Release Notes for Management Center for Firewalls 1.2 on Windows 2000
These release notes are for use with the CiscoWorks Management Center for Firewalls 1.2 (Firewall MC). Firewall MC is a web-based interface that enables you to configure new PIX Firewalls and Firewall Services Modules (FWSM) and import configurations from existing firewalls. You can configure firewall device settings, access rules, and translations rules, and deploy these configurations to your network. Firewall MC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes.
Management Center for Firewalls 1.2 contains the following new or improved features:
Object group enhancements. You can now import object groups from a device; they are automatically populated under the Building Blocks area. They are also preserved in command generation unless you configure them otherwise. Service groups can be imported but are not preserved in this release.
Object group discovery feature. You can create groups based on existing ACL rules to minimize the number of rules required to enforce the defined policy.
Enhanced rule tables. New rule-table control enables you to select multiple items, supports cut, copy, and paste, and includes support for categories and filtering. Filtering support enables you to filter rules based on rule attributes, such as by interfaces, category, or color.
Enhanced NAT support. Firewall MC now supports NAT 0 ACLs and dual NAT rules.
New VLAN support for PIX Firewalls.
User guide is now organized according to a recommended task order.
User interface enhancements. All AUS settings are in one location: Configuration > Device Settings > AUS Settings. Global Firewall MC settings are in one location: Configuration > MC Settings.
New reports. The Settings report summarizes the value of each setting defined under Configuration > Device Settings for devices or groups. The Configuration Differences report identifies differences between the configuration defined in Firewall MC and the configuration running on a firewall device.
Syslog message filtering. You can now refine generated syslog messages on a per-message ID basis, and you can require that a firewall device generate a syslog message when an ACL is applied to a session request.
New client support. Firewall MC 1.2 GUI has been tested on Netscape Navigator 7.0.2 and 7.1 for Windows and Netscape Navigator 7.0.2 for Solaris; however, all Netscape client support requires an upcoming CiscoWorks Common Services patch release, which provides support for Java Plug-in version 1.4.1_02. This patch will be distributed as part of a broader VMS patch. Please check the website for the latest information, and be sure to use the CiscoWorks VMS Management and Monitoring Centers (VMMC) installer to install any patches to Common Services.
Note For information on using Netscape 7.0 on Solaris, including installation
instructions and recommended patches, see the readme file that
accompanied Netscape 7.0.
Versioning page now Feature Tracking. This page defines the responses for commands that are not supported by a specific OS version running on a device.
Support for vpnclient management and vpnclient mac-exempt subcommands.
Support for DHCP relay agent/server.
New OSPF support via Ending Commands.
Product Documentation
Note We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 1describes the product documentation that is available.
Table 1 Product Documentation
Installing Management Center for Firewalls 1.2 on Windows 2000
PDF on the product CD-ROM.
On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > Installation Guides.
Printed document available by order (part number DOC-7815712=).1
Using Management Center for Firewalls 1.2
PDF on the product CD-ROM.
On Cisco.com:
a. Log into Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > User Guides.
Printed document available by order (part number DOC-7815713=).1
Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2.
1. Log into Cisco.com.
2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for Firewalls > Technical Documentation > Device Support Tables.
Context-sensitive online help
Select an option from the navigation tree, then click Help.
Note We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
The following additional documentation is available:
Quick Start Guide for VPN/Security Management Solution 2.2
This document describes the basic tasks involved in preparing and configuring network devices using Management Centers. This document is available in the following formats:
The following instructions supplement the installation information described in Installing Management Center for Firewalls 1.2 on Windows 2000. See Product Documentation.
The CiscoWorks VMS Management and Monitoring Centers (VMMC) installer does not install the CiscoWorks Common Services patches until you run the VMMC installer a second time. Under normal conditions this does not cause a problem since the user will run it a second time to install the VMS applications. However, if the user installs CiscoWorks Common Services from the VMMC installer and Firewall MC 1.2 from the website, the patches will not be applied.
To work around this problem, run the VMMC installer a second time to apply the CiscoWorks Common Services patches before you install Firewall MC 1.2.
Note To obtain the correct version of CiscoWorks Common Services 2.2 and
patches, you should order the VMS 2.2 product. We recommend that you
do not use the evaluation version.
If you are upgrading to Firewall MC 1.2 from a previous version, we recommend that you back up your database before performing an upgrade.
To avoid errors during installation, you must stop the CW2000 Daemon Manager after installation as instructed by the VMMC installer.
If you installed the Management Center for Cisco Security Agents and are upgrading from VMS 2.2, the installer does not stop the CSAgent service. This causes a large number of files to be locked. Make sure that you shut down the CSAgent service manually when you upgrade from a previous version or do a fresh installation.
If you try to abort an installation when it is 99% complete, the installer does not appropriately halt the installation, remove certain components, and restart critical services. To correct this problem, uninstall Firewall MC, reboot, and then reinstall Firewall MC.
If you run the VMMC installer or uninstaller on a system that is infected with a virus or has an Internet Explorer process that has stopped responding, the installer or uninstaller may stop unexpectedly. Make sure you disinfect your system and end any Internet Explorer processes that are not responding before installation.
Firewall MC 1.2 has been tested on Netscape Navigator 7.0.2 and 7.1 for Windows and Netscape Navigator 7.0.2 for Solaris; however, all Netscape client support requires an upcoming CiscoWorks Common Services patch release, which provides support for Java Plug-in version 1.4.1_02. This patch will be distributed as part of a broader VMS patch. Please check the website for the latest information, and be sure to use the CiscoWorks VMS Management and Monitoring Centers (VMMC) installer to install any patches to Common Services.
System Requirements
The following updated system requirements supersede the requirements listed in Installing Management Center for Firewalls 1.2 on Windows 2000. This section contains:
1 See your system administrator to set this value manually.
Client Requirements
You can access all product features from a client that fulfills the hardware, software, and browser requirements shown in Table 3.
Table 3 Hardware and Software Requirements
Hardware and software
IBM PC-compatible computer with 300 MHz or faster Pentium processor running one of the following:
Windows 98.
Windows NT 4.0.
Windows 2000 Server or Professional Edition with Service Pack 2 or later.
Available disk drive space
400 MB virtual memory.
Available memory
256 MB minimum.
Browser
One of the following:
On Windows 2000 and Windows XP clients:
Microsoft Internet Explorer 6.0 (version 6.0.2600.0000), or 6.0 with Service Pack 1 (version 6.0.2800.1106),
Java Virtual Machine (JVM) versions 5.1.3182 1
Note Firewall MC 1.2 has been tested on Netscape Navigator 7.0.2 and 7.1 for Windows and Netscape Navigator 7.0.2 for Solaris; however, all Netscape client support requires an upcoming CiscoWorks Common Services patch release, which provides support for Java Plug-in version 1.4.1_02. This patch will be distributed as part of a broader VMS patch. Please check the website for the latest information, and be sure to use the CiscoWorks VMS Management and Monitoring Centers (VMMC) installer to install any patches to Common Services.
Resolved Problems in Firewall MC 1.2
Table 4 lists problems resolved since the last release of Firewall MC.
Table 4 Resolved Problems
Bug ID
Summary
CSCea14603
Deploy errors are reported for OSPF epilog commands.
CSCdy54803
Changing an interface name causes generate and deployment errors.
CSCea43613
Failure to remove LAN failover commands causes deploy error.
CSCea22252
Remove dhcpd ip address <pool-range> treated as error during deploy.
CSCin33388
Applet for access rules doesn't load after enabling SSL for CW2K desktop.
CSCea02913
global [(if_name)] number interface not removed during deployment.
CSCdz34603
Serial parameter for aaa commands should be removed.
CSCdz84317
Serial failover on secondary unit fails to start w/o failover cmd.
CSCdz65349
Incorrect password reset results in no password change.
CSCea61336
No warning of invalid firewall version for AUS.
CSCdy70897
Settings might be duplicated after a crash during an import.
CSCea05761
Adding a space after a Failover IP address causes an error.
CSCea20069
Not specifying mask in HTTPS causes http 0.0.0.0 0.0.0.0 <intf>
CSCea81701
Deploy fails if interfaces and IP addresses not set on PIX 6.3(1).
CSCea25218
Device Agent Framework crashes after activity submit or approval.
CSCdy04737 or CSCdy22303
When approval disabled, submit privs required to use Approve button.
CSCeb00577
Changed element in addr trans pool does not appear in report.
CSCea86727
Activity report does not name the network object that was changed.
CSCea92486
Activity report is empty after ICMP service change.
CSCdz59416
Conduits and Outbound List Conversion Tool does not ignore unsupported commands.
CSCea01936
Implementation of IDS Policy default attack and information actions have no effect.
CSCea16773
Device import of a CSV file formatted for interfaces causes errors.
CSCea53404
Restart during deployment leaves activity in deploying state.
CSCea70811
Service groups cannot be attached to web filter rules.
CSCea59389
IP address/mask can become empty when you paste rules.
CSCea60951
Deleting a rule can corrupt other rules.
CSCea45355
Duplicate building block service name and service-group name.
CSCea56582 or CSCdz87319
Editing/adding service should not require port entry.
CSCea52602
Importing multiple devices from CSV causes exception error.
CSCea56958
Select all rules in access table does not take effect fast enough.
CSCea50234
Disabled interface requires IP address.
CSCea46055
Cannot fix incorrect IP address or subnet mask on interface.
CSCea52311
Service group added in pix-a, showed up in pix-b.
CSCdy50342
Deleting a device before deployment causes an error.
CSCea66457
Abbreviated nameif sec does not import.
CSCdz43238
Can not import from devices with AAA authentication
The problems in the following tables are known to affect Firewall MC 1.1.2. However, some of the problems were found in earlier releases of the product, so they might contain references to PIX MC and CiscoWorks2000. Any such references apply to Firewall MC and CiscoWorks as well.
No audit log record for activity approval when AutoApprove is on.
If you enabled automatic approval of activities, submitting an activity does not create an audit log record for the approval action. The audit log contains only records for submitting.
To work around this problem, interpret the submit audit records as you would separate submit and approval records.
CSCdy19285
Activity Mgmt page should show error msg if cmd generation fails.
When you submit an activity (or approve an activity if the required approval is disabled), new configurations are generated for the affected devices. After a successful generation, the activity enters the submitted state (or approved if required approval is disabled). If an error occurs during configuration generation, the activity will not be submitted (or approved) and the description for the activity is finish generating configuration. You are not told of the error.
To work around this problem, select the activity from the Activity Management page and click Status. A popup window displays the generation status for each device. You can review any errors from this page.
CSCdz66789
System may fail if database maintenance occurs during product use.
If you compact or restore the database while another user is performing an operation with PIX MC, the user performing the operation might receive a null pointer exception.
To work around this problem, restart the CW2000 Daemon Manager and repeat the operation again after the database compact or restore is complete.
Table 6 Authentication Known Problems
Bug ID
Summary
Additional Information
CSCeb32704 or CSCeb34681
Firewall MC delete privilege is system-wide.
If you are using ACS authentication, it is possible for a user to have the privilege to delete a device without having the privilege to edit the device. The delete privilege applies to all devices.
Delete privilege should be assigned only to trusted users.
CSCdy40186
Users with help desk role cannot view activity report.
If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission.
To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.
CSCeb16968
ACS shared profile components disappear after ACS upgrade.
After you upgrade from Cisco Secure ACS version 3.1 to version 3.2, authorization support for Management Center (MC) applications such as Management Center for Firewalls fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.
To work around this problem, log into the CiscoWorks desktop with admin privileges and perform the following steps:
1. Select Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.
2. Select VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then reregister all MCs.
3. Log out of CiscoWorks.
CSCeb16875
Integration between VMS MCs and ACS does not work with HTTPS.
In versions of Cisco Secure ACS earlier than version 3.2, Cisco Secure ACS can accept both HTTP and HTTPS connections for administration. In version 3.2, however, Cisco Secure ACS allows either HTTP or HTTPS, but not both.
The VMS Management Centers can register with Cisco Secure ACS only by using HTTP. This causes the Management Center registration to fail on Cisco Secure ACS 3.2 if you are using HTTPS.
To work around this problem, use HTTP on the Cisco Secure ACS server.
Table 7 Configuration Known Problems
Bug ID
Summary
Additional Information
CSCdz39788
Include and exclude commands not supported.
Firewall MC does not support the forms of the AAA commands that use the keywords include and exclude. These commands cause an error whenever encountered regardless of how you indicated that Firewall MC should treat unknown commands.
For a list of PIX Firewall and Firewall Services Module (FWSM) CLI commands supported by Firewall MC 1.2, see Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2 at http://www.cisco.com/en/US/products/sw/cscowo rk/ps3992/products_device_support_tables_list.html.
To work around this problem, replace these commands with the match form of the commands.
CSCeb61418
Static port address translation (interface) not supported.
Firewall MC does not support the interface keyword in the static command.
To work around this problem, avoid using the interface keyword in the static command. Use the actual address instead of the interface keyword. In a situation where the address is not known because DHCP is providing the address, no workaround exists.
Firewall MC does not recognize traceroute as an ICMP message type.
Firewall MC supports only documented ICMP message literal names and numbers. It does not support ICMP messages expressed as raw numbers in the range of 0 to 255 that do not correspond to literal names. As a result, there is no workaround.
CSCeb32564
FWSM no longer supports the no failover ip address command.
If an interface is disabled in the GUI and does not have a failover IP address defined for it in the failover IP address table, Firewall MC will send a no failover ip if_name ip_address command for this interface during deployment. FWSM 1.1(1) and 1.1(2) silently ignore this command and do not reset the failover IP address to 0.0.0.0.
No workaround is needed. Because the interface is disabled, the failover IP address is harmless even though it is not reset to all zeros.
CSCdz48293
PIX Interface command accepts VLAN as hardware ID.
Firewall MC occasionally allows the command interface vlan<n> [[<hw_speed> [<shutdown>]] to be issued or imported for PIX Firewall versions earlier than version 6.3 even though the VLAN is valid only for FWSMs and PIX Firewalls version 6.3 and later.
To work around this problem, make sure the VLAN hardware identifier is used only for FWSMs and PIX Firewalls version 6.3 and later.
CSCea27335
PIX Firewall 6.3 removes restrictions on DHCP server.
In PIX Firewall versions earlier than version 6.3, the dhcpd enable<intf> command accepts only the inside interface as an argument. PIX Firewall versions 6.3 and later do not have this restriction. However, Firewall MC allows you to enable the DHCP server on the inside interface only. Importing the dhcp enable command on another interface causes an error.
There is no workaround.
Table 8 Database Known Problems
Bug ID
Summary
Additional Information
CSCeb19542
Restoring from a previous database appears to hang system.
If you restore a backup file from an earlier version of Firewall MC and the data requires an upgrade, the restore progress bar moves quickly to 25%, stays there until the data upgrade is finished, and then moves quickly to 100%. The progress bar does not move during the upgrade portion of the restore, which can take from several minutes to an hour, depending on the number of items that need to be upgraded.
There is no workaround.
CSCea69470
Null pointer exception occurs after database is compacted.
Under unusual circumstances, the database might get corrupted after it is compacted.
To work around this problem, back up the database before compacting and make sure all Firewall MC windows are closed while compacting.
CSCdy77377
PIX MC database fails when disk space or virtual memory is low.
When the PIX MC database (fms.exe process) runs out of virtual memory or disk space, it shuts down and logs an error message in the Windows Event Viewer.
To detect this problem, check the Windows Event Viewer to learn whether the fms.exe process shuts down due to running out of disk space or because virtual memory is low. To work around this problem, shut down the CW2000 Daemon Manager while you free up the appropriate resources, and then restart the CW2000 Daemon Manager.
CSCea10128
Database deadlocks during checkpoint.
Under unusual circumstances, the PIX MC database (fms.exe) might consume all of the CPU while performing a checkpoint.
To work around this problem, restart the CW2000 Daemon Manager.
Table 9 Deployment Known Problems
Bug ID
Summary
Additional Information
CSCeb57736
No dhcprelay server x.x.x.x [nameif] causes deploy error.
If all DHCP relay servers and DHCP relay agents are disabled from the GUI, you might receive the following error when deploying to a device:
(Error)Sent:no dhcprelay server 20.20.20.20 outside Received:DHCPRA:
Deleting last server while DHCPRA is running. No relaying will be done.
This is a harmless error. The deployment will succeed and the device will have the desired configuration after deployment.
CSCeb41589
Firewall MC should ignore domain name changes.
If you change the domain name on a firewall device, you receive the warning %Key pair with hostname ...(old hostname) will be invalid. Firewall MC does not understand the message and therefore treats it as a deployment error.
To work around this problem, either cut the domain-name command from Ending Commands and paste it directly into the firewall device console before you deploy, or configure Firewall MC to continue despite deployment errors (see Configuration > MC Settings > Management).
CSCdy29184
Misleading error during deploy to AUS without correct privileges.
If the AUS (Auto Update Server) user account on PIX MC does not have the API_View or API_Write privilege required to deploy to the AUS server, an error stating STATUS_FAILED authentication failed! appears when you deploy to AUS.
CSCdz39446
You cannot view transcript when deployment fails.
If deployment fails before PIX MC can send any commands to the device, you cannot get a deployment transcript. This failure might occur due to an invalid device contact IP address, an incorrect password, or something similar.
To work around this problem, identify its cause by looking at the error message text in the deployment task status page, fix the error, and then redeploy.
CSCdz64763 or CSCdy72146
Deployment, import, or generate operations remain in waiting state.
During the deployment of devices, the status might change to STATUS_WAITING and stay at that state indefinitely.
To work around this problem, restart the CW2000 Daemon Manager service. This should cause the deployment to resume and finish.
CSCea14915 or CSCeb63443
Deploy fails if number of interfaces in GUI and device differ.
Sometimes the number of interfaces or their respective hardware IDs defined in the GUI does not match those on the physical device. An example of this is if you were to define only ethernet0 and ethernet1 in the GUI, when the device also contains ethernet2. During deployment, PIX MC tries to remove all configuration settings for the undefined interface, such as its IP address, which causes deployment errors and possibly failure, depending on the meta settings you established regarding error handling.
To work around this problem, make sure your configuration of hardware interfaces matches those which are on the device. This includes the number of interfaces and their hardware IDs.
CSCea17787
AAA match statements mishandled during deploy to device
Deploying a AAA match statement might result in a deployment error if the ACL used in the match statement is not valid for AAA. For example, if the ACL used in a AAA accounting match command is permit ip any any, the deployment might result in an error state. The reason is that ip any any includes ICMP, which cannot be accounted for.
To work around this problem, make sure the ACL used in AAA match statements is of the appropriate type.
Table 10 Documentation Known Problems
Bug ID
Summary
Additional Information
CSCdx18147 See also CSCdy01919
PIX MC forces you to enter an enable password for each device.
PIX MC requires an enable password that contains at least one character (this field cannot be left empty), even though PIX Firewall does not. Although the tool will import a configuration from a PIX Firewall that has an empty enable password, you must supply an enable password before completing the activity in which the import is performed.
Requiring an enable password enhances enterprise security.
Table 11 Generate Known Problems
Bug ID
Summary
Additional Information
CSCea71537
Generation should not take place if there are no changes.
When you are not using workflow, clicking the Save and Deploy icon triggers the generation status page even if there are no changes to any devices. This can happen if you click Save and Deploy without making changes or if you make changes to settings in a group that contains no devices.
To work around this problem, click Resume Edit to resume editing and leave any locks in place, or click Deploy Later, if available, to release locks and resume editing.
CSCdz59302
Global settings cause problems for devices with no outside interface.
Default setting populations assume that an outside interface is present. If you rename the outside interface or import a configuration without an outside interface, the configuration generation fails when it generates the anti-spoofing command.
To work around this problem:
1. Override the Anti-spoofing page at the device level.
2. Deselect the outside interface.
3. Select the new name for the outside interface.
4. Click Apply.
Table 12 GUI Known Problems
Bug ID
Summary
Additional Information
CSCeb67310
Popup windows fail to display if NS 7.1 is set to block popups.
Netscape Navigator 7.1 contains a feature for blocking popup windows. If the Popup Manager feature is enabled on any client you use to access the Firewall MC server, then popup windows used by Firewall MC are blocked.
To work around this problem, make sure that the Popup Manager feature is disabled on all clients you use to access the Firewall MC server. If the Popup Manager feature is enabled, you must disable it.
1. In the browser, select Tools > Popup Manager > Allow Popups From This Site.
The Allowed Web Sites dialog box appears with the Firewall MC server listed in the Allow popups from the following web sites field.
2. Click Add
The Firewall MC server is added to the list of allowed web sites.
3. Click OK.
CSCeb52284
Cannot add a rule using tear-off view if no rules exist.
The access rule table does not provide a popup menu unless there are rows in the table. If you expand a table that does not have rules, you cannot insert a rule because the popup menu cannot appear and there are no buttons at the bottom of the expanded table.
To work around this problem, do not expand an empty table.
CSCdz66765
Using browser's refresh might cause unexpected results.
If you use your browser's refresh button (or press F5) instead of using the Refresh button available on some of the Firewall MC GUI pages, you might see error messages repeated or prompts to resend data.
To work around this problem, use the Refresh button on the GUI, when available, instead of pressing F5 or using your browser's Refresh button.
CSCdz76713
Blank screen when multiple users access Firewall MC concurrently.
When multiple users are using Firewall MC, you might occasionally get a blank screen.
To work around this problem, close the browser, log back in to Firewall MC, and retry the operation.
CSCeb60586
Cannot save Mandate setting on the anti-spoofing setting page.
If you select the Enforce/Mandate settings for children check box on the Configuration > Device Settings > Advanced Security > Anti-spoofing page and then click OK, the Enforce/Mandate settings for children check box is cleared after the screen refreshes.
To work around this problem, verify that the settings you want to enforce are being inherited at the device level, and are not being overwritten.
If you enable Easy VPN Remote and you modify settings in Configuration > Device Settings > Easy VPN Management, then the Enable Easy VPN Remote check box is deselected.
Note The Configuration > Device Settings > Easy VPN Remote and the Configuration > Device Settings > Easy VPN Management panels are part of the same setting group.
To work around this problem, reselect the Enable Easy VPN Remote check box under Configuration > Device Settings > Easy VPN Remote after you modify Easy VPN Management settings.
The Interfaces page might not detect duplicate hardware IDs. Duplicate hardware IDs will result in errors during generation.
To work around this problem, do not use duplicate hardware IDs.
CSCeb59538
Message window text blinks during backup and restore.
The message window that CiscoWorks displays during a backup or restore is blank except for an occasional status that appears and then quickly disappears. Mouse movement is also slow during the backup or restore.
There is no workaround. This behavior does not reflect the success of the backup or restore. You should allow the action to conclude.
CSCeb63147
Activity report lists all fixup ports when only one was changed.
If you change any fixup settings, all fixups that are displayed on the Basic or Multimedia Fixup page and checked as active appear on the Activity report even though they were not changed.
There is no workaround.
CSCeb24910
Activity report does not list deleted devices.
The Activity report does not include deleted devices if the parent group was also deleted in the same activity.
There is no workaround.
CSCea25725
Error encountered when attempting to open an activity.
You might receive an error when you try to open a previously created activity.
To work around this problem, click Back.
CSCea55970
Blank screen appears during backup stress tests.
When two users are logged into the system, with one user doing Firewall MC operations and another user doing a database backup, the first user might get a blank screen.
To work around this problem, wait until the backup is complete, close all browsers, and start Firewall MC again. It is best to back up the system when no one else is using it.
CSCeb11850
Workflow elimination fails to display LAN failover bootstrap link.
If workflow is disabled and you configure LAN failover, the link to the window that contains the bootstrap configuration for the failover pair does not show up during deployment.
To work around this problem, use the view configuration feature (Configuration > View Config) to view the bootstrap commands and then paste those commands.
Note Before you paste the failover bootstrap configuration, you must remove the comment indicator (colon) in front of the commands. If you do not remove the comment indicator, the commands are ignored.
CSCdv77516
PIX MC supports only a single browser page.
PIX MC supports only a single browser page. However, Internet Explorer does not prevent you from creating multiple browser pages. If you use multiple pages on one client computer to contact the same PIX MC server, the results are unpredictable.
To work around this problem, use only a single browser page to contact the PIX MC server on each client.
CSCdw37546
or
CSCdx05082
You must click Apply before you leave a GUI page to save changes.
You lose edits in a settings page if you click a navigation link before clicking Apply. No warning is displayed before this loss occurs.
To work around this problem, you should always click Apply.
CSCdx47739
Workflow does not stop multiple jobs from deploying to same device.
PIX MC does not prevent you from putting the same device in more than one job. This could lead to a deployment error if more than one job tries to deploy to the same device at the same time. Also, you could inadvertently deploy an older approved configuration over a newer one, depending on the order in which the pending jobs are deployed.
To work around this problem, avoid adding devices that are part of a pending job when you create new jobs.
CSCdx95909
Problems using Back button of browser after completing a wizard.
If you click Finish on a wizard and then navigate back to a page in the wizard using the browser back function, clicking Finish again could cause an error or strange navigation.
To work around this problem, never use the back function of the browser in a PIX MC page.
CSCdy01919 See also CSCdx18147
PIX MC unable to import from devices with blank enable passwords.
When importing from a device, you must enter a non-empty enable password in the PIX MC import wizard. This prevents you from importing from devices with empty enable passwords.
To work around this problem, write the device configuration to a file and then import it from a file or set a non-empty enable password in the device.
CSCdy05391
Device names shown in GUI might change during imports.
When you import from a file, the device name used in the Import Status page is the same as the filename from which the configuration is imported. However, the Submit/Approve wizard, the Generate Status page (the one that appears after you click Finish in the Submit/Approve wizard or after you click Status in the Activity Management for the Generate_Open/Submitted/Approved activity) and the Object Selector use the hostname in the configuration as the device name, if one is present. (If the hostname is missing, the filename is used.)
To work around this problem, make sure that the filename for each configuration matches the hostname specified in the configuration file.
CSCdy25929
GUI allows incorrect PAT specs yielding incorrect device configs.
The global address pool that is used for a dynamic PAT can be specified to use the interface keyword on the PIX Firewall. An undocumented restriction of the PIX Firewall is that only one global pool per interface on the PIX Firewall is allowed to use the interface keyword. If multiple global pools for a given interface on a PIX Firewall use the interface keyword, the PIX Firewall responds with an obscure error (the syntax of the command).
Firewall MC does not check to ensure that the interface keyword is used only once per interface for a given device.
To work around this problem, make sure that the interface keyword is used only once per interface per device.
CSCdy35048
Import of a configuration file with special characters hangs.
If you try to import a configuration file that contains illegal characters, for example, ctrl-C, the import hangs and the status for each device being imported remains in the STATUS_INITIALIZING state. The overall task status remains at STATUS_UNKNOWN.
To work around this problem, make sure configuration files contain only legal characters. If an import does hang due to illegal characters in a configuration file, cancel the import, correct the problem, and try the import again.
CSCdy59201
Inherit settings from lists wrong group name when not inheriting.
Whenever you do not select the Inherit settings from a check box, the text reads Inherit setting from: Global, instead of specifying the group from which the information would be inherited where this item selected. This is only a display problem. If you select the Inherit check box, PIX MC inherits correctly and the updated page shows the group from which you are inheriting.
To work around this problem, use the object selector or the quick links next to SCOPE to walk up the group hierarchy towards Global to find out from where the setting is inherited. The closest ancestor that has its own settings (not inheriting) is the one from which the setting would be inherited.
CSCea22527
Toggling Use-Local without reentering vpdn pwd sends * to device.
When you edit the PPPoE information for an interface, you must reenter the vpdn password after enabling and then disabling the Use Local feature. Otherwise PIX MC will try to set the password to a string of asterisks (*****). This results in an error on the firewall device.
To work around this problem, always reenter the vpdn password after clearing the Use Local check box for an interface.
Table 13 Import Known Problems
Bug ID
Summary
Additional Information
CSCea51440
Interface import using CSV file only supports FWSM.
In Configuration > Device Settings > Interfaces, the import feature for importing multiple interfaces from a CSV file supports FWSMs, but not PIX Firewalls.
To work around this problem, define PIX Firewall interfaces manually or import the configuration from the device.
Table 14 Installation Known Problems
Bug ID
Summary
Additional Information
CSCeb70960
VMMC Installer does not install patch on first pass.
The VMS Management and Monitoring Centers (VMMC) installer does not install the CiscoWorks Common Services patches until you run the VMMC installer a second time. Under normal conditions this does not cause a problem since you must run it a second time to install the VMS applications. However, if you install CiscoWorks Common Services from the VMMC installer and Firewall MC 1.2 from the website, the patches will not be applied.
To work around this problem, run the VMMC installer a second time to apply the Service Pack 1 patches before you install Firewall MC 1.2.
CSCeb51991
Internal server error seen after running VMMC installer.
After running the VMS Management and Monitoring Centers (VMMC) installer, you might see the following error message if you generate a firewall configuration and then click Deploy Later:
Internal Server Error
The Server encountered an internal error or misconfiguration and was not able to complete your request.
Please contact the server administrator, admin@domain.com and inform them of the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
To work around this problem, make sure that you stop the CW2000 Daemon Manager after installation.
CSCin49477 or CSCin49479
Shut down CSAgent required when upgrading to VMS 2.2.x.
If you installed the Management Center for Cisco Security Agents and are upgrading from VMS 2.2, the installer stops the CW2000 Daemon Manager, but does not stop the CSAgent service. This causes a large number of files to be locked.
To work around this problem, shut down the CSAgent service manually when you upgrade from a previous version or do a fresh installation.
CSCeb55669
Installer and uninstaller do not run.
If you run the CiscoWorks installer or uninstaller on a system that is infected with a virus or has an Internet Explorer process that has stopped responding, the installer or uninstaller may stop unexpectedly.
To work around this problem, disinfect your system and end any Internet Explorer processes that are not responding.
CSCeb22044
Install aborted at 99% does not halt/remove/restart components.
Canceling an installation when it is 99% complete does not appropriately halt the installation, remove certain components, and restart critical services.
To correct this problem, uninstall Firewall MC, reboot, and then reinstall Firewall MC.
CSCea26266
File copy window should not have cancel button.
Clicking Cancel during the file copy portion of the PIX MC installation causes the installation to become corrupt.
This is not a problem when you perform a clean install because PIX MC 1.1 reinstalls over an incomplete previous installation with no difficulty. However, if you are upgrading from an earlier release to release 1.1, you might be unable to use the previous version of PIX MC without uninstalling and reinstalling Common Services and CiscoWorks2000.
To work around this problem, back up your database before performing an upgrade.
Table 15 Firewall MC Server Known Problems
Bug ID
Summary
Additional Information
CSCeb44973
Import and generate is slow on certain configurations.
If you import or generate configurations with ACLs that use very large service groups (for example, hundreds of services in each service group), the import or generation might take a few minutes to complete.
Specifically, this happens in cases where nat 0 ACLs are present. Since service groups are not imported in release 1.2, they are flattened before any translations are performed, which slows the import.
There is no workaround. This is strictly a performance issue caused by large service groups.
CSCeb62315
Error deleting an imported FWSM VLAN interface.
If you try to delete a Firewall Services Module VLAN that was imported through the interface CSV import feature, you might receive a null pointer error.
To work around this problem, edit the VLAN interface before you delete it. You do not need to change any values when you complete the edit wizard.
CSCea62476
Firewall MC allows deploy to AUS with unique identity undefined.
If you do not define the Unique Identity page for a device, you can still deploy the configuration to the Auto Update Server, but the necessary auto-update command that the device needs to contact the AUS is not generated in the configuration.
To work around this problem, select Configuration > Settings > Firewall Device Administration > Unique Identity, and then enter the unique identity information so the auto update feature can work correctly.
CSCea80500
Last detected version not in effect if config and device mismatch.
When you upgrade a PIX Firewall OS version, the configuration is not regenerated correctly if no other changes occurred in the policy for that device. Therefore, when you deploy the device, you receive an erroneous message about version mismatch.
To work around this problem, make a temporary configuration change for the firewall device. This marks the device as needing to have a new configuration generated. When the new configuration is generated, the new OS version will be used.
To make a temporary change:
Change a setting, and then click Apply.
Change the setting back, and then click Apply again.
CSCea80936
NTP server cmd on device returns an error when deployed to device.
If the command ntp server <ip_address> source <interface_name> exists on a firewall device, and the device configuration is imported and later deployed back to the same device, the transcript returns an error.
To work around this problem, remove the NTP server command from the Ending Commands section after import.
CSCdw45096
Device Contact Info & AUS Contact settings not retained in jobs.
When you create a job, the PIX Device Contact Info and AUS Contact settings for each device in the job are not stored as a part of the job. When you deploy the job, the current values for these settings are used to deploy to a device, or to AUS. This means that changes made to these settings after a job is created will affect how a job operates when it is deployed.
To work around this problem, deploy existing jobs before changing the PIX Device Contact Info and AUS Contact settings for any device in any undeployed jobs.
CSCdx11318
Modifying routes might disconnect communication with PIX Firewalls.
Before PIX MC can manage any PIX Firewall, you must bootstrap the device with the right routes and http settings so that PIX MC can communicate with it. Any changes in PIX MC to the routes that affect connectivity between PIX MC and the device could cause a deployment to the device to fail.
To work around this problem, correct the routes in PIX MC and redo the boostrapping process on the PIX Firewall if you are disconnected.
CSCdy82136
Job Status/View Config pages are not checked for privileges.
If you use PIX MC with Cisco Secure ACS, and use the ACS Network Device Groups feature to assign permissions to a device or group, PIX MC does not check permissions for the View Config and View Transcript functions in the Job Status popup window. However, the permissions are correct in the Configuration pages. When the device is deployed, unauthorized users can see the status of the job that deployed the device, can access the configuration with the View Config function, or see the transcript with View Transcript.
There is no workaround.
CSCdz64177
Client might be slow when connecting to a PIX MC server remotely.
Remote access might be slow when you connect to a PIX MC server without the appropriate DNS entry (Address and Pointer Records).
To work around this problem, verify that a DNS entry was created.
Table 16 Known Problems with CiscoWorks Common Services that Affect Firewall MC
Bug ID
Summary
Additional Information
CSCdx36716
User is not notified of failure when shutting down during restore.
Hour and minute are not working for repeat backup database
The VMS Backup client does not display the current set values. Even though the backup client is configured for scheduled backups, the current values are not reflected and the client displays the default values. These values include a greyed out Schedule area and Immediate is checked.
The scheduled backups work as designed. To work around this problem, do not check Apply when you return to the backup client page unless you intend to reset the values.
CSCin11975
Changing the Windows password causes service startup to fail.
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration. There is little or no impact to your business operations.
Priority level 3 (P3)—Operational performance of the network is impaired, but most business operations remain functional. You and Cisco are willing to commit resources during normal business hours to restore service to satisfactory levels.
Priority level 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively impacted by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority level 1 (P1)—An existing network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Cisco TAC Website
The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: