Release Notes for Cisco Secure Policy Manager Version 2.1
June 2000
These release notes pertain to Cisco Secure Policy Manager Version 2.1.
Warning: Please see the READMEFIRST file on the CD-ROM for late-breaking information.
Cisco Secure Policy Manager is a scalable, comprehensive security policy management system for Policy Enforcement Points, specifically Cisco Secure PIX Firewalls and Cisco IOS Routers that include either the Cisco Secure Integrated Software or the Cisco Secure Integrated VPN Software. With Cisco Secure Policy Manager, customers can define, distribute, enforce, and audit multiple distributed security policies from a central location. As the management cornerstone of the Cisco end-to-end security product line and a fundamental element of CiscoAssure Policy Networking, Cisco Secure Policy Manager can dramatically simplify firewall and IPSec VPN management.
This section describes the significant changes in features or functionality found in Cisco Secure Policy Manager. It does not address the caveats resolved as part of the ongoing maintenance and development of this product.
New or improved features and functionality in Cisco Secure Policy Manager improve your experience and provide enhanced support for managing your network security. The following list identifies such features and functionality:
- Network Object Groups. (improved in Version 2.1) Network Object Groups can now be used as objects in the Security Policy Enforcement branch to which you can apply policy.
- Policy Domains and Perimeters. (new in Version 2.1) Policy domains are logical collections of network perimeters that can be referenced in the source or destination conditions of security policies or placed in the Security Policy Enforcement branch and have policy applied. Perimeters, previously only available in the source or destination conditions of a security policy, are now branch objects on the Policy Domains branch of the Tools and Services tree and they can now be placed in the Security Policy Enforcement branch and have policy applied to them.
- Cloud Networks. (improved in Version 2.1) Cisco Secure Policy Manager now enables you to view cloud networks as part of the Network Topology tree (rather than only within the Cloud node definition), as well as perform a drag-and-drop operation to move cloud networks into the Security Policy Enforcement branch for better refinement of network policy definition. Cloud networks also can be referenced in If Source is and If Destination is conditions in security policy abstracts.
- Regional Flow Control Tool. (new in Version 2.1) Cisco Secure Policy Manager now provides a separate client to assist you in defining regional flow restrictions. This client enables you to define regions and automatically generate path restriction rules that are required to enforce the regional flow restriction.
- Troubleshooting Tool Kit Help. (new in Version 2.1) The Troubleshooting Tool Kit for Cisco Secure Policy Manager now has its own HTML Help file to guide you through tasks that you can perform using this separate utility.
- Getting Started Videos. (improved in Version 2.1) The Getting Started Video series consists of an introduction and six lessons that walk you through the basic steps required to get your Cisco Secure Policy Manager system up and running.
- Internet Semantic Changes. (improved in Version 2.0) Cisco Secure Policy Manager now interprets the Internet node as "any" when generating command sets based on security policies that reference that node. Previously, the Internet node was interpreted as any network that was not defined in your Network Topology tree. This improvement results in smaller, less restrictive command sets and a faster policy generation phase.
- IOS Router Support. (new in Version 2.0) Cisco Secure Policy Manager now manages IOS Routers, specifically controlling the Cisco Secure Integrated Software and Cisco Secure Integrated VPN Software, enabling you to create VPN tunnels in your network policies.
- IPSec Tunnel Templates and IPSec Tunnel Groups. (new in Version 2.0) IPSec security features are implemented through IPSec Tunnel Templates and IPSec Tunnel Groups. IPSec Tunnel Templates specify the protocols and ciphers that are used to set up the IPSec tunnel and encrypt and/or authenticate the traffic using the IPSec tunnel. IPSec Tunnel Groups are based on an IPSec Tunnel Template. They define the network objects that are the endpoints for the tunnel traffic, while the IPSec Tunnel Template provides the actual configuration of the tunnel between those endpoints. A new node in Policy Builder, the Use Tunnel non-terminal action node, provides the mechanism by which you can specify the services that are to use the tunnel defined by the IPSec Tunnel Group.
- Certificate Authority. (new in Version 2.0) You can now identify hosts on your network that run Certificate Authority server software. Cisco Secure Policy Manager enables you to specify that these hosts are responsible for authenticating certificates using IPSec tunnels created and maintained by the Policy Enforcement Points on your network.
- Policy Builder. (improved in Version 2.0) The redesigned Policy Builder now includes support for filtering Java and enabling the use of IPSec Tunnel Groups for secure communication based on specific network services.
- Security Policy Enforcement branch. (improved in Version 2.0) You can now reference a network object multiple times within the Security Policy Enforcement branch. In addition, you can define source-based and/or destination-based security policies, enabling you to define the policies from the perspective of the network service or collection of assets that you are controlling.
- Route Generation. (improved in Version 2.0) Routes are now generated for arbitrary network topologies. The route generation is no longer restricted to simple network topologies that involve network shortcuts. You can now disable all generated routes on a per-Policy Enforcement Point basis.
- Topology Wizard. (improved in Version 2.0) This wizard enables you to easily add any gateway object, such as a Policy Enforcement Point, and all network objects that are required to successfully install that gateway object. The wizard now includes support for the IOS Router, as well as the PIX Firewall.
- Path Restrictions. (new in Version 2.0) You can restrict traffic flows across regions of your network. This feature replaces the "Limit Scope to" feature that existed on the Network nodes within the Network Topology tree. For more information about this new feature, refer to the online help associated with the Mapping panel.
- Database Recovery. (improved in Version 2.0) Improvements have been made in the Policy Database to prevent problems where the Policy Database would shut down without performing a checkpoint of the working data stored in memory mapped files.
- SSL Support. (new in Version 1.1) A session between a web browser and the reporting agent can be encrypted using the Secure Sockets Layer (SSL) protocol. For information on configuring your web browser to use SSL, refer to the "Working with 3rd-Party Web Browsers" section in online help.
- What's This? Help. (new in Version 1.1) Field-level context help can be accessed by right-clicking a label or control within the user interface.
Deprecated features are those features and functionality that will be removed from Cisco Secure Policy Manager in an upcoming release. You should avoid becoming dependent on these features and familiarize yourself with those features that replace the deprecated ones. You should consider the following features, found in Cisco Secure Policy Manager Version 1.0 and Version 1.1, deprecated:
- Network Wizard. This wizard's functionality is replaced by three features:
  - You can add a Cisco Secure Policy Manager host to the Network Topology tree by defining the network on which that server resides and then defining a new host node under that network. You are prompted to specify whether you want to add the Cisco Secure Policy Manager host, which is automatically populated, or define another host manually.
  - The General panel on the Network Topology node enables you to remove required and previously defined network objects.
  - The Topology Wizard enables you to define and discover the settings for gateway objects.
- Interface Wizard. This functionality has been replaced by the Topology Wizard. The Topology Wizard enables you to manually define or automatically discover the interface settings on a Policy Enforcement Point, such as a Cisco Secure PIX Firewall.
- Limit Scope to. This feature enabled you to restrict routing rule propagation about a specific network to a specific upstream gateway object. This functionality was expanded and replaced by path restrictions, which can be defined in the Mapping panel.
- Uncompiled Help Source. The uncompiled help source enabled you to use an HTML browser to view the Help system files.
You can install Cisco Secure Policy Manager on any computer that meets the minimum hardware requirements and that runs Microsoft Windows NT Server version 4.0 or Windows NT Workstation version 4.0 using an NTFS file partition. You can also install the GUI client for Cisco Secure Policy Manager on a computer that runs Windows NT 4.0, Windows 95, or Windows 98. The demo version also runs on Windows NT 4.0, Windows 95, or Windows 98.
To operate as intended, Cisco Secure Policy Manager also requires several pieces of requisite software, including the following:
- The server must be partitioned using NTFS, not FAT
- Service Pack 6a for Windows NT (to update files in the operating system)
- Microsoft Internet Explorer version 5.0 (for displaying generated system reports and online help)
- HTML Help version 1.31 support (for viewing online HTML-based Help topics)
- Cisco Secure VPN Client version 1.1 (to secure the command communication channel between the Cisco Secure Policy Manager system and a managed IPSec-enabled Policy Enforcement Point)
You must also have the TCP/IP protocol stack installed and operating correctly on each computer before you begin installation. The Autostart utility makes fulfilling the software requirements easy by checking the target computer for all requisites and then allowing you to install any missing requisites before continuing with the setup program. You cannot proceed with the setup program unless you install all requisite software.
The computer or computers on which you install Cisco Secure Policy Manager must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. To ensure optimal performance, though, you should install Cisco Secure Policy Manager on computers that meet or exceed these minimum hardware requirements.
Note: You should define the virtual memory settings for your Windows NT computer to be at least two times the physical memory installed in the computer. To reduce fragmented memory allocation and improve efficiency, you should also specify the same value for the Initial Size and Maximum Size boxes in the Virtual Memory dialog box, which you can access from the Performance panel of the My Computer property sheet.
- 200 MHz Pentium processor
- 96 MB of RAM
- 2 GB free hard drive space
- 1 or more properly configured network adapter cards
- 1024 x 768 video adapter card capable of at least 64 K colors
- CD-ROM drive (preferably Autorun-enabled)
- Modem (optional for pager notifications)
- Mouse
- SVGA color monitor
- Sound card with speakers/headphones (optional for audio support in training videos)
This section identifies the Policy Enforcement Points, such as Cisco Secure PIX Firewalls, currently managed by Cisco Secure Policy Manager.
Table 1 lists the Cisco Secure PIX Firewall and IOS versions (for Cisco router/firewalls and Cisco VPN Gateways) currently supported by Cisco Secure Policy Manager. Certain versions of the Cisco Secure PIX Firewall require connection to the inside interface to receive commands from the Policy Distribution Point host. These dependencies are listed in the following table.
Table 1: Supported Policy Enforcement Points and Interface Dependencies

| Policy Enforcement Point | Supported Version | Managed Interface Dependency |
| --- | --- | --- |
| Cisco Secure PIX Firewall | 4.2(4) | Inside |
| Cisco Secure PIX Firewall | 4.2(5) | Inside |
| Cisco Secure PIX Firewall | 4.4(x) | Inside |
| Cisco Secure PIX Firewall | 5.1(x) | (none) |
| Cisco Router/Firewall and Cisco VPN Gateway | IOS 12.0(5)T | (none) |
| Cisco Router/Firewall and Cisco VPN Gateway | IOS 12.0(5)XE | (none) |
| Cisco Router/Firewall and Cisco VPN Gateway | IOS 12.0(7)T | (none) |
| Cisco Router/Firewall and Cisco VPN Gateway | IOS 12.1(1) | (none) |
Policy Enforcement Points, though managed by Cisco Secure Policy Manager, are not part of the installed system. Therefore, before you can manage a Policy Enforcement Point, you must ensure that it has a basic configuration that enables it to receive commands from Cisco Secure Policy Manager. Cisco Secure Policy Manager supports Ethernet, Token Ring, and FDDI interfaces installed in the Cisco Secure PIX Firewalls.
The following table identifies supported IOS Router images and memory requirements for those routers that are managed by Cisco Secure Policy Manager Version 2.1.
Table 2: Supported IOS Images and Memory Requirements

| Image Name | Features | Memory Needed: Flash (MB) | Memory Needed: RAM (MB) |
| --- | --- | --- | --- |
| c1700-bnor2sy56i-mz.120-7.T1 | IP/IPX/AT/IBM/FW Plus IPSec 56 | 8 | 24 |
| c1700-osy56i-mz.120-7.T1 | IP/FW Plus IPSec 56 | 8 | 20 |
| c2600-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 8 | 32 |
| c2600-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 40 |
| c3620-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 32 |
| c3620-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 48 |
| c3640-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 48 |
| c3640-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 48 |
| c7100-io3s56i-mz.120-5.XE5 | IP/FW/IDS IPSec 56 | 16 | 64 |
| c7100-jo3s56i-mz.120-5.XE5 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 64 |
| c7200-io3s56i-mz.120-7.T1 | IP/FW/IDS IPSec 56 | 16 | 64 |
| c7200-jo3s56i-mz.120-7.T1 | Enterprise/FW/IDS Plus IPSec 56 | 16 | 64 |
Table Key:
- FW: Firewall Feature Set
- IPSec 56: 56-bit IPSec
- IBM: IBM Support
- AT: AppleTalk Protocol Support
- IPX: IPX Protocol Support
- Enterprise: All features
The following software either is known to conflict with Cisco Secure Policy Manager or has not been extensively tested with this product:
- CSCdm35411, CSCdm35416, CSCdm35421, CSCdm35427, CSCdm35430: GUI client only supports the U.S. version of Windows NT
  Currently, the only supported operating system is the U.S. version of Windows NT 4.0, running Service Pack 6a. This product has not been tested with non-U.S. versions of the operating system.
- Cisco Secure Policy Manager has not been tested with Windows 2000
  This product has not been tested with Windows 2000. As a result, you cannot install Cisco Secure Policy Manager on a host that is running Windows 2000.
- CSCdm93310: CHC does not respond to service manager on exit before 01/01/1999
  Cisco Secure Policy Manager operates from 01/01/1999 through 12/31/2035. If you attempt to run the Cisco Controlled Host Component outside this time range, it may stop responding to the Windows NT Service Control Manager (SCM) and you may get an application event that states the service hung on starting. The only way to get the service working properly again is to change the date to a valid date (within the operational period specified above) and reboot the computer.
- CSCdp64934: Cisco Secure VPN Client removes existing connection entries
  When Cisco Secure Policy Manager publishes policies to the Cisco Secure VPN Client that is used for IPSec-based communications between the Cisco Secure Policy Manager host and a Policy Enforcement Point, any connection entries that are not managed by Cisco Secure Policy Manager are discarded automatically.
  Workaround/Solution: Currently, no workaround exists.
- CSCdr31294: Autostart program does not detect previous installation of Cisco Secure VPN Client
  Cisco Secure Policy Manager Version 2.1 is designed to work only with Cisco Secure VPN Client 1.1. The Autostart program does not detect whether a version of Cisco Secure VPN Client is installed; therefore, you must manually verify that you have the correct version installed on the target computer.
For instructions about managing your installed Cisco Secure Policy Manager server, refer to Appendix A of the Cisco Secure Policy Manager Installation Guide document.
The following note applies to installing any release or installation type of Cisco Secure Policy Manager:
- Demo installation requirements
  To install the Demo, your computer only needs Internet Explorer 3.02 or later. However, the CD-ROM does not include this version of Internet Explorer. It only includes Internet Explorer 5.0 and the Windows NT Service Pack 6a setup programs.
- Video installation requirements
  To use the videos, your computer must have a sound card and speakers installed and configured properly, a standard *.avi player (Windows Media Player), and you must install the TechSmith Decompression Codec software. You have the option of installing this codec during the Cisco Secure Policy Manager installation.
The following list identifies where to locate the license disk that is required to install the evaluation version of Cisco Secure Policy Manager, as well as identifies the limitations and password associated with the license.
- Location: The license disk is located in the root folder of the Zip file that you download from CCO, in the file named license.dsk.
- License Restrictions: The key supports up to 20 Policy Enforcement Points for Version 2.1, and it is valid for 90 days.
- Password: cisco
Cisco Secure Policy Manager does not support the use of address translation rules on unmanaged gateway objects defined within the Network Topology tree. In other words, Cisco Secure Policy Manager cannot model any type of address translation rule that affects a traffic flow that traverses unmanaged devices.
This section identifies caveats and issues for Cisco Secure Policy Manager.
Refer to the appropriate release notes for information about hardware caveats that might affect Cisco Secure Policy Manager. You can access these release notes online at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120cavs/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/121cavs/index.htm
This section identifies known caveats and issues with Cisco Secure Policy Manager Version 2.1.
- CSCdm78017: Import *.cpm file operation guidelines
  After you import a *.cpm file, you must perform a Save operation and allow that operation to complete before you perform a Save and Update operation. This order of operations is necessary to generate the device-specific command sets correctly. The first operation stores the new data in the Policy Database, and the second operation generates the command sets.
- CSCdr36110: HTTPS service definition set to Reporter during import from 1.x to 2.x
  When importing *.cpm files from Version 1.1, Cisco Secure Policy Manager generates incorrect default values for reporting. This issue exhibits itself by the inability to see any reports. This issue results from the fact that Cisco Secure Policy Manager Version 1.x did not define an entry for the Associated HTTPS Service box on the Policy Reports tab of the Cisco Secure Policy Manager host, whereas Version 2.x does. Therefore, Cisco Secure Policy Manager 2.x sets the HTTPS port to Cisco Policy Reporter, instead of Cisco Policy Reporter (SSL), when importing the Version 1.x *.cpm file. This default value matches the port specified for standard HTTP traffic. When viewing reports, however, HTTPS takes precedence over HTTP, which causes the side effect of not being able to view reports.
  Workaround/Solution: One of two workarounds can be used:
  - When accessing the Policy Reporting Point from a browser, prefix your URL address with https:// instead of http://. However, this solution is limited to correcting the problem in external browsers, and it does not work within the GUI client because the GUI client always attempts to access the pages using the previously mentioned default value.
  - To view reports within the GUI client, change the value of the Associated HTTPS Service box to Secure Sockets Layer (SSL) on the Policy Reports tab of the Cisco Secure Policy Manager host that is running the Primary Policy Database.
- CSCdr36595: Deleting a managed device can cause an inconsistency error
  When you remove a managed device, the system security policies still contain references to that device, which allow the management traffic to flow between the Cisco Secure Policy Manager host and the managed device. Normally, Cisco Secure Policy Manager regenerates these system security policies during a Save operation. In this case, however, a system consistency error prevents the regeneration unless consistency checking is disabled.
  Workaround/Solution: You can avoid this problem in two ways, either of which results in a regenerated, error-free system policy:
  - (preferred method) Remove the policy applied to the Cisco Secure Policy Manager hosts in the Cisco System Folder under the Security Policy Enforcement branch, and perform the Save operation.
  - Disable the System Consistency Check, and perform the Save operation. Once the Save operation is complete, you can re-enable this check.
- CSCdp80900: You should not be allowed to define network objects on a network that is attached to a virtual, or loopback, interface
  Currently, you can define a host or gateway object on a network that is attached to a virtual interface. You should not be allowed to define such network objects. Therefore, we strongly recommend that you do not specify such configurations within Cisco Secure Policy Manager, as they have no logical meaning within the system.
  Workaround/Solution: Do not define such configurations.
- CSCdr02076: Complex topology/policy examples can generate command sets that are too large for the rich edit control used for the Command panel when running the GUI client on a Windows 95 or Windows 98 computer
  If you generate command sets that are too large for the rich edit control supported by Windows 95 and Windows 98, the Command panel appears blank after you generate the command sets by performing a Save and Update operation.
  Workaround/Solution: Currently, the only workaround is to generate the command sets on a host that is running Windows NT 4.0.
- CSCdr35898: Client/server product panels require selection to initialize IP address assignment
  When you specify that a client/server product, such as Syslog, Radius, TACACS+, or a Certificate Authority, is running on a Host node, you must select a value in the IP Address box on the tab that appears after you define the client/server product type. By selecting this value, you are initializing the IP address that is assigned to this network service.
- CSCdm77487: Renaming the Cisco Secure PIX Firewall node does not generate hostname command
  If you change the name of a Cisco Secure PIX Firewall node in the GUI client, a corresponding hostname command is not distributed to that Cisco Secure PIX Firewall. Instead, you must use either the epilogue or prologue command set in the Command panel to manually specify the hostname for that Cisco Secure PIX Firewall.
- CSCdk95364: AAA servers are not supported by Cisco Secure Policy Manager
  AAA must be configured outside Cisco Secure Policy Manager. It is not supported in Version 1.0, Version 1.1, Version 2.0, or Version 2.1.
- CSCdp79515: Java blocking commands are not correctly generated for Cisco Secure PIX Firewall if the specified service is All IP or a mix of HTTP and All IP
  If you define a security policy abstract with an If Service is condition value of All IP or a mix of All IP and HTTP, Cisco Secure Policy Manager does not generate the correct command set that filters Java applets found within HTTP.
  Workaround/Solution: Create an explicit HTTP policy with Java blocking, followed by the All IP policy. For example:
    If source is This Network Object and service is HTTP and destination is Network 1 then
      Block Java
      Permit
    ELSE If source is This Network Object and service is All IP and destination is Network 1 then
      Permit
The following caveats are related to generated or distributed command sets.
Specific to Cisco Secure Policy Manager
- CSCdp87612: No warning or error messages generated when Cisco Secure Policy Manager does not publish to the correct Policy Enforcement Point interface address
  When you select a Policy Distribution Point in the Control panel of a managed gateway object, you should also select the IP address of the interface on that gateway object that is attached to the network directly connected to the selected Policy Distribution Point. However, if you do not select such an IP address, Cisco Secure Policy Manager does not generate a warning or error message stating that the selected IP address is not the one associated with the interface that is directly connected to a network that reaches the Policy Distribution Point.
  Workaround/Solution: Verify that the IP address is attached to the correct network.
- CSCdp08523: Policy server should notify administrator about distribution order for IPSec
  If you have two Policy Enforcement Points that act as peers for a tunnel through which all traffic or Telnet can pass and you publish the derived command set to the local peer Policy Enforcement Point first, you can break connectivity to the remote peer. This break in connectivity occurs because nothing is yet configured on the remote Policy Enforcement Point for the tunnel to be created.
  Workaround/Solution: When you publish the derived command sets to a Policy Enforcement Point, your best choice is to publish them manually so that they are not automatically sent to managed Policy Enforcement Points. This setting enables you to distribute commands from the farthest Policy Enforcement Point to the closest Policy Enforcement Point, which prevents tunnels from being created on the nearer Policy Enforcement Point while you are still distributing command sets to the farther Policy Enforcement Point. First, publish the generated command sets to the remote Policy Enforcement Point and then to the nearer Policy Enforcement Point. Thus, when the nearer Policy Enforcement Point tries to establish a tunnel with the remote Policy Enforcement Point, the configuration information exists on both Policy Enforcement Points and the tunnels can be negotiated and accepted.
- CSCdm12877: You cannot define an address translation rule for the same network object in the Mapping panel of two different Cisco Secure PIX Firewall nodes
  This case, referred to as nested network address translation (NAT), is not currently supported. It typically seems plausible in a nested Cisco Secure PIX Firewall scenario. You cannot nest any forms of address translation within the defined topology.
  Workaround/Solution: Currently, no workaround exists.
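As an added example (not part of these release notes or of Cisco Secure Policy Manager), the following Python models a constructed topology and performs the two checks that CSCdp87612 and CSCdp08523 above leave to the administrator: whether the address selected for a Policy Enforcement Point is the one on the interface facing the Policy Distribution Point, and the farthest-first publishing order the CSCdp08523 workaround recommends. Gateway names, addresses and networks are constructed sample data.

```python
"""Added example, not part of these release notes or of Cisco Secure Policy
Manager: a constructed topology model used to perform two checks that the
caveats above say the product leaves to the administrator.

CSCdp87612: confirm that the Policy Enforcement Point address selected for
publishing is the one on the interface directly connected to the network of
the Policy Distribution Point (PDP).

CSCdp08523: compute a publishing order that sends command sets to the
farthest Policy Enforcement Point first, so the remote IPSec peer holds its
tunnel configuration before the nearer peer tries to negotiate.

Gateway names, addresses and networks below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import IPv4Interface, ip_address


@dataclass(frozen=True)
class Gateway:
    """A managed gateway object: one address/prefix per attached interface."""
    name: str
    interfaces: tuple  # e.g. ("10.1.1.1/24", "192.0.2.1/24")

    def networks(self):
        return [IPv4Interface(i).network for i in self.interfaces]


def interface_facing_pdp(gateway, pdp_address):
    """Return the gateway's address on the network that contains the PDP,
    or None when no interface is directly connected to that network."""
    pdp = ip_address(pdp_address)
    for iface in gateway.interfaces:
        i = IPv4Interface(iface)
        if pdp in i.network:
            return str(i.ip)
    return None


def check_publish_address(gateway, selected_address, pdp_address):
    """The warning CSPM 2.1 does not emit (CSCdp87612): does the address
    selected in the Control panel face the Policy Distribution Point?
    Returns (ok, message)."""
    expected = interface_facing_pdp(gateway, pdp_address)
    if expected is None:
        return False, f"{gateway.name}: no interface is on the PDP's network"
    if selected_address != expected:
        return False, (f"{gateway.name}: selected {selected_address}, but the "
                       f"interface facing the PDP is {expected}")
    return True, f"{gateway.name}: {selected_address} faces the PDP"


def hop_distances(gateways, pdp_address):
    """Breadth-first search over the topology. Two gateways are adjacent when
    they share a network; gateways on the PDP's own network are at hop 1.
    Returns {gateway name: hop count}; unreachable gateways are absent."""
    pdp = ip_address(pdp_address)
    members = {}  # network -> names of gateways attached to it
    for g in gateways:
        for net in g.networks():
            members.setdefault(net, []).append(g.name)
    by_name = {g.name: g for g in gateways}
    dist = {}
    queue = deque()
    for net, names in members.items():
        if pdp in net:
            for n in names:
                if n not in dist:
                    dist[n] = 1
                    queue.append(n)
    while queue:
        cur = queue.popleft()
        for net in by_name[cur].networks():
            for nb in members[net]:
                if nb not in dist:
                    dist[nb] = dist[cur] + 1
                    queue.append(nb)
    return dist


def publish_order(gateways, pdp_address):
    """Farthest Policy Enforcement Point first (CSCdp08523 workaround).
    Returns (ordered names, names the PDP cannot reach at all)."""
    dist = hop_distances(gateways, pdp_address)
    ordered = sorted(dist, key=lambda n: (-dist[n], n))
    unreachable = sorted(g.name for g in gateways if g.name not in dist)
    return ordered, unreachable


# Constructed sample topology: the PDP (the CSPM host) sits on 10.1.1.0/24
# behind the inside interface of pix-hq; two routers chain off its outside.
PDP = "10.1.1.10"
PIX_HQ = Gateway("pix-hq", ("10.1.1.1/24", "192.0.2.1/24"))
ROUTER_BRANCH = Gateway("router-branch", ("192.0.2.2/24", "10.2.0.1/24"))
ROUTER_REMOTE = Gateway("router-remote", ("10.2.0.2/24", "10.3.0.1/24"))
SAMPLE_GATEWAYS = (PIX_HQ, ROUTER_BRANCH, ROUTER_REMOTE)

if __name__ == "__main__":
    for addr in ("10.1.1.1", "192.0.2.1"):
        print(check_publish_address(PIX_HQ, addr, PDP)[1])
    order, missing = publish_order(SAMPLE_GATEWAYS, PDP)
    print("publish in this order:", " -> ".join(order))
    if missing:
        print("not reachable from the PDP:", ", ".join(missing))
```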
Specific to PIX Firewall Support
- CSCdp81369: No commands are generated for disabled interface
  If a PIX Firewall is configured and an interface is later disabled, no commands are generated to actually shut down the interface.
  Workaround/Solution: Manually shut down the interface.
- CSCdp62614: Cisco Secure Policy Manager generates incorrect SMTP configuration for Cisco Secure PIX Firewall
  Cisco Secure Policy Manager generates incorrect SMTP configuration when creating a device-specific command set to resolve a policy that enables an e-mail server to send SMTP mail to the Internet via an interface at a higher security level than the one on which the mail server resides. The result is that the conduit commands that enable this network service are generated incorrectly.
  Workaround/Solution: Manually edit the command set to remove/revise the incorrectly generated commands.
- CSCdp70997: Extra conduit commands for accessing certificate server (Cisco Secure PIX Firewall)
  Extra conduit commands are being generated when you define a policy that permits access to a certificate server.
  Workaround/Solution: Currently, no workaround exists.
- CSCdp79679: "Renegotiate Protocols After" option on the IKE Tunnel Template cannot be set to 0 KB for Cisco Secure PIX Firewall
  The KBytes box in the Renegotiate Protocols After area in the Protocol panel of the tunnel template properties specifies the amount of traffic, in kilobytes, that can pass through the tunnel before the session is renegotiated. Setting this field to 0 (zero) disables this setting. Cisco Secure PIX Firewall does not currently support disabling this setting, and it will specify a default value in the generated commands if this field is set to 0.
  Workaround/Solution: When using Cisco Secure Policy Manager to manage Cisco Secure PIX Firewall, you do not have the option of disabling the KBytes setting. You can, however, set the option sufficiently high so that renegotiation will occur at less frequent intervals, or so that the time specified in the Time field will elapse and cause session renegotiation before the KBytes setting is reached.
  The maximum value that you can enter in the KBytes field is 536870912 (the KBytes field does not accept commas as input with large numbers).
- CSCdp72208: Commands are generated for interfaces that are marked as "administrative down" on a Cisco Secure PIX Firewall
  Currently, even if an interface is marked as being administratively down, Cisco Secure Policy Manager generates commands for that interface. This problem arises when you discover a Cisco Secure PIX Firewall.
  Workaround/Solution: You can resolve this issue by specifying that the interface is disabled in the Interfaces panel of the PIX Firewall node within the Network Topology tree.
Specific to IOS Router Support
- CSCdr15844: Interactive mode commands cause distribution failure
  If you manually alter a published command set residing on an IOS router, and then attempt to republish the command set, the publishing fails because an interactive-mode prompt asks you to verify that you want to change the command set.
  Workaround/Solution: To avoid this case, you must specify a write mem command at the end of your session when you are manually altering the configuration.
- CSCdr38722, CSCdr43374: Warning message is not clear for IOS generation status
  Cisco Secure Policy Manager generates the warning message "No inspection rule is applied to the source or destined device." when an IOS router with the Firewall Feature Set is used as the source or destination of a security policy abstract. The message is generated as a warning because Cisco Secure Policy Manager cannot generate CBAC-based rules for traffic that is destined to or originating from the IOS router. This issue results from how the CBAC commands work.
  Workaround/Solution: You can safely ignore this error message, but you should understand that you have defined policies that cannot be enforced using CBAC-based inspection rules.
- CSCdr47621: IOS Router node should not be permitted to hide an interface
  Cisco Secure Policy Manager Version 2.1 incorrectly provides support for interface-wide hiding for the IOS router, as it does for Cisco Secure PIX Firewall. This results in the Policy Server generating ACLs as if this feature were possible. The resulting ACLs have mapped addresses that are incorrect. The IOS router does not support this feature.
  Workaround/Solution: Do not define address hiding rules that hide the interface on a managed IOS Router.
- CSCdp77711: Cisco Secure Policy Manager does not support Cisco Secure PIX Firewalls sysopt ipsec pl-compatible command (Cisco Secure PIX Firewall)
- Cisco Secure PIX Firewall OS 5.1 has a command sysopt ipsec pl-compatible that enables IPSec packets to bypass the Cisco Secure PIX Firewall's NAT and ASA features and allows incoming IPSec packets to terminate on the inside interface. It is often used when generating IPSec commands that could cause conflicts and dropped traffic.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp78690: GRE tunnel commands not working with CBAC
- GRE packets do not trigger CBAC inspection in Cisco Secure Integrated Software, so generated commands that rely on CBAC to handle GRE tunnel traffic do not work. This is being researched with the IOS router development team.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp16911: IPSec support is assumed regardless of version running on Cisco Secure PIX Firewall/IOS Router
- The IPSec check box is selected automatically whenever you create a new gateway object, regardless of whether the software version running on the device supports IPSec. If you use the Topology Wizard to define a new managed gateway object, you can rediscover the settings of that gateway object until you perform a Save operation.
- Workaround/Solution: Manually clear the IPSec check box, or rediscover the settings for that gateway object. If you downgrade the IPSec support of a managed gateway object, you must rediscover its settings to correct the IPSec support value.
- CSCdp34892: HTTP service on 127.0.0.1:8080 conflicts with reporting agent
- If you install the Cisco Documentation CD-ROM on a host that is running the reporting agent for Cisco Secure Policy Manager, a port conflict can arise between the web server software used by the CD-ROM application and the reporting agent. If this configuration exists, the following error message is generated when you attempt to access the CD-ROM: "Error accessing files on Cisco CD-ROM in your CDROM drive."
- Workaround/Solution: You can reassign the port used by the reporting agent by modifying the Cisco Policy Reporter network service definition and then re-selecting that service in the Policy Reports panel for each primary or secondary server installed on your network. After you complete this setting change, you are able to use the documentation CD-ROM and the reports generated by Cisco Secure Policy Manager.
- CSCdm63845: Renaming the Cisco Secure PIX Firewall node does not update in reports
- When you rename the Cisco Secure PIX Firewall node, the network service activity reports continue to use the old name until the Cisco Secure Policy Manager server that monitors that Cisco Secure PIX Firewall is restarted.
- Workaround/Solution: Save your changes, exit the GUI client, and then restart it.
- CSCdk95377: Reports in GUI use cached copy
- When you open a generated report from the GUI client, the web browser caches the first copy of the report that it displays. If you regenerate the report, the browser keeps showing the first copy until you click Refresh. To make sure you always see the current report, configure Internet Explorer to reload every page on every request.
- To verify that your pages are reloaded on each page visit, perform the following task:
Step 1 To access the shortcut menu, right-click the Internet Explorer icon on your desktop.
Step 2 To view the Internet Explorer Properties dialog box, click Properties on the shortcut menu.
Step 3 To specify that the pages are reloaded each time, click Settings under Temporary Internet Files in the General panel.
Step 4 Under Check for newer versions of stored pages, click Every visit to the page.
Step 5 To save your changes and close the Settings dialog box, click OK.
Step 6 To apply your changes and close the Internet Explorer Properties box, click OK in the General panel.
Note: If you use Netscape Navigator, you may also experience this problem. You can configure Netscape Navigator with similar settings to resolve it.
- CSCdr48219: Policy Database cannot grow larger than 2 GB
- Due to a virtual memory unmapping issue, Cisco Secure Policy Manager Version 2.1 (and earlier) does not support a database larger than 2 GB.
- Workaround/Solution: Currently, no workaround exists.
- CSCdp84910: Cisco Secure Policy Manager does not detect address changes on a host that is running one of the system's components
- If you manually change the IP address of a host running some component of the Cisco Secure Policy Manager system, the system does not detect that address change automatically, unless you uninstall and reinstall that feature set.
- Workaround/Solution: You can use the GUI client to change the IP address of the primary or secondary server manually. If you move the primary or secondary server to a different network, first drag the Host node onto that network in the Network Topology tree, and then modify the IP address in the General panel of that Host node. Any references to that Host node are lost and must be redefined, for example those in the Control panel of a Policy Distribution Point.
- CSCdm94143: Policy Database can crash while the Cisco Secure PIX Firewall control agent generates device-specific commands due to overlapping Save and Update operations
- This issue arises within large topologies when a Save and Update operation takes a long time to complete. If the GUI client returns from the Save and Update operation before the command sets are generated by the control agents and you perform a second Save and Update operation, it can cause the Policy Database to crash.
- Workaround/Solution: After you perform a Save and Update operation, you should allow the device-specific command set to generate completely before you perform another Save and Update operation. The best way to avoid this situation is to ensure that the "Current Policy Generation" number matches the "Processing Complete" number of each Policy Enforcement Point in the System Inconsistencies panel.
- CSCdm14477: Policy Database dies under heavy load of Cisco Secure PIX Firewall Syslog messages
- The Policy Database can sustain at most the following rates of Cisco Secure PIX Firewall syslog messages for the specified hardware configurations:
- Quad Processor Computer with 1 GB of memory: 160 messages per second
- Recommended Configuration: 80 messages per second
- Minimum Configuration: 50 messages per second
- When the system is under this kind of load, saving frequently or requesting reports frequently (for example, every 10 minutes) can disable the system. Error messages similar to the following appear in the Windows NT Event Viewer when this occurs:
- Krs error 28772: Database terminating with message: Failed to map page.
- Krs error 28801: The process cannot access the file because another process has locked a portion of the file. Failed to create file mapping for backing file d:\csm\data\memory\memfrm1730.mmf.
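The rate ceilings above are only useful if you know what your firewalls actually send. The following script is an added example, not part of these release notes or of Cisco Secure Policy Manager: it buckets PIX syslog lines per second, flags every second that exceeds the ceiling for a given hardware configuration, and names the least capable configuration that could absorb the observed peak. The thresholds are the ones listed above; the sample syslog lines are constructed, and the timestamp layout the regular expression expects ("Mon DD YYYY HH:MM:SS: %PIX-sev-id:") is an assumption that you may need to adjust to match your logging configuration.

```python
"""Check a PIX syslog stream against the Policy Database message-rate ceilings.

Added example, not from the Cisco release notes. Thresholds come from the
notes (CSCdm14477); the sample lines are constructed; the timestamp
format is assumed.
"""
import re
from collections import Counter
from datetime import datetime

# Sustained syslog rates (messages per second) the Policy Database can
# absorb, keyed by hardware configuration, as given in the release notes.
THRESHOLDS = {
    "quad": 160,         # quad processor computer with 1 GB of memory
    "recommended": 80,   # recommended configuration
    "minimum": 50,       # minimum configuration
}

# Assumed line shape: "Jun 09 2000 10:07:10: %PIX-6-302001: ...".
_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<id>\d+):"
)


def parse_timestamp(line):
    """Return the datetime of a PIX syslog line, or None if it does not match."""
    m = _LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")


def per_second_rates(lines):
    """Count parsable syslog messages in each one-second bucket."""
    counts = Counter()
    for line in lines:
        ts = parse_timestamp(line)
        if ts is not None:
            counts[ts] += 1
    return counts


def over_threshold(lines, config="recommended"):
    """Return sorted (timestamp, count) pairs for every second whose message
    count exceeds the ceiling of the named hardware configuration."""
    limit = THRESHOLDS[config]
    return sorted((ts, n) for ts, n in per_second_rates(lines).items() if n > limit)


def smallest_adequate_configuration(lines):
    """Name the least capable configuration whose ceiling is not exceeded by
    the peak per-second rate, or None if even the quad processor host
    would be overrun."""
    peak = max(per_second_rates(lines).values(), default=0)
    for name, limit in sorted(THRESHOLDS.items(), key=lambda kv: kv[1]):
        if peak <= limit:
            return name
    return None


# Constructed sample: 3 messages in one second, then 60 in the next.
SAMPLE = [
    "Jun 09 2000 10:07:10: %PIX-6-302001: Built inbound TCP connection 1 "
    "for faddr 10.0.0.1/1025 gaddr 192.0.2.1/80 laddr 192.168.1.10/80"
] * 3 + [
    "Jun 09 2000 10:07:11: %PIX-6-302001: Built inbound TCP connection 2 "
    "for faddr 10.0.0.2/1026 gaddr 192.0.2.1/80 laddr 192.168.1.10/80"
] * 60

if __name__ == "__main__":
    for ts, n in over_threshold(SAMPLE, "minimum"):
        print(f"{ts}: {n} msg/s exceeds the minimum-configuration ceiling")
    print("least capable adequate host:", smallest_adequate_configuration(SAMPLE))
```

Feed the script a file captured from the syslog server that fronts the reporting agent rather than from the PIX console, since only messages that reach the Policy Database count against the ceiling.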
- CSCdm30221: Log files consume all disk space on a secondary server
- You must define the disk space settings for the Policy Database in the panels of all primary and secondary servers (hosts running components of Cisco Secure Policy Manager), and the value must be less than the disk space actually available on that host. If you do not define these settings, log files can consume all disk space on the host and the system can become unusable.
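Two of the caveats above (CSCdr48219, the 2 GB Policy Database ceiling, and CSCdm30221, the disk-space setting) have no product-side safeguard, so a periodic check on the server host is worth having. The following script is an added example, not part of these release notes or of Cisco Secure Policy Manager. The 2 GB ceiling is taken from the notes; the database directory d:\csm\data is taken from the file path in the error message quoted under CSCdm14477; the 80% warning margin, the one-gigabyte default for the configured limit, and the rule that the configured limit must be smaller than the space the database could grow into (its current size plus free space on the volume) are assumptions.

```python
"""Warn before the Policy Database nears 2 GB or its disk-space setting is
unsafe.

Added example, not from the Cisco release notes. The 2 GB cap is from
CSCdr48219; the d:\\csm\\data path is assumed from an error message in the
notes; the warning margin and default limit are assumptions.
"""
import os
import shutil

TWO_GB = 2 * 1024 ** 3
WARN_FRACTION = 0.80          # assumed: warn at 80% of the 2 GB ceiling
DEFAULT_DB_DIR = r"d:\csm\data"   # assumed from the memfrm*.mmf error message


def directory_size(path):
    """Total size in bytes of all regular files below path."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # file removed or locked mid-walk; skip it
    return total


def check_limits(db_bytes, configured_limit_bytes, free_bytes):
    """Pure check, separated from the filesystem so it can be unit tested.

    Returns a list of problem strings, empty when everything is within bounds:
      - the database is at or above 80% of the 2 GB ceiling
      - the configured disk-space limit is not below what the database could
        ever occupy on this volume (current size plus free space)
      - the database has already reached the configured limit
    """
    problems = []
    if db_bytes >= WARN_FRACTION * TWO_GB:
        problems.append("policy database is within 20% of the 2 GB limit")
    if configured_limit_bytes >= free_bytes + db_bytes:
        problems.append(
            "configured disk-space limit is not less than the space the database can occupy"
        )
    if db_bytes >= configured_limit_bytes:
        problems.append("policy database has reached the configured disk-space limit")
    return problems


def check_host(db_dir=DEFAULT_DB_DIR, configured_limit_bytes=1024 ** 3):
    """Measure the real database directory and volume, then apply the checks.

    configured_limit_bytes must match the disk space setting entered in the
    server panel; the default of 1 GB is an assumption.
    """
    usage = shutil.disk_usage(db_dir)
    return check_limits(directory_size(db_dir), configured_limit_bytes, usage.free)


if __name__ == "__main__":
    import sys
    db_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DB_DIR
    for problem in check_host(db_dir) or ["ok"]:
        print(problem)
```

Run it from a scheduled task on each primary and secondary server and treat any non-empty output as an alert; the notes say there is no workaround once the database has crossed 2 GB, so the value of the check lies in acting before that point.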
- CSCdk95444: Policy Database > Backup command does not display status of backups
- Backing up the Policy Database can take a long time, depending on the size of the database, and no feedback is provided about the progress of the backup while it runs. Be patient during backups.
- Workaround/Solution: Currently, no workaround exists.
The following documents directly support Cisco Secure Policy Manager:
- Cisco Secure Policy Manager Installation Guide
- Configuring Cisco Secure Policy Manager
- Notes for Upgrading the License Key for Cisco Secure Policy Manager
In addition to these documents, an extensive help system is provided with the GUI client, the user interface that configures Cisco Secure Policy Manager. Also, a comprehensive series of online-only administrator's guides is available at:
The following sections identify the documents and associated web pages for the various platforms supported by Cisco Secure Policy Manager.
The following documents provide information about configuring the Cisco Secure PIX Firewall hardware and provide references to the command sets that can be specified in the Command panel associated with each Cisco Secure PIX Firewall node defined under the Network Topology tree of the GUI client.
- Configuration Guide for the Cisco Secure PIX Firewall
- Quick Installation Guide for the Cisco Secure PIX Firewall
- Regulatory Compliance and Safety Information for the Cisco Secure PIX Firewall
- System Log Messages for the Cisco Secure PIX Firewall
All of these documents, including these release notes, apply to all Cisco Secure PIX Firewall hardware versions, including the Cisco Secure PIX Firewall, PIX 10000, PIX 510, and PIX 520 models.
Cisco provides Cisco Secure PIX Firewall technical tips at
The following links provide a list of documents and information about configuring Cisco IOS Releases 12.0 and 12.1 and provide references to the command sets that can be specified in the Command panel associated with each IOS Router node defined under the Network Topology tree of the GUI client:
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
- WWW: www.cisco.com
- Telnet: cco.cisco.com
- Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
- From North America, call 408 526-8070
- From Europe, call 33 1 64 46 40 82
You can e-mail questions about using CCO to cco-team@cisco.com.
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.
To contact by e-mail, use one of the following:
- English: tac@cisco.com
- Hanzi (Chinese): chinese-tac@cisco.com
- Kanji (Japanese): japan-tac@cisco.com
- Hangul (Korean): korea-tac@cisco.com
- Spanish: tac@cisco.com
- Thai: thai-tac@cisco.com
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate and value your comments.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Access Registrar, AccessPath, Any to Any, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, ConnectWay, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, RateMUX, ScriptShare, Secure Script, ServiceWay, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, ViewRunner, Virtual Loop Carrier System, Virtual Voice Line, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0004R)
Copyright © 2000, Cisco Systems, Inc.
All rights reserved.
Posted: Fri Jun 9 10:07:10 PDT 2000
Copyright © 1989-2000 Cisco Systems, Inc.