
Release Notes for Cisco Secure
PIX Firewall Version 5.0(3)

January 2000

The Cisco Secure PIX Firewall provides secure networking and network address translation. This document describes only changes that occurred in version 5.0(3). For information on version 5.0(1) and version 5.0(2) features, installation notes, limitations and restrictions, usage notes, and caveats, refer to the following sites:

Unless noted otherwise, all information in the version 5.0(1) and version 5.0(2) release notes also applies to version 5.0(3).


System Requirements

Version 5.0 requires at least 2 MB of Flash memory and at least 32 MB of RAM memory, although it will boot in 16 MB of RAM and work with a small configuration.

The maximum configuration size is 350 KB for all PIX Firewall models.

Installation instructions for replacing Flash or RAM memory are described in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0.


Note You must have a new activation key before you can use any of the IPSec features or commands. You can have a new activation key sent to you by completing the form at the following site:

http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit.shtml

New and Changed Information

Version 5.0(3) consists of bug fixes and command enhancements. No commands were removed.

New Commands

No new commands were added in version 5.0(3).

Changes to Existing Commands

This section includes the following topics:

no failover Command

When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.

If you reboot the PIX Firewall without entering the write memory command while the failover cable is connected, failover mode is automatically enabled again.

show interface Command

The show interface command has been enhanced to include eight new status counters. The new counters are only valid for Ethernet interfaces. The following example shows the new output:

show interface
interface ethernet0 "outside" is up, line protocol is up
 Hardware is i82559 ethernet, address is 00aa.0000.003b
 IP address 209.165.201.7, subnet mask 255.255.255.224
 MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier

The eight new counters are those in the last three lines of the output (output errors, collisions, interface resets, babbles, late collisions, deferred, lost carrier, and no carrier). They are as follows:
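The block below is an added example, not part of these release notes or of Cisco's software. It parses a show interface block of the form shown above (the sample output is the page's own example, reused as input) into a dictionary and then flags the counter patterns a firewall operator would want to act on: late collisions, lost carrier, interface resets, and a high collision rate on a half duplex link. The 1% collision threshold is an assumption chosen for illustration.

```python
import re

# Sample "show interface" output as printed in these release notes,
# reused here as parser input.
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
 Hardware is i82559 ethernet, address is 00aa.0000.003b
 IP address 209.165.201.7, subnet mask 255.255.255.224
 MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
"""

HEADER_RE = re.compile(
    r'^interface (?P<name>\S+) "(?P<nameif>[^"]+)" is (?P<admin>\w+), '
    r'line protocol is (?P<proto>\w+)$')
LINK_RE = re.compile(
    r'^MTU (?P<mtu>\d+) bytes, BW (?P<bw_kbit>\d+) Kbit (?P<duplex>half|full) duplex$')
COUNTER_RE = re.compile(r'^(\d+)\s+(.+)$')


def parse_show_interface(text):
    """Parse one 'show interface' block into a dict.

    Counter keys are the names the PIX prints, lowercased with spaces
    replaced by underscores ('late collisions' -> 'late_collisions').
    The two 'bytes' counters are split into bytes_input / bytes_output.
    """
    info = {}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info.update(m.groupdict())
            continue
        m = LINK_RE.match(line)
        if m:
            info["mtu"] = int(m.group("mtu"))
            info["bw_kbit"] = int(m.group("bw_kbit"))
            info["duplex"] = m.group("duplex")
            continue
        if line.startswith("Received "):
            line = line[len("Received "):]
        if not line[:1].isdigit():
            continue  # hardware address / IP address lines carry no counters
        for item in line.split(","):
            m = COUNTER_RE.match(item.strip())
            if not m:
                continue
            value, name = int(m.group(1)), m.group(2).strip()
            key = name.lower().replace(" ", "_")
            if key == "packets_input":
                direction = "input"
            elif key == "packets_output":
                direction = "output"
            elif key == "bytes":
                key = f"bytes_{direction}"
            info[key] = value
    return info


def interface_warnings(info):
    """Flag counter patterns that usually mean a layer-1/2 problem.

    The 1% collision threshold is an assumption for illustration, not a
    Cisco recommendation.
    """
    warnings = []
    if info.get("admin") != "up" or info.get("proto") != "up":
        warnings.append("interface is not up/up")
    if info.get("late_collisions", 0):
        warnings.append("late collisions: duplex mismatch or cable too long")
    if info.get("lost_carrier", 0) or info.get("no_carrier", 0):
        warnings.append("carrier lost: check cable and switch port")
    if info.get("babbles", 0):
        warnings.append("babbles: oversized frames transmitted")
    if info.get("interface_resets", 0):
        warnings.append("interface resets: transmitter stalled and was reset")
    out = info.get("packets_output", 0)
    if info.get("duplex") == "half" and out:
        ratio = info.get("collisions", 0) / out
        if ratio > 0.01:
            warnings.append(f"collision rate {ratio:.1%} on a half duplex link")
    if info.get("input_errors", 0) or info.get("crc", 0) or info.get("frame", 0):
        warnings.append("input errors present (CRC/frame): check cabling")
    return warnings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE)
    for w in interface_warnings(parsed):
        print(parsed["nameif"], w)
```

On the sample output the checker reports the 2.1% collision rate on the half duplex outside interface and the four input errors; the new counters (late collisions, lost carrier, babbles, interface resets) are all zero, so none of those alarms fire.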

sysopt ipsec pl-compatible Command

Using the sysopt ipsec pl-compatible command no longer requires static route statements for every host that needs to start non-IPSec connections through the PIX Firewall. The routing is now handled automatically.

Installation Notes

No new installation notes were added in version 5.0(3).

Limitations and Restrictions

No new limitations and restrictions were added in version 5.0(3).

Important Notes

The following usage notes apply to version 5.0(3):

aaa-server Command timeout Option

The aaa-server command page in Chapter 6, "Command Reference," in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.0 incorrectly lists the timeout option of the aaa-server command as an idle timer. The option is actually a retransmit timer: it sets how long the PIX Firewall waits for a reply before retransmitting a request to the AAA server. The PIX Firewall makes four attempts in total against one server before moving to the next specified AAA server.

For example, if the timeout value is 10 seconds, the PIX Firewall sends the request and waits 10 seconds; if no acknowledgment is received, it retransmits and waits again, three more times, for a total of 40 seconds before the next AAA server is selected.

AAA Timeout Message for RADIUS and TACACS+

The PIX Firewall now displays the same timeout message for both RADIUS and TACACS+.
The message "aaa server host machine not responding" displays when either of the following occurs:

Previously, TACACS+ differentiated the two states above and provided two different timeout messages, while RADIUS did not differentiate the two states and provided one timeout message.

crypto map Command

The crypto map map_name interface if_name command re-initializes the SA (security association) database, causing any currently established SAs to be deleted.

DNS Root Name Server Access

A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT (port address translation). Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.

For example, PAT to the outside interface is enabled with these commands (the global command names the interface on which the translated address appears):

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 209.165.202.128 netmask 255.255.255.224
 

However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.

To ensure that the inside DNS server can access the root name server, insert the following static command statement:

static (inside,outside) 209.165.202.129 192.168.1.5
 

The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.

Failover

The Standby Logical Update Statistics output that displays when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover and can be ignored.

The failover timeout command does not work in this release. [CSCdm64497]

FTP and IPSec

With the IPSec port specification in the access-list command, FTP data is sent in clear text unless you add an access-list command to protect the FTP data port. In addition to requiring this command, for passive FTP, the access-list command must open all TCP ports from 1024 to 65535. [CSCdp29055]

IPSec Mode Configuration

If you use mode configuration with the PIX Firewall, any routers on the IPSec connection must run Cisco IOS software version 12.0.6T or later. [CSCdm56751]

SNMP

The SNMP "ifOutUcastPkts" object now correctly returns the outbound packet count.

static Command

Command statements for the static command cannot contain IP address ranges that overlap one another. When addresses overlap, the PIX Firewall denies the affected connections without sending a denial message to syslog, so the failure is silent. [CSCdp22217] In the caveat report, an FTP session was denied with no message sent to syslog.

For example, the following command statements do not work:

nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0
 

In this example, the nat 0 command statement enables the identity feature so that any host on the 10.0.0.0 network can start connections to a lower security level interface. The first static command statement lets all hosts on the inside 10.0.0.0 network be visible on the outside network. The second static statement attempts to use a subset of the 10.0.0.0 address range on another interface. Because 10.64.0.0 is a part of the 10.0.0.0 range of addresses, the addresses overlap.
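Because the overlap produces silent denials, it is worth checking for in a configuration before it is loaded. The block below is an added example, not part of these release notes or of the PIX software: it extracts static statements from a PIX configuration, expands each to its local and global address range, and reports pairs that overlap on the same interface. The sample configuration combines the two overlapping statements from this section, the DNS server static from "DNS Root Name Server Access," and one extra host static with assumed addresses.

```python
import ipaddress
import re

# Constructed configuration: the overlapping pair from this release note,
# the DNS server static from "DNS Root Name Server Access", and one extra
# host static with assumed addresses (192.168.1.6 -> 209.165.202.140).
SAMPLE_CONFIG = """\
nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0
static (inside,outside) 209.165.202.129 192.168.1.5
static (inside,outside) 209.165.202.140 192.168.1.6
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static \((?P<local_if>[^,]+),(?P<global_if>[^)]+)\)\s+"
    rf"(?P<global_ip>{IP})\s+(?P<local_ip>{IP})"
    rf"(?:\s+netmask\s+(?P<mask>{IP}))?")


def parse_statics(config):
    """Extract static statements; a missing netmask means a host mapping."""
    statics = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"
        statics.append({
            "line": raw.strip(),
            "local_if": m.group("local_if"),
            "global_if": m.group("global_if"),
            "local": ipaddress.ip_network(f"{m.group('local_ip')}/{mask}", strict=False),
            "global": ipaddress.ip_network(f"{m.group('global_ip')}/{mask}", strict=False),
        })
    return statics


def find_overlaps(statics):
    """Return (kind, line_a, line_b) for every pair of statics whose local
    ranges on the same higher-security interface, or global ranges on the
    same lower-security interface, overlap. Any hit is the condition that
    CSCdp22217 describes as a silent denial."""
    problems = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if a["local_if"] == b["local_if"] and a["local"].overlaps(b["local"]):
                problems.append(("local", a["line"], b["line"]))
            if a["global_if"] == b["global_if"] and a["global"].overlaps(b["global"]):
                problems.append(("global", a["line"], b["line"]))
    return problems


if __name__ == "__main__":
    for kind, a, b in find_overlaps(parse_statics(SAMPLE_CONFIG)):
        print(f"{kind} address overlap:\n  {a}\n  {b}")
```

Run against the sample, the only hit is the local overlap between the 10.0.0.0/8 statement on the outside and the 10.64.0.0/16 statement on perim1; the two host statics for the DNS server and the extra host do not overlap anything and pass.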

Supported CA Servers

PIX Firewall only supports the following certification authority (CA) servers:

Caveats

Open Caveats

Table 1 lists open caveats introduced in version 5.0(3). In addition, all open caveats in versions 5.0(1) and 5.0(2) still apply to version 5.0(3).


Table 1: Open Caveats

DDTS Number: Description

CSCdp74795: The source IP address is reversed in SNMP traps. SNMP traps contain data that includes the IP address of the agent sending the trap. When sending linkDown or linkUp traps, the PIX Firewall reverses the order of the four octets of the IP address embedded in the trap data.

CSCdp48115: A DNS server behind the PIX Firewall cannot use PAT; adding a static command statement works around the problem.

CSCdp42625: When using the VeriSign CA server, always use the crloptional option with the ca configure command. See the VeriSign note in the "Supported CA Servers" section for more information.

CSCdp29055: With the IPSec port specification in the access-list command, FTP data is sent in clear text unless you add an access-list command to protect the FTP data port. In addition, for passive FTP, the access-list command must open all TCP ports from 1024 to 65535.

CSCdp22217: Command statements for the static command cannot contain IP addresses that overlap between statements.

CSCdm64497: The failover timeout command does not work in this release.

CSCdm56751: If you use mode configuration with the PIX Firewall, any routers on the IPSec connection must run Cisco IOS software version 12.0.6T or later.
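A trap receiver that keys alerts on the embedded agent address will misattribute the linkUp/linkDown traps described in CSCdp74795. The block below is an added example, not part of these release notes or of any Cisco or SNMP manager software: it checks the agent-addr field of a received SNMPv1 trap against the UDP source address of the datagram, corrects the byte-reversed case only for linkUp and linkDown traps, and reports any other mismatch, since an agent address that disagrees with the sender is otherwise a relayed or spoofed trap. The sample traps are constructed, with the PIX outside address taken from the show interface example on this page.

```python
import ipaddress

# generic-trap values from the SNMPv1 Trap-PDU (RFC 1157)
COLD_START, WARM_START, LINK_DOWN, LINK_UP = 0, 1, 2, 3

# Constructed traps: (agent-addr octets as decoded from the PDU, UDP source
# address of the datagram, generic-trap value). The first reproduces
# CSCdp74795 for a PIX whose outside address is 209.165.201.7.
SAMPLE_TRAPS = [
    ([7, 201, 165, 209], "209.165.201.7", LINK_DOWN),
    ([209, 165, 201, 7], "209.165.201.7", COLD_START),
    ([192, 168, 1, 10], "209.165.201.7", LINK_UP),
]


def normalize_agent_addr(agent_octets, packet_src, generic_trap):
    """Return (agent address, note) for one received trap.

    The agent-addr field is accepted when it matches the UDP source. If it
    is the byte-reversed source and the trap is linkUp or linkDown, it is
    the PIX 5.0(3) caveat and is corrected. Any other mismatch is reported.
    """
    claimed = ipaddress.IPv4Address(bytes(agent_octets))
    src = ipaddress.IPv4Address(packet_src)
    if claimed == src:
        return str(claimed), "ok"
    reversed_addr = ipaddress.IPv4Address(bytes(agent_octets[::-1]))
    if reversed_addr == src and generic_trap in (LINK_DOWN, LINK_UP):
        return str(reversed_addr), "agent-addr octets reversed (CSCdp74795); corrected"
    return str(claimed), f"agent-addr {claimed} does not match sender {src}"


def normalize_all(traps):
    """Apply normalize_agent_addr to a list of (octets, src, generic) tuples."""
    return [normalize_agent_addr(*t) for t in traps]


if __name__ == "__main__":
    for addr, note in normalize_all(SAMPLE_TRAPS):
        print(addr, note)
```

The correction is deliberately restricted to linkUp and linkDown traps with a reversed match; a coldStart trap with the same reversed octets, or any trap whose agent address is unrelated to the sender, is left as received and flagged so that the receiver does not silently rewrite evidence.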

Resolved Caveats

Table 2 lists the caveats that PIX Firewall Engineering has resolved in version 5.0(3). Caveats resolved in versions 5.0(1) and 5.0(2) remain resolved in version 5.0(3).


Table 2: Resolved Caveats

DDTS Number: Description

CSCdp94076 and CSCdp32325: During heavy traffic, the outside Ethernet interface no longer intermittently stops transmitting traffic. If an interface is unable to transmit for three seconds, the PIX Firewall resets the interface to restart transmission. During the reset, the connection state is maintained. This problem only affects the PIX 515.

CSCdp69485: Various PIX Firewall software routines no longer abort processing when they should instead return a failure code.

CSCdp19390: When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. See "no failover Command" for more information.

CSCdp18467: The usage note in the version 4.4(2) release notes regarding the auth-prompt command is no longer valid. The prompt string you specify with the auth-prompt accept command no longer displays twice when a user is authenticated.

CSCdp17093: An intermittent communications failure on a URL server no longer causes the PIX Firewall to enter and exit allow mode (configured with the filter url command). The PIX Firewall now sends status messages to the URL server every 5 seconds. If the PIX Firewall does not receive a reply after three tries, the URL server is marked as down and the next specified URL server becomes active. If no URL servers are available, and the PIX Firewall is configured for allow mode, the PIX Firewall enters allow mode.

CSCdp09563: The show interface command has been enhanced to include eight new status counters. The new counters are only valid for Ethernet interfaces. See "show interface Command" within "Changes to Existing Commands" for more information.

CSCdp09306: Passive FTP no longer fails when the fixup protocol ftp 21 command is enabled.

CSCdm64126: %PIX-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url was incorrectly listed in the documentation as being severity level 6. This message has been fixed in System Log Messages for the Cisco Secure PIX Firewall Version 5.0, which can be viewed at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pix55em/index.htm

CSCdm39607: The SNMP "ifOutUcastPkts" object now correctly returns the outbound packet count.

CSCdk91396: See "AAA Timeout Message for RADIUS and TACACS+" in "Important Notes" for information about the timeout message for both RADIUS and TACACS+.

Related Documentation

Use this document in conjunction with the PIX Firewall documentation at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

Cisco provides PIX Firewall technical tips at the following site:

http://www.cisco.com/warp/public/110/index.shtml#pix

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW).

The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.


Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.





Posted: Thu Jan 27 20:42:08 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.