Release Notes for Management Center for VPN Routers 1.3 on Windows 2000 and Solaris


These release notes are for use with Management Center for VPN Routers (Router MC) 1.3.

These release notes contain the following sections:

System Requirements for Router MC 1.3

New Features

Product Documentation

Additional Information for Working with Router MC

Additional Troubleshooting Information

Known Problems in Router MC 1.3

Problems in Other VMS Applications that Affect Router MC

Resolved Problems in Router MC 1.3

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

System Requirements for Router MC 1.3

Router MC is a component of the VPN/Security Management Solution (VMS). VMS integrates CiscoWorks, VPN Monitor, CiscoWorks Common Services, and other individual applications.

The system requirements for Router MC are the same as the requirements for the VPN/Security Management Solution. See the Quick Start Guide for the VPN/Security Management Solution 2.2 for a list of server and client system requirements. This guide can be found at the following location on Cisco.com:
Products & Services > Network Management CiscoWorks > CiscoWorks VPN/Security Management Solution > Technical Documentation > Quick Start.

New Features

Router MC 1.3 contains the following new features and changes since Router MC 1.2.1:

GRE configuration for devices with dynamic IP addresses.

Dial backup configuration for primary link failover.

Filtering by protocol and port when creating a tunnel policy.

Additional firewall configuration features:

Support for authentication proxy in firewall configuration.

URL filtering for HTTP traffic using N2H2 or Websense.

Additional predefined services for CBAC inspection, including Skinny, SIP, RTSP, and ICMP.

ICMP qualifier messages for the ICMP protocol that can be selected as a service when creating an access rule.

Enhanced access rule definition that includes the option to have Router MC create an additional ACL to permit inspected traffic from a specific source and destination.

ACL logging—logging of all filtered traffic that matches the access rule to an external Syslog server.

Router MC now keeps existing security-related CLI commands that were not configured using Router MC on the devices, instead of removing them and creating new Router MC specific commands. This enables you to add devices to an existing network and manage them with Router MC, without affecting the policies that are already defined in your network. This is now the default behavior of Router MC; however, you can set the application to remove existing policies and replace them with Router MC generated CLI commands, if required.

Support for preshared key management only. Router MC can be set up to manage only preshared keys on your devices, and no other policies.

The default working mode is now Workflow Disabled mode. In this mode, there is no need to create an activity before making configuration changes or to create a job before deploying policies to your devices.

Router MC now provides hot-linked taskflow diagrams that lead you through all the steps required for VPN or firewall configuration, from importing your devices through deployment. By clicking each icon in the taskflow diagram, you can move directly to the relevant page in the application to perform the required task.

Router MC provides the following default policies on the Global level:

Failover and routing: IKE Keepalive.

Preshared key: Auto-generated key, main mode address.

Tunnel policy: Transform set with 3DES and SHA; an ACL permitting all traffic, which tunnels all traffic between the internal networks and inside interfaces on the peers, in both directions.

IKE policy: 3DES, SHA.
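On a device, the global defaults listed above appear as an ISAKMP policy and an IPsec transform set. The following Python code is an added example, not Cisco code and not part of the original release notes. It scans a saved running-config for entries that match the 3DES/SHA defaults so that they can be inventoried. The sample configuration, the function names, and the assumption that classic IOS omits default values (DES encryption, SHA hash) from the running-config are assumptions of this example.

```python
import re

# Constructed sample of a saved IOS running-config (not taken from the page).
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 hash md5
 authentication pre-share
!
crypto ipsec transform-set TS_DEFAULT esp-3des esp-sha-hmac
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
"""

# Assumption: values equal to the IOS defaults are not written to the
# running-config, so a policy with no "hash" line uses SHA and a policy
# with no "encr" line uses DES.
IKE_DEFAULTS = {"encr": "des", "hash": "sha"}


def parse_ike_policies(config):
    """Return {policy_number: {"encr": ..., "hash": ...}} for each ISAKMP policy."""
    policies = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IKE_DEFAULTS)
            continue
        if current is not None and line.startswith(" "):
            words = line.split()
            if len(words) < 2:
                continue
            if words[0] in ("encr", "encryption"):
                policies[current]["encr"] = " ".join(words[1:])
            elif words[0] == "hash":
                policies[current]["hash"] = words[1]
        else:
            # Any non-indented line ends the current policy sub-mode.
            current = None
    return policies


def parse_transform_sets(config):
    """Return {set_name: [transform, ...]} for each IPsec transform set."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def find_3des_sha(config):
    """List (kind, identifier) pairs that use 3DES with SHA, as the defaults do."""
    findings = []
    for number, policy in sorted(parse_ike_policies(config).items()):
        if policy["encr"] == "3des" and policy["hash"] == "sha":
            findings.append(("ike-policy", str(number)))
    for name, transforms in sorted(parse_transform_sets(config).items()):
        if "esp-3des" in transforms and "esp-sha-hmac" in transforms:
            findings.append(("transform-set", name))
    return findings
```
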

Router MC now enables the configuration of global lifetime settings for the crypto IPSec security association (SA).

Support for 1711/1712 devices with inside VLAN interfaces.

Product Documentation

Table 1 describes the documentation that is available for Router MC 1.3.


Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the Router MC documentation on Cisco.com for the most updated documentation.


Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Router MC 1.3

PDF on the Router MC download page on Cisco.com.

On Cisco.com:

Log into Cisco.com.

Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for VPN Routers > Technical Documentation > Release Notes.

Installing Management Center for VPN Routers 1.3 on Windows 2000 and Solaris

PDF in the Router MC software package that can be downloaded from Cisco.com.

On Cisco.com:

Log into Cisco.com.

Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for VPN Routers > Technical Documentation > Installation Guides.

Printed document available by order (part number DOC-7816158=). 1

Using Management Center for VPN Routers 1.3

PDF in the Router MC software package that can be downloaded from Cisco.com.

On Cisco.com:

Log into Cisco.com.

Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for VPN Routers > Technical Documentation > User Guides.

Printed document available by order (part number DOC-7816157=). 1

Supported Devices and Software for Management Center for VPN Routers 1.3

On Cisco.com:

Log into Cisco.com.

Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for VPN Routers > Technical Documentation > Device Support Tables.

Context-sensitive online help

Click Help in any page in Router MC for context-sensitive help.

Select Router Management Center from the navigation tree in the CiscoWorks desktop, then click Help.

1 See Obtaining Documentation.


Additional Information for Working with Router MC

Please be aware of the following issues when working with Router MC:

Internal error on login if processes have not yet started up—On first login to Router MC after installation, it takes a few minutes for all the required processes to start up. If some of the processes are not yet up and running when you try to log in, an error message is displayed. Please wait a few minutes, then log in again.

Target folders for backup, deploy or rollback must be located under the CiscoWorks Common Services installation folder—On Solaris, an error occurs if you try to back up, deploy, or roll back to a folder that is not in the CiscoWorks Common Services installation folder.

Backup and deployment on Solaris can be done only in locations that are under the CiscoWorks Common Services installation folder, such as /opt/CSCOpx. If you want to back up or deploy to a different location, you must use the root user to change the permissions of the new location, enabling full UNIX permissions for backup or deploy.

Auto Update Server (AUS) patch supports IOS 12.3 and later versions—The AUS CNS Event Gateway enables Router MC to manage Cisco IOS devices with dynamically assigned IP addresses. The current AUS version 1.1 does not support Cisco IOS Release 12.3 devices. An AUS patch is now available that supports Cisco IOS devices running 12.3 and later versions. If you require this patch, please contact Cisco technical support.

Refresh pages to update information, or clear browser cache—If the information displayed on a Router MC page does not seem updated, or if information seems to be missing, try refreshing the page. For example, refresh the Device Hierarchy page if the device hierarchy is not displayed. If this does not work, try clearing your browser's cache and then refreshing the page.

No support for multiple application windows—Router MC does not support multiple open application windows. Router MC is launched in a single browser window. This window is reused if you open another instance of Router MC. Therefore, please do not try to open more than one Router MC application window simultaneously (either from the CiscoWorks desktop, or by any other means).

ios-mdc = Router MC—"ios-mdc" in filenames, messages, or log files refers to Router MC.

Router MC does not support Japanese characters. It supports only English characters. If Router MC is installed on a Japanese operating system, Japanese characters cannot be used to create activities or define policies, etc.

Additional Troubleshooting Information

Following is additional troubleshooting information that is not documented in the troubleshooting section of the Router MC online help or user guide.

Problem—Deployment fails. Reason stated as device timeout.

Explanation—If you used beginning and ending commands in Router MC 1.2.1 and then you upgraded to Router MC 1.3, there might be blank lines in the CLI configuration that cause the deployment to fail.

Recommended Action—Check the incremental Telnet configuration for the devices to which you want to deploy, under Configuration > View Configs. If there are blank lines in the CLI, go to Configuration > Config Additions > Beginning and Ending Commands and click Apply. Then, deploy to the devices again.


Note: If you use beginning and ending commands in Router MC 1.3, this problem will not occur because Router MC now removes any blank lines in the generated CLI.


Known Problems in Router MC 1.3

Table 2 describes the significant severity level 3 and 4 problems known to exist in this release. It does not contain a full list of known problems.


Note: To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)


Table 2 Known Problems in Router MC 1.3 

Bug ID
Summary
Explanation

CSCsa09681

Device import process remains "in progress"

Workaround: Log out of Router MC and CiscoWorks. Stop and restart the Daemon Manager, then log in again and import the device(s).

CSCsa11589

Deployment fails on Solaris

In rare cases, import or deployment on Solaris fails when the following conditions exist together:

Router MC is installed on Solaris.

The MOTD banner is included in the device configuration.

ACS privilege level is 15.

Workaround: Remove the banner and try to import or deploy again.

CSCsa11994

Restore of Solaris database fails

This might occur when other Management Centers are installed on the same server as Router MC.

Workaround: Stop and restart the Daemon Manager, as follows:

/etc/init.d/dmgtd stop

/etc/init.d/dmgtd start

Then, log into Router MC again. The restored database will load.

CSCsa03509

Cannot delete a device and then immediately import it again

In Workflow Disabled mode, if you delete a device and then try to import it again, you get a message saying that you cannot add the device in the current activity.

Workaround: Click the Save and Deploy icon. In the displayed deployment wizard, click Cancel. Then, try importing the device again.

CSCin67893

Cannot restore a Router MC 1.2.1 database to a Solaris machine running Router MC 1.3

On Solaris, if you backed up a Router MC 1.2.1 database and you try to restore it to a Router MC 1.3 installation, the restore operation might not work.

Workaround:

If you are working with Router MC 1.2.1 and have not yet installed Router MC 1.3:

1. Back up your database.

2. Install Router MC 1.2.1. The database is automatically restored to the Router MC 1.3 machine.

If you are working with Router MC 1.3 and you want to restore a Router MC 1.2.1 database:

1. Uninstall Router MC 1.3 (this will delete the current database).

2. Install Router MC 1.2.1.

3. Restore the required database.

4. Install Router MC 1.3. The database is automatically restored to the Router MC 1.3 machine.

CSCeb48383

Interfaces on the VPN Services Module do not show up for selection as inside interfaces.

Router MC does not support trunk and access mode inside interfaces on the VPN Services Module because these interfaces do not have an IP address. Therefore, these interfaces will not be available for selection as inside interfaces.

Workaround: Select a routed interface as the inside interface.

CSCin66282

On a single client, cannot open two separate browser instances of Router MC against a Solaris server.

If you have Router MC installed on a Solaris server, you cannot open two browsers running Router MC at the same time, from the same client machine. For example, if you log into CiscoWorks with two different user names, you will not be able to open a separate browser instance of Router MC for each user name.

Workaround:

Close your current browser before trying to launch another instance of Router MC.

CSCin66348

Problems when copying and pasting large number of access rules.

When copying and pasting more than sixty access rules at one time, the application freezes or an error message is displayed.

Workaround: Copy and paste smaller groups of access rules.

CSCsa01521

Error on Solaris when importing and deploying approximately 100 devices.

Router MC does not support the deployment of more than approximately 100 devices at one time, on a Solaris station.

To resolve this problem, you can redeploy the devices that failed, or try the following workaround:

1. Stop the CW2000 Daemon Manager:

/etc/init.d/dmgtd stop

2. Edit the system parameter that limits the number of files that can be open at the same time, as follows:

In the /etc/rc.config.d/CiscoRMCtrl file, change the value of PX_OPENFILES from 256 to 1024.

3. Restart the Daemon Manager:

/etc/init.d/dmgtd start

4. Log into CiscoWorks and Router MC again.


Problems in Other VMS Applications that Affect Router MC

Table 3 describes some problems in Common Services and other VMS applications that directly affect the functioning of Router MC.

Table 3 Known Problems in Common Services that Affect Router MC 

Bug ID
Summary
Explanation

CSCeb16968

MC defined services do not function after ACS upgrade.

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications fails.

In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround: You must use CiscoWorks to reregister all MCs with Cisco Secure ACS:

1. Log into the CiscoWorks desktop with admin privileges.

2. Select Server Configuration > Setup > Security > Select Login Module.

3. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

4. Select VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers.

5. Unregister all MCs and then reregister all MCs.

6. Log out of CiscoWorks.


Resolved Problems in Router MC 1.3

Table 4 shows the problems that appeared in the release notes for Router MC 1.2.1 that have since been resolved.

Table 4 Resolved Problems in Router MC 1.3 

Bug ID
Summary
Additional Information

CSCeb80970

Incorrect ACL created for inspection rule.

The protocol for the predefined services is now correct.

CSCeb64470

CLI commands without the Router MC naming convention are not removed from the configuration.

Router MC now removes existing CLI commands if necessary, even if they were not configured using Router MC.

CSCeb47192

Router MC does not allow definition of IPSec lifetime.

Router MC now provides for the configuration of the IPSec lifetime as part of the tunnel policy.


Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order monthly or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://tools.cisco.com/RPF/register/register.do

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration. There is little or no impact to your business operations.

Priority level 3 (P3)—Operational performance of the network is impaired, but most business operations remain functional. You and Cisco are willing to commit resources during normal business hours to restore service to satisfactory levels.

Priority level 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively impacted by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority level 1 (P1)—An existing network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Cisco TAC Website

The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/go/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html



Posted: Thu Jan 27 13:02:41 PST 2005
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved.