Table of Contents

Release Notes for Management Center for Firewalls 1.2 on Windows 2000
New Features
Product Documentation
Related Documentation
Installation Notes
System Requirements
Resolved Problems in Firewall MC 1.2
Known Problems
Obtaining Documentation
Obtaining Technical Assistance
Obtaining Additional Publications and Information

Release Notes for Management Center for Firewalls 1.2 on Windows 2000

These release notes are for use with the CiscoWorks Management Center for Firewalls 1.2 (Firewall MC). Firewall MC is a web-based interface that enables you to configure new PIX Firewalls and Firewall Services Modules (FWSM) and import configurations from existing firewalls. You can configure firewall device settings, access rules, and translations rules, and deploy these configurations to your network. Firewall MC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes.

These release notes provide:

New Features

Management Center for Firewalls 1.2 contains the following new or improved features:

Note    For information on using Netscape 7.0 on Solaris, including installation instructions and recommended patches, see the readme file that accompanied Netscape 7.0.

Product Documentation

Note   We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on for any updates.

Table 1describes the product documentation that is available.

Table 1   Product Documentation

Installing Management Center for Firewalls 1.2 on Windows 2000

  • PDF on the product CD-ROM.
  • On

    a. Log into

    b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > Installation Guides.

  • Printed document available by order (part number DOC-7815712=).1

Using Management Center for Firewalls 1.2

  • PDF on the product CD-ROM.
  • On

    a. Log into

    b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > User Guides.

  • Printed document available by order (part number DOC-7815713=).1

Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2.

1. Log into

2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > Device Support Tables.

Context-sensitive online help

  • Select an option from the navigation tree, then click Help.
  • Click the Help button in the dialog box.
See Obtaining Documentation.

Related Documentation

Note   We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on for any updates.

The following additional documentation is available:

Quick Start Guide for VPN/Security Management Solution 2.2

This document describes the basic tasks involved in preparing and configuring network devices using Management Centers. This document is available in the following formats:

Release Notes for CiscoWorks Common Services 2.2 on Windows 2000

This document contains information on issues that affect Firewall MC. It is available on at

Installation Notes

The following instructions supplement the installation information described in Installing Management Center for Firewalls 1.2 on Windows 2000. See Product Documentation.

To work around this problem, run the VMMC installer a second time to apply the CiscoWorks Common Services patches before you install Firewall MC 1.2.

Note    To obtain the correct version of CiscoWorks Common Services 2.2 and patches, you should order the VMS 2.2 product. We recommend that you do not use the evaluation version.

System Requirements

The following updated system requirements supersede the requirements listed in Installing Management Center for Firewalls 1.2 on Windows 2000. This section contains:

Server Requirements

Table 2 shows VMS bundle server requirements for Windows systems.

Table 2   Server Requirements


  • IBM PC-compatible computer with 1 GHz or faster Pentium processor.
  • 10BaseT or faster (10 Mbps or faster network connection).
  • Color monitor with video card capable of 256 colors or more.
  • CD-ROM drive.

Memory (RAM)

  • 1 GB minimum.

Available disk drive space

  • 9 GB minimum.
  • 2 GB virtual memory.1
  • NTFS file system recommended.


  • ODBC Driver Manager 3.510 or later.
  • One of the following:
    • Windows 2000 Professional.
    • Windows 2000 Server.
  • Service Pack 2, 3, or 4.
See your system administrator to set this value manually.

Client Requirements

You can access all product features from a client that fulfills the hardware, software, and browser requirements shown in Table 3.

Table 3   Hardware and Software Requirements

Hardware and software


IBM PC-compatible computer with 300 MHz or faster Pentium processor running one of the following:

  • Windows 98.
  • Windows NT 4.0.
  • Windows 2000 Server or Professional Edition with Service Pack 2 or later.

Available disk drive space

400 MB virtual memory.

Available memory

256 MB minimum.


One of the following:

On Windows 2000 and Windows XP clients:

  • Microsoft Internet Explorer 6.0 (version 6.0.2600.0000), or 6.0 with Service Pack 1 (version 6.0.2800.1106),
  • Java Virtual Machine (JVM) versions 5.1.3182 1

Note Firewall MC 1.2 has been tested on Netscape Navigator 7.0.2 and 7.1 for Windows and Netscape Navigator 7.0.2 for Solaris; however, all Netscape client support requires an upcoming CiscoWorks Common Services patch release, which provides support for Java Plug-in version 1.4.1_02. This patch will be distributed as part of a broader VMS patch. Please check the website for the latest information, and be sure to use the CiscoWorks VMS Management and Monitoring Centers (VMMC) installer to install any patches to Common Services.

Resolved Problems in Firewall MC 1.2

Table 4 lists problems resolved since the last release of Firewall MC.

Table 4   Resolved Problems

Bug ID  Summary 


Deploy errors are reported for OSPF epilog commands.


Changing an interface name causes generate and deployment errors.


Failure to remove LAN failover commands causes deploy error.


Remove dhcpd ip address <pool-range> treated as error during deploy.


Applet for access rules doesn't load after enabling SSL for CW2K desktop.


global [(if_name)] number interface not removed during deployment.


Serial parameter for aaa commands should be removed.


Serial failover on secondary unit fails to start w/o failover cmd.


Incorrect password reset results in no password change.


No warning of invalid firewall version for AUS.


Settings might be duplicated after a crash during an import.


Adding a space after a Failover IP address causes an error.


Not specifying mask in HTTPS causes http <intf>


Deploy fails if interfaces and IP addresses not set on PIX 6.3(1).


Device Agent Framework crashes after activity submit or approval.

CSCdy04737 or CSCdy22303

When approval disabled, submit privs required to use Approve button.


Changed element in addr trans pool does not appear in report.


Activity report does not name the network object that was changed.


Activity report is empty after ICMP service change.


Conduits and Outbound List Conversion Tool does not ignore unsupported commands.


Implementation of IDS Policy default attack and information actions have no effect.


Device import of a CSV file formatted for interfaces causes errors.


Restart during deployment leaves activity in deploying state.


Service groups cannot be attached to web filter rules.


IP address/mask can become empty when you paste rules.


Deleting a rule can corrupt other rules.


Duplicate building block service name and service-group name.

CSCea56582 or CSCdz87319

Editing/adding service should not require port entry.


Importing multiple devices from CSV causes exception error.


Select all rules in access table does not take effect fast enough.


Disabled interface requires IP address.


Cannot fix incorrect IP address or subnet mask on interface.


Service group added in pix-a, showed up in pix-b.


Deleting a device before deployment causes an error.


Abbreviated nameif sec does not import.


Can not import from devices with AAA authentication


Canceled imports create incorrect device settings.


Cannot add element to existing addr pool first time.


IP address comparison will not work.


Static command problem if interface name same as named IP.


Need Ending Commands file support for the access-list (ospf) cmd.


The command no rip parses incorrectly.


AUS contact info may require change after device import.


Access rules might reference deleted network objects.


Direct authentication fails due to password length.


Deleting an interface can cause generation errors.


Different user discarding an activity might cause problems.


Abbreviated interface names cause problems.


The Approve button might not be active after an activity is submitted for approval.


Problems might occur if multiple users deploy jobs concurrently.


Click Apply before Insert, Edit, Delete on various settings pages.

Known Problems

This section contains the following problems known to exist in this release:


Table 5   Activity Management Known Problems

Bug ID  Summary  Additional Information 


No audit log record for activity approval when AutoApprove is on.

If you enabled automatic approval of activities, submitting an activity does not create an audit log record for the approval action. The audit log contains only records for submitting.

To work around this problem, interpret the submit audit records as you would separate submit and approval records.


Activity Mgmt page should show error msg if cmd generation fails.

When you submit an activity (or approve an activity if the required approval is disabled), new configurations are generated for the affected devices. After a successful generation, the activity enters the submitted state (or approved if required approval is disabled). If an error occurs during configuration generation, the activity will not be submitted (or approved) and the description for the activity is finish generating configuration. You are not told of the error.

To work around this problem, select the activity from the Activity Management page and click Status. A popup window displays the generation status for each device. You can review any errors from this page.


System may fail if database maintenance occurs during product use.

If you compact or restore the database while another user is performing an operation with PIX MC, the user performing the operation might receive a null pointer exception.

To work around this problem, restart the CW2000 Daemon Manager and repeat the operation again after the database compact or restore is complete.

Table 6   Authentication Known Problems

Bug ID  Summary  Additional Information 


Firewall MC delete privilege is system-wide.

If you are using ACS authentication, it is possible for a user to have the privilege to delete a device without having the privilege to edit the device. The delete privilege applies to all devices.

Delete privilege should be assigned only to trusted users.


Users with help desk role cannot view activity report.

If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission.

To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.


ACS shared profile components disappear after ACS upgrade.

After you upgrade from Cisco Secure ACS version 3.1 to version 3.2, authorization support for Management Center (MC) applications such as Management Center for Firewalls fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

To work around this problem, log into the CiscoWorks desktop with admin privileges and perform the following steps:

1. Select Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

2. Select VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then reregister all MCs.

3. Log out of CiscoWorks.


Integration between VMS MCs and ACS does not work with HTTPS.

In versions of Cisco Secure ACS earlier than version 3.2, Cisco Secure ACS can accept both HTTP and HTTPS connections for administration. In version 3.2, however, Cisco Secure ACS allows either HTTP or HTTPS, but not both.

The VMS Management Centers can register with Cisco Secure ACS only by using HTTP. This causes the Management Center registration to fail on Cisco Secure ACS 3.2 if you are using HTTPS.

To work around this problem, use HTTP on the Cisco Secure ACS server.

Table 7   Configuration Known Problems

Bug ID  Summary  Additional Information 


Include and exclude commands not supported.

Firewall MC does not support the forms of the AAA commands that use the keywords include and exclude. These commands cause an error whenever encountered regardless of how you indicated that Firewall MC should treat unknown commands.

For a list of PIX Firewall and Firewall Services Module (FWSM) CLI commands supported by Firewall MC 1.2, see Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2 at rk/ps3992/products_device_support_tables_list.html.

To work around this problem, replace these commands with the match form of the commands.


Static port address translation (interface) not supported.

Firewall MC does not support the interface keyword in the static command.

To work around this problem, avoid using the interface keyword in the static command. Use the actual address instead of the interface keyword. In a situation where the address is not known because DHCP is providing the address, no workaround exists.


icmp permit ip_address mask [icmp_type] if_name cmd fails import.

Firewall MC does not recognize traceroute as an ICMP message type.

Firewall MC supports only documented ICMP message literal names and numbers. It does not support ICMP messages expressed as raw numbers in the range of 0 to 255 that do not correspond to literal names. As a result, there is no workaround.


FWSM no longer supports the no failover ip address command.

If an interface is disabled in the GUI and does not have a failover IP address defined for it in the failover IP address table, Firewall MC will send a no failover ip if_name ip_address command for this interface during deployment. FWSM 1.1(1) and 1.1(2) silently ignore this command and do not reset the failover IP address to

No workaround is needed. Because the interface is disabled, the failover IP address is harmless even though it is not reset to all zeros.


PIX Interface command accepts VLAN as hardware ID.

Firewall MC occasionally allows the command interface vlan<n> [[<hw_speed> [<shutdown>]] to be issued or imported for PIX Firewall versions earlier than version 6.3 even though the VLAN is valid only for FWSMs and PIX Firewalls version 6.3 and later.

To work around this problem, make sure the VLAN hardware identifier is used only for FWSMs and PIX Firewalls version 6.3 and later.


PIX Firewall 6.3 removes restrictions on DHCP server.

In PIX Firewall versions earlier than version 6.3, the dhcpd enable <intf> command accepts only the inside interface as an argument. PIX Firewall versions 6.3 and later do not have this restriction. However, Firewall MC allows you to enable the DHCP server on the inside interface only. Importing the dhcp enable command on another interface causes an error.

There is no workaround.

Table 8   Database Known Problems

Bug ID  Summary  Additional Information 


Restoring from a previous database appears to hang system.

If you restore a backup file from an earlier version of Firewall MC and the data requires an upgrade, the restore progress bar moves quickly to 25%, stays there until the data upgrade is finished, and then moves quickly to 100%. The progress bar does not move during the upgrade portion of the restore, which can take from several minutes to an hour, depending on the number of items that need to be upgraded.

There is no workaround.


Null pointer exception occurs after database is compacted.

Under unusual circumstances, the database might get corrupted after it is compacted.

To work around this problem, back up the database before compacting and make sure all Firewall MC windows are closed while compacting.


PIX MC database fails when disk space or virtual memory is low.

When the PIX MC database (fms.exe process) runs out of virtual memory or disk space, it shuts down and logs an error message in the Windows Event Viewer.

To detect this problem, check the Windows Event Viewer to learn whether the fms.exe process shuts down due to running out of disk space or because virtual memory is low. To work around this problem, shut down the CW2000 Daemon Manager while you free up the appropriate resources, and then restart the CW2000 Daemon Manager.


Database deadlocks during checkpoint.

Under unusual circumstances, the PIX MC database (fms.exe) might consume all of the CPU while performing a checkpoint.

To work around this problem, restart the CW2000 Daemon Manager.

Table 9   Deployment Known Problems

Bug ID  Summary  Additional Information 


No dhcprelay server x.x.x.x [nameif] causes deploy error.

If all DHCP relay servers and DHCP relay agents are disabled from the GUI, you might receive the following error when deploying to a device:

(Error)Sent:no dhcprelay server outside Received:DHCPRA:

Deleting last server while DHCPRA is running. No relaying will be done.

This is a harmless error. The deployment will succeed and the device will have the desired configuration after deployment.


Firewall MC should ignore domain name changes.

If you change the domain name on a firewall device, you receive the warning %Key pair with hostname ...(old hostname) will be invalid. Firewall MC does not understand the message and therefore treats it as a deployment error.

To work around this problem, either cut the domain-name command from Ending Commands and paste it directly into the firewall device console before you deploy, or configure Firewall MC to continue despite deployment errors (see Configuration > MC Settings > Management).


Misleading error during deploy to AUS without correct privileges.

If the AUS (Auto Update Server) user account on PIX MC does not have the API_View or API_Write privilege required to deploy to the AUS server, an error stating STATUS_FAILED authentication failed! appears when you deploy to AUS.


You cannot view transcript when deployment fails.

If deployment fails before PIX MC can send any commands to the device, you cannot get a deployment transcript. This failure might occur due to an invalid device contact IP address, an incorrect password, or something similar.

To work around this problem, identify its cause by looking at the error message text in the deployment task status page, fix the error, and then redeploy.

CSCdz64763 or CSCdy72146

Deployment, import, or generate operations remain in waiting state.

During the deployment of devices, the status might change to STATUS_WAITING and stay at that state indefinitely.

To work around this problem, restart the CW2000 Daemon Manager service. This should cause the deployment to resume and finish.


Deploy fails if number of interfaces in GUI and device differ.

Sometimes the number of interfaces or their respective hardware IDs defined in the GUI does not match those on the physical device. An example of this is if you were to define only ethernet0 and ethernet1 in the GUI, when the device also contains ethernet2. During deployment, PIX MC tries to remove all configuration settings for the undefined interface, such as its IP address, which causes deployment errors and possibly failure, depending on the meta settings you established regarding error handling.

To work around this problem, make sure your configuration of hardware interfaces matches those which are on the device. This includes the number of interfaces and their hardware IDs.


AAA match statements mishandled during deploy to device

Deploying a AAA match statement might result in a deployment error if the ACL used in the match statement is not valid for AAA. For example, if the ACL used in a AAA accounting match command is permit ip any any, the deployment might result in an error state. The reason is that ip any any includes ICMP, which cannot be accounted for.

To work around this problem, make sure the ACL used in AAA match statements is of the appropriate type.

Table 10   Documentation Known Problems

Bug ID  Summary  Additional Information 

CSCdx18147 See also CSCdy01919

PIX MC forces you to enter an enable password for each device.

PIX MC requires an enable password that contains at least one character (this field cannot be left empty), even though PIX Firewall does not. Although the tool will import a configuration from a PIX Firewall that has an empty enable password, you must supply an enable password before completing the activity in which the import is performed.

Requiring an enable password enhances enterprise security.

Table 11   Generate Known Problems

Bug ID  Summary  Additional Information 


Generation should not take place if there are no changes.

When you are not using workflow, clicking the Save and Deploy icon triggers the generation status page even if there are no changes to any devices. This can happen if you click Save and Deploy without making changes or if you make changes to settings in a group that contains no devices.

To work around this problem, click Resume Edit to resume editing and leave any locks in place, or click Deploy Later, if available, to release locks and resume editing.


Global settings cause problems for devices with no outside interface.

Default setting populations assume that an outside interface is present. If you rename the outside interface or import a configuration without an outside interface, the configuration generation fails when it generates the anti-spoofing command.

To work around this problem:

1. Override the Anti-spoofing page at the device level.

2. Deselect the outside interface.

3. Select the new name for the outside interface.

4. Click Apply.

Table 12   GUI Known Problems

Bug ID  Summary  Additional Information 


Popup windows fail to display if NS 7.1 is set to block popups.

Netscape Navigator 7.1 contains a feature for blocking popup windows. If the Popup Manager feature is enabled on any client you use to access the Firewall MC server, then popup windows used by Firewall MC are blocked.

To work around this problem, make sure that the Popup Manager feature is disabled on all clients you use to access the Firewall MC server. If the Popup Manager feature is enabled, you must disable it.

1. In the browser, select Tools > Popup Manager > Allow Popups From This Site.

The Allowed Web Sites dialog box appears with the Firewall MC server listed in the Allow popups from the following web sites field.

2. Click Add

The Firewall MC server is added to the list of allowed web sites.

3. Click OK.


Cannot add a rule using tear-off view if no rules exist.

The access rule table does not provide a popup menu unless there are rows in the table. If you expand a table that does not have rules, you cannot insert a rule because the popup menu cannot appear and there are no buttons at the bottom of the expanded table.

To work around this problem, do not expand an empty table.


Using browser's refresh might cause unexpected results.

If you use your browser's refresh button (or press F5) instead of using the Refresh button available on some of the Firewall MC GUI pages, you might see error messages repeated or prompts to resend data.

To work around this problem, use the Refresh button on the GUI, when available, instead of pressing F5 or using your browser's Refresh button.


Blank screen when multiple users access Firewall MC concurrently.

When multiple users are using Firewall MC, you might occasionally get a blank screen.

To work around this problem, close the browser, log back in to Firewall MC, and retry the operation.


Cannot save Mandate setting on the anti-spoofing setting page.

If you select the Enforce/Mandate settings for children check box on the Configuration > Device Settings > Advanced Security > Anti-spoofing page and then click OK, the Enforce/Mandate settings for children check box is cleared after the screen refreshes.

To work around this problem, verify that the settings you want to enforce are being inherited at the device level, and are not being overwritten.


Changing Easy VPN Management setting resets Easy VPN Remote.

If you enable Easy VPN Remote and you modify settings in Configuration > Device Settings > Easy VPN Management, then the Enable Easy VPN Remote check box is deselected.

Note The Configuration > Device Settings > Easy VPN Remote and the Configuration > Device Settings > Easy VPN Management panels are part of the same setting group.

To work around this problem, reselect the Enable Easy VPN Remote check box under Configuration > Device Settings > Easy VPN Remote after you modify Easy VPN Management settings.


Interfaces page might allow duplicate hardware IDs.

The Interfaces page might not detect duplicate hardware IDs. Duplicate hardware IDs will result in errors during generation.

To work around this problem, do not use duplicate hardware IDs.


Message window text blinks during backup and restore.

The message window that CiscoWorks displays during a backup or restore is blank except for an occasional status that appears and then quickly disappears. Mouse movement is also slow during the backup or restore.

There is no workaround. This behavior does not reflect the success of the backup or restore. You should allow the action to conclude.


Activity report lists all fixup ports when only one was changed.

If you change any fixup settings, all fixups that are displayed on the Basic or Multimedia Fixup page and checked as active appear on the Activity report even though they were not changed.

There is no workaround.


Activity report does not list deleted devices.

The Activity report does not include deleted devices if the parent group was also deleted in the same activity.

There is no workaround.


Error encountered when attempting to open an activity.

You might receive an error when you try to open a previously created activity.

To work around this problem, click Back.


Blank screen appears during backup stress tests.

When two users are logged into the system, with one user doing Firewall MC operations and another user doing a database backup, the first user might get a blank screen.

To work around this problem, wait until the backup is complete, close all browsers, and start Firewall MC again. It is best to back up the system when no one else is using it.


Workflow elimination fails to display LAN failover bootstrap link.

If workflow is disabled and you configure LAN failover, the link to the window that contains the bootstrap configuration for the failover pair does not show up during deployment.

To work around this problem, use the view configuration feature (Configuration > View Config) to view the bootstrap commands and then paste those commands.

Note Before you paste the failover bootstrap configuration, you must remove the comment indicator (colon) in front of the commands. If you do not remove the comment indicator, the commands are ignored.


PIX MC supports only a single browser page.

PIX MC supports only a single browser page. However, Internet Explorer does not prevent you from creating multiple browser pages. If you use multiple pages on one client computer to contact the same PIX MC server, the results are unpredictable.

To work around this problem, use only a single browser page to contact the PIX MC server on each client.




You must click Apply before you leave a GUI page to save changes.

You lose edits in a settings page if you click a navigation link before clicking Apply. No warning is displayed before this loss occurs.

To work around this problem, you should always click Apply.


Workflow does not stop multiple jobs from deploying to same device.

PIX MC does not prevent you from putting the same device in more than one job. This could lead to a deployment error if more than one job tries to deploy to the same device at the same time. Also, you could inadvertently deploy an older approved configuration over a newer one, depending on the order in which the pending jobs are deployed.

To work around this problem, avoid adding devices that are part of a pending job when you create new jobs.


Problems using Back button of browser after completing a wizard.

If you click Finish on a wizard and then navigate back to a page in the wizard using the browser back function, clicking Finish again could cause an error or strange navigation.

To work around this problem, never use the back function of the browser in a PIX MC page.

CSCdy01919 See also CSCdx18147

PIX MC unable to import from devices with blank enable passwords.

When importing from a device, you must enter a non-empty enable password in the PIX MC import wizard. This prevents you from importing from devices with empty enable passwords.

To work around this problem, write the device configuration to a file and then import it from a file or set a non-empty enable password in the device.


Device names shown in GUI might change during imports.

When you import from a file, the device name used in the Import Status page is the same as the filename from which the configuration is imported. However, the Submit/Approve wizard, the Generate Status page (the one that appears after you click Finish in the Submit/Approve wizard or after you click Status in the Activity Management for the Generate_Open/Submitted/Approved activity) and the Object Selector use the hostname in the configuration as the device name, if one is present. (If the hostname is missing, the filename is used.)

To work around this problem, make sure that the filename for each configuration matches the hostname specified in the configuration file.


GUI allows incorrect PAT specs yielding incorrect device configs.

The global address pool that is used for a dynamic PAT can be specified to use the interface keyword on the PIX Firewall. An undocumented restriction of the PIX Firewall is that only one global pool per interface on the PIX Firewall is allowed to use the interface keyword. If multiple global pools for a given interface on a PIX Firewall use the interface keyword, the PIX Firewall responds with an obscure error (the syntax of the command).

Firewall MC does not check to ensure that the interface keyword is used only once per interface for a given device.

To work around this problem, make sure that the interface keyword is used only once per interface per device.


Import of a configuration file with special characters hangs.

If you try to import a configuration file that contains illegal characters, for example, ctrl-C, the import hangs and the status for each device being imported remains in the STATUS_INITIALIZING state. The overall task status remains at STATUS_UNKNOWN.

To work around this problem, make sure configuration files contain only legal characters. If an import does hang due to illegal characters in a configuration file, cancel the import, correct the problem, and try the import again.


Inherit settings from lists wrong group name when not inheriting.

Whenever you do not select the Inherit settings from a check box, the text reads Inherit setting from: Global, instead of specifying the group from which the information would be inherited where this item selected. This is only a display problem. If you select the Inherit check box, PIX MC inherits correctly and the updated page shows the group from which you are inheriting.

To work around this problem, use the object selector or the quick links next to SCOPE to walk up the group hierarchy towards Global to find out from where the setting is inherited. The closest ancestor that has its own settings (not inheriting) is the one from which the setting would be inherited.


Toggling Use-Local without reentering vpdn pwd sends * to device.

When you edit the PPPoE information for an interface, you must reenter the vpdn password after enabling and then disabling the Use Local feature. Otherwise PIX MC will try to set the password to a string of asterisks (*****). This results in an error on the firewall device.

To work around this problem, always reenter the vpdn password after clearing the Use Local check box for an interface.

Table 13   Import Known Problems

Bug ID  Summary  Additional Information 


Interface import using CSV file only supports FWSM.

In Configuration > Device Settings > Interfaces, the import feature for importing multiple interfaces from a CSV file supports FWSMs, but not PIX Firewalls.

To work around this problem, define PIX Firewall interfaces manually or import the configuration from the device.

Table 14   Installation Known Problems

Bug ID  Summary  Additional Information 


VMMC Installer does not install patch on first pass.

The VMS Management and Monitoring Centers (VMMC) installer does not install the CiscoWorks Common Services patches until you run the VMMC installer a second time. Under normal conditions this does not cause a problem since you must run it a second time to install the VMS applications. However, if you install CiscoWorks Common Services from the VMMC installer and Firewall MC 1.2 from the website, the patches will not be applied.

To work around this problem, run the VMMC installer a second time to apply the Service Pack 1 patches before you install Firewall MC 1.2.


Internal server error seen after running VMMC installer.

After running the VMS Management and Monitoring Centers (VMMC) installer, you might see the following error message if you generate a firewall configuration and then click Deploy Later:

Internal Server Error

The Server encountered an internal error or misconfiguration and was not able to complete your request.

Please contact the server administrator, and inform them of the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

To work around this problem, make sure that you stop the CW2000 Daemon Manager after installation.


Shut down CSAgent required when upgrading to VMS 2.2.x.

If you installed the Management Center for Cisco Security Agents and are upgrading from VMS 2.2, the installer stops the CW2000 Daemon Manager, but does not stop the CSAgent service. This causes a large number of files to be locked.

To work around this problem, shut down the CSAgent service manually when you upgrade from a previous version or do a fresh installation.


Installer and uninstaller do not run.

If you run the CiscoWorks installer or uninstaller on a system that is infected with a virus or has an Internet Explorer process that has stopped responding, the installer or uninstaller may stop unexpectedly.

To work around this problem, disinfect your system and end any Internet Explorer processes that are not responding.


Install aborted at 99% does not halt/remove/restart components.

Canceling an installation when it is 99% complete does not appropriately halt the installation, remove certain components, and restart critical services.

To correct this problem, uninstall Firewall MC, reboot, and then reinstall Firewall MC.


File copy window should not have cancel button.

Clicking Cancel during the file copy portion of the PIX MC installation causes the installation to become corrupt.

This is not a problem when you perform a clean install because PIX MC 1.1 reinstalls over an incomplete previous installation with no difficulty. However, if you are upgrading from an earlier release to release 1.1, you might be unable to use the previous version of PIX MC without uninstalling and reinstalling Common Services and CiscoWorks2000.

To work around this problem, back up your database before performing an upgrade.

Table 15   Firewall MC Server Known Problems

Bug ID  Summary  Additional Information 


Import and generate is slow on certain configurations.

If you import or generate configurations with ACLs that use very large service groups (for example, hundreds of services in each service group), the import or generation might take a few minutes to complete.

Specifically, this happens in cases where nat 0 ACLs are present. Since service groups are not imported in release 1.2, they are flattened before any translations are performed, which slows the import.

There is no workaround. This is strictly a performance issue caused by large service groups.


Error deleting an imported FWSM VLAN interface.

If you try to delete a Firewall Services Module VLAN that was imported through the interface CSV import feature, you might receive a null pointer error.

To work around this problem, edit the VLAN interface before you delete it. You do not need to change any values when you complete the edit wizard.


Firewall MC allows deploy to AUS with unique identity undefined.

If you do not define the Unique Identity page for a device, you can still deploy the configuration to the Auto Update Server, but the necessary auto-update command that the device needs to contact the AUS is not generated in the configuration.

To work around this problem, select Configuration > Settings > Firewall Device Administration > Unique Identity, and then enter the unique identity information so the auto update feature can work correctly.


Last detected version not in effect if config and device mismatch.

When you upgrade a PIX Firewall OS version, the configuration is not regenerated correctly if no other changes occurred in the policy for that device. Therefore, when you deploy the device, you receive an erroneous message about version mismatch.

To work around this problem, make a temporary configuration change for the firewall device. This marks the device as needing to have a new configuration generated. When the new configuration is generated, the new OS version will be used.

To make a temporary change:

  • Change a setting, and then click Apply.
  • Change the setting back, and then click Apply again.


NTP server cmd on device returns an error when deployed to device.

If the command ntp server <ip_address> source <interface_name> exists on a firewall device, and the device configuration is imported and later deployed back to the same device, the transcript returns an error.

To work around this problem, remove the NTP server command from the Ending Commands section after import.


Device Contact Info & AUS Contact settings not retained in jobs.

When you create a job, the PIX Device Contact Info and AUS Contact settings for each device in the job are not stored as a part of the job. When you deploy the job, the current values for these settings are used to deploy to a device, or to AUS. This means that changes made to these settings after a job is created will affect how a job operates when it is deployed.

To work around this problem, deploy existing jobs before changing the PIX Device Contact Info and AUS Contact settings for any device in any undeployed jobs.


Modifying routes might disconnect communication with PIX Firewalls.

Before PIX MC can manage any PIX Firewall, you must bootstrap the device with the right routes and http settings so that PIX MC can communicate with it. Any changes in PIX MC to the routes that affect connectivity between PIX MC and the device could cause a deployment to the device to fail.

To work around this problem, correct the routes in PIX MC and redo the boostrapping process on the PIX Firewall if you are disconnected.


Job Status/View Config pages are not checked for privileges.

If you use PIX MC with Cisco Secure ACS, and use the ACS Network Device Groups feature to assign permissions to a device or group, PIX MC does not check permissions for the View Config and View Transcript functions in the Job Status popup window. However, the permissions are correct in the Configuration pages. When the device is deployed, unauthorized users can see the status of the job that deployed the device, can access the configuration with the View Config function, or see the transcript with View Transcript.

There is no workaround.


Client might be slow when connecting to a PIX MC server remotely.

Remote access might be slow when you connect to a PIX MC server without the appropriate DNS entry (Address and Pointer Records).

To work around this problem, verify that a DNS entry was created.

Table 16   Known Problems with CiscoWorks Common Services that Affect Firewall MC

Bug ID  Summary  Additional Information 


User is not notified of failure when shutting down during restore.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Restore freezes during management/monitoring center command generation.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Scheduling future Backups and Compacts requires two steps

While defining a schedule for a Backup or Compact job the scheduling fields do not automatically select the displayed value.

The affected panels are:

  • VPN/Security Management Solution > Administration > Common Services > Compact Database
  • VPN/Security Management Solution > Administration > Common Services > Backup Database

To work around this problem, the values that you want to select must be highlighted. To select a value, you must:

1. Scroll to the desired value.

2. Click the value. When selected, the value is highlighted.


Services do not start after reboot during installation.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Difficulty browsing CiscoWorks2000 desktop from server machine.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Restoring during scheduled backup requires reboot.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


MDCSupport utility does not erase its temporary directory.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Cannot launch CW2K desktop after Common Services installed on system with netForensics.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Licensing error when SQL service is not started

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Sybase service problem on Win2K server with Terminal Services on.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


Hour and minute are not working for repeat backup database

The VMS Backup client does not display the current set values. Even though the backup client is configured for scheduled backups, the current values are not reflected and the client displays the default values. These values include a greyed out Schedule area and Immediate is checked.

The scheduled backups work as designed. To work around this problem, do not check Apply when you return to the backup client page unless you intend to reset the values.


Changing the Windows password causes service startup to fail.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.


CiscoWorks links do not work due to change in server IP address.

For details, see rk/ps3996/prod_release_note09186a00800e3dc2.html#xtocid5.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

You can access the most current Cisco documentation on the World Wide Web at this URL:

You can access the Cisco website at this URL:

International Cisco websites can be accessed from this URL:

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

All users can order monthly or quarterly subscriptions through the online Subscription Store:

Ordering Documentation

You can find instructions for ordering documentation at this URL:

You can order Cisco documentation in these ways:

Documentation Feedback

You can submit comments electronically on On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities. offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. provides a broad range of features and services to help you with these tasks:

To obtain customized information and service, you can self-register on at this URL:

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

Cisco TAC Website

The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

If you are a registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources. protocol_journal.html _list.html

This document is to be used in conjunction with the documents listed in the "Product Documentation" section.

Copyright © 2003, Cisco Systems, Inc.
All rights reserved.

Posted: Mon Aug 18 17:35:50 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.