Release Notes for Management Center for Firewalls 1.3.1 on Windows 2000

These release notes are for use with the CiscoWorks Management Center for Firewalls (Firewall MC) 1.3.1. Firewall MC is a web-based interface that enables you to configure new PIX Firewalls and Firewall Services Modules (FWSMs) and import configurations from existing firewalls. You can configure firewall device settings, access rules, and translations rules, and deploy these configurations to your network. Firewall MC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes.

These release notes provide:

• New Features

• Product Documentation

• Related Documentation

• Known Problems

• Obtaining Documentation

• Documentation Feedback

• Obtaining Technical Assistance

• Obtaining Additional Publications and Information

New Features

Firewall MC 1.3.1 adds support for Firewall Services Module version 2.2.

Product Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 1 describes the product documentation that is available.

Table 1 Product Documentation
Document Title	Available Formats
Release Notes for Management Center for Firewalls 1.3.1 on Windows 2000	•PDF on the product CD-ROM. •On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc131/index.htm.
Installing Management Center for Firewalls 1.3 on Windows 2000	•PDF on the product CD-ROM. •On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc131/index.htm. •Printed document available by order (part number DOC-7816034=).¹
Using Management Center for Firewalls 1.3	•PDF on the product CD-ROM. •On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc131/index.htm. •Printed document available by order (part number DOC-7816035=). 1
Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.3.1	On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc131/index.htm.
Context-sensitive online help	•Select an option from the navigation tree, then click Help. •Click the Help button in the dialog box.

¹See Obtaining Documentation.

Table 2 Related Documentation
Document Title	Description and Available Formats
Quick Start Guide for VPN/Security Management Solution 2.2	Describes the basic tasks involved in preparing and configuring network devices using Management Centers. This document is available in the following formats: •On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/index.htm. •Printed document available by order.
Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows	Describes the basic tasks involved in installing and configuring CiscoWorks Common Services 2.2. This document is available in the following formats: •On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_wincv/index.htm. •Printed document available by order.
User Guide for CiscoWorks Common Services 2.2	Describes how to use CiscoWorks Common Services 2.2. This document is available in the following formats: • On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/usrguide/index.htm. •Printed document available by order.
Release Notes for CiscoWorks Common Services 2.2 on Windows 2000	Contains information on issues that affect Firewall MC. This document is available on Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/rel_note/index.htm.

Known Problems

This section contains the following problems known to exist in this release:

Caution

Undoing activities in which you have moved a device or group can cause undesired results, such as locked activities and lost data. For more information, see CSCsa10912 and CSCsa11632 in Table 4.

• Security Context Known Problems, Table 3

• Activity Management Known Problems, Table 4

• Authentication Known Problems, Table 5

• Configuration Known Problems, Table 6

• Database Known Problems, Table 7

• Deployment Known Problems, Table 8

• GUI Known Problems, Table 9

• Import Known Problems, Table 10

• Installation and Upgrade Known Problems, Table 11

• Reporting Known Problems, Table 12

• Firewall MC Server Known Problems, Table 13

• Known Problems with VMS that Affect Firewall MC, Table 14

Note•The problems in the following tables are known to affect Firewall MC 1.3. However, some of the problems were found in earlier releases of the product, so they might contain references to PIX MC and CiscoWorks2000. Any such references apply to Firewall MC and CiscoWorks as well.

•To obtain more information about known problems, use the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)

Table 3 Security Context Known Problems
Bug ID	Summary	Additional Information
CSCec23910	In transparent mode, Firewall MC allows routes to be configured and generated that are not in the same subnet as the management IP address.	In Configuration > Device Settings > Routing > Static Route page, Firewall MC allows you to define routes that are not in the same subnet as the management IP address. When you deploy the configuration file to the device from Firewall MC, you will receive deployment errors because the CLI does not support this configuration. To work around this problem, you should define the routes with the same subnet mask as the management IP address (Configuration > Device Settings >Transparent Firewall > Management IP).
CSCec52434	The Diff With Running Config option does not work in some cases.	In the Import Summary window (at the end of the device import process), the Diff With Running Config option sometimes does not show the configuration differences between the configuration imported into Firewall MC and the configuration on the device. The Diff result window is blank. This occurs when the configuration on the device contains commands that are unsupported in Firewall MC. To work around this problem, remove any unsupported commands from your configuration prior to importing. For more information, see Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.3.

Table 4 Activity Management Known Problems
Bug ID	Summary	Additional Information
CSCsa11789	Undoing & approving the same activity causes an error.	You might receive an error if two users simultaneously try to change the state of the Activity. For example, you might see this error if one user is trying to undo an activity at the same time another user is trying to approve the activity. To work around this problem, close the browser session and relogin.
CSCsa10912	Undoing an activity in which you move a group or device causes data loss.	If you undo an activity in which you moved a group or a device, you will lose the contents of either the group that you moved or the group into which you moved a device. There is no workaround. However, you can prevent losing the group, by moving the group or device back to the desired location instead of undoing the activity.
CSCsa11632	Moving a subgroup leaves source group locked.	If you move a subgroup out of one group and into another group, and then approve or undo the activity, the group from which you moved the subgroup will remain locked. The lock icon does not show, but you cannot make changes to that group. To work around this problem and remove the lock, perform the appropriate step: •If you approved the activity: –Create a job and deploy the activity in which you moved the group. –Go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now. This will remove all discarded/approved activities, and should release the lock. •If you undid the activity, go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now. This will remove all discarded/approved activities, and should release the lock.
CSCsa11362	If there is an apostrophe in a device or group name, then can't see activity in Take Over Changes.	If an activity locks a device or a group that has an apostrophe in the name, Firewall MC will not recognize the activity within the Take Over Changes feature and you will not find the activity listed. To work around this problem, remove the apostrophe from the device or group name.
CSCsa11332	No Workflow, clicking two buttons within a table creates two activities.	If you are not using workflow and your first action is to navigate to a rule table and click several buttons within the applet in rapid succession, Firewall MC may erroneously create two activities. You will not encounter this problem if you have performed any other action for which Firewall MC would have already created an activity. If Firewall MC does create two activities in such a situation, you could be locked out of the particular device or group that you were working in. To work around this problem, enable workflow and undo the activity causing the lock condition. You can then turn off workflow and proceed with your activities.
CSCsa10812	Group is locked by a discarded activity.	If you move a device in an activity prior to upgrading to Firewall MC 1.3, and then undo the activity after you upgrade, the source group will remain in a locked state by the discarded activity. To work around this problem, go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now. This will remove all discarded/approved activities, and should release the lock.
CSCeb34681	Firewall MC delete privilege is system-wide.	If you are using ACS authentication, it is possible for a user to have the privilege to delete a device without having the privilege to edit the device. The delete privilege applies to all devices. The delete privilege should be assigned only to trusted users.
CSCdy17387	No audit log record for activity approval when AutoApprove is on.	If you enabled automatic approval of activities, submitting an activity does not create an audit log record for the approval action. The audit log contains only records for submitting. To work around this problem, interpret the submit audit records as you would separate submit and approval records.

Table 5 Authentication Known Problems
Bug ID	Summary	Additional Information
CSCsa08606	ACS - Firewall MC must not be in 'Not Assigned' Network Device Group.	For Firewall MC to work properly with Cisco Secure ACS for Windows (ACS), the Firewall MC server must be assigned to a Network Device Group, under Network Configuration in ACS, that has appropriate security associations, and must not be in the "Not Assigned" Network Device Group.
CSCsa09327	Need to investigate Help Desk Roles and what can be viewed via GUI.	A user with view only privileges, such as the Help Desk role, can see some sensitive information such as: •AAA Server Groups shared secret. •Any passwords/keys that are placed in the ending commands at import time, for example OSPF or NTP authentication keys. •LAN failover shared key. •IKE shared secret. •SNMP community string. These items are displayed on pages in the clear, so access to the page allows their direct viewing. There is no workaround.
CSCsa09292	Help Desk > VPN > IKE Options > Pre-shared Keys > View Keys null pointer.	If you access the VPN > IKE Options > Pre-shared Keys page and your permission settings do not allow you to modify settings on that page, you will receive an exception error if you click View Keys. To work around this problem, log in as a user that has adequate permissions.
CSCsa09289	Help Desk > Rules tables Edit, Copy, Cut & Delete active if rules exist.	In no-workflow mode, a user with view privileges, such as the Help Desk role, can modify the rule table. The user cannot, however, perform the Save, Generate, and Deploy option. To work around this problem, take over the changes of the Help Desk user from a privileged account, and then undo the changes.
CSCdy40186	Users with help desk role cannot view activity report.	If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission. To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.
CSCeb16968	ACS shared profile components disappear after ACS upgrade.	After you upgrade from Cisco Secure ACS version 3.1 to version 3.2, authorization support for Management Center (MC) applications such as Management Center for Firewalls fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file. To work around this problem, log into the CiscoWorks desktop with admin privileges and perform the following steps: 1. Select Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module. 2. Select VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs, then reregister all MCs. 3. Log out of CiscoWorks.

Table 6 Configuration Known Problems
Bug ID	Summary	Additional Information
CSCsa20218	Firewall MC allows invalid PIX failover configuration generation.	When failover is configured for a PIX Firewall, all enabled interfaces must be configured for failover with an IP address. If an enabled interface is not configured with an IP address, then the generation will fail the first time you generate and Firewall MC will substitute 0.0.0.0 for the IP address. This substituted IP address is NOT caught during subsequent generations and the configuration will reflect the 0.0.0.0 address which will cause an error on device. To work around this problem, ensure that the failover IP addresses for all enabled interfaces are properly defined.
CSCsa17858	Deny NAT 0 ACL rules behave as `permit' rules in some rare cases.	In some rare cases, the translation logic will treat `deny' statements in NAT 0 ACLs as if they were `permit' statements during address translation calculations in Firewall MC 1.3.0 and 1.3.1. This problem occurs if there are two entries with the same source, destination, and service added. The address translation algorithm merges these rules into a single entry and the second entry's `deny' flag is ignored and instead the first entry's `permit' is used. Most address translation entries are `permit' entries. The only exception is NAT 0 ACL entries which can be either `permit' or `deny'. Therefore, this problem only affects NAT 0 access rules. There is no impact on the generation of the NAT 0 ACL itself. However, address translation might be incorrect in some cases because of the deny to permit switch. There is no workaround.
CSCsa16946	Translation entries might disappear in some rare conditions.	In some rare cases, it is possible that translation entries could be incorrectly removed from the translation algorithm. In Firewall MC 1.3, the translation logic uses an algorithm to store various translation-related data such as statics, NATs, identity static/NATs, routes, etc. When two entries are present with the same source, destination, and service, then they are modeled as a single entry and a list is created by the algorithm to identity each specific entry. In some cases, if a large entry gets added, an earlier smaller entry of the same type could get removed from the calculation. If this were to happen, the code incorrectly removes the entire list rather than just removing the one entry from the list. This could result in translation behaving erratically in these cases. There is no workaround.
CSCed75282	Failover enabled without correct IPs on each interface errors.	When the failover IP address is not on the same subnet as the interface IP address, a generate error occurs. When you click the View Errors link, you will not see any error messages in the generated configuration. To work around this problem, specify a failover IP address that is on the same subnet as the interface.
CSCsa11048	Different pre-shared key policies with same key not permitted/generated.	In some cases, it is possible to get errors while generating ISAKMP Preshared keys in a configuration even though the Tunnel Consistency panel in the GUI says the keys match on both ends of the tunnel. Specifically, if there is a tunnel between peers A and B, and A has a default preshared-key policy and B has a user-defined key for A's IP address, when you generate commands for A and B, Firewall MC will incorrectly generate errors saying there is no valid key present for the respective peer even if A's default keystring is identical to B's user-defined keystring for A. However, the Tunnel Consistency check panel for this tunnel will indicate there is no key mismatch. To work around this problem, set the same pre-shared key policy on both A and B. Either have user-defined keys on both ends, or have default keys on both ends.
CSCed65717	ICMP messages not optimized out.	The optimization code in Firewall MC 1.3 is not able to combine two ACEs when one has service icmp all and the other has service icmp <icmp-type>. Prior versions of Firewall MC were able to combine such ACEs into a single icmp all ACE. This will result in rules that are not optimized as well as they could be. However, the resulting rule set is still correct. There is no workaround.
CSCsa08680	There is no warning that vpnclient won't work when vpngroup missing.	Deploying partially configured Easy VPN Remote settings to a device does not issue a warning and the Easy VPN Remote is disabled on the device. The deployment transcript will show a message from the device that reads "Warning: No router certificate for key exchange. PIX Easy VPN Remote disabled." To work around this problem, make sure that the Group Name is entered on the Configuration > VPN > Remote Access > Easy VPN Remote.
CSCsa09822	Deleting firewall rules does not remove auto nat & static cmds - no edit.	If you set Identity Address Translation Rules to "Only" or "On" (Configuration > MC Settings > Management), Firewall MC will generate NAT or Static commands corresponding to addresses in both AAA rules and Firewall rules. To work around this problem, turn off Identity Address Translation Rules, which will also eliminate the generation of Identity Address Translation Rules for Firewall rules.
CSCsa09926	Interface wizard fails to detect if no password is entered for PPPoE.	When enabling PPPoE for the outside interface, the GUI fails to recognize the lack of a password. Upon generation, the command will be generated as vpdn username <username> password invalid-password. To work around this problem, edit the settings for the interface to include a user password.
CSCsa10157	Second level Group doesn't allow both to Inherit and to Enforce/Mandate.	On any Configuration > Device Settings page, the Inherit Settings and Enforce/Mandate check boxes cannot both be selected at the same time. When one check box is selected, the other one is disabled. Because of this limitation, you cannot inherit settings on a particular group while mandating that all children of that group use the same settings. There is currently no workaround.
CSCsa10862	Object groups still refer to deleted objects.	When you delete an object (service, service group, or network object) references to that object are not automatically removed from other object group definitions. If an object group with reference to a deleted object is used in a rule, generating a configuration that uses the rule results in a generation error. To work around this problem, manually remove all references to deleted objects.
CSCsa09481	Cannot turn off failover on interface.	If you define a failover IP address for an interface, but failover is not enabled, the generated commands will include the failover IP address. Some failover commands will always show up in the generated configuration, because the Failover page does not have a means to delete these failover IP addresses from the generated configuration. These commands will not affect the device's behavior when failover is disabled. On a device without a failover license, deploying failover commands will not cause a deployment error. The device ignores the commands. There is no workaround.
CSCsa04493	AAA Rules permits LOCAL authorization/accounting for invalid services.	AAA authorization and accounting using the LOCAL protocol is only permitted for console, cut-through authentication, and command authorization services. The LOCAL AAA protocol is only supported in PIX Firewall OS 6.3 and later. Services such as HTTP, FTP, and Telnet (cut-through proxy) can only be enabled for LOCAL AAA authentication and not for authorization and accounting and should not be enabled within Configuration > Access Rules > AAA Rules.
CSCsa06605	Deleting or renaming interface causes generation errors.	Some settings that refer to interface names cause generation errors when the interface is renamed or removed. These settings must be deleted or changed to reference the new name. The following settings refer to interfaces and must be changed to use the new name: •Failover •Static Routes •RIP •Proxy Arp •HTTPS (SSL) •Telnet •Secure Shell •SNMP •ICMP Interface Rules •Syslog •URL Filter Server •TFTP Server •IDS Policy •Anti-spoofing •Fragment To work around this problem, delete the settings resulting in generation errors or modify the settings to reflect the new interface name.
CSCsa04486	Fixup protocol esp-ike & isakmp enable <interface_name> cannot co-exist.	The following commands cannot coexist on the same firewall device: •fixup protocol esp-ike •isakmp enable <interface_name> However, Firewall MC allows you to configure both commands without generating an error. The error will be caught at the device and the deployment will fail with an error saying "PAT for ESP cannot be enabled since ISAKMP is enabled". To work around this problem, do not place these two commands in the same configuration.
CSCea14915	Deploy fails if number of interfaces in GUI and device differ.	When working in the Firewall MC GUI, sometimes the number of interfaces or their respective hardware IDs do not match those on the physical device. An example of this would be if you were to define only ethernet0 and ethernet1 in the GUI, when the device also has ethernet2. During deployment, Firewall MC would attempt to remove all configuration settings for the undefined interface, such as its IP address, which causes deployment errors and possibly traffic flow failure on that interface, depending on the settings you established regarding error handling. To work around this problem, make sure the interface configuration in the GUI matches the configuration on the device. This includes the number of interfaces and their hardware IDs.
CSCsa07223	Spoke-grp two S2S tunnels to Hub-dvc same intf unsupported auto-gen key.	When you have multiple tunnels between a pair of devices where the same interface is used as the endpoint on one of the two devices, Firewall MC will not accurately create pre-shared keys for automatically generated and default key policies. For example, consider two devices (A and B) with two tunnels (Tunnel-1 and Tunnel-2) between them: Tunnel-1: A:inside <------> B:outside Tunnel-2: A:outside <-----> B:outside In this example, both tunnels end on the same interface of device B, while ending on different interfaces on device A. In such cases, Firewall MC will automatically generate keys for one of the two tunnels, but not for both. To work around this problem, specify user-defined keys on both devices (A and B). On device A, specify a single key for B:outside. On device B, specify two keys, one for A:inside and one A:outside. All three key values should be identical.
CSCsa06656	Auto NAT settings can impact dual dynamic NAT.	PIX Firewall and FWSM implemented dual-NAT differently. Firewall MC follows the FWSM semantics. On the PIX Firewall, if a dynamic NAT rule is applied to an interface with a lower security level, then you must define static translation rules to enable outgoing traffic from all other networks attached to that interface. On FWSM, adding a dynamic translation rule does not require static translation rules to be defined for all other outgoing traffic (high to low security level interface traffic). Firewall MC does not allow you to use the Identity Address Translation feature to auto generate statics for outbound traffic when a dynamic translation rule exits on a lower security interface in a PIX Firewall configuration. You must manually define any such identity statics
CSCsa06655	For FWSM, all policy statics are higher priority than all old statics.	The evaluation order of the static address translation rules differs between PIX OS 6.3.x and FWSM 2.x. PIX OS 6.3.x evaluates in the following order: 1. Port-based statics (policy statics and original style statics intermixed) 2. Host-based statics (policy statics and original style statics intermixed) FWSM 2.x evaluates in the following order: 1. Port-based policy statics 2. Host-based policy statics 3. Port-based original style statics 4. Host-based original style statics Firewall MC models the PIX implementation. During import, Firewall MC assumes the PIX OS evaluation order. In most cases, this does not cause problems even for FWSM. If you view the existing configuration on a FWSM, all policy statics appear before the original style statics. In this case, as long as the port or host-based statics are not split between the two styles, Firewall MC accurately imports the static address translation rules. On generate, this represents no problem. Firewall MC either generates only original-style statics or policy statics followed by original-style statics (if the Identity Address Translation feature is enabled).
CSCsa05925	Internet Explorer hangs when you click away from page with applet before certificate dialog.	The Firewall MC window and CiscoWorks Desktop window might become unresponsive if you access the Configuration tab, and then click the Firewall MC window again before the certificate dialog appears. To work around this problem: 1. Open Windows Task Manager. 2. Click the Applications tab. 3. Select the Internet Explorer tasks that are not responding. 4. Click End Task. 5. Open a new browser, log in to CiscoWorks again, and then launch Firewall MC. 6. Click the Configuration tab, and then wait for the Certificate popup window to appear. 7. Accept the certificate.
CSCsa02803	View Config and Deploy Transcript displays preshared keys in clear text.	Pre-shared keys defined on the Configuration > VPN > IKE Options >Pre-shared Keys page are displayed in clear text in the View Config and View Transcript windows. Users with permission to view these pages can also view any pre-shared keys. No workaround is currently available.
CSCsa02754	Local User password and Confirm password should get cleared on error.	If you enter different values in the Password and Confirm Password fields of the Add User Information dialog box, accessed from Configuration > Device Settings > Firewall Device Administration > User Accounts, Firewall MC returns an error stating that the Password and Confirm Password do not match, and then resets the fields to a default value. If you click OK on the Add User Information dialog box without reentering the password, the user account is created with this default password. To work around this problem, delete the user, and then add the user again making sure the Password and Confirm Password fields match.
CSCsa02311	Failover settings cannot be inherited.	The Inheritance settings for the Failover Interfaces configuration table fails to display any inherited interfaces defined at the parent scope. No workaround is currently available.
CSCed19812	Policy NAT ACL on PIX Firewall contains alias addresses.	When importing a PIX Firewall configuration that uses policy NAT rules that are not generated by Firewall MC, it is possible that the rules retained in the GUI do not match the intended rules. No workaround is currently available.
CSCsa02734	Special characters are allowed in the IPSec Transform Set Name on the PIX Firewall, but Firewall MC returns an error when they are used.	If you are adding an IPSec Transform Set from Configuration > Building Blocks > IPSec Transform Sets and use certain special characters (&,<,>,",~,^,\|) in the transform set name, Firewall MC returns an error saying that these characters are not allowed even though these characters are valid on the PIX Firewall. To work around this problem, do not use these special characters in IPSec transform set names.
CSCdz39788	Include and exclude commands not supported.	Firewall MC does not support the forms of the AAA commands that use the keywords include and exclude. These commands cause an error whenever encountered regardless of how you indicated that Firewall MC should treat unknown commands. For a list of PIX Firewall and Firewall Services Module (FWSM) CLI commands supported by Firewall MC 1.3, see Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.3 at http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html. To work around this problem, replace these commands with the match form of the commands.
CSCeb61418	Static port address translation (interface) not supported.	Firewall MC does not support the interface keyword in the static command. To work around this problem, avoid using the interface keyword in the static command. Use the actual address instead of the interface keyword. In a situation where the address is not known because DHCP is providing the address, no workaround exists.
CSCdz48293	PIX Interface command accepts VLAN as hardware ID.	When importing from file, Firewall MC allows the command interface vlan<n> [[<hw_speed> [shutdown]] to be issued or imported for PIX Firewall versions earlier than version 6.3 even though the VLAN is valid only for FWSMs and PIX Firewalls version 6.3 and later. To work around this problem, make sure the VLAN hardware identifier is used only for FWSMs and PIX Firewalls version 6.3 and later.
CSCea27335	Firewall MC limits DHCP server to inside interface only.	In PIX Firewall versions earlier than version 6.3, the dhcpd enable <intf> command accepts only the inside interface as an argument. PIX Firewall versions 6.3 and later do not have this restriction. However, Firewall MC will not allow you to enable the DHCP server on other interfaces. Importing the dhcp enable command for an interface other than inside causes an error. No work around is currently available.

Table 7 Database Known Problems
Bug ID	Summary	Additional Information
CSCed90704	User must log out during compact.	The CW2000 KRS database service is shut down while the database is being compacted and restarted when compaction is complete. If there are any instances of Firewall MC active when you compact the database, the connection to the database for those sessions will be terminated. To work around this problem, close all instances of Firewall MC before compacting the database. If any instances of Firewall MC were open when the database was compacted, you will need to close Firewall MC, and then log out and back in to the CiscoWorks Server before you can use Firewall MC.
CSCed12328	Cannot restore database from network drive.	If restoring the VMS database from a network drive (VPN/Security Management Solution -> Administration -> Common Services -> Restore Database), the restore client will freeze and generate errors. To work around this problem, copy the remote restore directory to a local drive and then initiate the restore from the local drive.
CSCea10128	Database deadlocks during checkpoint.	Under unusual circumstances, the Firewall MC database (fms.exe) might consume all of the CPU while performing a checkpoint. To work around this problem, restart the CW2000 Daemon Manager: 1. Log in as administrator. 2. Select Start > Settings > Control Panel > Administrative Tools > Services. 3. Right-click CiscoWorks Daemon Manager, and then click Restart.

Table 8 Deployment Known Problems
Bug ID	Summary	Additional Information
CSCsa20577	Firewall MC clears FWSM transparent firewall ethertype access-rules when deploying to device.	The Configuration > Management > Clear ACLs before deployment (FWSM only) setting currently works for FWSM version 1.1.x only. The result is that ethertype access rules get cleared on every deploy to device. However, the rules are reapplied to the device and there is no effect to the rule set. There is no workaround. This issue has no end effect to the ethertype rules applied to the FWSM.
CSCsa11422	Difference report shows repeated differences in access rules.	When you view a difference report (Configuration > View Config > Generate and View Difference With Last Deployed Config or Configuration > View Config > Generate and View Difference With Running Config), differences in access-list commands may appear twice. There is no workaround.
CSCsa09742	Deploying no isakmp client configuration address-pool local reboots PIX.	Deploying no isakmp client configuration address-pool local <poolname> <pifname> causes a PIX Firewall running 6.3(x) to crash and reboot. This is a problem with the PIX hardware. To obtain more information about this problem, go to the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl and refer to bug ID CSCed57964. (You will be prompted to log into Cisco.com.) The affect on Firewall MC is that the deployment will not complete. Unfortunately, there is no workaround other than to do a clear isakmp on the device before deploying, and to configure Firewall MC to overwrite external changes by setting the Action on External Change to Device Config setting to Overwrite (Configuration > MC Settings > Management). However, this REMOVES all isakmp commands, both isakmp and isakmp policy, which will cause a temporary network outage. Firewall MC will reapply these commands.
CSCsa08905	Part of the deploy transcript is out of order.	The deploy transcript is out of order with version and checksum information. This might cause confusion when viewing the transcript. The checksum is actually obtained when the configuration is retrieved from the device before the deployment happens. No workaround is currently available.
CSCsa03828	Unable to stop deployment when deploying to one device.	Clicking Stop does not cancel a deployment. No workaround is currently available.
CSCdy29184	Misleading error during deploy to AUS without correct privileges.	If the AUS (Auto Update Server) user account on PIX MC does not have the API_View or API_Write privilege required to deploy to the AUS server, an error stating `STATUS_FAILED authentication failed!` appears when you deploy to AUS.
CSCea17787	AAA match statements are type dependent.	Deploying a AAA match statement might result in a deployment error if the ACL used in the match statement is not valid for AAA. For example, if the ACL used in a AAA accounting match command is `permit ip any any`, the deployment might result in an error state. The reason is that `ip any any` includes ICMP, which cannot be accounted for. To work around this problem, make sure the ACL used in AAA match statements is of the appropriate type.

Table 9 GUI Known Problems
Bug ID	Summary	Additional Information
CSCsa10913	Filter by traffic direction in translation exemptions table not working.	Filter by traffic direction in translation exemptions table not working. No workaround is currently available.
CSCea81016	GUI is not version aware.	Some commands apply only to specific PIX Firewall and FWSM OS releases. Firewall MC does not distinguish these command differences in the GUI. The OS specific command differences will be identified during generation, and the configurations will contain the commands specific to that OS only. There is no workaround.
CSCsa07112	Firewall MC does not generate failover bootstrap link or asterisk next to failover device.	There are two problems (labeled Problem A and Problem B) with the way that Firewall MC handles failover settings. Problem A If any LAN-based failover setting is changed, Firewall MC indicates to the user that bootstrapping is needed by putting an asterisk after the name in the generation summary page and providing a link to the bootstrap commands. However, Firewall MC does not check whether failover is enabled during this process. Consequently, after Firewall MC imports a device that has LAN-based failover enabled but failover disabled, bootstrap information is provided, but is not necessary and will mistakenly turn failover on if pasted to the device. To work around the problem, ignore the LAN-based failover bootstrapping information provided by Firewall MC if you do not have failover enabled on a device. Problem B If a FWSM 2.x device has the failover lan interface command configured but failover disabled, Firewall MC will turn its failover setting on and generate the failover command after importing this device. To work around the problem, either remove the failover lan interface command from the device before importing, or disable the Enable Failover check box before generating a new configuration.
CSCsa08703	View all hex value ethertype option shows blank value.	If you try to view or edit an Ethertype rule that has a hexadecimal Ether value, the Ether value on the Ethertype Rule window will be blank. To work around this problem, make note of the hexadecimal Ether value on the main Ethertype Rules table before viewing or editing the Ethertype rule. If you are editing the rule, you must enter this value before you click OK.
CSCed70305	Select all in rule table doesn't always select all.	If you try to select all rules in the access rules table while the table is still loading, not all rules will be selected. To work around this problem, wait until the table has fully loaded before you select all the rules.
CSCsa10544	User encounters blank or badly formatted page.	There are certain areas in Firewall MC where Javascript is used to refresh or reload the main page or a status window. Occasionally, the Internet Explorer browser can get stuck when executing this Javascript code. When this happens, one of the following symptoms might appear: 1. The browser goes to a white screen and sits there for minutes, and when it eventually loads the page, the formatting of the fonts and a lot of the layout is distorted, but the browser itself is still active. 2. The browser goes to a white screen and never recovers. In this case IE can be either active or inactive (locked up). To work around this problem, press F5 to reload the page. If the browser still does not recover, then close all windows for the Internet Explorer process, make sure the process itself is shutdown (IEXPLORE.exe in the task manager), and then launch a fresh Internet Explorer and restart Firewall MC.
CSCsa11281	Edit Rule during Rule Table load slow.	If you try to edit a rule while the table is loading a large rule set, it will take a long time to return to the rule table after clicking OK. To work around this problem, wait for the rules to complete loading in the table before you try to edit a rule.
CSCsa09446	Cut/Copy and paste of IPSec Tunnel Templates removes Transform Sets.	When you paste an IPSec Tunnel Template on the IPSec Tunnel Templates page (Configuration > Building Blocks > IPSec Tunnel Templates), the Transform Set used by the template is lost and its value is set to None. To work around this problem, you must edit the IPSec Tunnel Template, and then reselect the IPSec Transform Set for the template after pasting.
CSCsa09446	Filtering in the table should have dropdowns for certain fields.	The Permit column has icons to represent permit and deny. When filtering on this column, the user can also use the words "true" or "yes" for permit, and "false" or "no" for deny. If the user enters "y", then the filter will match on "deny". To work around this problem, spell out "true" or "yes" and "false" or "no" for filtering on this field.
CSCsa08562	With workflow, pressing Approve right after Reject throws null pointer.	In workflow mode, after an activity is submitted, it can be either approved or rejected. If a user presses the Reject button and then enters an activity transition comment, he will see the Approve button is still active. If he presses the Approve button while the rejection is still in progress, a null pointer exception will occur. To work around this problem, do not press the Approve button when an activity rejection is being processed.
CSCed70306	Cannot copy and paste rules in Expanded Rule Table.	If you copy and paste rules in the rule table after it has been detached from the Firewall MC window, the Firewall MC browser might stop responding. To work around this problem, close the browser and relaunch Firewall MC.
CSCed65692	MAC Address table setting doesn't override when timeout is blank.	On the MAC Address Table page (Configuration > Device Settings > Transparent Firewall > MAC Address Table) and DHCP Relay Server page (Configuration > Device Settings > Servers and Services > DHCP Relay Server), you cannot clear the timeout setting if the table of interfaces for the feature is empty and timeout value is specified at the parent scope. When you clear the timeout setting and click Apply, the Inherit settings check box is automatically selected and the parent value is inherited. To work around this problem, add a row to the table and then delete the row before you clear the timeout field. You can then clear the timeout field and click Apply without the parent value being inherited.
CSCsa10890	If using Netscape7.1, Firewall MC closes when you close an activity.	If you are accessing Firewall MC from a Netscape browser, and with workflow enabled you try to close an activity that is in the Edit_Open state by going to the Workflow > Activity Management page and clicking Close, the Firewall MC window will close and the activity will remain in the Edit_Open state. To work around this issue, do not close the activity from the Workflow > Activity Management page. Instead, if the Edit_Open state activity is the current activity in your session, click the Close icon on the Activity action bar located in the upper right corner of the Configuration tab. If the Edit_Open state activity is not the current activity in your session, you must first make it the current activity before you can close it: 1. Select the activity on the Activity Management page 2. If Require Activity Approval is enabled, click Submit. If not, click Approve. 3. Click cancel. 4. Click the Configuration tab. 5. Click the Close icon on the Activity action bar.
CSCec73144	Firewall MC occasionally crashes when changing scope.	There is a Windows performance setting that allows you to optimize performance for either applications or background services. If you have background services selected, then the browser might return exceptions or crash when you access the Object Selector. This behavior is very likely to happen if the client and server are on the same system. To work around this problem, make sure that the operating system response is optimized for applications and not for background services: 1. Select Start > Settings > Control Panel > System. 2. Click the Advanced tab. 3. Click Performance Options. 4. In the Application response box, make sure that the Applications radio button is selected. 5. Click OK.
CSCec76430	FWSM no longer supports periods in the hostname.	Firewall MC follows the PIX 6.x format for hostname, however, FWSM 2.x no longer supports periods in the hostname (for example, "my.pix.1"). Therefore, you will be able to define an erroneous hostname for FWSM 2.x in Firewall MC. This error will be caught by the FWSM 2.x device as a deployment error. To work around this problem, do not add a period to the hostname of an FWSM 2.x device.
CSCec90250	Modal dialog boxes intermittently stay open when using Netscape.	When using Netscape, form items in modal dialogs have focus problems if you attempt to select the parent window. After you click the parent window, you cannot select an item, using a mouse or by pressing Tab, within the form in the modal dialog. Text fields are particularly susceptible to this issue. To work around this issue, do one of the following: •Close or cancel out of the modal dialog. Re-open the modal dialog, and do not try to select the parent window. •Click on the help link in the modal dialog, and then close the help window. The items in the form should behave properly now. Do not try to gain focus on the parent window.
CSCsa04337	VLAN ID 4096 accepted in GUI and no error displayed after configuration generation.	Firewall MC allows a user to enter a VLAN ID greater than 4095 without generating an error. However, subsequent deployment of the generated configuration might fail because of this illegal VLAN ID. To work around this problem, do not enter a VLAN ID greater than 4095.
CSCsa04546	GUI should warn about duplicate IKE policies.	If a configuration has two IKE policies with different priority numbers but the exact same parameters, these two IKE policies can still be generated and deployed without warning, and the firewall device simply removes the duplicate policies when it receives deployment. To work around this problem, do not define two or more IKE policies with different priority numbers but the exact same parameters.
CSCec50276	Firewall MC 1.3 Interface Hardware ID should be grayed out in FWSM 2.x.	When you are configuring an interface for FWSM, certain Interface fields that are not used should be grayed out. No work around is currently available.
CSCsa07589	Incorrect GUI restriction for user-key for managed objects.	If you select a hub's outside interface and create a user-defined preshared key, you will not be able to create a second user-defined preshared key for the same hub's inside interface. An error results stating "User key with the same peer or with the same peer IP address already exists." To work around this problem, create a key based on IP address instead of a managed device interface.
CSCeb80454	Browser caching can cause Object Selector to not respond.	Under certain conditions, Firewall MC will not allow you to select a group or a Firewall using the Object Selector. Instead the scope remains at the Global level and cannot be changed. This is caused by the browser pulling from its local cache instead of the Firewall MC server. To work around this problem clear all temporary files on your browser: For Internet Explorer only: 1. Select Tools > Internet Options. 2. Under Temporary Internet files, select Delete Files. 3. Close down all browser windows, then re-open the browser. If the problem persists: 1. Clear out the Java JAR cached files. 2. Close down all browsers, then verify that JRE is shut down with the browser. (The Java icon in the system tray should be gone.) 3. Select Start > Settings > Control Panel > Java-Plug-In 1.3.1. 4. Select the Cache tab, then click Clear JAR Cache. 5. Apply the change, start up a new browser window, then try again.
CSCeb52284	Cannot add a rule using tear-off view if no rules exist.	The access rule table does not provide a popup menu unless there are rows in the table. If you expand a table that does not have rules, you cannot insert a rule because the popup menu cannot appear and there are no buttons at the bottom of the expanded table. To work around this problem, do not expand an empty table.
CSCdz66765	Using browser's refresh might cause unexpected results.	If you use your browser's refresh button (or press F5) instead of using the Refresh button available on some of the Firewall MC GUI pages, you might see error messages repeated or prompts to resend data. To work around this problem, use the Refresh button on the GUI, when available, instead of pressing F5 or using your browser's Refresh button.
CSCeb59538	Message window text blinks during backup and restore.	The message window that CiscoWorks displays during a backup or restore is blank except for an occasional status that appears and then quickly disappears. Mouse movement is also slow during the backup or restore. There is no workaround. This behavior does not reflect the success of the backup or restore. You should allow the action to conclude.
CSCeb63147	Activity report lists all fixup ports when only one was changed.	If you change any fixup settings, all fixups that are displayed on the Basic or Multimedia Fixup page and checked as active appear on the Activity report even though they were not changed. There is no workaround.
CSCeb24910	Activity report does not list deleted devices.	The Activity report does not include deleted devices if the parent group was also deleted in the same activity. There is no workaround.
CSCdx47739	Workflow does not stop multiple jobs from deploying to same device.	Firewall MC does not prevent you from putting the same device in more than one job. This could lead to a deployment error if more than one job tries to deploy to the same device at the same time. Also, you could inadvertently deploy an older approved configuration over a newer one, depending on the order in which the pending jobs are deployed. To work around this problem, avoid adding devices that are part of a pending job when you create new jobs.
CSCdy59201	Inherit settings from lists wrong group name when not inheriting.	If you deselect the Inherit settings check box, the text reads `Inherit setting from: Global,` instead of specifying the group from which the information would be inherited were this item selected. This is only a display problem. If you select the Inherit settings from check box, Firewall MC inherits correctly and the updated page shows the group from which you are inheriting. To work around this problem, use the object selector or the quick links next to SCOPE to walk up the group hierarchy towards Global to find out from where the settings would be inherited. The closest ancestor that has its own settings (not inheriting) is the one from which the setting would be inherited.

Table 10 Import Known Problems
Bug ID	Summary	Additional Information
CSCsa11338	Performance limitations to import and deploy.	Through the course of testing, we have found that performance on importing and deploying is affected by the number of rules in your configuration, such that importing a configuration with a large number of rules takes approximately one second for every eight rules, and deploying takes approximately one second for every four rules. For PIX 6.2(2) and FWSM 2.2 and later, the deploy performance is greatly improved using bulk deploy. To improve performance when deploying a configuration with a large number of rules, upgrade your firewall device to PIX 6.2(2) or FWSM 2.2.
CSCin54306	Multiuser import failed for directory import.	If multiple users try to import from a directory at the same time, the import fails. To work around this problem, avoid having multiple users import from a directory at the same time.

Table 11 Installation and Upgrade Known Problems
Bug ID	Summary	Additional Information
CSCsa07730	During install alphabetic characters are accepted in port number fields.	Port numbers are represented using number, not characters and symbols. If you define an invalid port number, the Firewall MC services will fail to start. To work around this problem, accept the default value or use numbers when defining your port. To correct an invalid port number, reinstall Firewall MC.
CSCeb70960	VMMC Installer does not install patch on first pass.	The VMS Management and Monitoring Centers (VMMC) installer does not install the CiscoWorks Common Services patches until you run the VMMC installer a second time. Under normal conditions this does not cause a problem since you must run it a second time to install the VMS applications. However, if you install CiscoWorks Common Services from the VMMC installer and Firewall MC from the website, the patches will not be applied. To work around this problem, run the VMMC installer a second time to apply the Service Pack 1 patches before you install Firewall MC.
CSCeb22044	Install aborted at 99% does not halt/remove/restart components.	Canceling an installation when it is 99% complete does not appropriately halt the installation, remove certain components, and restart critical services. To correct this problem, uninstall Firewall MC, reboot, and then reinstall Firewall MC.

Table 12 Reporting Known Problems
Bug ID	Summary	Additional Information
CSCsa19215	Configuration difference report fails to work in some cases.	When comparing a configuration in Firewall MC with one on a device, if there are ACLs in the device configuration that are not bound to an interface, then Firewall MC cannot match them with the ACLs in the Firewall MC configuration. To work around this problem, bind any unbound ACLs to an interface or remove them.
CSCsa10776	Activity Reports are blank for pre-upgrade activity.	When you upgrade Firewall MC, any activity reports for prior changes are lost. To work around this problem, save the activity reports to an XML file before you upgrade.
CSCsa10695	View All Static rules and translation rules has PAT/NAT statics reversed.	There are two problems associated with placement of PAT and NAT static rules in the Static Translation table: Problem 1 When you select Translation Rules > View All Translations or click View All on the Static Translation table, the Host translation statics (NAT statics) are listed before the Port translation statics (PAT statics), even though the order of evaluation on the firewall device is PAT statics before NAT statics. There is currently no workaround. Problem 2 If you edit static translation rule and change a PAT static to a NAT static, or change a NAT static to a PAT static, the rule should be repositioned in the table so that it is grouped with rules of the same type. However, when you do make such a change, the rule does not get positioned to the correct location. To work around this problem, remove the rule that you want to change and recreate it in the correct location, with the new desired values.
CSCsa09283	Activity Reports fails to display Add PPPoE Information parameters.	The activity report does not show detailed setting changes for an interface if the interface type is PPPoE. There is no workaround.
CSCsa09252	Activity Reports > FW Device Contact Info reported as Auto Update Server.	If you change settings on the Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info page, the changes are incorrectly listed under Configuration > MC Settings > Auto Update Server Contact when you view the activity report. There is no workaround.
CSCsa09237	Activity report will not save to networked drive, user sees blank window.	You cannot write an Activity Report XML file to a network drive. To work around this problem, save the report to an accessible drive, and then log in and transfer that file to the network drive you want it to reside on.
CSCed66577	Ending commands are not retained in activity reports.	When you select the Inherit Settings check box on the Configuration > Device Settings > Config Additions > Ending Commands page, any information in Ending Commands at the current scope is removed. The information that was in Ending Commands is not retained in the activity report, and you will not be able to get this information back without undoing the activity. No workaround is currently available.

Table 13 Firewall MC Server Known Problems
Bug ID	Summary	Additional Information
CSCsa09355	If a JRE is not installed, Internet Explorer might take 5 minutes to prompt to install.	Internet Explorer sometimes takes an inordinate amount of time to determine the plug-in necessary to launch a Java applet, determine if it needs to obtain the plug-in, and finally actually initialize the download of the plug-in. To work around this problem, wait for Internet Explorer to install the JRE.
CSCea80500	Last detected version not in effect if config and device mismatch.	When you upgrade the PIX Firewall OS version on a device and Firewall MC is set to Last Detected Firewall OS Version (Configuration > Device Settings > Firewall OS Version), deployment will fail and you will receive an error message about version mismatch. To work around this problem, set the Firewall OS version manually, and then redeploy with this change.
CSCdw45096	Device Contact Info & AUS Contact settings not retained in jobs.	When you create a job, the PIX Device Contact Info and AUS Contact settings for each device in the job are not stored as a part of the job. When you deploy the job, the current values for these settings are used to deploy to a device, or to AUS. This means that changes made to these settings after a job is created will affect how a job operates when it is deployed. To work around this problem, deploy existing jobs before changing the PIX Device Contact Info and AUS Contact settings for any device in any undeployed jobs.
CSCdz64177	Client might be slow when connecting to a Firewall MC server without a DNS entry.	Remote access might be slow when you connect to a Firewall MC server without the appropriate DNS entry (Address and Pointer Records). To work around this problem, verify that a DNS entry was created.

Table 14 Known Problems with VMS that Affect Firewall MC
Bug ID	Summary
The following problems have been seen during Firewall MC testing. More information is available in the Release Notes for CiscoWorks Common Services at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html. Specific details are available from the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
CSCin69274	CSA Agent queries upgrade of FWMC from 1.2.2 to 1.3
CSCdx74061	Scheduling future Backups and Compacts requires two steps.
CSCdx74308	Services do not start after reboot during installation.
CSCdy02949	Difficulty browsing CiscoWorks2000 desktop from server machine.
CSCdy06590	Restoring during scheduled backup requires reboot.
CSCdy25551	MDCSupport utility does not erase its temporary directory.
CSCdy26688	Cannot launch CW2K desktop after Common Services installed on system with netForensics.
CSCdy28951	Licensing error when SQL service is not started
CSCdy31988	Sybase service problem on Win2K server with Terminal Services on.
CSCeb11926	Hour and minute are not working for repeat backup database
CSCin11975	Changing the Windows password causes service startup to fail.
CSCin14028	CiscoWorks links do not work due to change in server IP address.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

•World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

This document is to be used in conjunction with the documents listed in the "Product Documentation" section.

Table Of Contents