Release Notes for Monitoring Center for Performance 2.0 on Solaris

The Monitoring Center for Performance 2.0 (Performance Monitor) is a browser-based tool that monitors and troubleshoots the health and performance of enterprise network security services. Performance Monitor replaces the VPN Monitor 1.x application.

Supported service types are remote-access VPN, site-to-site VPN, firewall, load-balancing, and SSL.

Performance Monitor 2.0 Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 1 Product Documentation
Document Title	Available Formats
Installing Monitoring Center for Performance 2.0 on Solaris	•PDF on the product CD-ROM. •On Cisco.com: a. Log into Cisco.com. b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Performance > Technical Documentation > Installation Guides. •Printed document available by order (part number DOC-7815515=).¹
Using Monitoring Center for Performance 2.0	•PDF on the product CD-ROM. •On Cisco.com: a. Log into Cisco.com. b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Performance > Technical Documentation > User Guides. •Printed document available by order (part number DOC-7815514=). 1
Supported Devices and Software Versions for Monitoring Center for Performance 2.0	On Cisco.com: 1. Log into Cisco.com. 2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Performance > Technical Documentation > Device Support Tables.
FAQs and Troubleshooting Guide for Monitoring Center for Performance 2.0	On Cisco.com: 1. Log into Cisco.com. 2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Performance > Alerts and Troubleshooting > Troubleshooting Guides.
Release Notes for Monitoring Center for Performance 2.0 on Solaris	•Printed document that was included with the product. •On Cisco.com: a. Log into Cisco.com. b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Performance > Technical Documentation > Release Notes.
Context-sensitive online help	•Select an option from the navigation tree, then click Help. •Click the Help button in the dialog box.

¹See Obtaining Documentation.

Browser Information

Performance Monitor supports Netscape 4.76 on Solaris and Netscape 4.79 on Windows. Performance Monitor does not support Netscape 7.x. If you choose to use Netscape 7.x, some of the features might not display correctly.

If VMS 2.2 Update 1 is installed in your system, see Readme for CiscoWorks VMS 2.2 Update 1 for information on Netscape 4.x browser settings and Java support.

Correction to the User Guide and the Online Help

At the time of shipment, the Launch VPN Device Manager button was removed from the following Site-to-Site VPN pages, but the user guide and the online help were not updated:

Tip

When you click Launch VPN Device Manager in the Site-to-Site VPN page, you open the VPN Device Manager (VDM) application if it is enabled for the described router or service module. You use this embedded tool to configure or reconfigure the device. See Cisco.com for information about VDM.

Addition to the User Guide and the Online Help

The following new additions are not documented in the user guide and online help:

Configuring Linkup and Linkdown Traps

•

User Guide—Table 2-4, Setup Procedures for VPN 3000 Concentrators, in the Getting Started With Performance Monitor chapter.

•

Online Help—Setup Procedures for VPN 3000 Concentrator' table in the Setting up Devices topic.

You must configure the VPN concentrator to send linkup and linkdown traps to Performance Monitor.

Step 9

In the Destination field, enter the IP address of Performance Monitor.

Understanding the Monitor and Reports Table

When you click on the Monitor tab and the Reports tab, a table is displayed. The Monitor table describes the services and device types that you can monitor. The Reports table describes the services and device types for which you can get reports. The following table describes what the information in the table means:

Check Mark	Service is supported by this platform.
N/A	Not applicable. Service is not supported by this platform.
N/S	Not supported. Service is supported by this platform; however, Performance Monitor does not monitor this type of service on this platform.

Note The load balancing service refers to the Server Load Balancing (SLB) functionality performed by the Content Switching Module (CSM) in the Cisco Catalyst 6500 series switches. This does not refer to the load balancing clusters in Cisco VPN 3000 concentrators.

Enabling SSH on the SSL Module

If AAA is used for login authentication, refer to the standard IOS AAA configuration procedure.

In this example, the key pair name is ssh-key, but you could use any other name string.

Step 4

To verify that SSH is configured correctly, enter the show ip ssh command at the CLI. For example:

MCP Process Maintenance

Performance Monitor polls a large number of devices frequently. To improve overall performance, the MCP process restarts once a week. A cron job is added, which automatically shuts down and restarts this process every Sunday at 3.30 a.m. The day and time can be edited.

During this time, polling does not take place and any traps sent to Performance Monitor are lost. You cannot import any devices into Performance Monitor because validation tasks do not run. The user interface is not affected and you can see all data in the database. But, when you run historical reports, you might see a dip in the graph for that period of time. The shutdown and restart process generally takes a couple of minutes.

Known Problems

Table 2 Known Problems
Bug ID	Summary	Additional Information
CSCeb57907	Cannot import an SSL service module from a CSV file	Symptom: You cannot import an SSL service module in a Cisco Catalyst 6500 into Performance Monitor from a CSV file. Conditions: If you try to import a CSV file that contains the IP address of the SSL service module, the SSL service module is not validated. This occurs for both SSL 1.0 and 1.1 versions. Workaround: Manually add the SSL service module to Performance Monitor. Further Problem Description: Performance Monitor uses SNMP to talk to the device and determines its type based on the value of the SysObjectId of the device. Because SSL service module 1.0 and 1.1 do not support SNMP, Performance Monitor cannot determine the type of the device. Therefore, the IP address validation fails and the SSL service module is not imported into Performance Monitor.
CSCeb48303	All CSM VLANs not displayed in the Load Balancing Interfaces page	Symptom: If multiple VLANs are configured for the Content Switching Module (CSM) in a Cisco Catalyst 6500, only some of the VLANs are displayed in the Load Balancing Interfaces page under Monitor > Load Balancing > Interfaces. Conditions: Only routed VLANs associated with the CSM are displayed in the Load Balancing Interfaces page. Workaround: There is no workaround. Further Problem Description: This problem results from the ciscoVlanIfTableRelationship MIB, which is populated only for routed VLANs.
CSCsa01937	Changes in cluster membership of a Cisco VPN 3000 concentrator not reflected in the user interface	Symptom: If you change the cluster membership of a Cisco VPN 3000 concentrator, Performance Monitor is not immediately aware of this change. Therefore, the change is not reflected in the user interface. Conditions: Performance Monitor updates the cluster membership record once a day by default. If you add or delete VPN concentrators in a cluster, the information is not updated immediately in the cluster membership record. Workaround: To get updated information, select Devices > Importing Devices, then click Revalidate.
CSCec28656	Takes a long time to load a 32-KB row in User Session Report	Symptom: If the search result is more than 10,000 entries, the User Session Report page under Reports > Remote Access > User Session Report takes a long time to load (5 minutes or more). Conditions: On a VPN 3000 concentrator or across multiple concentrators, if you select the Search All Users checkbox to get all the sessions during a specified time interval, the result can be more than 10,000 rows. In such a situation, the User Session Report page takes a long time to load (5 minutes or more) or might even display a blank page. If the page does load, and you choose to sort the results, the sort will take a long time or you receive a blank page. Workaround: To display the report faster, do one of the following: •Narrow the search criteria by adjusting the Start Time and the End Time of the report. •Select a specific device instead of selecting multiple devices from the navigation tree.
CSCec17725	No interface down event for v1 trap	Symptom: After the interface state changed on a monitored device, Performance Monitor did not generate an event. Conditions: Performance Monitor does not process SNMP v1 linkUp and linkDown traps. It processes only SNMP v2 linkUp and linkDown traps. Workaround: Configure the device to send SNMP v2 traps to Performance Monitor. The interface status is updated only after a polling cycle is completed.
CSCec05521	Notifications are sent only on default ports	Symptom: Performance Monitor does not send Syslog or Trap notifications on non-default ports. The Trap notifications are always sent to port 162 and the Syslog notifications are always sent to port 514. Conditions: If a port value other than the default is configured on a particular host, Performance Monitor ignores the setting and sends the Trap notifications to UDP port 162 and the Syslog notifications to port 514 on that host. Workaround: There is no workaround.
CSCec28918	User logged in once but two sessions are displayed in the User Session Report	Symptom: The User Session Report under Reports > Remote Access > User Session Report displays two sessions for the same user even though the user logged in only once within the time selected for the report. The end time of one session exactly matches the start time of the second session. Conditions: This occurs on VPN 3000 concentrators when large number of users are logged in simultaneously. Workaround: There is no workaround except for manually merging the two sessions into one. The start time is the start time of the first session and the end time is the end time of the second session. The duration is the sum of the duration of the two sessions. You cannot get an accurate count of the number of bytes in and the number of bytes out.
CSCec59177	SSL Module Graphs page does not refresh the graphs	Symptom: The SSL Module Graphs page is not refreshed with new graphs when a different SSL module is selected from the Select Device list. Conditions: When you select Monitor > SSL > Module Details, graphs are displayed. These graphs correspond to the IP address of the device that is listed in the Select Device list. If you want to see graphs for another SSL module and you select another IP address from the Select Device list, the graphs are not refreshed. Workaround: Select Monitor > SSL > Modules, then click the IP address of the SSL module (in the Module column) for which you want to view graphs.
CSCec55994	Unable to import devices into Performance Monitor	Symptom: After you complete all the required steps in the import devices wizard, the new tasks are not displayed in the Device Validation Tasks page under Devices > Importing Devices. The devices that are being imported do not show up in any of the user interface pages. Conditions: The MCP process is responsible for device validation and polling. If this process is not running, the Device Validation Tasks page does not display the new validation tasks and the Import Devices page does not display error message. Workaround: Verify that the MCP process is running. Log into the CiscoWorks Server, then select Server Configuration > Administration > Process Management > Process Status. If the MCP process is not running, log into the CiscoWorks Server, then do one of the following: •Select Server Configuration > Administration > Process Management > Start Process. From the Start Process page, select the MCP process. •From the CLI, enter pdexec MCP at the prompt. Further Problem Description: The Tomcat JVM (user interface) sends an event to the Performance Monitor JVM to start the validation task for the device import. There is no acknowledgement from Performance Monitor. So, if the Performance Monitor JVM is not running, there is no error message in the user interface.
CSCec56300	User-defined groups display on every report page	Symptom: All user-defined groups are displayed under the device selection tree under every Reports > (service type) page. For example, when a user-defined group contains different types of devices, such as a PIX firewall and a VPN 3000 concentrator, this device group is displayed in the device selection tree in the Configure SSL Report page under Reports > SSL even though the user-defined group does not contain any SSL modules. Conditions: If you try to run a report for this user-defined group, you will get information only for the devices that the service type supports. For the devices that the service type does not support, you will get a `No data available` error message. Workaround: There is no workaround.
CSCec58766	Inbound Connection Failure% column is blank	Symptom: The Inbound Connection Failure% column in the Remote Access Clusters page under Monitor > Remote Access VPN > Clusters is always blank. Conditions: Because of a bug in Performance Monitor, the Inbound Connection Failure% column in the Remote Access Clusters page does not display any data even when there are inbound connection failures for devices in a cluster. Workaround: Select Monitor > Remote Access VPN > Devices > Failures. The Remote Access Failures page displays an Inbound Connect Failure% column. This column contains inbound connection failure percentages for individual devices. For all the devices in the cluster, add the values displayed in this column and divide that by the total number of devices to get an average value. This average value is the Inbound Connection Failure% value for the cluster.
CSCec49471	User session state marked Active instead of Completed	Symptom: Two or more similar sessions are displayed in the User Session Report under Reports > Remote Access > User Session Report. These two sessions have the same username, the same IP address, and the same VPN device name. Conditions: One session is marked Active and the other similar session has a later start time. It appears that the same user has logged-in twice from the same computer to the same device at one time. Because of a bug, the session state is marked Active instead of Completed. The duration as well as other statistics displayed in the table are wrong. Workaround: There is no workaround.
CSCsa03397	Network Mask and Protocol columns missing in Site-to-Site VPN pages	Symptom: Missing Columns in the Tunnels Page The following three columns are missing from the Tunnels page, under Monitor > Site-to-Site VPN > Tunnels: •Network Mask for Local Address •Network Mask for Remote Address •Protocol The Local Port and the Remote Port columns have redundant information. One column should be deleted and the other column should be renamed Port. This will be done in the next release of Performance Monitor. Missing Columns in the Tunnel Lookup Page The following two columns are missing from the Site-to- Site Tunnel Lookup page, under Monitor > Site-to-Site VPN > Tunnel Lookup: •Network Mask for Local Address •Network Mask for Remote Address The Local Port and the Remote Port columns have redundant information. One column should be deleted and the other column should be renamed Port. This will be done in the next release of Performance Monitor. The Local Protocol and the Remote Protocol columns have redundant information. One column should be deleted and the other column should be renamed Protocol. This will be done in the next release of Performance Monitor. Workaround: There is no workaround.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

All users can order annual or quarterly subscriptions through the online Subscription Store:

Ordering Documentation

•

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

•

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website ( http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

Opening a TAC Case

The online TAC Case Open Tool ( http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

•

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

•

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

•

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

•

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

•

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

Table Of Contents