Release Notes for the Cisco VPN 5000 Concentrator Software Version 5.2.16

These release notes provide information about the Cisco VPN 5000 concentrator software Version 5.2.16. These release notes are updated as needed to describe caveats that were fixed from the previous releases, open caveats, and documentation updates.

New Features

The following sections list new features since the previous major release. To see which caveats were fixed in maintenance releases for v5.2, see the "VPN 5000 Concentrator Software Caveats Fixed from Previous Releases" section.

VPN 5000 Software Features

Table 1 lists new features since Compatible Systems IntraPort software Version 5.1.x. IntraPort servers are now called the Cisco VPN 5000 concentrator series.

Table 1: VPN 5000 Software New Features

Feature Description

Server-side certificates and certificate generation to support hybrid XAUTH authentication

Allows Axent Defender, SecurID, and RADIUS to use hybrid XAUTH to authenticate clients

No differentiation between supported numbers of client tunnels and LAN-to-LAN tunnels

Allows you to combine tunnels of any type to reach to the maximum number of tunnels supported.

LAN-to-LAN tunnel rekeying and perfect forward secrecy (PFS)

Increases the security of the tunnel through rekeying and PFS. PFS specifies that every time the concentrator computes encryption or authentication keys, it includes a new Diffie-Hellman Key Exchange. Rekeying forces the tunnel to periodically be reestablished with a new key. Both techniques greatly increase the difficulty of finding the session keys used to encrypt a VPN session.

Generic LAN-to-LAN tunnel partner

Allows you to configure a concentrator as a default responder to allow tunnels with any remote peer, without having to configure the concentrator for communication with each individual peer.

New or improved VPN management commands

show vpn command provides extensive displays to help troubleshoot and maintain VPN tunnels.

reset vpn command terminates VPN tunnels

vpn cutoff command stops new connections

Feature	Description
Server-side certificates and certificate generation to support hybrid XAUTH authentication	Allows Axent Defender, SecurID, and RADIUS to use hybrid XAUTH to authenticate clients
No differentiation between supported numbers of client tunnels and LAN-to-LAN tunnels	Allows you to combine tunnels of any type to reach to the maximum number of tunnels supported.
LAN-to-LAN tunnel rekeying and perfect forward secrecy (PFS)	Increases the security of the tunnel through rekeying and PFS. PFS specifies that every time the concentrator computes encryption or authentication keys, it includes a new Diffie-Hellman Key Exchange. Rekeying forces the tunnel to periodically be reestablished with a new key. Both techniques greatly increase the difficulty of finding the session keys used to encrypt a VPN session.
Generic LAN-to-LAN tunnel partner	Allows you to configure a concentrator as a default responder to allow tunnels with any remote peer, without having to configure the concentrator for communication with each individual peer.
New or improved VPN management commands	show vpn command provides extensive displays to help troubleshoot and maintain VPN tunnels. reset vpn command terminates VPN tunnels vpn cutoff command stops new connections

Hardware Supported

Table 2 lists the hardware and software builds supported for concentrator software Version 5.2.16:

Table 2: Supported Hardware for Software Version 5.2.15

Model Software Build

IntraPort 2¹

vpn-intraport-2-x.x.x²-[3]³des.dld

IntraPort 2+¹

vpn-intraport-2plus-x.x.x-[3]des.dld

VPN 5001

vpn-5001-x.x.x-[3]des.dld

IntraPort Carrier and Enterprise¹, VPN 5002 and 5008

vpn-5002-5008-x.x.x-[3]des.dld

¹ Compatible Systems legacy platforms.
² x.x.x is the software version, for example, 5.2.2.
³U.S. builds include 3DES; export builds include DES. The file name reflects the encryption level.

Model	Software Build
IntraPort 2¹	vpn-intraport-2-x.x.x²-[3]³des.dld
IntraPort 2+¹	vpn-intraport-2plus-x.x.x-[3]des.dld
VPN 5001	vpn-5001-x.x.x-[3]des.dld
IntraPort Carrier and Enterprise¹, VPN 5002 and 5008	vpn-5002-5008-x.x.x-[3]des.dld

Upgrading the IntraPort 2 and 2+ Servers

The IntraPort 2 and 2+ servers have the same functionality as the VPN 5001 concentrator except for the number of tunnels supported. Table 3 lists the tunnels supported for each platform.

Table 3: Tunnels Supported for the VPN 5001 and IntraPort 2 and 2+

Model Tunnels

VPN 5001 concentrator

1500

IntraPort 2+

500

IntraPort 2

64

Model	Tunnels
VPN 5001 concentrator	1500
IntraPort 2+	500
IntraPort 2	64

For information about configuring and upgrading the IntraPort 2 and 2+, use the information about the VPN 5001 concentrator in the Cisco VPN 5001 Software Configuration Guide.

Upgrading the IntraPort Carrier and Enterprise Servers

The IntraPort Carrier and Enterprise servers have the same functionality as the VPN 5002 or 5008 concentrators. For information about configuring the IntraPort Carrier and Enterprise servers, see the VPN 5002 and VPN 5008 information in the Cisco VPN 5002 and 5008 Software Configuration Guide. The Carrier and Enterprise servers use the same software build as the VPN 5002 and VPN 5008 concentrators.

You can upgrade the Carrier server according to the Cisco VPN 5002 and 5008 Software Configuration Guide. To upgrade the Enterprise server to the new version, follow these steps:

Note You only need to use this procedure the first time you upgrade an Enterprise server to Version 5.2.x or later. After you perform the upgrade, you can use the normal procedure to load software.

Step 1 As a precaution, save the configuration by using TFTP according to the Cisco VPN 5002 and 5008 Software Configuration Guide.

This procedure preserves and uses the configuration already in the concentrator. To copy the configuration back to the concentrator at the end of this procedure, copy it using the following file name:

vpn5002_8.cfg

Step 2 On the module in slot 0, attach a console to the console port.

Step 3 On the module in slot 0, set the test switch to position 3.

Step 4 Restart the concentrator.

Step 5 At the console prompt, enter:

setip address mask [gateway]

Where:

address is the IP address of the port in slot 0.
mask is the subnet mask.
gateway is the default gateway.

Step 6 Set the test switch back to 0.

Step 7 Download the new vpn-5002-5008-x.x.x-[3]des.dld software using TFTP or the VPN 5000 Manager.

After you perform the download, the concentrator reboots using the new software. The software then propagates to the other cards in the chassis.

Interoperability

The VPN 5000 concentrator series can establish LAN-to-LAN tunnels with other Cisco products that support:

IPsec DES or 3DES
Cisco IOS Release 12.1(1)T or Release 12.1(2)

VPN 5000 Concentrator Software Caveats Fixed from Previous Releases

The following sections list the caveats fixed from previous releases of the VPN 5000 software.

Cisco VPN 5000 Concentrator Software Caveats Fixed from Version 5.2.15

The following caveats were fixed from Version 5.2.15.

CSCco00501

: When configuring IPX for a LAN-to-LAN tunnel, the show ipx route command no longer indicates that the bind to address is the ip vpnxx port. It now indicates the correct bound to port address.

CSCco1108

: The VPN client for Windows 2000 can now Telnet through an established VPN tunnel to any other VPN 5000 concentrator connected on that same subnet.

CSCdr68358

: Using the Source Address parameter of the Telnet command within the VPN 5000 concentrator no longer restarts the concentrator.

CSCdr93679

: The RADIUS Acct-Session-Time no longer accrues with successive attempts to send Accounting stop packets from the VPN 5000 concentrator to the RADIUS server.

CSCdr93842

: RADIUS accounting stop packets now contain the User-Name.

CSCdr95812

: LAN-to-LAN tunnels can now be closed manually from a default responder. A default responder has the Tunnel Partner VPN Default section.

CSCds01953

: IP packets that have the TOS field set, like in VoIP and QOS applications, now have that information copied into the IPsec packet header when it gets tunneled.

CSCds02352

: A restart event no longer occurs when a RADIUS server is defined but unreachable, the SecAddress keyword is set to 0.0.0.0, and a certificate is present in the concentrator.

CSCds03578

: Assigning IP addresses to clients from a RADIUS server now works.

CSCds13425

: SecurID processing no longer fails with the following log message:

Notice   8/24/00 4:48:30 -- reason: S_SECURID_FAILURE (254@2311)

CSCds14573

: VPN clients in a group with the VPNGroupDLCI keyword no longer get disconnected from a DS3 card on a VPN 5002 concentrator when the VPN group's connect timeout is reached.

CSCds21213

: When using the VPN 5000 Manager to issue the reset tcp socket all command, the VPN concentrator no longer reboots.

CSCds31492

: RADIUS stop packets are now sent correctly.

Cisco VPN 5000 Concentrator Software Caveats Fixed from Version 5.2.14

The following caveats were fixed from Version 5.2.14.

CSCdr44717

: The BackupServer keyword in the SecurID section now works to allow the concentrator to use a backup SecurID server if the main server stops responding.

CSCdr53740

: If you use SecurID with an internal VPN User list, but also use RADIUS for accounting, the concentrator now returns the SecurID user name to the RADIUS server, not just the VPN User list name, which might be a shared login for multiple users.

CSCdr59880

: When you use the show vpn users and show vpn partners commands, the concentrator now displays the VPN port number instead of the internal interface. Only the VPN port number (not the internal interface number) can be used to reset VPN connections using the reset vpn command.

CSCdr60803

: The boot command now works over Telnet.

CSCdr78162

: The VPN 5000 concentrator now returns attribute 25 to a RADIUS server when addresses are assigned from a RADIUS IP address pool.

Cisco VPN 5000 Concentrator Software Caveats Fixed from Version 5.1.x

The following caveats were fixed from Compatible Systems IntraPort Version 5.1.x. IntraPort servers are now called the Cisco VPN 5000 concentrator series.

CSCco00281

: G2 now works for the IKE Policy section. The IKE Policy section keyword and argument protection = xxx_yyy_G2, now works, where xxx = MD5 or SHA, and yyy = DES or 3DES.

CSCco00425

: If you press Ctrl-C during the display of a show command, this action no longer causes the concentrator to restart.

CSCco00597

: LAN-to-LAN tunnels running IPX between two VPN 5001 concentrators no longer drop the connection after 15 minutes in rare conditions.

CSCco00712

: IP packet filters on the VPN 5002 or 5008 concentrator now work correctly on modules installed in slots other than slot 0.

CSCco00764

: When the VPN 5000 Client for Windows NT connects to slot 1, a traceroute from a DOS shell no longer returns the first hop as 76.0.0.1.

CSCco00814

: A tunnel between an IntraPort 2+ and an IntraPort 2 no longer suddenly stops routing traffic. Formerly, when an IntraPort 2+ used both Ethernet connections and the IntraPort 2 used only one connection, if a packet generated by the IntraPort 2+ was sent directly to the Intraport 2 over the tunnel, the tunnel stopped routing across the tunnel.

CSCco00962

: The IntraPort 2+ no longer reboots itself under rare conditions with heavy traffic.

CSCco00976

: The SecurIDRequired = On keyword in the VPN Group section no longer overrules the Enabled = Off keyword in the SecurID section. Formerly, the SecurID section keyword was ignored.

CSCco01041

: The VPN 5002 concentrator no longer occasionally restarts unexpectedly during its normal boot process.

CSCco01072

: Macintosh VPN users using SecurID are now deleted after terminating the tunnel. Formerly, the VPN concentrator stopped accepting connections because unconnected users were still taking up system resources. The output from the show vpn users command showed no users connected, but the show os vpn command showed connections. The maximum number of connections had been exceeded.

CSCco01130

: CiscoSecureNT no longer fails for user authentication. Formerly, the CiscoSecureNT server "tagged" the Tunnel-Password values when the server returned the values to the concentrator.

CSCco01147

: OSPF route aggregation no longer causes a VPN 5001 concentrator to restart.

CSCco01193

: Switch 9 on the test switch in slot 0 no longer causes lack of connectivity to other slots.

CSCdr33183

: SecurID passcodes greater than16 characters no longer disable further authentication. Formerly, if your VPN group specified the VPN username to be used as the SecurID username (SecurIDUsername = False), and your passcode was more than 16 characters, you could not connect after that attempt even with the proper passcodes. No other users in a VPN group with SecurIDUsername = False were able to connect either.

CSCdr42036

: The show os state command no longer displays the enabled password without being enabled.

CSCdr43915

: The Ethernet port no longer begins processing packets before other stacks are initialized. Formerly, this caused the concentrator to restart at boot time while other processes completed initialization.

Cisco VPN 5000 Concentrator Software Open Caveats

The following sections list known issues with the VPN 5000 concentrator software Version 5.2.16.

Apply Command

The apply command does not apply configuration changes for all section keywords. Table 4 provides a partial list of keywords and whether they work with apply.

Table 4: Apply Command Functionality

Section and Keywords Apply Command Works (Yes or No)

Certificates

  CertificateGenerator

Yes

Domain Name Server

  PrimaryServer

No

Ethernet Interface Ethernet x

  duplex

No

  speed

No

General

  password

Yes

  enablepassword

Yes

  ipsecgateway

Yes

  devicename

Yes

IP Ethernet 0

  mode

Yes

  ipaddress

Yes

  subnetmask

Yes

  ripversion

Yes

  ripin

Yes

  ripout

Yes

IP Ethernet 1

  mode

Yes

  ipaddress

Yes

  subnetmask

Yes

IP Static
Yes

IPX Ethernet 0

  Mode

Yes

IP VPN x

  Mode

No

  RIPVersion

No

  RIPOut

No

  RIPIn

No

Logging

  enabled

Yes

  level

Yes

  logtoauxport

Yes

  protection

No

Time Server

  TimeProtocol

No

  Enabled

Yes

  Adjust

Yes

  Serveraddress

Yes

Tunnel Partner VPN x

  Transform

No

  KeyManage

No

  SharedKey

No

  BindTo

No

  Partner

No

VPN Group (change an existing group)

  LocalIPNet

Yes

  SaveSecrets

Yes

  LocalIPXNet

Yes

  IPNet

No

  DNSPrimaryServer

No

VPN Users (add a user)
Yes

VPN Users (change an existing user)
Yes

Section and Keywords	Apply Command Works (Yes or No)
Certificates
CertificateGenerator	Yes
Domain Name Server
PrimaryServer	No
Ethernet Interface Ethernet x
duplex	No
speed	No
General
password	Yes
enablepassword	Yes
ipsecgateway	Yes
devicename	Yes
IP Ethernet 0
mode	Yes
ipaddress	Yes
subnetmask	Yes
ripversion	Yes
ripin	Yes
ripout	Yes
IP Ethernet 1
mode	Yes
ipaddress	Yes
subnetmask	Yes
IP Static	Yes
IPX Ethernet 0
Mode	Yes
IP VPN x
Mode	No
RIPVersion	No
RIPOut	No
RIPIn	No
Logging
enabled	Yes
level	Yes
logtoauxport	Yes
protection	No
Time Server
TimeProtocol	No
Enabled	Yes
Adjust	Yes
Serveraddress	Yes
Tunnel Partner VPN x
Transform	No
KeyManage	No
SharedKey	No
BindTo	No
Partner	No
VPN Group (change an existing group)
LocalIPNet	Yes
SaveSecrets	Yes
LocalIPXNet	Yes
IPNet	No
DNSPrimaryServer	No
VPN Users (add a user)	Yes
VPN Users (change an existing user)	Yes

General System Caveats

CSCco00582

: When a user connects to a VPN 5002 or 5008 concentrator using RADIUS, statistics for the connection on slots other than slot 0 are not logged in the log file correctly.
: No workaround.

CSCco01034

: Rarely, exiting a Telnet session does not terminate the session on the concentrator. When you reconnect, you see output from the first telnet session, for example, from a long show command.
: Workaround: Determine the TCP socket by entering show os tcp. Then enter reset tcp socket.

CSCco01065

: Accounting does not work with the Livingston 2.1 RADIUS server, even though authentication between a VPN 5000 concentrator and a Livingston 2.1 RADIUS server does work.
: Workaround: In the Radius section, set AcctPort = 1813 and AuthPort = 1812.

CSCdr53664

: When using RADIUS to authenticat users, the show vpn users command shows incorrect information. For example, the VPN group name displays as a number, the client and local addresses are incorrect, and the connect time is wrong.
: Workaround: View the correct information in the log using the show system log command.

CSCdr62690

: When you use the Cisco 2900 terminal server running Cisco IOS Release 12.0(5)T1 to manage the VPN 5000 concentrator through the console port, a condition can occur where the VPN 5000 concentrator receives CR/LF characters from the 2900. This condition can cause the concentrator to go into a restart loop during a save or boot command.
: No workaround.

CSCdr63464

: When you perform bridging across a LAN-to-LAN tunnel, the concentrator makes the Bridge port a VPN-only port. The tunnel is fully functional, but a VPN-only port cannot respond to Telnet or the VPN 5000 Manager.
: Workaround: To manage the device, use a console connected directly to the console port.

CSCdr63646

: When you use IPX packet filters on the VPN 5002 or 5008 concentrator, modules installed in slots other than slot 0 might not filter all packets correctly.
: No workaround.

CSCdr71541

: The certificate remove command does not work, so you cannot a remove a root or server certificate from the concentrator.
: Workaround: If you want to prevent connectivity to the concentrator, revoke the certificate on the CA. If you created the certificate from a CG, there is no workaround.

CSCds17529

: When using the MIB for the VPN 5001 concentrator, the mappings do not correspond.
: No workaround.

Module and Port Caveats

CSCco00572

: When the 10/100BaseT Ethernet port is unplugged from the network and then reconnected, it does not renegotiate its speed or duplex setting correctly in auto detect mode.
: Workaround: Connect the Ethernet cable to the hub or switch, and turn off the concentrator and then turn it on.

CSCco00743

: Modules are not hot-swappable. If you remove and reinsert a module without turning off power, this action causes a restart.
: No workaround.

CSCco00746

: If the Ethernet port does not sense the duplex mode automatically, and you set the duplex manually in the Ethernet Interface section, the port automatically defaults the speed to 10BaseT even if the link is 100BaseT.
: Workaround: Set the port speed as well as the duplex mode.

CSCco00999

: In cases where not all slots in a VPN 5002 or 5008 are filled, the show version command might print an erroneous message on the console. The message is similar to the following message:

Bad value read from iop 1  -2/536878260

: This message does not indicate any error in operation; it only indicates that a module is not present in the slot indicated.
: No workaround.

CSCco01024

: The interface command on the VPN 5002 or 5008 concentrator defaults to WAN 0:0 no matter which port you enter. As a result, you cannot set the loopback mode on DS3 or HSSI interfaces in other slots.
: No workaround.

CSCco01172

: The show version command only shows the hardware version for the module in slot 0.
: Workaround: Connect the console cable to each module, and enter the show version command to see the hardware revision of the module you are attached to.

VPN Tunneling Caveats

CSCco00608

: When you are using the concentrator to establish a main-mode LAN-to-LAN tunnel to another vendor's equipment, the concentrator does not check packets sent over the tunnel to ensure that they meet the address requirements specified by the Peer or LocalAccess keywords. If you add a route to send traffic over the tunnel that is not on the Peer network, the concentrator sends the traffic. If the remote peer sends traffic that is not on the LocalAccess network, the concentrator accepts the traffic and forwards it.
: Workaround: Create IP packet filters and apply them to the VPN tunnel port.

CSCco00618

: Netware Directory Services does not work correctly over a VPN tunnel; the Neat16.exe and Nal.exe applications do not run.
: Workaround: NWAdmin.exe runs correctly and can be used instead.

CSCco00741

: Under rare conditions, numbered VPN tunnels opening and closing can fill an IP broadcast table, preventing further tunnels from opening. Check the system log for "IP Broadcast hash full" errors.
: Workaround: Restart the concentrator.

CSCco00749

: If you configure multiple VPN-only ports on a VPN 5008 concentrator, all traffic to or from a given VPN-only port is only sent to or from Ethernet 0:0. For example, if clients connect to VPN-only port 3:0, they can only reach the networks connected to Ethernet 0:0.
: No workaround.

CSCco00914

: If you configure a WINSPrimaryServer or WINSSecondaryServer in the VPN Group section, this configuration does not forward WINS traffic from the client correctly. Normally, specifying a WINS server on the concentrator redirects any client WINS traffic over the tunnel, regardless of the WINS server configured on the client PC. However, while the client can see hosts in the Network Neighborhood, the client receives an error message when it attempts to connect.
: Workaround: Have the client user configure the remote WINS servers in the Network Control Panel or in the dial-up profile, and do not specify a WINS server on the concentrator.

CSCco00938

: When the VPN 5000 concentrator is placed behind a device performing Network Address Translation (NAT), the VPN connections are dropped in approximately 200 seconds due to Keep Alive Packets that do not pass through properly.
: Workaround: Do not use NAT in front of the VPN 5000 concentrator.

CSCco00997

: The ARP table becomes corrupt when a client connects from the local LAN.
: Workaround: Enter the reset arp all command to clear the ARP cache and allow client connections again.

CSCco01037

: For a VPN 5002 or 5008 concentrator with Ethernet slot 0 connected, and disconnected Ethernet modules in other slots, clients that are authenticated with RADIUS can only connect some of the time. When clients connect to the concentrator, the concentrator distributes the tunnel processing between all slots. RADIUS users assigned to slots other than 0, however, cannot connect.
: The system log indicates this error during startup as:

Error    2/2/00 12:08:41 Slot 1: radius accounting: Unable to bind to an IP address.

: This error is caused by the Ethernet port in slot 0 failing to negotiate the link parameters in a timely manner.
: Workaround: Set the Ethernet interfaces' speed and duplex in the Ethernet Interface section.

CSCco01155

: The vpn tunnel down command does not work with a LAN-to-LAN tunnel established using the Tunnel Partner VPN Default section.
: Workaround: Use the reset vpn number command.

CSCco01175

: SSH-2 does not work over a VPN connection.
: No workaround.

CSCdr28216

: The Solaris VPN 5000 Client does not tunnel any traffic without an IPNet defined in the VPN Group section. It should tunnel all traffic.
: Workaround: Configure the VPN Group with an IPNet value.

CSCdr33950

: The BackupServer keyword in the VPN Group section that allows a concentrator to pass excess users to another concentrator does not work. If a VPN group reaches its maximum connections, the group does not pass the excess users over to a backup server even if it is configured to do so.
: No workaround.

CSCdr60383

: The concentrator cannot use a server certificate based on a key length greater than 2048 bits.
: Workaround: Use a server certificate with a key length smaller than or equal to 2048 bits.

CSCdr61878

: Users in the internal VPN Users database who repeatedly enter incorrect shared secret passwords eventually cause all of the resources for their VPN Group to be used up by "ghost" connections. This condition only occurs when the concentrator uses a server certificate and RADIUS.
: Workaround: Reset the ghost connections by entering reset vpn all two times. However, this command also resets all LAN-to-LAN tunnels and all other client connections. The long-term workaround is to migrate the usernames local to the concentrator over to the RADIUS server.

CSCdr88761

: On a VPN 5001 concentrator, when more than 2,800 clients connect in rapid sequence, the concentrator reboots.
: No workaround.

CSCds16599

: When connecting to a VPN 5002 or VPN 5008 concentrator, Microsoft Exchange users might see intermittent problems with large file attachments and synchronization functions. These problems only occur when the client connects to slot 1 on the concentrator.
: Workaround: Reconnect until you get a different slot assignement.

AppleTalk and VPN Caveats

CSCco00848

: When running AppleTalk over a LAN-to-LAN tunnel, duplicate directly connected routes might randomly appear in the routing table for one or both ends of the tunnel, and disrupt AppleTalk routing for the tunnel.
: The following sample routing table appears if you enter the show appletalk routing command:

Directly connected routes:
Network       Gateway       Port      Hop Age  Flgs  Zone Name
3100          204.138.9.2      VPN0     0   0  0d00  Fibre WAN
3250 - 3399   3250:1         Eth0 P2    0   0  0f00  Remote Site
3100          204.138.9.2      VPN0     0   0  0d00  Fibre WAN
 
Dynamic routes discovered via RTMP:
Network       Gateway       Port      Hop Age  Flgs  Zone Name
1 - 1         204.138.9.2      VPN0     2   1  0f00  WAN

: No workaround.

CSCco01007

: The show appletalk config command for a VPN interface displays limited or no AppleTalk information.
: For example, if you configure AppleTalk as follows:

show config appletalk vpn 0
[ AppleTalk VPN 0 ]
Mode                     = Routed
Seed                     = Seed
NetLower                 = 3101
Node                     = 1
DefZone                  = "Fibre WAN-x"
Updates                  = Periodic

: The show commands appear as:

show appletalk config
Port       Phase   Seed  Netnum         Node  Zone Name
Ether0         1   ** Disabled **
Ether0         2   ** Disabled **
Ether1         1   ** Disabled **
Ether1         2   ** Disabled **
Bridge         1   ** Disabled **
Bridge         2   ** Disabled **
VPN0                                    1 
 
NBP Filters:
                    Stay in    Lookups    Tilde     Laser-
Port       Phase   zone?      In  Out    Devices   Writers
Ether0         1   ** Disabled **
Ether0         2   ** Disabled **
Ether1         1   ** Disabled **
Ether1         2   ** Disabled **
Bridge         1   ** Disabled **
Bridge         2   ** Disabled **
 
Appletalk Zone List:

: Workaround: Try the command several times and verify interface settings using show config appletalk vpn number.

Documentation Updates

The following sections describe updates to the printed documentation.

Cisco VPN 5001 Software Configuration Guide (PN 78-11008-01) and the Cisco VPN 5002 and 5008 Software Configuration Guide (PN 78-11002-01)

(5001 pg. 10-9; 5002 and 5008 pg. 11-9) When you request a certificate from a certificate generator, the certificate import request command should be certificate request import.
(5001 pg. 3-3; 5002 and 5008 pg. 3-3) When you configure the Time Server section, enter the following keyword:

BindTo = {Ethernet | WAN} slot:port[.subinterface]

: This keyword specifies the interface IP address the concentrator uses as a source address for all packets sent to the time server.

(5001 pg. 3-6; 5002 and 5008 pg. 4-1) The Ethernet interface automatically senses the speed and duplex only if you connect the cabling at startup. Otherwise, the port defaults to 10BaseT and half duplex.
(5001 pg. 7-2; 5002 and 5008 pg. 8-2) For the VPN group, the maximum number of connections is limited by the LocalIPNet mask. A 24-bit mask sets the MaxConnections to 254 even though the default is the maximum connections for the port (for example, 5000).
(5001 pg. 8-2; 5002 and 5008 pg. 9-2) For a VPN user, use the following syntax with quotes around the Shared_Secret:

"username" Config=VPN_group [SharedKey="Shared_Secret"]

(5001 pg. 8-7; 5002 and 5008 pg. 9-7) If you are using the RADIUS server to assign IP addresses, do not use the vendor-specific attribute 2. For IPX, do not use vendor-specific attribute 7.
(5001 pg. 8-9; 5002 and 5008 pg. 9-9) The SecurID section EncryptionType keyword should be EncryptMethod.
(5001 pg. 9-6; 5002 and 5008 pg. 10-6) For a generic tunnel partner, you must name the section Tunnel Partner VPN Default, not just Tunnel Partner Default.
(5001 pg. 10-4; 5002 and 5008 pg. 11-4) For the certificate generate commands, the optional state is a string with no spaces and the country is a 2-letter country code and not the other way around.
(5008 pg. 15-8) In the "LAN-to-LAN Tunneling" example for the VPN 5002 and 5008 concentrators, the IP address for VPN 5008 Concentrator 2 [ IP WAN 1:0 ] should be 176.100.26.8.
(5001 pg. 14-2; 5002 and 5008 pg. 15-11) In the "Remote Users, Offices, and a Central Site" example, the illustration should show the router IP address as 136.5.5.2.
(5002 and 5008 pgs. 15-7, 15-9, and 15-12) In the "LAN-to-LAN Tunneling" and "Remote Users, Offices, and a Central Site" examples, the Tunnel Partner section SharedSecret keyword should be SharedKey.
(5001 pg. 14-3) In the example, the Tunnel Partner section certificates = on keyword should be SharedKey = sharedkey.
(5001 pgs. B-2 and B-3; 5002 and 5008 pgs. B-2 and B-3) When you are setting the IP address with the test switch, use the following syntax with setip as one word:

setip address mask gateway

Cisco VPN 5000 Concentrator Series Command Reference Guide (PN 78-11003-01)

(pg. 90) The SecurID section EncryptionType keyword should be EncryptMethod.
(pg. 191) The certificate import request command should be certificate request import.
(pg. 189) For the certificate generate commands, the optional state is a string with no spaces and the country is a 2-letter country code and not the other way around.
(pg. 110) The VPN Group section PFS keyword is not supported.
Add the following command to the "Reset Commands" chapter:

reset vpn {number | all}

: The reset vpn command terminates a specific tunnel or all tunnels, including client and LAN-to-LAN tunnels.

number

Resets a specific tunnel. To view the tunnel number, enter the show vpn runtime or show vpn config command.

all

Resets all tunnels.

number	Resets a specific tunnel. To view the tunnel number, enter the show vpn runtime or show vpn config command.
all	Resets all tunnels.

Add the following command to the "Miscellaneous Commands" chapter:

vpn trace {enable | disable | reset |
dump {all | user user} [{before | after} time | first | last] [slot number] [bad] [!]}

: The vpn trace dump command shows information about all matching VPN connections, including information about the time, the VPN number, the real IP address of the peer, the scripts that have been run, and in the case of an error, the routine and line number of the software code where the error occurred.

enable

On by default, this command enables VPN trace logging.

disable

Turns off VPN trace logging.

reset

Resets the trace log.

dump {all | user user} [{before | after} time | first | last] [slot number] [bad] [!]

Displays the matching VPN trace log entries.

all displays all user connections.

user user displays a specific user's connection. user can be all or part of a user name or an IP address.

before or after time displays all entries that occurred before or after a specific time, where time is the time in seconds since the concentrator started up.

first or last displays the first or last entry.

slot number displays connections only for the specified module.

bad shows connections that had an error.

! forces access to the trace. If you enter the vpn trace dump command and you receive a message that the concentrator cannot lock the trace, or if the system is locked up, enter ! to force access. Caution: This command might clear the entire trace log.

enable	On by default, this command enables VPN trace logging.
disable	Turns off VPN trace logging.
reset	Resets the trace log.
dump {all \| user user} [{before \| after} time \| first \| last] [slot number] [bad] [!]	Displays the matching VPN trace log entries. all displays all user connections. user user displays a specific user's connection. user can be all or part of a user name or an IP address. before or after time displays all entries that occurred before or after a specific time, where time is the time in seconds since the concentrator started up. first or last displays the first or last entry. slot number displays connections only for the specified module. bad shows connections that had an error. ! forces access to the trace. If you enter the vpn trace dump command and you receive a message that the concentrator cannot lock the trace, or if the system is locked up, enter ! to force access. Caution: This command might clear the entire trace log.

(pg. 178) Change the tftp command to:

tftp {get {code | config} TFTP_server_IP_address filename |
put config TFTP_server_IP_address filename |
{disable | enable} [timeout] [TFTP_client_IP_address]}

: The tftp commands allow you to configure the concentrator as a Trivial File Transfer Protocol (TFTP) server or to use it as a TFTP client to copy software or configuration files.

get {code | config} TFTP_server_IP_address filename

Downloads software or a configuration file from the specified TFTP server.

code specifies a software load.

config specifies a text configuration file.

TFTP_server_IP_address specifies the TFTP server IP address.

filename is the name of the file you want to download from the TFTP server tftpboot directory. See "Transfer configuration files to and from the device using an ASCII mode transfer, and software files using a binary mode transfer. The following chart shows the different device types and configuration file names:" for configuration file names.

put config TFTP_server_IP_address filename

Uploads a configuration file to the specified TFTP server.

TFTP_server_IP_address specifies the TFTP server IP address.

filename is the name of the file you want to upload to the TFTP server tftpboot directory. See "Transfer configuration files to and from the device using an ASCII mode transfer, and software files using a binary mode transfer. The following chart shows the different device types and configuration file names:" for configuration file names.

{disable | enable} [timeout] [TFTP_client_IP_address]

Configures the concentrator to act as a TFTP server so you can get or put software or configuration files.

disable cancels a previous enable command.

enable allows you to use TFTP. You cannot use the concentrator as a TFTP server unless you enter this command from a console or from a remote host running Telnet. This command allows you to use TFTP within a specified period only from the remote IP host specified.

timeout specifies the length of time in seconds you can TFTP to the concentrator. The default is 60 seconds.

TFTP_client_IP_address specifies the IP host allowed to TFTP to the concentrator. By default, the concentrator uses the IP address of the Telnet host issuing the enable command. If you issue the enable command from a console, you must specify an address.

get {code \| config} TFTP_server_IP_address filename	Downloads software or a configuration file from the specified TFTP server. code specifies a software load. config specifies a text configuration file. TFTP_server_IP_address specifies the TFTP server IP address. filename is the name of the file you want to download from the TFTP server tftpboot directory. See "Transfer configuration files to and from the device using an ASCII mode transfer, and software files using a binary mode transfer. The following chart shows the different device types and configuration file names:" for configuration file names.
put config TFTP_server_IP_address filename	Uploads a configuration file to the specified TFTP server. TFTP_server_IP_address specifies the TFTP server IP address. filename is the name of the file you want to upload to the TFTP server tftpboot directory. See "Transfer configuration files to and from the device using an ASCII mode transfer, and software files using a binary mode transfer. The following chart shows the different device types and configuration file names:" for configuration file names.
{disable \| enable} [timeout] [TFTP_client_IP_address]	Configures the concentrator to act as a TFTP server so you can get or put software or configuration files. disable cancels a previous enable command. enable allows you to use TFTP. You cannot use the concentrator as a TFTP server unless you enter this command from a console or from a remote host running Telnet. This command allows you to use TFTP within a specified period only from the remote IP host specified. timeout specifies the length of time in seconds you can TFTP to the concentrator. The default is 60 seconds. TFTP_client_IP_address specifies the IP host allowed to TFTP to the concentrator. By default, the concentrator uses the IP address of the Telnet host issuing the enable command. If you issue the enable command from a console, you must specify an address.

: Transfer configuration files to and from the device using an ASCII mode transfer, and software files using a binary mode transfer. The following chart shows the different device types and configuration file names:

Concentrator
Configuration File Name

VPN 5001

vpn5001.cfg

VPN 5002 and 5008

vpn5002_8.cfg

Concentrator	Configuration File Name
VPN 5001	vpn5001.cfg
VPN 5002 and 5008	vpn5002_8.cfg

: You can also create a text-based configuration file and use the VPN 5000 Manager to transfer the file to and from the device. This method uses a secure transfer mechanism, preventing the configuration from being observed while it is in transit to the device. See the Cisco VPN 5000 Manager Software Reference Guide for more information.

Add the following command to the "Miscellaneous Commands" chapter:

vpn cutoff {on | off}

: This command stops any new VPN connections. You might want to disallow new connections before a code download or another reason for a restart. This command allows already connected users to disconnect before you restart the concentrator.

(pg. 99) Add the following keyword to the Time Server section:

BindTo = {Ethernet | WAN} slot:port[.subinterface]

Specifies which interface's IP address the concentrator uses as a source address for all packets sent to the time server.

BindTo = {Ethernet \| WAN} slot:port[.subinterface]	Specifies which interface's IP address the concentrator uses as a source address for all packets sent to the time server.

(pg. 101) Add the following two keywords to the Tunnel Partner section:

MaxKeyKBytes = KB

Sets the maximum number of kilobytes of traffic, between 2560 and 536870912, that can pass over the tunnel before the tunnel initiator rekeys the tunnel. The default is 1048576. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. If you rekey, this action provides added security by limiting the amount of time available to break a particular key. If you also set KeyLifeSecs, the concentrator uses whichever value occurs first. Only the tunnel initiator's MaxKeyKBytes value is used.

KeyLifeSecs = seconds

Sets the maximum number of seconds, between 600 and 86400, before the tunnel initiator rekeys the tunnel. The default is 86400. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. If you rekey, this action provides added security by limiting the amount of time available to break a particular key. If you also set MaxKeyKBytes, the concentrator uses whichever value occurs first. Only the tunnel initiator's KeyLifeSecs value is used.

MaxKeyKBytes = KB	Sets the maximum number of kilobytes of traffic, between 2560 and 536870912, that can pass over the tunnel before the tunnel initiator rekeys the tunnel. The default is 1048576. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. If you rekey, this action provides added security by limiting the amount of time available to break a particular key. If you also set KeyLifeSecs, the concentrator uses whichever value occurs first. Only the tunnel initiator's MaxKeyKBytes value is used.
KeyLifeSecs = seconds	Sets the maximum number of seconds, between 600 and 86400, before the tunnel initiator rekeys the tunnel. The default is 86400. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. If you rekey, this action provides added security by limiting the amount of time available to break a particular key. If you also set MaxKeyKBytes, the concentrator uses whichever value occurs first. Only the tunnel initiator's KeyLifeSecs value is used.

(pg. 299 and 300) In the show vpn users and show vpn partners displays, replace IF and its description with the following value:

Port Number

The VPN port number to which the client or peer is connected. You can use this port number with the reset vpn number command.

Port Number	The VPN port number to which the client or peer is connected. You can use this port number with the reset vpn number command.

Obtaining Documentation

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.

Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

WWW: www.cisco.com
Telnet: cco.cisco.com
Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
- From North America, call 408 526-8070
- From Europe, call 33 1 64 46 40 82

You can e-mail questions about using CCO to cco-team@cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.

To contact by e-mail, use one of the following:

Language
E-mail Address

English

tac@cisco.com

Hanzi (Chinese)

chinese-tac@cisco.com

Kanji (Japanese)

japan-tac@cisco.com

Hangul (Korean)

korea-tac@cisco.com

Spanish

tac@cisco.com

Thai

thai-tac@cisco.com

Language	E-mail Address
English	tac@cisco.com
Hanzi (Chinese)	chinese-tac@cisco.com
Kanji (Japanese)	japan-tac@cisco.com
Hangul (Korean)	korea-tac@cisco.com
Spanish	tac@cisco.com
Thai	thai-tac@cisco.com

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.

Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document/website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0008R)

Table of Contents

Release Notes for the Cisco VPN 5000 Concentrator Software Version 5.2.16

Cisco VPN 5001 Software Configuration Guide (PN 78-11008-01) and the Cisco VPN 5002 and 5008 Software Configuration Guide (PN 78-11002-01)

Cisco VPN 5000 Concentrator Series Command Reference Guide (PN 78-11003-01)