.
  
  
• The passphrase option in the password command documentation is misleading. A passphrase is not supplied on the command line, but requested after entering the password command.
  
  

SNMP Notes for 3.2

The factory-set default SNMP community is "public"; however, "public" is not listed in the configuration. The behavior of setting and resetting the SNMP community is demonstrated in the table below.

Command	SNMP community is set to...	SNMP community in configuration is...
snmp default community XYZ	XYZ	XYZ
no snmp default community	XYZ	No default community listed
snmp default community public	public	public

Syslog Usage Notes

The SSL device syslog implementation for firmware 3.2 and below supports only "kern" facility logging. A future release will offer "local" and custom facility support. The following are example syslogd.conf settings:

kern.debug;         /var/log/ssl-debug
kern.info;          /var/log/ssl-info
kern.none;          /var/log/ssl-none
kern.crit;          /var/log/ssl-crit
kern.warn;          /var/log/ssl-warn
 

Or you can use the settings displayed below:

*.debug;         /var/log/ssl-debug
*.info;          /var/log/ssl-info
*.none;          /var/log/ssl-none
*.crit;          /var/log/ssl-crit
*.warn;          /var/log/ssl-warn
 

Linux-Specific Issues for 3.2

• Using ^C to abort the QuickStart wizard may not work if the intr char is not set to ^C. Check the intr char using the command stty -a at the Linux prompt, and use this key combination to abort the QuickStart wizard.
  
  
• While using the monitor command only the Enter key will abort the display.
  
  

Solaris-Specific Issues for 3.2

• The remote configuration manager will not run using the sh shell.
  
  
• While using the monitor command only the Enter key will abort the display.
  
  

Windows NT 4.0-Specific Issues for 3.2

• The arrow keys on the Windows NT 4.0 default telnet client when accessing the CLI do not behave as expected. To scroll through the command history, use CTRL-N and CTRL-P.
  
  
• In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.
  
  
• Pasting certificates or keys using the default Windows NT telnet client may fail. This may be the result of the Return character at the end of each line in the file. If you open the file with Notepad and see black boxes at the end of each line, delete them and replace them with carriage returns using the Enter key. The file should load after this.
  
  

Windows 2000-Specific Issues for 3.2

In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.

Version 3.2 Command Changes

Table 1 and Table 2 list CLI commands and options that have been added to or changed in version 3.2, respectively. Changed commands are listed in their current 3.2 format. Table 3 lists commands have been removed in this release. The command descriptions are a summary.

Table 1: CLI Commands Added in 3.2

Mode	Command and Syntax	Description
Top Level Mode (Non-Privileged Mode)	show flows on <devname|groupname|all> show flows	Availability: Remote, Serial, Telnet Displays IP connection information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices. Replaces the previous show flow command.
Top Level Mode (Privileged Mode)	show diagnostic-report	Availability: Serial, Telnet Displays configuration and diagnostic information for a device. The reports shown are the following: SSL Device Configuration (show device) Startup Configuration (show startup-config) Running Configuration (show running-config) Processes (show processes) Network Status (show netstat) Memory Statistics (show memory) Memory Zones (show memory zones) SSL Statistics (show ssl statistics) SSL Session Statistics (show ssl session stats) SSL Errors (show ssl errors) Individual reports can be generated using the command following each report name.
	show sntp	Availability: Remote, Serial, Telnet Displays SNTP configuration information, including the SNTP servers configured and the polling interval.
Configuration Mode	clock [date|time]	Availability: Serial Allows the administrator to set the date or time, respectively. After entering the command, you are prompted to enter the appropriate date or time. The device date and time can be viewed by using the show date command.
	sntp interval [seconds]	Availability: Remote, Serial, Telnet Sets polling interval for all configured SNTP servers, where seconds is the number of seconds between polls. The default interval is 86400 seconds (one day), the minimum and maximum intervals are 60 and 2419200 (one month), respectively. The interval can be displayed using the commands show device, show snmp and write terminal.
	sntp server [ipaddr|hostname] no sntp server [ipaddr|hostname]	Availability: Remote, Serial, Telnet Sets or removes a specified SNTP server in the device configuration. You are prompted to enter and verify the password. Use the no form of the command to clear the SNTP server. If more than one SNTP server has been configured, you must specify the IP address or hostname of the one to delete. Up to four SNTP servers can be configured. If the first SNTP server returns an error, the next SNTP server is polled. After the fourth SNTP poll returns an error, the first server is polled again. SNTP information can be displayed using the commands show device, show snmp and write terminal. Note   When a hostname is used rather than an IP address, the hostname is resolved as an IP address when written to the configuration.
Server Configuration Mode	urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly> no urlrewrite <domainName>	Availability: Remote, Serial, Telnet Sets or remove a specified URL rewrite rule for the current secure server. The domainName is the domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., "*.company.com". The redirectonly keyword is used to indicate that only the "Location;" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects. Up to 32 URL rewrite rules can be configured. Use the no form of the command to clear the specified rule. If more than one rule has been configured, you must specify the domain name of the rule to delete. URL rewrite information can be displayed by using the command show ssl server.

What's New in 3.1

• Increases the maximum number of concurrent connections possible.
  
  
• Adds Backend Server configuration, enabling the device to take HTTP requests from a client and process HTTPS requests to the configured server.
  
  
• Adds Reverse Proxy Server configuration, enabling the device to act as an SSL proxy for client requests. The device receives HTTP requests from the client configured to use the device as a proxy and then processes HTTPS requests to the requested web site.
  
  
• Adds SNTP support.
  
  
• Adds ability to generate keys on the device and save them to disk at time of creation.
  
  
• Adds ability to generate certificate signing requests or self-signed certificates.
  
  
• An additional security policy has been added to address potential problems in non-US installations using Internet Explorer. This policy, noexport56, includes the following ciphers: DES-CBC3-SHA, ARC-SHA, ARC4-MD5, DES-CBC-SHA, DES-CBC3-MD5, EXP-DES-CBC-SHA, EXP-ARC2-MD5, and EXP-ARC4-MD5. While this security policy disables the 56-bit cipher suite, it does not compromise the strength or the integrity of the encryption in any way.
  
  
• Adds ability to suspend SSL server activity.
  
  
• Adds client authentication ability to SSL server entries.
  
  
• Adds ability to have automatic HTTP redirection to HTTPS.
  
  
• Expands the SNMP capabilities by enhancing GET capabilities.
  
  
• Adds the monitor command which expands the ability of showing statistics, device state, and configuration.
  
  
• Adds the ability to set the baud rate of the Console port.
  
  
• Adds the ability to turn on/off session caching.
  
  
• HTTP headers can now be added to backend HTTP stream.
  
  
• Adds ability to set the port for telnet and web management.
  
  
• Adds ability to terminate sessions from the command line.
  
  
• Adds custom completion to the help commands.
  
  
• Adds the ability to set the date on the device manually.
  
  
• Command syntax is now displayed with a ? rather than TAB which still shows completion of the command.
  
  
• Adds Ephemeral RSA toggle.
  
  
• Expands GUI functionality including Secure Server Wizard.
  
  

Notes for 3.1

The following sections contain notes related to the 3.1 release.

Upgrading from Previous Releases

The 3.1 version can only be upgraded from 3.0 and later releases. Upgrading from other versions can fail or cause the loss of certain configuration parameters. The CD includes a 306 directory containing firmware images and remote configuration software necessary for the incremental update. Before continuing with the upgrade, please read the notes below. To install the 3.0.6 version from a previous firmware release, see the file RelNot_306.pdf in the 306 directory of the distribution CD.

Upgrade Notes

Table 4, below, presents device behaviors resulting from several upgrade scenarios as well as workarounds, if available.

Table 4: Upgrade Scenarios

Scenario	Result	Workaround
User-defined security policy "noexport56" is present. Reboot.	The user-defined security policy is over-written.	Recreate the existing user-defined security policy using a different name before updating the device.
User-defined certificate group "defaultCA" is present. Reboot.	The user-defined certificate group is over-written.	Recreate the existing user-defined certificate group with a different name before updating the device.
Prior to update, 251 user-defined security policies are present.	The security policy listed as index number 251 is deleted at reboot.	1. Prior to updating, attach to the device using a CLI and use the show ssl command. 2. Look at the list in the Security Policies block. The Id 251 security policy is deleted at reboot. You can delete another security policy to preserve that one. 3. Identify the security policy used least. 4. Use the following commands to delete it. enable configure ssl no secpolicy polname Proceed with the update as instructed.
Prior to update, 64 user-defined certificate groups are present.	The certificate group listed as index number 64 is deleted at reboot.	1. Prior to updating, attach to the device using a CLI and use the show ssl command. 2. Look at the list in the Certificate Groups block. The Id 64 certificate group is lost when rebooting. You can delete another group to preserve that one. 3. Identify the certificate group used least. 4. Use the following commands to delete it. enable configure ssl no certgroup certgpname Proceed with the update as instructed.
Prior to update, more than 495 user-defined certificates are present.	Certificates listed as index number 499 and above are deleted at reboot.	1. Prior to updating, attach to the device using a CLI and use the show ssl command. 2. Look at the list in the Certificates block. Certificates listed as Id 499 and above are lost when rebooting. You can delete any less-used certificates to preserve the user-defined certificates listed as Id 499 and above. 3. Identify the certificates used least. 4. Use the following commands to delete each certificate. enable configure ssl no cert certname Proceed with the update as instructed.

Downgrading to 3.0.6

Devices flashed with version 3.1 firmware can be downgraded to version 3.0.6 firmware. The 310 directory contains an Adobe Acrobat file named DowngrdNote.pdf. This file has instructions for proceeding with the downgrade.

Operational Notes for 3.1

• Configuring a device using multiple sessions or methods simultaneously can cause undesirable results. We recommend only one session be used at a time to make configuration changes.
  
  
• If you change the IP address of a device with the remote configuration manager, the connection is lost to that device and must be re-established by restarting the remote configuration manager or using the discover command to find the device.
  
  
• After changing a device from one-port to two-port mode, write the configuration to flash and reload (reboot) the device for proper functioning.
  
  
• Copying to a device a configuration that changes the IP address or resets the interface settings can have unexpected results. If a configuration file was saved using the remote configuration manager or the onboard CLI, we recommend the same configuration manager be used to copy the configuration back to the device.
  
  
• Changing terminal settings in variance with the actual window size can affect the readline capabilities of the device: the displayed cursor position might not be indicative of its actual position.
  
  
• No error message is displayed when deleting an access list that is referenced by certain subsystems. Access is denied.
  
  
• Although you can set the encryption method for the remote management using the GUI, the encryption is not enabled until a shared secret (passphrase) is set and remote management encryption is enabled. Use the serial console to set the shared secret; use any CLI to enable remote management encryption.
  
  
• When using the Secure Content Accelerator with a CSS, do not set the keep-alive monitor on the CSS to use TCP service port 2932. This port is reserved for communication with the SSL appliance using the remote configuration manager. If you set the remote management port to a different TCP service port, ensure that the CSS keep-alive monitor does not use that port.
  
  

Network Design and Command Notes for 3.1

• If your firewall or router filters traffic based upon MAC address, you must allow multiple MAC addresses per IP address on the interface connected to the device.
  
  
• Changing the interface speed and duplex from autonegotiation does not display forced configuration if open connections are present. Forced speed and duplex settings are displayed only if a non-autonegotiated speed is specified.
  
  
• Adding a static route entry for duplicating a previously RIP-discovered route is not supported.
  
  
• Deleting a RIP-discovered route is not supported.
  
  
• A RIP-discovered default route cannot be cleared with the command clear ip routes or by disabling RIP alone. To remove this type of route, disable RIP and reload the device.
  
  
• The command ip route does not allow a change to an existing entry. To change an entry, delete the old entry first and then add the new one.
  
  
• When changing TCP service ports in the remote management and Web management subsystems, the device must be reloaded (rebooted) for the change to take effect. When changing TCP service ports in the telnet subsystem, the reassignment is immediate. Subsequent telnet connections must be made with the newly assigned port.
  
  
• In two-port mode services such as syslog, RIP, RDATE server, SNTP server, and SNMP are available only through the "Server" port.
  
  
• There is no abort for the traceroute command. If the host cannot be reached, the procedure will take several minutes to timeout.
  
  
• The help system for the ping completion of the traceroute command indicates a lookup option. This option is unavailable.
  
  
• Multiple subsystems can be set to use the same access port. However, this causes undesirable results. Please ensure each subsystem "listening" port is unique on the device.
  
  
• To use the syslog ability, the configured syslog server must be set to listen for remote entries.
  
  

Secure Server Notes for 3.1

• If you edit an object referenced by a server, the server must be restarted before the changes will take effect. To restart the server, enter Privileged and Configuration modes, and use the suspend and activate commands.
  
  
• Non-transparent server objects are not updated if the device IP address is changed. Reloading the device or accessing the configuration of each server object resets the IP address assignment.
  
  
• Older browsers do not support chained certificates. We recommend upgrading to a newer browser version if chained certificate support is desired.
  
  
• The HTTP redirect functionality is supported only in one-port mode at present.
  
  
• A saved configuration file does not contain private keys. Private keys must be loaded separately with names exactly matching those referenced by the secure server. Additionally, old private keys are not removed from the startup-configuration by copying a new configuration to the device. To remove the old private keys, delete each private key, and write the running-configuration to the startup configuration or erase the startup-configuration.
  
  
• When using client authentication, individual Web browsers behave very differently in the way they filter requests for client certificates and how they cache certain aspects of the session.
  
  

GUI Notes for 3.1

• When setting up the device with SSL client-side GUI access, do not configure a non-transparent secure server to use the same localport.
  
  
• Erasing the running-configuration of a device using the GUI disconnects the Web browser from the device. To continue configuration, reconnect to the device.
  
  
• Setting the localport in a secure server entry to the listening TCP port of the Web management subsystem renders the GUI is inaccessible. You must use a different listening TCP port for each entity.
  
  
• When pasting a configuration via the GUI, the existing configuration is erased first; therefore, all configurations pasted using the GUI should be complete configurations. Incremental configuration updates are only possible by adding the changes to a complete configuration, and then pasting this configuration. An option for overwriting or incrementally updating a configuration using a pasted configuration will be added at a future date.
  
  
• The GUI telnet client does not process a backspace to the beginning of a line. Press Enter to obtain a new line and enter the command.
  
  
• The administrative timeout in the GUI does not limit access from the same browser. Disconnect the browser when not at the workstation.
  
  
• The GUI telnet client cannot connect if the port is not set to the default setting or if telnet access has been disabled on the device.
  
  
• In certain situations the GUI does not report errors when trying to delete an object referenced by another object. This situation usually results in silent failure. However, be aware that the GUI allows you to delete a certificate referenced by a certificate group.
  
  
• The GUI caches certain items and can misrepresent the state of the actual device in certain circumstances, such as if the device is rebooted without saving changes. To obtain the current device state, refresh the page. This can be accomplished by holding the SHIFT-clicking the Refresh button.
  
  
• Once Web management is enabled, it is always accessible via the "Server" port (two-port mode) or the "Network" port (one-port mode) even if SSL client-side access has been configured. Use an access list to prevent unwanted access.
  
  
• Assigning a Web management access list to the device completely prevents HTTPS access from the GUI. Setting the following access list allows HTTPS access to the GUI from any IP address:
  
  

access-list 10 permit 127.0.0.1 0.0.0.0
web-mgmt access-list 10
 

CLI Notes for 3.1

• The monitor command can take an interval. The updated syntax is monitor [seconds] <command>, where seconds is the number of seconds between display refreshes and command is the command to use for display.
  
  
• The write messages command is available during serial and telnet management sessions. Instead of a file name, specify a URL.
  
  
• The copy to startup-configuration command replaces the startup-configuration. The keys and shared-secret password still exist unless they have been deleted or erased.
  
  
• Erasing the running-configuration of a device using the CLI disconnects any remote configuration manager, GUI, or telnet sessions from the device. To continue configuration, reconnect to the device.
  
  
• We do not recommend pasting complete configurations using the CLI. The device can lock up. Pasting sections of the configuration alleviates this problem.
  
  
• Invalid date strings may be accepted when entering a date. Verify the setting using the show date command, and correct the date if necessary.
  
  
• The custom completer completes previously created objects with the word "create" if TAB is pressed after the full name is typed. To edit an existing object, ensure "create" is not part of the command.
  
  
• When writing configuration files to the running configuration, the new configuration file appends to the existing configuration rather than replacing it. In the process of recreating existing configuration information, some errors will be displayed. These can be ignored safely.
  
  
• When trying to clear a current management session, an appropriate error message is displayed. However, the message sent to the message buffer might be misleading and can be safely ignored.
  
  
• The on prefix will not change if you change the hostname of the referenced device. You must change the on prefix manually.
  
  
• The passphrase option in the password command documentation is misleading. A passphrase is not supplied on the command line, but requested after entering the password command.
  
  

SNMP Notes for 3.1

• Disabling SNMP does not disable the associated TCP ports. To disable the ports, save the disabled configuration and reload the device.
  
  
• Certificate verification and SSL negotiation failure traps do not function.
  
  
• You can set the SNMP access list to a non-existent one using the GUI. In this instance the access list behavior is to deny all traffic to that subsystem.
  
  
• The factory-set default SNMP community is "public"; however, "public" is not listed in the configuration. The behavior of setting and resetting the SNMP community is demonstrated in the table below,
  
  

Command	SNMP community is set to...	SNMP community in configuration is...
snmp default community XYZ	XYZ	XYZ
no snmp default community	XYZ	No default community listed
snmp default community public	public	public

Linux-Specific Issues for 3.1

• Using ^C to abort the QuickStart wizard may not work if the intr char is not set to ^C. Check the intr char using the command stty -a at the Linux prompt, and use this key combination to abort the QuickStart wizard.
  
  
• While using the monitor command only the Enter key will abort the display.
  
  

Solaris-Specific Issues for 3.1

• The remote configuration manager will not run using the sh shell.
  
  
• While using the monitor command only the Enter key will abort the display.
  
  

Windows NT 4.0-Specific Issues for 3.1

• The arrow keys on the Windows NT 4.0 default telnet client when accessing the CLI do not behave as expected. To scroll through the command history, use CTRL-N and CTRL-P.
  
  
• In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.
  
  
• Pasting certificates or keys using the default Windows NT telnet client may fail. This may be the result of the Return character at the end of each line in the file. If you open the file with Notepad and see black boxes at the end of each line, delete them and replace them with carriage returns using the Enter key. The file should load after this.
  
  

Windows 2000-Specific Issues for 3.1

In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.

Version 3.1 Command Changes

Table 5 and Table 6 list CLI commands and options that have been added or changed to software version 3.1. Changed commands are listed in their current 3.1 format. No commands have been removed in this release. The command descriptions are a summary. Please see the Cisco 11000 Series Secure Content Accelerator Configuration Guide for more information.

Table 5: CLI Commands Added in 3.1

Mode	Command and Syntax	Description
Top Level: Non-Privileged and Privileged Modes	monitor <command> on <devname|groupname|all> monitor <command>	Availability: Remote, Serial, Telnet Displays the results of the specified show command at one second intervals, where command is the command. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
	set monitor-interval <value> no set monitor-interval	Availability: Remote, Serial, Telnet Sets the number of seconds between monitor-prefixed command refreshes. Use the no form of the command to return the monitor interval to default value.
	show flow on <devname|groupname|all> show flow	Availability: Remote, Serial, Telnet Displays IP connection information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
	show rdate-server on <devname|groupname|all> show rdate-server	Availability: Remote, Serial, Telnet Displays the IP address of the RDATE protocol server configuration for one or more devices.
	show sntp-server on <devname|groupname|all> show sntp-server	Availability: Remote, Serial, Telnet Displays SNTP-server information for one or more devices. The SNTP server is used for date and time information.
	show ssl session-stats [continuous] [interval <value>] on <devname|groupname|all> show ssl session-stats [continuous] [interval <value>]	Availability: Remote, Serial, Telnet Displays SSL session statistics summed over all secure logical servers on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
Top Level: Non-Privileged and Privileged Modes (continued)	show telnet on <devname|groupname|all> show telnet	Availability: Remote, Serial, Telnet Displays telnet management information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
	show web-management on <devname|groupname|all> show web-management	Availability: Remote, Serial, Telnet Displays Web-based GUI management information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
	terminal baud <1200|2400|4800|9600|19200|38400|115200>	Availability: Serial Sets the baud for communicating with the Secure Content Accelerator.
Top Level: Privileged Mode	clear line <sessionId>	Availability: Serial Closes a specified management session, where sessionId is the session identifier.
	clear ssl session-stats on <devname|groupname|all> clear ssl session-stats	Availability: Remote, Serial, Telnet Resets all SSL session statistics for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
	refresh	Availability: Remote, Serial, Telnet Updates device information in the configuration manager.
Group Configuration Mode	finished	Availability: Remote Exits Group Configuration Mode and returns to Top Level mode.
Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Configuration Mode and returns to Top Level mode.
	registration-code <code>	Availability: Remote, Serial, Telnet Stores the registration code of the device.
	sntp-server <ipaddr> no sntp-server	Availability: Remote, Serial, Telnet Assigns an SNTP server, where ipaddr is the IP address of the server. Use the no form of the command to remove the SNTP server information.
Configuration Mode (continued)	telnet port <portid> no telnet port <portid>	Availability: Remote, Serial, Telnet Specifies the TCP service port to use for telnet management sessions, where portid is the TCP service port to be used when managing the device via a telnet session. Use the no form of the command to return the telnet management port to the default setting. The port assignment is used at the next attach.
	web-mgmt port <portid> no web-mgmt port <portid>	Availability: Remote, Serial, Telnet Specifies the TCP service port used for management with the Web-based GUI, where portid is the TCP service port to be used when managing the device via the GUI. Use the no form of the command to return the GUI management port to the default setting. The port assignment is used at the next attach.
Interface Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Interface Configuration Mode and returns to Top Level mode.
SSL Configuration Mode	backend-server <servname> [create] no backend-server <servname>	Availability: Remote, Serial, Telnet Creates and/or configures the specified backend server, where servname is the name of the server, and enters Backend Server Configuration mode for that server. The no form of the command is used to remove the specified backend server. A device can have a total of 255 servers in any combination of backend, reverse-proxy, or standard secure servers.
	finished	Availability: Remote, Serial, Telnet Leaves SSL Configuration Mode and returns to Top Level mode.
	gencsr <key <keyname>> [newhdr] [digest md5|sha1] [output <filename|url>]	Availability: Remote, Serial, Telnet Generates a certificate signing request and/or self-signed certificate, where keyname is the name of the key to use for generation and filename and url are the location for the optional output file.
	reverse-proxy-server <servname> [create] no reverse-proxy-server <servname>	Availability: Remote, Serial, Telnet Creates and/or configures the specified reverse-proxy server, where servname is the name of the server, and enters Reverse-Proxy Server Configuration mode for that server. The no form of the command is used to remove the specified reverse-proxy server. A device can have a total of 255 servers in any combination of backend, reverse-proxy, or standard secure servers.
Backend Server Configuration Mode	activate	Availability: Remote, Serial, Telnet Activates the current suspended backend server if enough information has been configured.
	certgroup serverauth <certgroupname> no certgroupchain	Availability: Remote, Serial, Telnet Assigns a certificate group to be used for server certificate authentication, where certgroupname is the name of the existing certificate group. The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.
	end	Availability: Remote, Serial, Telnet Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode.
	exit	Availability: Remote, Serial, Telnet Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode.
	finished	Availability: Remote, Serial, Telnet Leaves Backend Server Configuration Mode and returns to Top Level mode.
	help [command]	Availability: Remote, Serial, Telnet Displays help information for the specified command. If you do not specify a command, help information is displayed for all Backend Server Configuration Commands.
	info	Availability: Remote, Serial, Telnet Displays current information about the logical secure server being edited or created.
	ip address <ipaddr> [netmask <mask>] no ip address	Availability: Remote, Serial, Telnet Sets the specified IP address for the backend server, where ipaddr is the IP address and mask is the valid netmask. Using the no form of the command clears the IP address for the backend server.
	localport <port|default>	Availability: Remote, Serial, Telnet Specifies the TCP service port through which non-secure connections are received, where port is the port specification. Using the keyword default sets the port specification to 80.
	log-url <ipaddr>	Availability: Remote, Serial, Telnet Specifies a host for logging of URL requests, where ipaddr is the IP address of the log host.
Backend Server Configuration Mode (continued)	remoteport <port|default>	Availability: Remote, Serial, Telnet Specifies the TCP service port through which redirected secure connections are sent, where port is the port specification. Using the keyword default sets the port specification to 443.
	secpolicy <polname|all|default|strong|weak>	Availability: Remote, Serial, Telnet Creates an association between this server and the specified security policy, where polname is the name of the existing security policy.
	serverauth enable no serverauth enable	Availability: Remote, Serial, Telnet Enables server certificate authentication. Using the no form of the command disables server certificate authentication.
	serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name no serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name	Availability: Remote, Serial, Telnet Specifies the server authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific server authentication error.
	session-cache enable no session-cache enable	Availability: Remote, Serial, Telnet Enables session caching. Use the no form of the command to disable session caching.
	session-cache size <cachesize>	Availability: Remote, Serial, Telnet Specifies the size of the session cache, where cachesize is the number of sessions to be cached. The default is 1024. The acceptable range is 1 to 5096.
	session-cache timeout <seconds>	Availability: Remote, Serial, Telnet Specifies the session cache length before being timed out, where seconds is the number of seconds before the cache times out.
	suspend [now]	Availability: Remote, Serial, Telnet Suspends the function of the backend server.
	transparent no transparent	Availability: Remote, Serial, Telnet Enables the backend server to function as a transparent proxy (default). When transparent proxy behavior is disabled, the device accepts connections on the IP address of the Secure Content Accelerator rather than on the server address. The no form of the command is used to disable this behavior.
Certificate Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Certificate Configuration Mode and returns to Top Level mode.
Certificate Group Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Certificate Group Configuration Mode and returns to Top Level mode.
Key Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Key Configuration Mode and returns to Top Level mode.
	genrsa [bits <512|1024>] [encrypt <des|des3>] [seed <seedstring>] [output <filename|url>]	Availability: Remote, Serial, Telnet Generates an RSA key.
Reverse-Proxy Server Configuration Mode	activate	Availability: Remote, Serial, Telnet Activates the current suspended reverse-proxy server if enough information has been configured.
	certgroup serverauth <certgroupname> no certgroupchain	Availability: Remote, Serial, Telnet Assigns a certificate group to be used for server certificate authentication, where certgroupname is the name of the existing certificate group. The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.
	end	Availability: Remote, Serial, Telnet Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode.
	exit	Availability: Remote, Serial, Telnet Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode.
	finished	Availability: Remote, Serial, Telnet Leaves Reverse-Proxy Server Configuration Mode and returns to Top Level mode.
	help [command]	Availability: Remote, Serial, Telnet Displays help information for the specified command. If you do not specify a command, help information is displayed for all Reverse-Proxy Server Configuration Commands.
	info	Availability: Remote, Serial, Telnet Displays current information about the logical secure server being edited or created.
	ip address <ipaddr> [netmask <mask>] no ip address	Availability: Remote, Serial, Telnet Sets the specified IP address for the backend server, where ipaddr is the IP address and mask is the valid netmask. Using the no form of the command clears the IP address for the backend server.
Reverse-Proxy Server Configuration Mode (continued)	localport <port|default>	Availability: Remote, Serial, Telnet Specifies the TCP service port through which non-secure connections are received, where port is the port specification. Using the keyword default sets the port specification to 80.
	log-url <ipaddr>	Availability: Remote, Serial, Telnet Specifies a host for logging of URL requests, where ipaddr is the IP address of the log host.
	remoteport <port|default>	Availability: Remote, Serial, Telnet Specifies the TCP service port through which redirected secure connections are sent, where port is the port specification. Using the keyword default sets the port specification to 443.
	secpolicy <polname|all|default|strong|weak>	Availability: Remote, Serial, Telnet Creates an association between this server and the specified security policy, where polname is the name of the existing security policy.
	serverauth enable no serverauth enable	Availability: Remote, Serial, Telnet Enables server certificate authentication. Using the no form of the command disables server certificate authentication.
	serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name no serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name	Availability: Remote, Serial, Telnet Specifies the server authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific server authentication error.
	session-cache enable no session-cache enable	Availability: Remote, Serial, Telnet Enables session caching. Use the no form of the command to disable session caching.
	session-cache size <cachesize>	Availability: Remote, Serial, Telnet Specifies the size of the session cache, where cachesize is the number of sessions to be cached. The default is 1024. The acceptable range is 1 to 5096.
	session-cache timeout <seconds>	Availability: Remote, Serial, Telnet Specifies the session cache length before being timed out, where seconds is the number of seconds before the cache times out.
	suspend [now]	Availability: Remote, Serial, Telnet Suspends the function of the reverse-proxy server.
Security Policy Configuration Mode	finished	Availability: Remote, Serial, Telnet Leaves Security Policy Configuration Mode and returns to Top Level mode.
Server Configuration Command Mode	activate	Availability: Remote, Serial, Telnet Activates the current logical secure server if enough information has been configured.
	certgroup clientauth <certgroupname> no clientauth	Availability: Remote, Serial, Telnet Assigns a certificate group to be used as a certificate trust list for client certificate authentication. The no form of the command is used to disable client authentication using the certificate group. When using the no flag, you need not specify any certificate group name. Only one certificate chain can be used.
	clientauth enable no clientauth enable	Availability: Remote, Serial, Telnet Enables client certificate authentication. Use the no form of the command to disable client certificate authentication.
	clientauth error <cert-not-provided| cert-not-yet-valid| cert-has-expired| cert-revoked|cert-has-invalid-ca| cert-has-signature-failure| cert-other-error|all> <fail|failhtml|ignore|redirect <url>> no clientauth error <cert-not-provided| cert-not-yet-valid| cert-has-expired|cert-revoked| cert-has-invalid-ca| cert-has-signature-failure| cert-other-error|all >	Availability: Remote, Serial, Telnet Specifies the client certificate authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific client authentication error.
	clientauth verifydepth <depth>	Availability: Remote, Serial, Telnet Specifies the level of certificate within the certificate group to use when verifying client certificates, where depth is the number of certificates within the certificate group to use for authentication.
	ephrsa no ephrsa	Availability: Remote, Serial, Telnet When an export browser version connects to a server using 1024-bit keys, this allows the RSA key exchange (the SSL handshake) to be negotiated using a dynamically created 512-bit key. Using ephemeral RSA ensures the device complies with United States commerce laws. The default is no ephemeral RSA. Use the no form of the command to disable ephemeral RSA.
	finished	Availability: Remote, Serial, Telnet Leaves Server Configuration Mode and returns to Top Level mode.
Server Configuration Mode (continued)	httpheader <session|server-cert|client-cert| pre-filter|prefix <prefixString>> no httpheader <session|server-cert|client-cert| pre-filter|prefix>	Availability: Remote, Serial, Telnet Specifies the header information to pass to backend HTTP servers. Any combination of options can be used currently. Use the no form of the command to cease using the specific option.
	redirect no redirect	Availability: Remote, Serial, Telnet Enables server redirection. Use the no form of the command to disable server redirection.
	session-cache enable no session-cache enable	Availability: Remote, Serial, Telnet Enables session caching. Use the no form of the command to disable session caching.
	session-cache size <cachesize>	Availability: Remote, Serial, Telnet Specifies the size of the session cache, where cachesize is the number of sessions. The default is 1024. The acceptable range is 1 to 5096.
	session-cache timeout <seconds>	Availability: Remote, Serial, Telnet Specifies the session cache length before being timed out, where seconds is the number of seconds.
	suspend [now]	Availability: Remote, Serial, Telnet Suspends the function of the server.