Table Of Contents
Release Notes for Management Center for Firewalls 1.3.2 on Windows 2000 and Solaris 2.8
New and Changed Features
Product Documentation
Related Documentation
Resolved Problems
Known Problems
Obtaining Documentation
Cisco.com
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco Technical Support Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Management Center for Firewalls 1.3.2 on Windows 2000 and Solaris 2.8
These release notes are for use with the CiscoWorks Management Center for Firewalls (Firewall MC) 1.3.2. Firewall MC is a web-based interface that enables you to configure new PIX Firewalls and Firewall Services Modules (FWSMs) and to import configurations from existing firewalls. You can configure firewall device settings, access rules, and translations rules, and deploy these configurations to your network. Firewall MC is also a powerful tool for controlling changes made to your network, showing configuration and status changes.
This document might be updated at any time; the most recent revision is always available on Cisco.com.
These release notes provide:
•
New and Changed Features
• Product Documentation
• Related Documentation
• Resolved Problems
• Known Problems
• Obtaining Documentation
• Documentation Feedback
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
New and Changed Features
If you are a previous user of Firewall MC and you upgraded to Firewall MC 1.3.2, you will experience new functionality. Release 1.3.2 contains the following new and changed features:
•(New/Changed) Firewall MC for Solaris includes full feature parity with Firewall MC for Windows. To see lists of the new and changed features that were implemented for Windows in Firewall MC releases 1.3 and 1.3.1, go to the following URLs:
– http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc_1_3/rne13win.htm#wp1153393
– http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc131/rn131win.htm#wp1008528
•(New) Firewall MC includes operating system support for PIX OS 6.2(4), PIX OS 6.3(4), and FWSM 1.1(4).
•(New) Any changes that you make to the names of device interfaces are propagated automatically to all rules, settings, and building blocks that reference the old interface name.
•(New) When you create a named pool of IP addresses for dynamic assignment to remote VPN clients, you can specify subnet mask information for devices that use PIX Firewall OS 6.3(4) or later.
•(New) You have the option to clear all existing ACLs from an FWSM before you deploy access control lists (ACLs) to it. By using this option, you reduce the risk of out-of memory errors on the network processor when too many ACLs are active.
•(New) AAA fallback is supported, which provides the ability for authentication requests to fall back to the local user database on a PIX Firewall or FWSM if the primary AAA server fails. More specifically, AAA fallback is supported in these Firewall MC 1.3.2 features:
–Building blocks, including AAA server groups.
–VPN settings, including XAuth/Mode.
–Device-level settings, including AAA admin authentication.
•(New) Firewall MC supports the FWSM 2.2 features that allow you to configure the maximum number of UDP sessions for a given host. Earlier versions of FWSM allowed you to configure only the maximum number of sessions for TCP.
•(Changed) There is a group setting for device contact information.
•(Changed) You can select your preferred way of defining port ranges for service definitions and you have greater flexibility in determining which ports define the ends of a range.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available.
Related Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 describes the additional documentation that is available.
Resolved Problems
Table 3 lists problems that have been resolved since the last release of Firewall MC.
Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
Table 3 Resolved Problems in Firewall MC 1.3.2
Bug ID
|
Headline
|
CSCed70306
|
Can not copy and paste rules in Expanded Rule Table
|
CSCee48337
|
Incorrect interpretation of PPTP rules, 1732 instead of 1723
|
CSCee68755
|
Page blank while viewing a activity report
|
CSCsa02754
|
Local User Password and Confirm password should get cleared on error
|
CSCsa06605
|
Deleting or renaming interface causes generation errors
|
CSCsa08606
|
ACS - Firewall MC must not be in 'Not Assigned' Network Device Group
|
CSCsa09237
|
Activity report won't save to networked drive, user sees blank window
|
CSCsa09252
|
Activity Reports > FW Device Contact Info reported as Auto Update Server
|
CSCsa10695
|
View All Static rules and translation rules has PAT/NAT statics reversed
|
CSCsa10890
|
Netscape7.1: On closing the Activity ,pixmc got disappered
|
CSCsa10912
|
Undoing an activity in which you move a group or device causes data loss
|
CSCsa10913
|
Filter by traffic direction in translation exemptions table not working
|
CSCsa11338
|
Performance limitations to import and deploy
|
CSCsa11632
|
Moving a subgroup leaves source group locked
|
CSCsa14222
|
Upgrade 1.2.2 to 1.3 (98) failed
|
CSCsa16292
|
FWMC does not support Filter ** Except commands
|
CSCsa18033
|
Apostrophe in activity comments causes blank activity management page
|
Known Problems
This section contains the following problems known to exist in this release:
• Security Context Known Problems, Table 4
• Activity Management Known Problems, Table 5
• Authentication Known Problems, Table 6
• Configuration Known Problems, Table 7
• Database Known Problems, Table 8
• Deployment Known Problems, Table 9
• GUI Known Problems, Table 10
• Import Known Problems, Table 11
• Installation and Upgrade Known Problems, Table 12
• Reporting Known Problems, Table 13
• Firewall MC Server Known Problems, Table 14
• Known Problems with CiscoWorks Common Services that Affect Firewall MC, Table 15
• Known Problems with VMS that Affect Firewall MC, Table 16
Note•The problems in the following tables are known to affect Firewall MC 1.3.2. However, some of the problems were found in earlier releases of the product, so they might contain references to PIX MC and CiscoWorks2000. Any such references apply to Firewall MC and CiscoWorks as well.
•To obtain more information about known problems, use the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
Table 4 Security Context Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCec52434
|
The Diff With Running Config option does not work in some cases.
|
In the Import Summary window (at the end of the device import process), the Diff With Running Config option sometimes does not show the configuration differences between the configuration imported into Firewall MC and the configuration on the device. The Diff result window is blank. This occurs when the configuration on the device contains commands that are unsupported in Firewall MC.
To work around this problem, remove any unsupported commands from your configuration prior to importing. For more information, see Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.3.2.
|
Table 5 Activity Management Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa11789
|
Undoing and approving the same activity causes an error.
|
An error message might be displayed if two users try simultaneously to change the state of an open activity. For example, you might see an error if one user tries to undo an activity at the same time another user tries to approve the activity.
To work around this problem, log out of your server, then log in again.
|
CSCsa11362
|
If there is an apostrophe in a device or group name, then can't see activity in Take Over Changes.
|
If an activity locks a device or a group that has an apostrophe in the name, Firewall MC will not recognize the activity within the Take Over Changes feature and you will not find the activity listed.
To work around this problem, remove the apostrophe from the device or group name.
|
CSCsa11332
|
No Workflow, clicking two buttons within a table creates two activities.
|
If you are not using workflow and your first action is to navigate to a rule table and click several buttons within the applet in rapid succession, Firewall MC might erroneously create two activities. You will not have this problem if you performed any other action for which Firewall MC would have already created an activity.
If Firewall MC does create two activities in such a situation, you could be locked out of the particular device or group that you were working in.
To work around this problem, enable workflow and undo the activity causing the lock. You can then turn off workflow and proceed with your activities.
|
Table 6 Authentication Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCee04957
|
Partial support for changing AAA authentication server for HTTP.
|
You see the following message if you try to change AAA authentication server settings for HTTP:
Directly changing AAA authentication
settings for HTTP is currently not
supported! It's recommended to disable
AAA authentication first and deploy the
change, then turn it on and deploy again
with the new settings.
To work around this problem, do the following:
1. Select Configuration > Device Settings > AAA Admin Authentication, then disable AAA authentication for HTTP and save your changes.
2. Select Configuration > Device Settings > Firewall Device Contact Info.
3. Enter the enable password as the future contact.
4. Deploy the changes.
5. Select Configuration > Device Settings > AAA Admin Authentication, then reenable AAA authentication for HTTP.
6. (Optional) Make other planned server changes, at your discretion.
7. Enter the AAA username and password as the future contact, then deploy your changes.
|
CSCsa09292
|
Help Desk > VPN > IKE Options > Pre-shared Keys > View Keys null pointer.
|
If you access the VPN > IKE Options > Pre-shared Keys page and your permission settings do not allow you to modify settings on that page, you receive an exception error if you click View Keys.
To work around this problem, log in as a user who has adequate permissions.
|
CSCsa09289
|
Help Desk > Rules tables Edit, Copy, Cut & Delete active if rules exist.
|
In no-workflow mode, a user with view-only privileges, such as the Help Desk role, can modify the rule table. The user cannot, however, perform the Save, Generate, and Deploy option.
To work around this problem, take over the changes of the Help Desk user from a privileged account, and then undo the changes.
|
CSCdy40186
|
Users with help desk role cannot view activity report.
|
If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission.
To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.
|
Table 7 Configuration Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa18286
|
VPN > IKE Options > FQDN/IP Exceptions - cannot edit created setting.
|
Firewall MC allows you to enable XAuth and Mode Config simultaneously. No error message is displayed in the GUI. These commands are mutually exclusive and errors occur when you try to deploy the flawed configuration to the device.
The only workaround is to select either XAuth or Mode Config, but not both, then regenerate the configuration and redeploy it.
|
CSCsa09822
|
Deleting firewall rules does not remove auto nat & static cmds - no edit.
|
If you set Identity Address Translation Rules to "Only" or "On" (Configuration > MC Settings > Management), Firewall MC generates NAT or static commands corresponding to addresses in both AAA rules and firewall rules.
To work around this problem, turn off Identity Address Translation Rules, which will also disable address translation for firewall rules.
|
CSCsa08703
|
View all hex value ethertype option shows blank value.
|
If you try to view or edit an Ethertype rule that has a hexadecimal Ether value, the Ether value on the Ethertype Rule window will be blank.
To work around this problem, note the hexadecimal Ether value on the main Ethertype Rules table before viewing or editing the Ethertype rule. If you are editing the rule, you must enter this value before you click OK.
|
CSCsa20218
|
Firewall MC allows invalid PIX failover configuration generation.
|
When failover is configured for a PIX Firewall, all enabled interfaces must be configured for failover with an IP address. If an enabled interface is not configured with an IP address, then the generation fails the first time you generate and Firewall MC will substitute 0.0.0.0 for the IP address. This substituted IP address is not caught during later generations and the configuration reflects the 0.0.0.0 address, which causes an error on device.
To work around this problem, ensure that the failover IP addresses for all enabled interfaces are properly defined.
|
CSCed75282
|
Failover enabled without correct IPs on each interface errors.
|
When the failover IP address is not on the same subnet as the interface IP address, a generate error occurs. When you click the View Errors link, you do not see any error messages in the generated configuration.
To work around this problem, specify a failover IP address that is on the same subnet as the interface.
|
CSCsa11048
|
Different pre-shared key policies with same key not permitted/generated.
|
In some cases, it is possible to get errors while generating ISAKMP Preshared keys in a configuration even though the Tunnel Consistency panel in the GUI says the keys match on both ends of the tunnel.
Assume there is a tunnel between peers A and B, and A has a default preshared-key policy and B has a user-defined key for A's IP address. When you generate commands for A and B, Firewall MC will incorrectly generate errors saying no valid key is present for the respective peer even if A's default keystring is identical to B's user-defined keystring for A. However, the Tunnel Consistency check panel for this tunnel shows there is no key mismatch.
To work around this problem, set the same pre-shared key policy on both A and B. Either have user-defined keys on both ends, or have default keys on both ends.
|
CSCsa08680
|
There is no warning that vpnclient won't work when vpngroup missing.
|
Deploying partially configured Easy VPN Remote settings to a device does not issue a warning and the Easy VPN Remote is disabled on the device. The deployment transcript shows a message from the device that reads: Warning: No router certificate for key exchange. PIX Easy VPN
Remote disabled.
To work around this problem, make sure that the Group Name is entered on the Configuration > VPN > Remote Access > Easy VPN Remote.
|
CSCsa10157
|
Second level Group doesn't allow both to Inherit and to Enforce/Mandate.
|
On any Configuration > Device Settings page, the Inherit Settings and Enforce/Mandate check boxes cannot be selected at the same time. When one check box is selected, the other one is disabled. Because of this limitation, you cannot inherit settings on a group while mandating that all children of that group use the same settings.
There is no workaround.
|
CSCsa10862
|
Object groups still refer to deleted objects.
|
When you delete an object (service, service group, or network object), references to that object are not automatically removed from other object group definitions. If an object group with reference to a deleted object is used in a rule, generating a configuration that uses the rule results in a generation error.
To work around this problem, manually remove all references to deleted objects.
|
CSCsa09481
|
Cannot turn off failover on interface.
|
If you define a failover IP address for an interface, but failover is not enabled, the generated commands include the failover IP address. Some failover commands always show up in the generated configuration, because the Failover page does not have a means to delete these failover IP addresses from the generated configuration.
These commands do not affect the device's behavior when failover is disabled. On a device without a failover license, deploying failover commands does not cause a deployment error. The device ignores the commands.
There is no workaround.
|
CSCsa04493
|
AAA Rules permits LOCAL authorization/accounting for invalid services.
|
AAA authorization and accounting using the LOCAL protocol is permitted only for console, cut-through authentication, and command authorization services. The LOCAL AAA protocol is supported only in PIX Firewall OS 6.3 and later.
Services such as HTTP, FTP, and Telnet (cut-through proxy) can be enabled only for LOCAL AAA authentication and not for authorization and accounting and should not be enabled within Configuration > Access Rules > AAA Rules.
|
CSCsa04486
|
Fixup protocol esp-ike & isakmp enable <interface_name> cannot co-exist.
|
The following commands cannot coexist on a firewall device:
•fixup protocol esp-ike
•isakmp enable <interface_name>
However, Firewall MC enables you to configure both commands without generating an error.
The error is caught at the device and the deployment fails with an error saying:
PAT for ESP cannot be enabled since
ISAKMP is enabled.
To work around this problem, do not place these two commands in the same configuration.
|
CSCea14915
|
Deploy fails if number of interfaces in GUI and device differ.
|
When working in the Firewall MC GUI, sometimes the number of interfaces or their respective hardware IDs do not match those on the physical device. An example of this is if you were to define only ethernet0 and ethernet1 in the GUI when the device also has ethernet2. During deployment, Firewall MC tries to remove all configuration settings for the undefined interface, such as its IP address, which causes deployment errors and possibly traffic flow failure on that interface, depending on the settings you established for error handling.
To work around this problem, make sure the interface configuration in the GUI matches the configuration on the device. This includes the number of interfaces and their hardware IDs.
|
CSCsa07223
|
Spoke-grp two S2S tunnels to Hub-dvc same intf unsupported auto-gen key.
|
When you have multiple tunnels between a pair of devices where the same interface is used as the endpoint on one of the two devices, Firewall MC does not accurately create pre-shared keys for automatically generated and default key policies.
For example, consider two devices (A and B) with two tunnels (Tunnel-1 and Tunnel-2) between them:
Tunnel-1: A:inside <------> B:outside
Tunnel-2: A:outside <-----> B:outside
In this example, both tunnels end on the same interface of device B, while ending on different interfaces on device A. In such cases, Firewall MC automatically generates keys for one of the two tunnels, but not for both.
To work around this problem, specify user-defined keys on both devices (A and B). On device A, specify a single key for B:outside. On device B, specify two keys, one for A:inside and one A:outside. These key values should be identical.
|
CSCsa06656
|
Auto NAT settings can impact dual dynamic NAT.
|
PIX Firewall and FWSM implemented dual-NAT differently. Firewall MC follows the FWSM semantics.
On the PIX Firewall, if a dynamic NAT rule is applied to an interface with a lower security level, then you must define static translation rules to enable outgoing traffic from all other networks attached to that interface.
On FWSM, adding a dynamic translation rule does not require static translation rules to be defined for all other outgoing traffic (high to low security level interface traffic).
Firewall MC does not allow you to use the Identity Address Translation feature to auto-generate statics for outbound traffic when a dynamic translation rule exits on a lower security interface in a PIX Firewall configuration. You must manually define any such identity statics.
|
CSCsa06655
|
For FWSM, all policy statics are higher priority than all old statics.
|
The evaluation order of the static address translation rules differs between PIX OS 6.3.x and FWSM 2.x.
PIX OS 6.3.x evaluates in the following order:
1. Port-based statics (policy statics and original style statics intermixed)
2. Host-based statics (policy statics and original style statics intermixed)
FWSM 2.x evaluates in the following order:
1. Port-based policy statics
2. Host-based policy statics
3. Port-based original style statics
4. Host-based original style statics
Firewall MC models the PIX implementation. During import, Firewall MC assumes the PIX OS evaluation order. In most cases, this does not cause problems for FWSM. If you view the existing configuration on an FWSM, all policy statics appear before the original style statics. In this case, as long as the port or host-based statics are not split between the two styles, Firewall MC accurately imports the static address translation rules.
On generate, this presents no problem. Firewall MC generates only original-style statics or policy statics followed by original-style statics (if the Identity Address Translation feature is enabled).
|
CSCsa05925
|
Internet Explorer hangs when you click away from page with applet before certificate dialog.
|
The Firewall MC window and CiscoWorks Desktop window might become unresponsive if you access the Configuration tab, then click the Firewall MC window again before the certificate dialog appears.
To work around this problem:
1. Open Windows Task Manager.
2. Click the Applications tab.
3. Select the Internet Explorer tasks that are not responding.
4. Click End Task.
5. Open a new browser, log in to CiscoWorks again, and then launch Firewall MC.
6. Click the Configuration tab, and then wait for the Certificate popup window to appear.
7. Accept the certificate.
|
CSCsa02311
|
Failover settings cannot be inherited.
|
The Inheritance settings for the Failover Interfaces configuration table fails to display any inherited interfaces defined at the parent scope.
No workaround is available.
|
CSCed19812
|
Policy NAT ACL on PIX Firewall contains alias addresses.
|
When you import a PIX Firewall configuration that uses policy NAT rules that are not generated by Firewall MC, the rules retained in the GUI might not match the intended rules.
No workaround is available.
|
CSCsa02734
|
Special characters are allowed in the IPSec Transform Set Name on the PIX Firewall, but Firewall MC returns an error when they are used.
|
If you are adding an IPSec transform set from Configuration > Building Blocks > IPSec Transform Sets and you use certain special characters (&,<,>,",~,^,|) in the transform set name, Firewall MC returns an error saying that these characters are not allowed, even though they are valid on a PIX Firewall.
To work around this problem, do not use these special characters in IPSec transform set names.
|
CSCeb61418
|
Static port address translation (interface) not supported.
|
Firewall MC does not support the interface keyword in the static command.
To work around this problem, avoid using the interface keyword in the static command. Use the actual address instead of the interface keyword. In a situation where the address is not known because DHCP is providing the address, no workaround exists.
|
CSCdz48293
|
PIX Interface command accepts VLAN as hardware ID.
|
When importing from file, Firewall MC allows the command interface vlan<n> [[<hw_speed> [shutdown]] to be issued or imported for PIX Firewall versions earlier than version 6.3 even though the VLAN is valid only for FWSMs and PIX Firewalls version 6.3 and later.
To work around this problem, make sure the VLAN hardware identifier is used only for FWSMs and PIX Firewalls version 6.3 and later.
|
Table 8 Database Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa10812
|
Group is locked by a discarded activity.
|
After you upgrade or restore a database that you saved from a pre-1.3 release of Firewall MC, an activity that you discard might leave a device group locked if the activity moved a device to or from that group.
To work around this problem, you must prune the discarded activity:
1. Select Admin > Maintenance.
2. In the Purge Approved/Discarded Activities Older Than field, enter the numeral 0.
3. Click Purge Now.
|
CSCeb73547
|
Benign database errors appear in log files.
|
The following messsage, seen in various log files, is innocuous: Persistence Error - slot read failed for non-determinable reason, 308, Persistence, Unknown, DEBUG.
This message might appear in the install log, operation log, or Tomcat stdout.log files. This message might appear at the time of installation or in the course of ordinary system operation.
No workaround is required.
|
Table 9 Deployment Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa17120
|
Firewall MC generates a false warning for IP verify reverse-path command.
|
If you enable anti-spoofing at either the global or group level, Firewall MC might generate this false warning: The inherited feature Anti Spoofing is not supported in this firewall OS version.
You can safely ignore this false warning.
|
CSCsa06265
|
PIX OS 6.3(3)112 new cmd access-list object-group-search deploy issues.
|
Firewall MC does not fully support the PIX OS command access-list name object-group-search.
You can use this command in the ending commands if you know the name of the access list.
When you deploy to a file or to AUS, the generated name is the name of the access list.
When you deploy to the device, if the access list must be modified, then Firewall MC uses the generated name or a variant that is the generated name with a suffix in the form _#.
|
CSCsa15105
|
Erroneous message in Tomcat error log.
|
At least one Failed to generate preshared keys error is logged in the /opt/CSCOpx/MDC/tomcat/logs/stdout.log file in Solaris when you generate and deploy a configuration that does not include any VPN tunnels. The message is erroneous.
No workaround is required.
|
CSCsa28528
|
Deploy failure could leave unbound ACLs on the device.
|
Deployment fails and the transcript shows that failure occurred at an arbitrary point, possibly while deploying ACL entry commands.
When several deployments fail, unbound ACLs might remain on the target device. These access lists are ignored during future deployments but might affect memory usage and lead to an out-of-memory condition for a future deployment.
To work around this problem, inspect the configuration on the device to see which access lists are in use and which access lists are defined. Remove the unused access lists with the command no access-list unused_name.
|
CSCsa09742
|
Deploying no isakmp client configuration address-pool local reboots PIX.
|
Deploying no isakmp client configuration address-pool local <poolname> <pifname> causes a PIX Firewall running 6.3(x) to crash and reboot.
This is a problem with the PIX hardware. To obtain more information about this problem, go to the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl and refer to bug ID CSCed57964. (You will be prompted to log into Cisco.com.)
The effect on Firewall MC is that the deployment is not completed.
There is no workaround other than to do a clear isakmp on the device before deploying, and to configure Firewall MC to overwrite external changes by setting the Action on External Change to Device Config setting to Overwrite (Configuration > MC Settings > Management). However, this removes all isakmp commands—both isakmp and isakmp policy—which causes a temporary network outage. Firewall MC then reapplies these commands.
|
CSCsa08905
|
Part of the deploy transcript is out of order.
|
The deploy transcript is out of order with version and checksum information. This might cause confusion when you view the transcript. The checksum is actually obtained when you retrieve the configuration from the device before deployment.
No workaround is available.
|
Table 10 GUI Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa24123
|
No error occurs when an incorrect support file path is provided.
|
In the Support Info page, an absolute pathname is required when you define the target directory for the mdcsupportinformation.zip file. If you enter a relative path using only " \ " or " / " or you enter "temp" as a plain directory name with no directory-level context, the support file is not created and no error message is displayed.
To work around this problem, use an absolute pathname when you define the target directory for the mdcsupportinformation.zip file, such as:
•Windows— d:\temp
•Solaris— /temp
|
CSCsa09926
|
Interfaces > PPPoE wizard fails to detect missing password.
|
When you enable PPPoE for an outside interface, the GUI fails to recognize whether you provided a password. Upon generation, the command is generated as vpdn username username password invalid-password.
To work around this problem, edit the settings for the interface to include a user password.
|
CSCsa09006
|
Firewall MC and CiscoWorks handle login name case sensitivity differently.
|
A Firewall MC message might tell you that the Global object is locked by a user with your current username, capitalized differently. This occurs when you log out without closing your activity, then log back in and capitalize your CiscoWorks username in a different way.
A CiscoWorks Server does not differentiate between uppercase and lowercase characters in usernames. It enforces case sensitivity for passwords only. Firewall MC distinguishes between differently-capitalized usernames so that, for example, ADMIN, Admin, and admin are considered different user accounts.
To work around this problem, never capitalize any letter in your CiscoWorks username when you log in.
|
CSCsa23846
|
Firewall MC should not allow the user to change the inside interface name.
|
When you import a PIX device into Firewall MC and use the GUI to change the name of the PIX inside interface, then deploy the name change to the PIX device, the device does not accept the name change. The Firewall MC GUI displays no error and no warning.
The inside interface on the PIX device must have a security level of 100. This is a requirement of the device.
There is no workaround.
|
CSCsa17645
|
Service Groups table is hidden after a failed paste.
|
If the GUI displays an error message after you try to paste a copied service group into the building blocks Service Groups page, and you dismiss the error message, the service groups table is no longer visible.
To work around this problem, click Service Groups in the TOC.
|
CSCsa15368
|
Can't change FWSM version and use Failover.
|
If you change the OS version of an FWSM device from 1.x to 2.x, or from 2.x to 1.x, an error message is displayed when you try to access the Failover page for that device.
To work around this problem:
1. Select Devices > Managing Groups.
2. Select the group that contains the FWSM device for which you changed the OS version, then click Edit.
3. Click Next on each page without changing any attributes, then click Finish on the final wizard page.
|
CSCsa09327
|
Help Desk GUI view privilege concerns.
|
A user with view-only privileges, such as the Help Desk role, can see some sensitive information, such as:
•AAA server groups shared secret.
•Any passwords/keys that are placed in the ending commands at import time, for example OSPF or NTP authentication keys.
•LAN failover shared key.
•IKE shared secret.
•SNMP community string.
These items are displayed on pages in the clear, so access to the page allows their direct viewing.
There is no workaround.
|
CSCsa26637
|
Firewall OS field is blank when accessing Firewall MC in Solaris Netscape 7.0 browser.
|
Some lists in the Firewall OS Version page (Configuration > Device Settings > Firewall OS Version) display no information until you click them.
This problem affects Firewall MC 1.3.2 for Solaris only, with Netscape 7.0 as the client.
To work around this problem, click a list and select an option from it.
|
CSCsa07112
|
Firewall MC does not generate failover bootstrap link or asterisk next to failover device.
|
There are two problems (labeled Problem A and Problem B) in the way that Firewall MC handles failover settings.
Problem A
If any LAN-based failover setting is changed, Firewall MC indicates that bootstrapping is needed by putting an asterisk after the name in the generation summary page and providing a link to the bootstrap commands. However, Firewall MC does not check whether failover is enabled during this process. Consequently, after Firewall MC imports a device that has LAN-based failover enabled but failover disabled, bootstrap information is provided, but is not necessary and mistakenly turns failover on if pasted to the device.
To work around the problem, ignore the LAN-based failover bootstrapping information provided by Firewall MC if you do not have failover enabled on a device.
Problem B
If a FWSM 2.x device has the failover lan interface command configured but failover disabled, Firewall MC turns its failover setting on and generates the failover command after importing this device.
To work around the problem, either remove the failover lan interface command from the device before importing, or disable the Enable Failover check box before generating a new configuration.
|
CSCed70305
|
Select all in rule table doesn't always select all.
|
If you try to select all rules in the access rules table while the table is still loading, not all rules will be selected.
To work around this problem, wait until the table is fully loaded before you select all the rules.
|
CSCsa10544
|
User encounters blank or badly formatted page.
|
There are certain areas in Firewall MC where Javascript is used to refresh or reload the main page or a status window. Occasionally, the Internet Explorer browser gets stuck when executing this Javascript code. When this happens, one of the following symptoms might appear:
•The browser goes to a white screen and sits there for minutes, and when it eventually loads the page, the formatting of the fonts and a lot of the layout is distorted, but the browser itself is still active.
•The browser goes to a white screen and never recovers. In this case, Internet Explorer can be either active or inactive (locked up).
To work around this problem, press F5 to reload the page. If the browser does not recover, then close all Internet Explorer windows, make sure the process itself is shut down (IEXPLORE.exe in the Task Manager), and then launch a fresh Internet Explorer and restart Firewall MC.
|
CSCsa11281
|
Edit Rule during Rule Table load slow.
|
If you try to edit a rule while the table is loading a large rule set, it takes a long time to return to the rule table after you click OK.
To work around this problem, wait for the rules to load completely in the table before you try to edit a rule.
|
CSCsa09551
|
Cut, copy and paste of IPSec tunnel templates removes transform sets.
|
When you paste an IPSec Tunnel Template on the IPSec Tunnel Templates page (Configuration > Building Blocks > IPSec Tunnel Templates), the Transform Set used by the template is lost and its value is set to None.
To work around this problem, you must edit the IPSec Tunnel Template, and then reselect the IPSec Transform Set for the template after pasting.
|
CSCsa08562
|
With workflow, pressing Approve right after Reject throws null pointer.
|
In workflow mode, after an activity is submitted, the activity can be either approved or rejected. If you press the Reject button and then enter an activity transition comment, you see that the Approve button is still active. If you press the Approve button while the rejection is in progress, a null pointer exception occurs.
To work around this problem, do not press the Approve button when an activity rejection is being processed.
|
CSCed65692
|
MAC Address table setting doesn't override when timeout is blank.
|
On the MAC Address Table page (Configuration > Device Settings > Transparent Firewall > MAC Address Table) and DHCP Relay Server page (Configuration > Device Settings > Servers and Services > DHCP Relay Server), you cannot clear the timeout setting if the table of interfaces for the feature is empty and timeout value is specified at the parent scope. When you clear the timeout setting and click Apply, the Inherit settings check box is automatically selected and the parent value is inherited.
To work around this problem, add a row to the table and then delete the row before you clear the timeout field. You can then clear the timeout field and click Apply without the parent value being inherited.
|
CSCec73144
|
Firewall MC occasionally crashes when changing scope.
|
A Windows performance setting enables you to optimize performance for either applications or background services. If you have background services selected, then the browser might return exceptions or crash when you access the Object Selector. This behavior is very likely to happen if the client and server are on the same system.
To work around this problem, make sure that the operating system response is optimized for applications and not for background services:
1. Select Start > Settings > Control Panel > System.
2. Click the Advanced tab.
3. Click Performance Options.
4. In the Application response box, make sure that the Applications radio button is selected.
5. Click OK.
|
CSCec76430
|
FWSM no longer supports periods in the hostname.
|
Firewall MC follows the PIX 6.x format for hostnames; however, FWSM 2.x no longer supports periods in the hostname (for example, "my.pix.1"). Therefore, you will be able to define an erroneous hostname for FWSM 2.x in Firewall MC. The FWSM 2.x device will catch this error as a deployment error.
To work around this problem, do not add a period to the hostname of an FWSM 2.x device.
|
CSCec90250
|
Modal dialog boxes intermittently stay open when using Netscape.
|
When using Netscape, form items in modal dialog boxes have focus problems if you attempt to select the parent window. (A modal dialog box is one in which you must make a selection or click a button before you can continue.) After you click the parent window, you cannot select an item, by using a mouse or by pressing Tab, within the form in the modal dialog box. Text fields are particularly susceptible to this issue.
To work around this issue, do one of the following:
•Close or cancel out of the modal dialog box. Reopen the modal dialog box, and do not try to select the parent window.
•Click the help link in the modal dialog, then close the help window. The items in the form should behave properly now. Do not try to gain focus on the parent window.
|
CSCsa04337
|
VLAN ID 4096 accepted in GUI and no error displayed after configuration generation.
|
Firewall MC allows a user to enter a VLAN ID greater than 4095 without generating an error. However, subsequent deployment of the generated configuration might fail because of this illegal VLAN ID.
To work around this problem, do not enter a VLAN ID greater than 4095.
|
CSCsa04546
|
GUI should warn about duplicate IKE policies.
|
If a configuration has two IKE policies with different priority numbers but the same parameters, these two IKE policies can still be generated and deployed without warning, and the firewall device simply removes the duplicate policies when it receives deployment.
To work around this problem, do not define two or more IKE policies with different priority numbers but the same parameters.
|
CSCsa07589
|
Incorrect GUI restriction for user-key for managed objects.
|
If you select a hub's outside interface and create a user-defined preshared key, you are not able to create a second user-defined preshared key for the same hub's inside interface. An error results stating: User key with the same peer or with the same peer IP address already exists.
To work around this problem, create a key based on an IP address instead of a managed device interface.
|
CSCeb52284
|
Cannot add a rule using tear-off view if no rules exist.
|
The access rule table does not provide a popup menu unless there are rows in the table. If you expand a table that does not have rules, you cannot insert a rule because the popup menu cannot appear and there are no buttons at the bottom of the expanded table.
To work around this problem, do not expand an empty table.
|
CSCdz66765
|
Using browser's refresh might cause unexpected results.
|
If you use your browser's Refresh button (or press F5) instead of using the Refresh button available on some of the Firewall MC GUI pages, you might see error messages repeated or prompts to resend data.
To work around this problem, use the Refresh button on the GUI, when available, instead of pressing F5 or using your browser's Refresh button.
|
CSCeb63147
|
Activity report lists all fixup ports when only one was changed.
|
If you change any fixup settings, all fixups that are displayed on the Basic or Multimedia Fixup page and checked as active appear on the Activity report even though they were not changed.
There is no workaround.
|
CSCeb24910
|
Activity report does not list deleted devices.
|
The Activity report does not include deleted devices if the parent group was also deleted in the same activity.
There is no workaround.
|
CSCdy59201
|
Inherit settings from lists wrong group name when not inheriting.
|
If you deselect the Inherit settings check box, the text reads Inherit setting from: Global, instead of specifying the group from which the information would be inherited were this item selected. This is only a display problem. If you select the Inherit settings from check box, Firewall MC inherits correctly and the updated page shows the group from which you inherit.
To work around this problem, use the object selector or the links next to Scope to advance through the hierarchy toward Global and learn from where the settings are inherited. The closest ancestor that has its own settings (not inherited) is the one from which settings are inherited.
|
Table 11 Import Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa24914
|
A high number of NAT 0 and Route commands slows import and generation.
|
When many route entries (in the order of thousands) exist and when the number of access-group ACLs is also high, Firewall MC import and generate performance suffers. It takes a long time (potentially a few hours) to import or generate such configurations.
This problem happens when an extraordinarily high number of route statements (thousands) in a configuration that has a large set of access rules exists. If the routes are few (tens or even low hundreds), the performance is acceptable.
To work around this problem, manually remove superfluous NAT 0 and Route commands.
|
CSCsa24222
|
Generate and import hang if config contains a high number of statics.
|
If you import or generate a device configuration with thousands of static translations, Firewall MC requires an extended amount of time to check if statics overlap and complete the operation.
This situation occurs when you import a configuration that contains a large number of identity statics that were created to permit traffic going from low to high security interfaces.
To work around this problem, simply remove the identity statics from the imported configuration, or from the GUI. Firewall MC can recreate them as needed, if the Auto-NAT meta-setting is enabled.
|
CSCsa08178
|
Firewall MC generates unnecessary warning messages for static translation padding.
|
The generation of valid PIX configurations might trigger spurious warning messages about overlapping global addresses.
If you import a PIX configuration that contains end-point padding for identity statics, then generate it, Firewall MC might generate warning messages for the padded endpoint statics, even though they are not incorrect.
To work around this problem, you can either ignore such warning messages or you can remove identity statics from the GUI after import, then enable the Firewall MC Auto-NAT feature.
|
CSCsa29076
|
Multiuser stalls at initialization for simultaneous import by 5+ users.
|
If five or more Firewall MC users try to import configuration files from a directory at the same time, the import fails.
This problem affects Firewall MC 1.3.2 for Solaris only.
To work around this problem, avoid having more than three users import configuration files from a directory at the same time.
|
Table 12 Installation and Upgrade Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa17047
|
Back up database before Solaris upgrade.
|
When you upgrade from Firewall MC 1.2.2 on Solaris, the following message should appear, but does not:
Install will upgrade the database to the
new version. You should perform a backup
prior to upgrading. For detailed
database backup instructions, see
http://www.cisco.com/en/US/products/sw
/cscoworks/ps3996/product_user_guide.
Are you ready to continue with the
upgrade?
To work around this problem, you must perform a backup before you upgrade because the upgrade will always reinitialize (erase) the database.
|
CSCsa07730
|
During install alphabetic characters are accepted in port number fields.
|
Port numbers are represented using numbers, not characters and symbols. If you define an invalid port number, the Firewall MC services will fail to start.
To work around this problem, accept the default value or use numbers when defining your port. To correct an invalid port number, reinstall Firewall MC.
|
Table 13 Reporting Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCsa09283
|
Activity Reports fails to display Add PPPoE Information parameters.
|
The activity report does not show detailed setting changes for an interface if the interface type is PPPoE.
There is no workaround.
|
CSCsa10776
|
VMS2.2-BT: Activity Report shows no change-data for pre-upgrade activity.
|
When you upgrade Firewall MC, any activity reports for prior changes are lost.
To work around this problem, save the activity reports to an XML file before you upgrade.
|
CSCsa13690
|
AAA Server Group Name is live in Activity and Device Setting Report.
|
If you change a AAA Server group within an activity, this change is captured in the activity report. One of the entries in the report is the AAA Server Group name. Currently, even after the activity has been approved, the AAA Server group name in the report always reflects the name in the live system, not the one created in the activity. Thus, the new server group name is applied retroactively in reports.
To work around this problem, save the activity report to a file after the activity has been approved.
|
CSCsa19215
|
Configuration difference report fails to work in some cases.
|
When comparing a configuration in Firewall MC with one on a device, if there are ACLs in the device configuration that are not bound to an interface, then Firewall MC cannot match them with the ACLs in the Firewall MC configuration.
To work around this problem, bind any unbound ACLs to an interface or remove them.
|
CSCed66577
|
Ending commands are not retained in activity reports.
|
When you select the Inherit Settings check box on the Configuration > Device Settings > Config Additions > Ending Commands page, any information in Ending Commands at the current scope is removed. The information that was in Ending Commands is not retained in the activity report, and you will not be able to get this information back without undoing the activity.
No workaround is currently available.
|
Table 14 Firewall MC Server Known Problems
Bug ID
|
Headline
|
Additional Information
|
CSCee93803
|
FWSM generates benign SSL_SYSCALL_ERRORs when busy processing traffic.
|
Firewall MC sometimes displays SSL_SYSCALL_ERRORs for an FWSM during a Firewall MC deployment when the FWSM is busy processing traffic.
These errors were determined to be benign during testing. However, if Firewall MC reaches 500 such errors, the deployment fails.
To work around this problem, deploy when the FWSM is less busy.
|
CSCsa09355
|
If a JRE is not installed, Internet Explorer might take 5 minutes to prompt to install.
|
Internet Explorer sometimes takes an inordinate amount of time to determine the plug-in necessary to launch a Java applet, determine if it needs to obtain the plug-in, and finally actually initialize the download of the plug-in.
To work around this problem, wait for Internet Explorer to install the JRE.
|
CSCea80500
|
Last detected version not in effect if config and device mismatch.
|
When you upgrade the PIX Firewall OS version on a device and Firewall MC is set to Last Detected Firewall OS Version (Configuration > Device Settings > Firewall OS Version), deployment fails and you receive an error message about version mismatch.
To work around this problem, set the Firewall OS version manually, and then redeploy with this change.
|
Table 15 Known Problems with CiscoWorks Common Services that Affect Firewall MC
Bug ID
|
Headline
|
|
The following problem was seen during Firewall MC testing. More information is available in the Release Notes for CiscoWorks Common Services at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html. Specific details are available from the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
|
CSCsa25877
|
View config page failed to show all the rules on Solaris.
|
Configuration data in the View Configuration page is truncated for configurations that contain more than 56 Kb of data.
This is only a display problem, and it affects Firewall MC 1.3.2 for Solaris only.
To work around this problem, deploy to a file and verify that configuration data is intact.
|
Table 16 Known Problems with VMS that Affect Firewall MC
Bug ID
|
Headline
|
The following problems have been seen during Firewall MC testing. More information is available in the Release Notes for CiscoWorks Common Services at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html. Specific details are available from the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)
|
CSCin69274
|
CSA Agent queries upgrade of FWMC from 1.2.2 to 1.3
|
CSCdx74061
|
Scheduling future Backups and Compacts requires two steps.
|
CSCdx74308
|
Services do not start after reboot during installation.
|
CSCdy02949
|
Difficulty browsing CiscoWorks2000 desktop from server machine.
|
CSCdy06590
|
Restore requires reboot.
|
CSCdy25551
|
MDCSupport utility does not erase its temporary directory.
|
CSCdy26688
|
Cannot launch CW2K desktop after Common Services installed on system with netForensics.
|
CSCdy28951
|
Licensing error when SQL service is not started
|
CSCeb11926
|
Hour and minute are not working for repeat backup database
|
CSCin11975
|
Changing the Windows password causes service startup to fail.
|
CSCin14028
|
CiscoWorks links do not work due to change in server IP address.
|
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
•World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
Copyright © 2002-2004 Cisco Systems, Inc.
All rights reserved.
