Release Notes for Cisco Secure Policy Manager Version 2.0
March 2000
These release notes pertain to Cisco Secure Policy Manager Version 2.0.
Warning: Please see the READMEFIRST file on the CD-ROM for late-breaking information.
Cisco Secure Policy Manager is a scalable, comprehensive security policy management system for Policy Enforcement Points, specifically Cisco Secure PIX Firewalls and Cisco IOS Routers that include either the Cisco Secure Integrated Software or the Cisco Secure Integrated VPN Software. With Cisco Secure Policy Manager, customers can define, distribute, enforce, and audit multiple distributed security policies from a central location. As the management cornerstone of the Cisco end-to-end security product line and a fundamental element of CiscoAssure Policy Networking, Cisco Secure Policy Manager can dramatically simplify firewall and IPSec VPN management.
This section describes the significant changes in a feature or functionality found in Cisco Secure Policy Manager. However, this section does not address the caveats resolved as part of the ongoing maintenance and development of this product.
New or improved features and functionality in Cisco Secure Policy Manager improve your experience and provide enhanced support for managing your network security. The following list identifies such features and functionality:
- Internet Semantic Changes. (improved) Cisco Secure Policy Manager now interprets the Internet node as "any" when generating command sets based on security policies that reference that node. Previously, the Internet node was interpreted as any network that was not defined in your Network Topology tree. This improvement results in smaller, less restrictive command sets and a faster policy generation phase. Because "any" also matches addresses in networks that are defined in your Network Topology tree, review existing policies that reference the Internet node to confirm that they do not now permit more than you intend.
- IOS Router Support. (new) Cisco Secure Policy Manager now manages IOS Routers, specifically controlling the Cisco Secure Integrated Software and Cisco Secure Integrated VPN Software, enabling you to create VPN tunnels in your network policies.
- IPSec Tunnel Templates and IPSec Tunnel Groups. (new) IPSec security features are implemented through IPSec Tunnel Templates and IPSec Tunnel Groups. IPSec Tunnel Templates specify the protocols and ciphers that are used to set up the IPSec tunnel and encrypt and/or authenticate the traffic using the IPSec tunnel. IPSec Tunnel Groups are based on an IPSec Tunnel Template. They define the network objects that are the endpoints for the tunnel traffic, while the IPSec Tunnel Template provides the actual configuration of the tunnel between those endpoints. A new node in Policy Builder, the Use Tunnel non-terminal action node, provides the mechanism by which you can specify the services that are to use the tunnel defined by the IPSec Tunnel Group.
- Certificate Authority. (new) You can now identify hosts on your network that run Certificate Authority server software. Cisco Secure Policy Manager enables you to specify that these hosts are responsible for authenticating certificates using IPSec tunnels created and maintained by the Policy Enforcement Points on your network.
- Policy Builder. (improved) The redesigned Policy Builder now includes support for filtering Java and enabling the use of IPSec Tunnel Groups for secure communication based on specific network services.
- Security Policy Enforcement branch. (improved) You can now reference a network object multiple times within the Security Policy Enforcement branch. In addition, you can define source-based and/or destination-based security policies, enabling you to define the policies from the perspective of the network service or collection of assets that you are controlling.
- Route Generation. (improved) Routes are now generated for arbitrary network topologies. The route generation is no longer restricted to simple network topologies that involve network shortcuts. You can now disable all generated routes on a per-Policy Enforcement Point basis.
- Topology Wizard. (improved) This wizard enables you to easily add any gateway object, such as a Policy Enforcement Point, and all network objects that are required to successfully install that gateway object. The wizard now includes support for the IOS Router, as well as the PIX Firewall.
- Path Restrictions. (new) You can restrict traffic flows across regions of your network. This feature replaces the "Limit Scope to" feature that existed on the Network nodes within the Network Topology tree. For more information about this new feature, refer to the online help associated with the Mapping panel.
- Database Recovery. (improved) Improvements have been made in the Policy Database to prevent problems where the Policy Database would shut down without performing a checkpoint of the working data stored in memory mapped files.
- SSL Support. (new in Version 1.1) A session between a web browser and the reporting agent can be encrypted using the Secure Sockets Layer (SSL) protocol. For information on configuring your web browser to use SSL, refer to the "Working with 3rd-Party Web Browsers" section in online help.
- What's This? Help. (new in Version 1.1) Field-level context help can be accessed by right-clicking a label or control within the user interface.
Deprecated features are those features and functionality that will be removed from Cisco Secure Policy Manager in an upcoming release. You should avoid becoming dependent on these features and familiarize yourself with those features that replace the deprecated ones. You should consider the following features, found in Cisco Secure Policy Manager Version 1.0 and Version 1.1, deprecated:
- Network Wizard. This wizard's functionality is replaced by three features:
- You can add a Cisco Secure Policy Manager host to the Network Topology tree by defining the network on which that server resides and then defining a new host node under that network. You are prompted to specify whether you want to add the Cisco Secure Policy Manager host, which is automatically populated, or define another host manually.
- The General panel on the Network Topology node enables you to remove required and previously defined network objects.
- The Topology Wizard enables you define and discover the settings for gateway objects.
- Interface Wizard. This functionality has been replaced by the Topology Wizard. The Topology Wizard enables you to manually define or automatically discover the interface settings on a Policy Enforcement Point, such as a Cisco Secure PIX Firewall.
- Limit Scope to. This feature enabled you to restrict routing rule propagation about a specific network to a specific upstream gateway object. This functionality was expanded and replaced by path restrictions, which can be defined in the Mapping panel.
- Uncompiled Help Source. The uncompiled help source enabled you to use an HTML browser to view the Help system files.
You can install Cisco Secure Policy Manager on any computer that meets the minimum hardware requirements and that runs Microsoft Windows NT Server version 4.0 or Windows NT Workstation version 4.0 using an NTFS file partition. You can also install the GUI client for Cisco Secure Policy Manager on a computer that runs Windows NT 4.0, Windows 95, or Windows 98. The demo version also runs on Windows NT 4.0, Windows 95, or Windows 98.
Cisco Secure Policy Manager also requires several pieces of requisite software to operate as intended, including the following:
- The server must be partitioned using NTFS, not FAT
- Service Pack 5 for Windows NT (to update files in the operating system)
- Microsoft Internet Explorer version 5.0 (for displaying generated system reports and online help)
- HTML Help version 1.22a support (for viewing online HTML-based Help topics)
- Cisco Secure VPN Client enables you to secure the command communication channel between the Cisco Secure Policy Manager system and a managed IPSec-enabled Policy Enforcement Point.
You must also have the TCP/IP protocol stack installed and operating correctly on each computer before you begin installation. The Autostart utility makes fulfilling the software requirements easy by checking the target computer for all requisites and then allowing you to install any missing requisites before continuing with the setup program. You cannot proceed with the setup program unless you install all requisite software.
The computer or computers on which you install Cisco Secure Policy Manager must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. To ensure optimal performance, though, you should install Cisco Secure Policy Manager on computers that meet or exceed these recommended hardware requirements.
Note: You should define the virtual memory settings for your Windows NT computer to be at least two times the physical memory installed in the computer. To reduce fragmented memory allocation and improve efficiency, you should also specify the same value for the Initial Size and Maximum Size boxes in the Virtual Memory dialog box, which you can access from the Performance panel of the My Computer property sheet.
Minimum hardware requirements:
- 200 MHz Pentium processor
- 96 MB of RAM
- 2 GB of free hard drive space
- 1 or more properly configured network adapter cards
- 1024 x 768 video adapter card capable of at least 64 K colors
- CD-ROM drive (preferably Autorun-enabled)
- Modem (optional, for pager notifications)
- Mouse
- SVGA color monitor
Recommended hardware requirements:
- 400 MHz Pentium II processor or greater
- 128 MB of RAM or greater
- 4 GB of free hard drive space or greater
- 1 or more properly configured network adapter cards
- 1024 x 768 video adapter card capable of at least 64 K colors
- Sound card with speakers/headphones (optional, for audio in the training videos)
- SVGA color monitor
- CD-ROM drive (Autorun-enabled)
- Modem (optional, for pager notifications)
- Mouse
This section identifies the Policy Enforcement Points, such as Cisco Secure PIX Firewalls, currently managed by Cisco Secure Policy Manager.
Table 1 lists the Cisco Secure PIX Firewall and IOS versions (for Cisco router/firewalls and Cisco VPN Gateways) currently supported by Cisco Secure Policy Manager. Certain versions of the Cisco Secure PIX Firewall require connection to the inside interface to receive commands from the Policy Distribution Point host. These dependencies are listed in the following table.
Table 1: Supported Policy Enforcement Points and Interface Dependencies
| Policy Enforcement Point | Supported Version | Managed Interface Dependency |
| Cisco Secure PIX Firewall | 4.2(4) | Inside |
| | 4.2(5) | Inside |
| | 4.4(x) | Inside |
| | 5.1(x) | (none) |
| Cisco Router/Firewall and Cisco VPN Gateway | IOS 12.0(5)T | (none) |
| | IOS 12.0(5)XE | (none) |
| | IOS 12.0(7)T | (none) |
Policy Enforcement Points, though managed by Cisco Secure Policy Manager, are not part of the installed system. Therefore, before you can manage a Policy Enforcement Point, you must ensure that it has a basic configuration that enables it to receive commands from Cisco Secure Policy Manager. Cisco Secure Policy Manager supports Ethernet, Token Ring, and FDDI interfaces installed in the Cisco Secure PIX Firewalls.
The following table identifies supported IOS Router images and memory requirements for those routers that are managed by Cisco Secure Policy Manager Version 2.0.
Table 2: Supported IOS Images and Memory Requirements
| Image Name | Features | Flash (MB) | RAM (MB) |
| c1700-bnor2sy56i-mz.120-7.T1 | IP/IPX/AT/IBM/FW Plus IPSec 56 | 8 | 24 |
| c1700-osy56i-mz.120-7.T1 | IP/FW Plus IPSec 56 | 8 | 20 |
| c2600-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 8 | 32 |
| c2600-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 40 |
| c3620-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 32 |
| c3620-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 48 |
| c3640-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 48 |
| c3640-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 48 |
| c7100-io3s56i-mz.120-5.XE5 | IP/FW/IDS IPSec 56 | 16 | 64 |
| c7100-jo3s56i-mz.120-5.XE5 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 64 |
| c7200-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 64 |
| c7200-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 64 |
Table Key:
- FW: Firewall Feature Set
- IPSec 56: 56-bit IPSec
- IBM: IBM Support
- AT: Appletalk Protocol Support
- IPX: IPX Protocol Support
- Enterprise: All features
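As an added example, not part of these release notes or of Cisco Secure Policy Manager, the following Python decodes an IOS image file name of the form listed in Table 2 and checks a router's image, flash and RAM against Table 1 and Table 2 before you attempt to manage it. It assumes the classic IOS naming convention, in which the version token "120-7.T1" reads as 12.0(7)T1 and the Table 1 entry "IOS 12.0(7)T" covers that rebuild, and it infers from Table 2 and its key that the "56" in the feature string marks the 56-bit IPSec image. The inventory entries in the usage call are constructed; in practice the image name and memory sizes come from the router's show version output.

```python
"""Added example (not Cisco code): decode classic IOS image names and check a
router against the supported releases (Table 1) and memory minimums (Table 2).
Image name, flash and DRAM sizes would normally be taken from 'show version';
the inventory entries in the usage call below are constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Table 2: image name -> (flash MB, RAM MB)
TABLE2_MEMORY: Dict[str, Tuple[int, int]] = {
    "c1700-bnor2sy56i-mz.120-7.T1": (8, 24),
    "c1700-osy56i-mz.120-7.T1": (8, 20),
    "c2600-io3s56i-mz.120-7.T1": (8, 32),
    "c2600-jo3s56i-mz.120-7.T1": (16, 40),
    "c3620-io3s56i-mz.120-7.T1": (16, 32),
    "c3620-jo3s56i-mz.120-7.T1": (16, 48),
    "c3640-io3s56i-mz.120-7.T1": (16, 48),
    "c3640-jo3s56i-mz.120-7.T1": (16, 48),
    "c7100-io3s56i-mz.120-5.XE5": (16, 64),
    "c7100-jo3s56i-mz.120-5.XE5": (16, 64),
    "c7200-io3s56i-mz.120-7.T1": (16, 64),
    "c7200-jo3s56i-mz.120-7.T1": (16, 64),
}

# Table 1 IOS entries, as release trains without a rebuild number
TABLE1_IOS_TRAINS = {"12.0(5)T", "12.0(5)XE", "12.0(7)T"}

# <platform>-<feature letters>-<compression/run location>.<version>
# Version token "120-7.T1" = major 12, minor 0, maintenance 7, train T,
# rebuild 1, i.e. 12.0(7)T1 (assumed classic IOS naming convention).
_IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)\."
    r"(?P<maj>\d{2})(?P<min>\d)-(?P<maint>\d+)"
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d*))?$"
)


class IosImage(NamedTuple):
    platform: str
    features: str
    release: str   # e.g. 12.0(7)T1
    train: str     # e.g. 12.0(7)T
    ipsec56: bool  # '56' feature code = 56-bit IPSec, inferred from Table 2


def parse_image_name(name: str) -> IosImage:
    m = _IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not an IOS image name: {name!r}")
    base = f"{m['maj']}.{m['min']}({m['maint']})"
    train = base + (m["train"] or "")
    return IosImage(m["platform"], m["features"], train + (m["rebuild"] or ""),
                    train, "56" in m["features"])


def check_router(image: str, flash_mb: int, dram_mb: int) -> List[str]:
    """Reasons the router cannot be managed by Cisco Secure Policy Manager 2.0;
    an empty list means it satisfies Table 1 and Table 2."""
    problems: List[str] = []
    info = parse_image_name(image)
    if info.train not in TABLE1_IOS_TRAINS:
        problems.append(f"IOS {info.release} is not a supported release")
    if not info.ipsec56:
        problems.append("image has no IPSec feature code; IPSec tunnels cannot be managed")
    if image not in TABLE2_MEMORY:
        problems.append(f"{image} is not a listed image")
    else:
        need_flash, need_ram = TABLE2_MEMORY[image]
        if flash_mb < need_flash:
            problems.append(f"flash {flash_mb} MB is below the {need_flash} MB required")
        if dram_mb < need_ram:
            problems.append(f"RAM {dram_mb} MB is below the {need_ram} MB required")
    return problems


if __name__ == "__main__":
    # Constructed inventory entries: (image, flash MB, DRAM MB)
    for entry in [("c2600-jo3s56i-mz.120-7.T1", 16, 40),
                  ("c3620-jo3s56i-mz.120-7.T1", 16, 32),
                  ("c2600-io3s-mz.120-7.T1", 8, 32)]:
        print(entry[0], check_router(*entry) or ["OK"])
```

The release-train check deliberately ignores the rebuild digit, so a router running 12.0(7)T1 passes against the "IOS 12.0(7)T" entry in Table 1; tighten it to an exact release match if your change control requires the precise rebuild listed in Table 2.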
The following software either is known to conflict with Cisco Secure Policy Manager or has not been extensively tested with this product:
- CSCdm35411, CSCdm35416, CSCdm35421, CSCdm35427, CSCdm35430: GUI client only supports the U.S. version of Windows NT
- Currently, the only supported operating system is the U.S. version of Windows NT 4.0, running Service Pack 5. This product has not been tested with non-U.S. versions of the operating system.
- Cisco Secure Policy Manager has not been tested with Windows NT Service Pack 6 or Windows 2000
- This product has not been tested with Windows NT Service Pack 6 or Windows 2000. As a result, you cannot install Cisco Secure Policy Manager on a host that is running Service Pack 6 or Windows 2000.
- CSCdm93310: CHC does not respond to service manager on exit before 01/01/1999
- Cisco Secure Policy Manager operates from 01/01/1999 through 12/31/2035. If you attempt to run the Cisco Controlled Host Component outside this time range, it may stop responding to the Windows NT Service Control Manager (SCM) and you may get an application event that states the service hung on starting. The only way to get the service working properly again is to change the date to a valid date (within the operational period specified above) and reboot the computer.
For instructions about managing your installed Cisco Secure Policy Manager server, refer to the "Upgrading, Reinstalling, and Uninstalling" section of Appendix B, "Working with Cisco Secure Policy Manager," of the Cisco Secure Policy Manager Installation Guide.
The following note applies to installing any release or installation type of Cisco Secure Policy Manager:
- Demo installation requirements
- To install the Demo, your computer only needs Internet Explorer 3.02 or later. However, the CD-ROM does not include this version of Internet Explorer. It only includes Internet Explorer 5.0 and the Windows NT Service Pack 5 setup programs.
- Video installation requirements
- To use the videos, your computer must have a sound card and speakers installed and configured properly.
The following list identifies where to locate the license disk that is required to install the evaluation version of Cisco Secure Policy Manager, as well as identifies the limitations and password associated with the license.
- Location: The license disk is located in the root folder of the Zip file that you download from CCO, in the file named license.dsk.
- License Restrictions: The key supports up to 20 Policy Enforcement Points for Version 2.0, and it is valid for 90 days.
- Password: cisco
Cisco Secure Policy Manager does not support the use of address translation rules on unmanaged gateway objects defined within the Network Topology tree. In other words, Cisco Secure Policy Manager cannot model any type of address translation rules that affect a traffic flow that traverses unmanaged devices.
This section identifies caveats and issues for Cisco Secure Policy Manager.
Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure Policy Manager. You can access these release notes online at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120cavs/index.htm
This section identifies known caveats and issues with Cisco Secure Policy Manager Version 2.0.
- CSCdm78017: Import *.cpm file operation guidelines
- After you import a *.cpm file, you must perform a Save operation and allow that operation to complete before you perform a Save and Update operation. This order of operations is necessary to generate the device-specific command sets correctly. The first operation stores the new data in the Policy Database, and the second operation generates the command sets.
- CSCdr02076: Complex topology/policy examples can generate command sets that are too large for the rich edit control used for the Command panel when running the GUI client on a Windows 95 or Windows 98 computer.
- If you generate command sets that are too large for the rich edit control supported by Windows 95 and Windows 98, the Command panel will appear blank after you generate the command sets by performing a Save and Update operation.
- Workaround/Solution: Currently, the only workaround is to generate the command sets on a host that is running Windows NT 4.0.
- CSCdp71047: A loop in the routing calculation is causing the GUI client to hang (IOS/Cisco Secure PIX Firewall)
- When you define a topology that contains a large number of network shortcuts (over 30) that connect the bottom-most legs of a network, a loop is created in the routing calculation.
- Workaround/Solution: Currently, the only workaround is to remove the additional network shortcuts.
- CSCdp94772: Changing the name of an interface deletes path restriction rules that reference that interface
- If you rename an interface in a gateway object, any rules that reference that interface in the Disable paths to box of the Path Restrictions list in the Mapping panel of any gateway object are deleted the next time that you perform a Save and Update operation.
- Workaround/Solution: You must manually redefine any such rules using the GUI client.
- CSCdm77487: Renaming the Cisco Secure PIX Firewall node does not generate hostname command
- If you change the name of a Cisco Secure PIX Firewall node in the GUI client, a corresponding hostname command is not distributed to that Cisco Secure PIX Firewall. Instead, you must use either the epilogue or prologue command set in the Command panel to manually specify the hostname for that Cisco Secure PIX Firewall.
- CSCdk95364: AAA servers are not supported by Cisco Secure Policy Manager
- AAA must be configured outside Cisco Secure Policy Manager. It is not supported in Version 1.0, Version 1.1, or Version 2.0.
- CSCdp79515: Java blocking commands are not correctly generated for Cisco Secure PIX Firewall if the specified service is All IP or a mix of HTTP and All IP.
- If you define a security policy abstract with an IF Service is condition value of All IP or a mix of All IP and HTTP, Cisco Secure Policy Manager does not generate the correct command set that filters Java applets found within HTTP.
- Workaround/Solution: Create an explicit HTTP policy with Java blocking, followed by the All IP policy. For example:
If source is This Network Object and service is HTTP and destination is Network 1 then
Block Java
Permit
ELSE If source is This Network Object and service is All IP and destination is Network 1 then
Permit
- CSCdr01930: Selecting a target Syslog server node does not automatically generate security policies to enable Syslog traffic from the Policy Enforcement Point to the Syslog server.
- In cases where you select a Syslog server as a target for the Syslog data streams generated by a Policy Enforcement Point and that Syslog server is not a member of a network that is directly connected to an interface in that Policy Enforcement Point, Cisco Secure Policy Manager does not automatically generate and apply the security policies (in the Cisco System Folder of the Policy Enforcement branch) that enable this network service to traverse the managed gateway objects along the path to that Syslog server, although the documentation states that such policies are generated.
- Workaround/Solution: You must manually define and apply the security policies that enable the Syslog network service to reach the target Syslog server.
The following caveats are related to the generation and distribution of command sets.
Specific to Cisco Secure Policy Manager
- CSCdp87612: No warning or error messages generated when Cisco Secure Policy Manager does not publish to the correct Policy Enforcement Point interface address
- When you select a Policy Distribution Point in a Policy Enforcement panel of a managed gateway object, you should also select an IP address for the Policy Enforcement Point that is associated with the interface installed in that managed gateway object that is attached to the network directly connected to the selected Policy Distribution Point. However, if you do not select an IP address, Cisco Secure Policy Manager does not generate a warning or error message stating that the IP address is not one associated with the interface that is directly connected to a network that reaches the Policy Distribution Point.
- Workaround/Solution: Verify that the IP address is attached to the correct network.
- CSCdp08523: Policy server should notify administrator about distribution order for IPSec
- If you have two Policy Enforcement Points that act as peers for a tunnel through which all traffic or Telnet can pass and you publish the derived command set to the local peer Policy Enforcement Point first, you can break connectivity to the remote peer. This break in connectivity occurs because nothing is configured for the tunnel to be created on the remote Policy Enforcement Point.
- Workaround/Solution: When you publish the derived command sets to a Policy Enforcement Point, your best choice is to manually publish them so that they are not automatically sent to managed Policy Enforcement Points. This setting enables you to distribute commands from the farthest Policy Enforcement Point to the closest Policy Enforcement Point, which prevents tunnels from being created on the nearer Policy Enforcement Point while you are trying to distribute command sets to the farther Policy Enforcement Point. First, publish the generated command sets to the remote Policy Enforcement Point and then to the nearer Policy Enforcement Point. Thus, when the nearer Policy Enforcement Point tries to establish a tunnel with the remote Policy Enforcement Point, the configuration information exists on both Policy Enforcement Points and the tunnels can be negotiated and accepted.
- CSCdm12877: You cannot define an address translation rule for the same network object in the Mapping panel of two different Cisco Secure PIX Firewall nodes
- This case, referred to as nested network address translation (NAT), is not currently supported. It typically arises when one Cisco Secure PIX Firewall is nested behind another. You cannot nest any form of address translation within the defined topology.
- Workaround/Solution: Currently, no workaround exists.
- CSCdm92145: Generated logging host commands point to incorrect interface
- When Cisco Secure Policy Manager generates the logging host commands for the Cisco Secure PIX Firewall, some of the commands may point the Syslog stream out an interface where the host does not reside (for example, the statement could read logging host outside when the actual Syslog server resides somewhere off the inside interface). This problem is caused by a routing discrepancy that only affects the Syslog servers and Policy Monitor Points. Depending upon your network topology, this caveat can increase network traffic as the Syslog data is sent out the wrong interface and, if that interface is a lower-security one such as outside, can expose the Syslog data to that network.
- Workaround/Solution: The workaround involves two steps:
Step 1 Using the Enforcement panel on the Cisco Secure PIX Firewall node in the GUI client, disable the Cisco Secure PIX Firewall from sending its Syslog data stream to that particular host.
Step 2 In the Epilogue box of the Command panel on the same Cisco Secure PIX Firewall node, type the logging host command and specify the correct interface information.
This workaround prevents Syslog traffic from being sent over the incorrect interface.
- CSCdm19070: Duplicate opposing conduits created
- When Cisco Secure Policy Manager generates conduit commands permitting network access, it generates a duplicate set of conduit commands that deny the same network access. These deny commands are generated immediately following the permit commands. Although this does not harm the usability of the config (because conduits are processed in order), it does take up config memory. This problem occurs quite frequently, but it is harmless.
- Workaround/Solution: Currently, no workaround exists.
- CSCdm26876: Outbound commands display the port twice
- When you define a network service that has only one port (such as Telnet), the outbound command generated by Cisco Secure Policy Manager uses the port-port format (for Telnet, it generates 23-23). This command entry format is acceptable to the Cisco Secure PIX Firewall. Therefore, you can safely ignore entries with two ports.
- Workaround/Solution: Currently, no workaround exists.
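The following Python is an added example, not part of Cisco Secure Policy Manager or of these release notes. It applies pre-publish checks to a generated Cisco Secure PIX Firewall command set for the caveats above: the Policy Distribution Point address check from CSCdp87612, the missing hostname command from CSCdm77487, the logging host interface from CSCdm92145, and the duplicate opposing conduits from CSCdm19070. The command set, addresses and host names are constructed for the example; the PIX commands it parses (hostname, ip address, route, logging host, conduit) are in the PIX syntax those caveats refer to. The logging host check decides the correct interface by a longest-prefix lookup over the connected networks and static routes found in the same command set, which is this example's assumption about how the PIX chooses an egress interface rather than something the notes state.

```python
"""Added example (not Cisco code): pre-publish checks over a generated PIX
command set for CSCdp87612, CSCdm77487, CSCdm92145 and CSCdm19070.
The command set, addresses and host names below are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Routes = List[Tuple[str, ipaddress.IPv4Network]]


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    # PIX accepts '0 0' as shorthand for 0.0.0.0 0.0.0.0 in route commands
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_topology(cmds: List[str]) -> Tuple[Dict[str, ipaddress.IPv4Interface], Routes]:
    """Interfaces from 'ip address <if> <ip> <mask>' and a route list built from
    the connected networks plus 'route <if> <net> <mask> <gw>' commands."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    routes: Routes = []
    for line in cmds:
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) == 5:
            ifaces[parts[2]] = ipaddress.IPv4Interface(f"{parts[3]}/{parts[4]}")
            routes.append((parts[2], ifaces[parts[2]].network))
        elif parts[:1] == ["route"] and len(parts) >= 5:
            routes.append((parts[1], _net(parts[2], parts[3])))
    return ifaces, routes


def egress_interface(routes: Routes, host: str) -> Optional[str]:
    """Longest-prefix match (assumed PIX behaviour): the interface used to
    reach host, or None if no route, not even a default, covers it."""
    addr = ipaddress.IPv4Address(host)
    best: Optional[Tuple[str, ipaddress.IPv4Network]] = None
    for if_name, net in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (if_name, net)
    return best[0] if best else None


def lint_command_set(cmds: List[str], expected_hostname: str,
                     pdp_ip: str, selected_pep_ip: str) -> List[str]:
    """Return findings to resolve before publishing the command set."""
    findings: List[str] = []
    ifaces, routes = parse_topology(cmds)

    # CSCdp87612: the PEP address chosen for the Policy Distribution Point must
    # belong to the interface on the network directly connected to the PDP.
    connected = [(name, i.network) for name, i in ifaces.items()]
    facing = egress_interface(connected, pdp_ip)
    if facing is None:
        findings.append(f"PDP {pdp_ip} is not on any directly connected network")
    elif str(ifaces[facing].ip) != selected_pep_ip:
        findings.append(f"PDP-facing interface is {facing} ({ifaces[facing].ip}), "
                        f"not {selected_pep_ip}")

    # CSCdm77487: renaming the node does not emit a hostname command.
    hostnames = [l.split()[1] for l in cmds if l.startswith("hostname ")]
    if not hostnames or hostnames[-1] != expected_hostname:
        have = hostnames[-1] if hostnames else "missing"
        findings.append(f"hostname is {have}, expected {expected_hostname}")

    # CSCdm92145: logging host sent out an interface the server is not behind.
    for line in cmds:
        m = re.match(r"^logging host (\S+) (\S+)$", line.strip())
        if m:
            actual = egress_interface(routes, m[2])
            if actual != m[1]:
                findings.append(f"'{line}' should use interface {actual}")

    # CSCdm19070: a permit conduit immediately followed by its opposing deny
    # (harmless because conduits are processed in order, but wastes config memory).
    for a, b in zip(cmds, cmds[1:]):
        if a.startswith("conduit permit ") and b == a.replace("permit", "deny", 1):
            findings.append(f"redundant opposing conduit: '{b}'")
    return findings


# Constructed sample of a command set as Save and Update might generate it
SAMPLE_CMDS = [
    "hostname pix-hq",
    "ip address outside 203.0.113.2 255.255.255.0",
    "ip address inside 10.1.1.1 255.255.255.0",
    "ip address dmz 10.1.2.1 255.255.255.0",
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
    "route inside 10.10.0.0 255.255.0.0 10.1.1.254 1",
    "logging host outside 10.10.5.20",   # server is behind inside (CSCdm92145)
    "logging host dmz 10.1.2.50",
    "conduit permit tcp host 203.0.113.10 eq smtp any",
    "conduit deny tcp host 203.0.113.10 eq smtp any",  # CSCdm19070
    "conduit permit tcp host 203.0.113.11 eq www any",
]

if __name__ == "__main__":
    for finding in lint_command_set(SAMPLE_CMDS, "pix-hq", "10.1.1.50", "10.1.1.1"):
        print("WARN:", finding)
```

Run the checks against the Command panel output after Save and Update and before you publish; a logging host finding is the case to fix first, using the Epilogue workaround above, since the other findings cost only configuration memory or a hostname.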
Specific to PIX Firewall Support
- CSCdp81369: No commands are generated for disabled interface
- If a PIX Firewall is configured and an interface is later disabled, no commands are generated to actually shut down the interface.
- Workaround/Solution: Manually shut down the interface.
- CSCdp62614: Cisco Secure Policy Manager generates incorrect SMTP configuration for Cisco Secure PIX Firewall
- Cisco Secure Policy Manager generates incorrect SMTP configuration when creating a device-specific command set to resolve a policy that enables an e-mail server to send SMTP mail to the Internet via an interface at a higher security level than the one on which the mail server resides. The result is that the conduit commands that enable this network service are generated incorrectly.
- Workaround/Solution: Manually edit the command set to remove/revise the incorrectly generated commands.
- CSCdp70997: Extra conduit commands for accessing certificate server (Cisco Secure PIX Firewall)
- Extra conduit commands are being generated when you define a policy that permits access to a certificate server.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp79679: "Renegotiate Protocols After" option on the IKE Tunnel Template cannot be set to 0 KB for Cisco Secure PIX Firewall
- The KBytes box in the Renegotiate Protocols After area in the Protocol panel of the tunnel template properties specifies the amount of traffic, in kilobytes, that can pass through the tunnel before the session is renegotiated. Setting this field to 0 (zero) disables this setting. Cisco Secure PIX Firewall does not currently support disabling this setting, and it will specify a default value in the generated commands if this field is set to 0.
- Workaround/Solution: When using Cisco Secure Policy Manager to manage Cisco Secure PIX Firewall, you do not have the option of disabling the KBytes setting. You can, however, set the option sufficiently high so that renegotiation will occur at less frequent intervals, or so that the time specified in the Time field will elapse and cause session renegotiation before the KBytes setting is reached.
- The maximum value that you can enter in the KBytes field is 536870912 (the KBytes field does not accept commas as input with large numbers).
- CSCdp72208: Commands are generated for interfaces that are marked as "administrative down" on a Cisco Secure PIX Firewall
- Currently, even if an interface is marked as being administratively down, Cisco Secure Policy Manager generates commands for that interface. This problem arises when you discover a Cisco Secure PIX Firewall.
- Workaround/Solution: You can resolve this issue by specifying that the interface is disabled in the Interfaces panel of the PIX Firewall node within the Network Topology tree.
- CSCdp77711: Cisco Secure Policy Manager does not support Cisco Secure PIX Firewalls sysopt ipsec pl-compatible command (Cisco Secure PIX Firewall)
- Cisco Secure PIX Firewall OS 5.1 provides the sysopt ipsec pl-compatible command, which lets IPSec packets bypass the Cisco Secure PIX Firewall's NAT and ASA processing and allows incoming IPSec packets to terminate on the inside interface. It is often needed because IPSec commands generated without it can conflict with NAT and ASA processing and cause traffic to be dropped. Cisco Secure Policy Manager does not support this command.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp78690: GRE tunnel commands do not work with CBAC
- The GRE packets do not trigger CBAC for Cisco Secure Integrated Software. Currently this is being researched with the IOS Router development team.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp16911: IPSec support is assumed regardless of version running on Cisco Secure PIX Firewall/IOS Router
- The IPSec check box is automatically selected whenever a new gateway object is created. In addition, if you use the Topology Wizard to define a new managed gateway object, you can rediscover the settings for that gateway object until you perform a Save operation.
- Workaround/Solution: Manually clear the IPSec check box, or rediscover the settings for that gateway object. If you downgrade the support of a managed gateway object, you must rediscover the settings to correct the IPSec support value.
- CSCdp34892: HTTP service on 127.0.0.1:8080 conflicts with reporting agent
- If you install the Cisco Documentation CD-ROM on a host that is running the reporting agent for Cisco Secure Policy Manager, a port conflict can arise between the web server software used by the CD-ROM application and the reporting agent. If this configuration exists, the following error message is generated when you attempt to access the CD-ROM: "Error accessing files on Cisco CD-ROM in your CDROM drive."
- Workaround/Solution: You can reassign the port used by the reporting agent by modifying the Cisco Policy Reporter network service definition and then re-selecting that service in the Policy Reports panel for each primary or secondary server installed on your network. After you complete this setting change, you are able to use the documentation CD-ROM and the reports generated by Cisco Secure Policy Manager.
- CSCdm63845: Renaming the Cisco Secure PIX Firewall node does not update in reports
- When you rename the Cisco Secure PIX Firewall node, the network service activity reports use the old name until the Cisco Secure Policy Manager server that is monitoring that Cisco Secure PIX Firewall is rebooted. To work around this problem, exit the GUI client (saving your changes first) and then restart it.
- CSCdk95377: Reports in GUI use cached copy
- When accessing a generated report from the GUI client, the web browser caches the first report that is viewed. If you regenerate the report, you will still see the first one until you click Refresh. You can ensure current reports are seen by changing the browser settings for Internet Explorer so that you reload each page for all requests.
- To verify that your pages are reloaded on each page visit, perform the following task:
Step 1 To access the shortcut menu, right-click the Internet Explorer icon on your desktop.
Step 2 To view the Internet Explorer Properties dialog box, click Properties on the shortcut menu.
Step 3 To specify that the pages are reloaded each time, click Settings under Temporary Internet Files in the General panel.
Step 4 Under Check for newer versions of stored pages, click Every visit to the page.
Step 5 To save your changes and close the Settings dialog box, click OK.
Step 6 To apply your changes and close the Internet Explorer Properties box, click OK in the General panel.
Note: If you use Netscape Navigator, you may also experience this problem. You can configure Netscape Navigator with similar settings to resolve it.
- CSCdr13227: Identification Type for Cisco Secure VPN Client's remote host is incorrectly specified
- The default certificate used by the VPN client is "none." To use certificates for IPSec-based communications between Cisco Secure Policy Manager servers and a remote host, you must manually specify the Cisco Secure VPN Client settings that enable those specific communications to a remote party and select the correct certificate for the "My Identity" option. In addition, for each specific connection, you must specify that the "Remote Party Identity Type" option is "IP_range" and identify the correct IP subnet and net mask.
- CSCdo84910: Cisco Secure Policy Manager does not detect address changes on a host that is running one of the system's components
- If you manually change the IP address of a host running some component of the Cisco Secure Policy Manager system, the system does not detect that address change automatically, unless you uninstall and reinstall that feature type.
- Workaround/Solution: You can use the GUI client to change the IP address of the primary or secondary server manually. If you change the network on which the primary or secondary server is running, you must perform a drag-and-drop operation to move the Host node onto that network in the Network Topology tree first, and then modify the IP address in the General panel of that Host node. Any references to that Host node will be lost. You must redefine these references, such as those in the Policy Enforcement panel of a Policy Distribution Point.
- CSCdm94143: Policy Database can crash while the Cisco Secure PIX Firewall control agent generates device-specific commands due to overlapping Save and Update operations
- This issue arises within large topologies when a Save and Update operation takes a long time to complete. If the GUI client returns from the Save and Update operation before the command sets are generated by the control agents and you perform a second Save and Update operation, it can cause the Policy Database to crash.
- Workaround/Solution: After you perform a Save and Update operation, you should allow the device-specific command set to generate completely before you perform another Save and Update operation. The best way to avoid this situation is to ensure that the "Current Policy Generation" number matches the "Processing Complete" number of each Policy Enforcement Point in the System Inconsistencies panel.
- CSCdm14477: Policy Database dies under heavy load of Cisco Secure PIX Firewall Syslog messages
- The following maximum threshold values exist for the specified hardware configurations:
- Quad Processor Computer with 1 GB of memory: 160 messages per second
- Recommended Configuration: 80 messages per second
- Minimum Configuration: 50 messages per second
- When the system is under high stress, frequently saving or requesting reports (every 10 minutes) may disable the system. Error messages similar to the following appear in the Windows NT Event Viewer when this error occurs:
- Krs error 28772: Database terminating with message: Failed to map page.
- Krs error 28801: The process cannot access the file because another process has locked a portion of the file. Failed to create file mapping for backing file d:\csm\data\memory\memfrm1730.mmf.
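As an added example that is not part of these release notes, the following Python script counts PIX syslog messages per one-second bucket from a syslog-server log and flags the seconds that exceed the threshold listed above for the selected hardware configuration. The sample log lines, the `SAMPLE_LINES` and `MAX_MSGS_PER_SEC` names, and the assumption of a standard syslog header in front of the `%PIX-` message are constructed here.

```python
import re
from collections import Counter

# Maximum PIX syslog rates (messages per second) stated in the CSCdm14477
# caveat for each Cisco Secure Policy Manager hardware configuration.
MAX_MSGS_PER_SEC = {
    "quad_1gb": 160,      # quad-processor computer with 1 GB of memory
    "recommended": 80,    # recommended configuration
    "minimum": 50,        # minimum configuration
}

# Assumed syslog-server line layout: "Mon DD HH:MM:SS host %PIX-level-id: text"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+%PIX-\d-\d+:"
)


def per_second_counts(lines):
    """Count PIX syslog messages per one-second timestamp bucket."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines without a %PIX- message (e.g. syslogd notices) are skipped
            counts[m.group(1)] += 1
    return counts


def peak_rate(lines):
    """Highest number of PIX messages seen in any single second (0 if none)."""
    counts = per_second_counts(lines)
    return max(counts.values()) if counts else 0


def seconds_over_threshold(lines, config="recommended"):
    """Timestamps whose message count exceeds the caveat's limit for config."""
    limit = MAX_MSGS_PER_SEC[config]
    return sorted(ts for ts, n in per_second_counts(lines).items() if n > limit)


# Constructed sample feed: 3 messages at :01, 60 at :02, plus one non-PIX line.
SAMPLE_LINES = (
    ["Mar 15 10:22:01 pix1 %PIX-6-302001: Built inbound TCP connection"] * 3
    + ["Mar 15 10:22:02 pix1 %PIX-4-106023: Deny tcp src outside:..."] * 60
    + ["Mar 15 10:22:02 pix1 last message repeated 5 times"]
)

if __name__ == "__main__":
    for cfg in MAX_MSGS_PER_SEC:
        over = seconds_over_threshold(SAMPLE_LINES, cfg)
        print(f"{cfg}: peak {peak_rate(SAMPLE_LINES)}/s, over limit at {over}")
```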
- CSCdm30221: Log files consume all disk space on a secondary server
- You must define the disk space settings for the Policy Database in all primary and secondary server panels (hosts running components of Cisco Secure Policy Manager). In addition, this setting must be less than the total available disk space on the host. If you fail to define these settings, the system can become unusable.
- CSCdk95444: Policy Database > Backup command does not display status of backups
- Backing up the Policy Database can take a long time, depending on the size of the database. You should be patient during backups because feedback is not provided about the progress of the backup.
- Workaround/Solution: Currently, no workaround exists.
The following documents directly support Cisco Secure Policy Manager:
- Cisco Secure Policy Manager Installation Guide
- Configuring Cisco Secure Policy Manager
- Notes for Upgrading the License Key for Cisco Secure Policy Manager
In addition to these documents, an extensive Help system is provided with the GUI client, the user interface that configures Cisco Secure Policy Manager.
The following sections identify the documents and associated web pages for the various platforms supported by Cisco Secure Policy Manager.
The following documents provide information about configuring the Cisco Secure PIX Firewall hardware and provide references to the command sets that can be specified in the Command panel associated with each Cisco Secure PIX Firewall node defined under the Network Topology tree of the GUI client.
- Configuration Guide for the Cisco Secure PIX Firewall
- Quick Installation Guide for the Cisco Secure PIX Firewall
- Regulatory Compliance and Safety Information for the Cisco Secure PIX Firewall
- System Log Messages for the Cisco Secure PIX Firewall
All these documents, including these release notes, apply to all Cisco Secure PIX Firewall hardware versions, including the Cisco Secure PIX Firewall, PIX 10000, PIX 510, and PIX 520 models.
Cisco provides Cisco Secure PIX Firewall technical tips at
The following link provides a list of documents and information about configuring Cisco IOS Release 12.0 and provides references to the command sets that can be specified in the Command panel associated with each IOS Router node defined under the Network Topology tree of the GUI client:
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
- WWW: www.cisco.com
- Telnet: cco.cisco.com
- Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
- From North America, call 408 526-8070
- From Europe, call 33 1 64 46 40 82
You can e-mail questions about using CCO to cco-team@cisco.com.
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
The TAC web site, at www.cisco.com/techsupport, includes links to technical support information and software upgrades and lets you request TAC support.
To contact TAC by e-mail, use one of the following addresses:
Language | E-mail Address
English | tac@cisco.com
Hanzi (Chinese) | chinese-tac@cisco.com
Kanji (Japanese) | japan-tac@cisco.com
Hangul (Korean) | korea-tac@cisco.com
Spanish | tac@cisco.com
Thai | thai-tac@cisco.com
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card that, for your convenience, many documents include behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate and value your comments.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Access Registrar, AccessPath, Any to Any, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, ConnectWay, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, Kernel Proxy, MGX, MultiPath Data, MultiPath Voice, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, ScriptShare, Secure Script, ServiceWay, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, ViewRunner, Virtual Loop Carrier System, Virtual Service Node, Virtual Voice Line, VisionWay, VlanDirector, Voice LAN, WaRP, Wavelength Router, Wavelength Router Protocol, WebViewer, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (9912R)
Copyright © 2000, Cisco Systems, Inc.
All rights reserved.
Posted: Thu May 25 12:47:06 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.