
Release Notes for Management Center for Firewalls 1.3 on Windows 2000


These release notes are for use with the CiscoWorks Management Center for Firewalls (Firewall MC) 1.3. Firewall MC is a web-based interface that enables you to configure new PIX Firewalls and Firewall Services Modules (FWSMs) and import configurations from existing firewalls. You can configure firewall device settings, access rules, and translation rules, and deploy these configurations to your network. Firewall MC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes.

These release notes contain:

New Features

Product Documentation

Related Documentation

Resolved Problems

Known Problems

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

If you are a previous user of Firewall MC and you upgraded to Firewall MC 1.3, you will notice the following new design enhancements and features:

You can now create or edit building blocks for network objects, service definitions, and service groups from Access Rule tables.

You can now define these additional web filter rules: Filter Java, Filter ActiveX, Filter HTTPS, Filter FTP, and Filter URL Except. With the addition of Filter Java and Filter ActiveX, support for working with N2H2 URL servers has also been added. We also now support the long-url option for Filter URL and you can define actions to be taken based on the type of traffic for specific filter rules.

Support for dynamic and static policy NAT—You can now define policy translation rules that match on the source and destination conditions of network packets. Although these rules are not visible in the Firewall MC GUI (by default), you can change the default setting to display the rules in the translation tables.

In addition, the order of evaluation has changed. Previous versions of Firewall MC optimized translation rules around a "best match" scheme. As of this release (1.3), Firewall MC defaults to the firewall device logic, which uses a "first match" scheme for all rule types other than dynamic NAT.

Easy VPN Server—The Easy VPN Server feature allows you to configure a PIX Firewall to operate as an Easy VPN Server that can push a VPN configuration to any Easy VPN Remote device, greatly simplifying configuration and administration. The Easy VPN Server feature is available with software PIX OS Version 6.2 and later.

IPSec tunnels—You can use Firewall MC to configure and manage the IPSec features of Cisco PIX Firewalls to create VPN tunnels for site-to-site and remote user access.

Extended ACLs—Support has been added for "Extended ACL" for version checking during configuration generation. The keyword "extended" is supported from the CLI. OSPF ACLs are now augmented with a classification keyword "standard" in the CLI, but are still sent as ending commands in Firewall MC.

Object grouping—You can specify how Firewall MC handles object groups during device import and configuration generation.

Syslog by ACL is supported—Logging options can be specified in the GUI. ACL logging global parameters deny-flow-max and alert-interval are also supported.

Logging message levels—You can now disable logging for an individual message, and the logging level for a certain message can now be customized.

AAA local database—You can now add users to a local database on a firewall device to be used for AAA authentication.

Failover—The Failover GUI has been modified to reflect failover requirements based on the OS version recognized on the firewall device.

Management access—You can now enable or disable the Management Access feature for a single interface.

Feature tracking—You can specify how Firewall MC handles commands for features that are not supported by the OS version running on a specific device.

Taking over changes feature—You can now take over a lock held by another user when workflow is disabled.

New Telnet timeouts have been added.

1-60 for PIX Firewalls

1-1440 for FWSMs

New timeouts have been added:

Timeout ICMP

Timeout H225 (migrated from PIX Firewall)

MGCP (migrated from PIX Firewall)

New fixups have been added:

Fixup ICMP error

MGCP

TFTP

DNS

Fixup RPC (supported as an ending command)

An update to Firewall MC 1.3 will be required to support the forthcoming Firewall Services Module 2.2 release. The following features are available for early field trial customers only and are not recommended for production use:

FWSM Security Context (virtual firewall support)—You can now configure a single FWSM to behave as multiple virtual firewalls.

Standby option for IP addresses—The failover standby IP addresses configured through a security context CLI do not trigger an import error in Firewall MC; they are ignored.

Transparent firewall—You can now define a Virtual Local Area Network (VLAN) interface in transparent mode (L2 Mode). When the FWSM is in transparent mode, it acts as a Layer 2 firewall.

You can now configure access rules to filter traffic according to the value in the ethertype field of a Layer 2 packet. This applies to FWSM in transparent mode.

VLAN alias—The new FWSM 2.1 alias feature for developing portable VLAN-based ACLs is now supported.

Layer 2 (transparent mode) and Layer 3 (routed mode) firewall support—You can now enable traffic between firewall devices located in different networks (routed mode) and within the same subnet or bridged network (transparent mode).

Same security interfaces—You can now enable traffic between interfaces that are configured with the same security level.

The following features are not supported in this release and related commands can be moved to the ending commands section:

Outbound ACLs—The "out" keyword in the access-group command is not currently supported.

Ability to create and delete security contexts—Use CLI, PIX Device Manager (PDM), or CiscoView to create and delete security contexts.

Transparent mode firewall support—Platform support for this feature does not currently exist. Support will be provided in the forthcoming Firewall Services Module 2.2 release. While all attempts have been made to ensure Firewall MC 1.3 compatibility with FWSM 2.2, refer to the release notes for FWSM 2.2 to determine actual compatibility.

Split around—In Firewall MC 1.0-1.2.2, Firewall MC provided a split-around feature for NAT rules to avoid overlapping addresses. As of this release (1.3), this feature is no longer supported. Instead, a warning message is issued for overlapping addresses.

Product Documentation


Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

| Document Title | Available Formats |
|---|---|
| Installing Management Center for Firewalls 1.3 on Windows 2000 | PDF on the product CD-ROM. On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc_1_3/index.htm. Printed document available by order (part number DOC-7816034=). [1] |
| Using Management Center for Firewalls 1.3 | PDF on the product CD-ROM. On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc_1_3/index.htm. Printed document available by order (part number DOC-7816035=). [1] |
| Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.3 | On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_pix/fwmc_1_3/index.htm. |
| Context-sensitive online help | Select an option from the navigation tree, then click Help. Click the Help button in the dialog box. |

[1] See Obtaining Documentation.


Related Documentation

Product support documentation is located in the Documentation subdirectory (fwmc\documentation) on the product CD-ROM.


Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


The following additional documentation is available:

Quick Start Guide for VPN/Security Management Solution 2.2

This document describes the basic tasks involved in preparing and configuring network devices using Management Centers. It is available in the following formats:

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/index.htm.

Printed document available by order.

Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows

This document describes the basic tasks involved in installing and configuring CiscoWorks Common Services 2.2. It is available in the following formats:

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_wincv/index.htm.

Printed document available by order.

User Guide for CiscoWorks Common Services 2.2

This document describes how to use CiscoWorks Common Services 2.2. It is available in the following formats:

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/usrguide/index.htm.

Printed document available by order.

Release Notes for CiscoWorks Common Services 2.2 on Windows 2000

This document contains information on issues that affect Firewall MC. It is available on Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/rel_note/index.htm.

Resolved Problems

Table 2 lists problems resolved since the last release of Firewall MC.

Table 2 Resolved Problems 

| Bug ID | Summary |
|---|---|
| CSCdv77516 | PIX MC supports only a single browser page. |
| CSCdw37546/CSCdx05082 | You must click Apply before you leave a GUI page to save changes. |
| CSCdx11318 | Modifying routes might disconnect communication with PIX Firewalls. |
| CSCdx95909 | Problems using Back button of browser after completing a wizard. |
| CSCdy05391 | Device names shown in GUI might change during imports. |
| CSCdy19285 | Activity Mgmt page should show error msg if cmd generation fails. |
| CSCdy25929 | GUI allows incorrect PAT specs yielding incorrect device configs. |
| CSCdy35048 | Import of a configuration file with special characters hangs. |
| CSCdy77377 | PIX MC database fails when disk space or virtual memory is low. |
| CSCdy82136 | Job Status/View Config pages are not checked for privileges. |
| CSCdz39446 | You cannot view transcript when deployment fails. |
| CSCdz59302 | Global settings cause problems for devices with no outside interface. |
| CSCea22527 | Toggling Use-Local without reentering vpdn pwd sends * to device. |
| CSCea51440 | Interface import using CSV file only supports FWSM. |
| CSCea62476 | Firewall MC allows deploy to AUS with unique identity undefined. |
| CSCea71537 | Generation should not take place if there are no changes. |
| CSCea80936 | NTP server cmd on device returns an error when deployed to device. |
| CSCeb11850 | Workflow elimination fails to display LAN failover bootstrap link. |
| CSCeb19542 | Restoring from a previous database appears to hang system. |
| CSCeb41589 | Firewall MC should ignore domain name changes. |
| CSCeb42271 | icmp permit ip_address mask [icmp_type] if_name cmd fails import. |
| CSCeb55669 | Installer and uninstaller do not run. |
| CSCeb57736 | No dhcprelay server x.x.x.x [nameif] causes deploy error. |
| CSCeb59567 | Changing Easy VPN Management setting resets Easy VPN Remote. |
| CSCeb60586 | Cannot save Mandate setting on the anti-spoofing setting page. |
| CSCeb67310 | Popup windows fail to display if NS 7.1 is set to block popups. |
| CSCec17135 | Unable to disable unsupported DHCP Relay feature for FWSM. |
| CSCin49477/CSCin49479 | Shut down CSAgent required when upgrading to VMS 2.2.x. |
| CSCsa06669 | Auto-generated preshared keys between two managed peers should not report a key conflict. |


Known Problems

This section contains the following problems known to exist in this release:


Caution: Undoing activities in which you have moved a device or group can cause undesired results, such as locked activities and lost data. For more information, see CSCsa10912 and CSCsa11632 in Table 4.

Security Context Known Problems, Table 3

Activity Management Known Problems, Table 4

Authentication Known Problems, Table 5

Configuration Known Problems, Table 6

Database Known Problems, Table 7

Deployment Known Problems, Table 8

GUI Known Problems, Table 9

Import Known Problems, Table 10

Installation and Upgrade Known Problems, Table 11

Reporting Known Problems, Table 12

Firewall MC Server Known Problems, Table 13

Known Problems with VMS that Affect Firewall MC, Table 14


Note: The problems in the following tables are known to affect Firewall MC 1.3. However, some of the problems were found in earlier releases of the product, so they might contain references to PIX MC and CiscoWorks2000. Any such references apply to Firewall MC and CiscoWorks as well.

To obtain more information about known problems, go to the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)


Table 3 Security Context Known Problems 

Bug ID
Summary
Additional Information

CSCec23910

In transparent mode, Firewall MC allows routes to be configured and generated that are not in the same subnet as the management IP address.

On the Configuration > Device Settings > Routing > Static Route page, Firewall MC allows you to define routes that are not in the same subnet as the management IP address. When you deploy the configuration file to the device from Firewall MC, you will receive deployment errors because the CLI does not support this configuration.

To work around this problem, you should define the routes with the same subnet mask as the management IP address (Configuration > Device Settings > Transparent Firewall > Management IP).

CSCec52434

The Diff With Running Config option does not work in some cases.

In the Import Summary window (at the end of the device import process), the Diff With Running Config option sometimes does not show the configuration differences between the configuration imported into Firewall MC and the configuration on the device. The Diff result window is blank. This occurs when the configuration on the device contains commands that are unsupported in Firewall MC.

To work around this problem, remove any unsupported commands from your configuration prior to importing. For more information, see Supported Devices, OS Versions, and Commands for Management Center for Firewalls 1.3.


Table 4 Activity Management Known Problems 

Bug ID
Summary
Additional Information

CSCsa10912

Undoing an activity in which you move a group or device causes data loss.

If you undo an activity in which you moved a group or a device, you will lose the contents of either the group that you moved or the group into which you moved a device.

There is no workaround. However, you can prevent losing the group by moving the group or device back to the desired location instead of undoing the activity.

CSCsa11632

Moving a subgroup leaves source group locked.

If you move a subgroup out of one group and into another group, and then approve or undo the activity, the group from which you moved the subgroup will remain locked. The lock icon does not show, but you cannot make changes to that group.

To work around this problem and remove the lock, perform the appropriate step:

If you approved the activity:

Create a job and deploy the activity in which you moved the group.

Go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now.

This will remove all discarded/approved activities, and should release the lock.

If you undid the activity, go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now.

This will remove all discarded/approved activities, and should release the lock.

CSCsa11362

If there is an apostrophe in a device or group name, then can't see activity in Take Over Changes.

If an activity locks a device or a group that has an apostrophe in the name, Firewall MC will not recognize the activity within the Take Over Changes feature and you will not find the activity listed.

To work around this problem, remove the apostrophe from the device or group name.

CSCsa11332

No Workflow, clicking two buttons within a table creates two activities.

If you are not using workflow and your first action is to navigate to a rule table and click several buttons within the applet in rapid succession, Firewall MC may erroneously create two activities. You will not encounter this problem if you have performed any other action for which Firewall MC would have already created an activity.

If Firewall MC does create two activities in such a situation, you could be locked out of the particular device or group that you were working in.

To work around this problem, enable workflow and undo the activity causing the lock condition. You can then turn off workflow and proceed with your activities.

CSCsa10812

Group is locked by a discarded activity.

If you move a device in an activity prior to upgrading to Firewall MC 1.3, and then undo the activity after you upgrade, the source group will remain in a locked state by the discarded activity.

To work around this problem, go to the Admin > Maintenance page, change the Purge approved/discarded activities older than field to 0, and then click Purge Now. This will remove all discarded/approved activities, and should release the lock.

CSCeb34681

Firewall MC delete privilege is system-wide.

If you are using ACS authentication, it is possible for a user to have the privilege to delete a device without having the privilege to edit the device. The delete privilege applies to all devices.

The delete privilege should be assigned only to trusted users.

CSCdy17387

No audit log record for activity approval when AutoApprove is on.

If you enabled automatic approval of activities, submitting an activity does not create an audit log record for the approval action. The audit log contains only records for submitting.

To work around this problem, interpret the submit audit records as you would separate submit and approval records.


Table 5 Authentication Known Problems 

Bug ID
Summary
Additional Information

CSCsa08606

ACS - Firewall MC must not be in 'Not Assigned' Network Device Group.

For Firewall MC to work properly with Cisco Secure ACS for Windows (ACS), the Firewall MC server must be assigned to a Network Device Group, under Network Configuration in ACS, that has appropriate security associations, and must not be in the "Not Assigned" Network Device Group.

CSCsa09327

Need to investigate Help Desk Roles and what can be viewed via GUI.

A user with view-only privileges, such as the Help Desk role, can see some sensitive information such as:

AAA Server Groups shared secret.

Any passwords/keys that are placed in the ending commands at import time, for example OSPF or NTP authentication keys.

LAN failover shared key.

IKE shared secret.

SNMP community string.

These items are displayed on pages in the clear, so access to the page allows their direct viewing.

There is no workaround.

CSCsa09292

Help Desk > VPN > IKE Options > Pre-shared Keys > View Keys null pointer.

If you access the VPN > IKE Options > Pre-shared Keys page and your permission settings do not allow you to modify settings on that page, you will receive an exception error if you click View Keys.

To work around this problem, log in as a user that has adequate permissions.

CSCsa09289

Help Desk > Rules tables Edit, Copy, Cut & Delete active if rules exist.

In no-workflow mode, a user with view privileges, such as the Help Desk role, can modify the rule table. The user cannot, however, perform the Save, Generate, and Deploy option.

To work around this problem, take over the changes of the Help Desk user from a privileged account, and then undo the changes.

CSCdy40186

Users with help desk role cannot view activity report.

If you have view-only permission, you cannot view the activity report. This is because all radio buttons and check boxes are disabled for users who have view-only permission.

To work around this problem, log in under a different role with more privileges, or give additional permissions to users who require activity report access.

CSCeb16968

ACS shared profile components disappear after ACS upgrade.

After you upgrade from Cisco Secure ACS version 3.1 to version 3.2, authorization support for Management Center (MC) applications such as Management Center for Firewalls fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

To work around this problem, log into the CiscoWorks desktop with admin privileges and perform the following steps:

1. Select Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

2. Select VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs, then reregister all MCs.

3. Log out of CiscoWorks.


Table 6 Configuration Known Problems 

Bug ID
Summary
Additional Information

CSCed75282

Failover enabled without correct IPs on each interface errors.

When the failover IP address is not on the same subnet as the interface IP address, a generate error occurs. When you click the View Errors link, you will not see any error messages in the generated configuration.

To work around this problem, specify a failover IP address that is on the same subnet as the interface.

CSCsa11048

Different pre-shared key policies with same key not permitted/generated.

In some cases, it is possible to get errors while generating ISAKMP Preshared keys in a configuration even though the Tunnel Consistency panel in the GUI says the keys match on both ends of the tunnel.

Specifically, if there is a tunnel between peers A and B, and A has a default preshared-key policy and B has a user-defined key for A's IP address, when you generate commands for A and B, Firewall MC will incorrectly generate errors saying there is no valid key present for the respective peer even if A's default keystring is identical to B's user-defined keystring for A. However, the Tunnel Consistency check panel for this tunnel will indicate there is no key mismatch.

To work around this problem, set the same pre-shared key policy on both A and B. Either have user-defined keys on both ends, or have default keys on both ends.

CSCed65717

ICMP messages not optimized out.

The optimization code in Firewall MC 1.3 is not able to combine two ACEs when one has service icmp all and the other has service icmp <icmp-type>. Prior versions of Firewall MC were able to combine such ACEs into a single icmp all ACE. This will result in rules that are not optimized as well as they could be. However, the resulting rule set is still correct.

There is no workaround.

CSCsa08680

There is no warning that vpnclient won't work when vpngroup missing.

Deploying partially configured Easy VPN Remote settings to a device does not issue a warning and the Easy VPN Remote is disabled on the device. The deployment transcript will show a message from the device that reads "Warning: No router certificate for key exchange. PIX Easy VPN Remote disabled."

To work around this problem, make sure that the Group Name is entered on the Configuration > VPN > Remote Access > Easy VPN Remote page.

CSCsa09822

Deleting firewall rules does not remove auto nat & static cmds - no edit.

If you set Identity Address Translation Rules to "Only" or "On" (Configuration > MC Settings > Management), Firewall MC will generate NAT or Static commands corresponding to addresses in both AAA rules and Firewall rules.

To work around this problem, turn off Identity Address Translation Rules, which will also eliminate the generation of Identity Address Translation Rules for Firewall rules.

CSCsa09926

Interface wizard fails to detect if no password is entered for PPPoE.

When enabling PPPoE for the outside interface, the GUI fails to recognize the lack of a password. Upon generation, the command will be generated as vpdn username <username> password invalid-password.

To work around this problem, edit the settings for the interface to include a user password.

CSCsa10157

Second level Group doesn't allow both to Inherit and to Enforce/Mandate.

On any Configuration > Device Settings page, the Inherit Settings and Enforce/Mandate check boxes cannot both be selected at the same time. When one check box is selected, the other one is disabled. Because of this limitation, you cannot inherit settings on a particular group while mandating that all children of that group use the same settings.

There is currently no workaround.

CSCsa10862

Object groups still refer to deleted objects.

When you delete an object (service, service group, or network object), references to that object are not automatically removed from other object group definitions. If an object group with a reference to a deleted object is used in a rule, generating a configuration that uses the rule results in a generation error.

To work around this problem, manually remove all references to deleted objects.

CSCsa09481

Cannot turn off failover on interface.

If you define a failover IP address for an interface, but failover is not enabled, the generated commands will include the failover IP address. Some failover commands will always show up in the generated configuration, because the Failover page does not have a means to delete these failover IP addresses from the generated configuration.

These commands will not affect the device's behavior when failover is disabled. On a device without a failover license, deploying failover commands will not cause a deployment error. The device ignores the commands.

There is no workaround.

CSCsa04493

AAA Rules permits LOCAL authorization/accounting for invalid services.

AAA authorization and accounting using the LOCAL protocol is only permitted for console, cut-through authentication, and command authorization services. The LOCAL AAA protocol is only supported in PIX Firewall OS 6.3 and later.

Services such as HTTP, FTP, and Telnet (cut-through proxy) can be enabled only for LOCAL AAA authentication, not for authorization and accounting, and should not be enabled within Configuration > Access Rules > AAA Rules.

CSCsa06605

Deleting or renaming interface causes generation errors.

Some settings that refer to interface names cause generation errors when the interface is renamed or removed. These settings must be deleted or changed to reference the new name.

The following settings refer to interfaces and must be changed to use the new name:

Failover

Static Routes

RIP

Proxy Arp

HTTPS (SSL)

Telnet

Secure Shell

SNMP

ICMP Interface Rules

Syslog

URL Filter Server

TFTP Server

IDS Policy

Anti-spoofing

Fragment

To work around this problem, delete the settings resulting in generation errors or modify the settings to reflect the new interface name.

CSCsa04486

Fixup protocol esp-ike & isakmp enable <interface_name> cannot co-exist.

The following commands cannot coexist on the same firewall device:

fixup protocol esp-ike

isakmp enable <interface_name>

However, Firewall MC allows you to configure both commands without generating an error.

The error will be caught at the device and the deployment will fail with an error saying "PAT for ESP cannot be enabled since ISAKMP is enabled".

To work around this problem, do not place these two commands in the same configuration.
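
A check that can be run over generated configuration text before deployment, covering three Table 6 conditions (CSCed75282, CSCsa09926, CSCsa04486). This is an added example, not part of these release notes or of Firewall MC; `lint_config` and `Finding` are hypothetical names, the sample configuration is constructed, and the `ip address <if_name> <ip> <mask>` and `failover ip address <if_name> <ip>` line formats are assumed PIX 6.x syntax.

```python
from collections import namedtuple
import ipaddress

Finding = namedtuple("Finding", "bug_id line detail")

# Constructed sample of generated configuration text (not taken from the page).
SAMPLE_CONFIG = """\
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
failover ip address outside 192.0.2.2
failover ip address inside 10.2.1.2
fixup protocol esp-ike
isakmp enable outside
vpdn username user1 password invalid-password
"""


def lint_config(text):
    """Return sorted Findings for three conditions listed in Table 6."""
    networks = {}        # if_name -> IPv4Network taken from "ip address"
    failover = {}        # if_name -> (IPv4Address, line number)
    esp_ike_line = None  # line number of "fixup protocol esp-ike", if present
    isakmp_ifaces = []   # (if_name, line number) for each "isakmp enable"
    findings = []

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ":!":   # blank lines and comment lines
            continue
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            try:
                iface = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
                networks[tok[2]] = iface.network
            except ValueError:
                pass  # dynamically addressed interface: no static subnet
        elif tok[:3] == ["failover", "ip", "address"] and len(tok) == 5:
            try:
                failover[tok[3]] = (ipaddress.ip_address(tok[4]), lineno)
            except ValueError:
                pass
        elif tok == ["fixup", "protocol", "esp-ike"]:
            esp_ike_line = lineno
        elif tok[:2] == ["isakmp", "enable"] and len(tok) == 3:
            isakmp_ifaces.append((tok[2], lineno))
        elif (tok[:2] == ["vpdn", "username"] and len(tok) >= 5
              and tok[3] == "password" and tok[4] == "invalid-password"):
            # CSCsa09926: PPPoE was enabled without a password in the GUI.
            findings.append(Finding(
                "CSCsa09926", lineno,
                f"vpdn user {tok[2]} has the placeholder password"))

    # Cross-statement checks run after the full pass because the relevant
    # statements can appear in any order in the generated text.
    for ifname, (addr, lineno) in failover.items():
        net = networks.get(ifname)
        if net is not None and addr not in net:
            # CSCed75282: failover IP must share the interface's subnet.
            findings.append(Finding(
                "CSCed75282", lineno,
                f"failover IP {addr} on {ifname} is outside {net}"))

    if esp_ike_line is not None:
        for ifname, lineno in isakmp_ifaces:
            # CSCsa04486: the device rejects this pair at deployment time.
            findings.append(Finding(
                "CSCsa04486", lineno,
                f"isakmp enable {ifname} conflicts with fixup protocol "
                f"esp-ike (line {esp_ike_line})"))

    return sorted(findings)


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"{f.bug_id} line {f.line}: {f.detail}")
```
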

CSCea14915

Deploy fails if number of interfaces in GUI and device differ.

When working in the Firewall MC GUI, sometimes the number of interfaces or their respective hardware IDs do not match those on the physical device. An example of this would be if you were to define only ethernet0 and ethernet1 in the GUI, when the device also has ethernet2. During deployment, Firewall MC would attempt to remove all configuration settings for the undefined interface, such as its IP address, which causes deployment errors and possibly traffic flow failure on that interface, depending on the settings you established regarding error handling.

To work around this problem, make sure the interface configuration in the GUI matches the configuration on the device. This includes the number of interfaces and their hardware IDs.

CSCsa07223

Spoke-grp two S2S tunnels to Hub-dvc same intf unsupported auto-gen key.

When you have multiple tunnels between a pair of devices where the same interface is used as the endpoint on one of the two devices, Firewall MC will not accurately create pre-shared keys for automatically generated and default key policies.

For example, consider two devices (A and B) with two tunnels (Tunnel-1 and Tunnel-2) between them:

Tunnel-1: A:inside <------> B:outside

Tunnel-2: A:outside <-----> B:outside

In this example, both tunnels end on the same interface of device B, while ending on different interfaces on device A. In such cases, Firewall MC will automatically generate keys for one of the two tunnels, but not for both.

To work around this problem, specify user-defined keys on both devices (A and B). On device A, specify a single key for B:outside. On device B, specify two keys, one for A:inside and one for A:outside. All three key values should be identical.

CSCsa06656

Auto NAT settings can impact dual dynamic NAT.

PIX Firewall and FWSM implemented dual-NAT differently. Firewall MC follows the FWSM semantics.

On the PIX Firewall, if a dynamic NAT rule is applied to an interface with a lower security level, then you must define static translation rules to enable outgoing traffic from all other networks attached to that interface.

On FWSM, adding a dynamic translation rule does not require static translation rules to be defined for all other outgoing traffic (high to low security level interface traffic).

Firewall MC does not allow you to use the Identity Address Translation feature to auto generate statics for outbound traffic when a dynamic translation rule exists on a lower security interface in a PIX Firewall configuration. You must manually define any such identity statics.

CSCsa06655

For FWSM, all policy statics are higher priority than all old statics.

The evaluation order of the static address translation rules differs between PIX OS 6.3.x and FWSM 2.x.

PIX OS 6.3.x evaluates in the following order:

1. Port-based statics (policy statics and original style statics intermixed)

2. Host-based statics (policy statics and original style statics intermixed)

FWSM 2.x evaluates in the following order:

1. Port-based policy statics

2. Host-based policy statics

3. Port-based original style statics

4. Host-based original style statics

Firewall MC models the PIX implementation. During import, Firewall MC assumes the PIX OS evaluation order. In most cases, this does not cause problems even for FWSM. If you view the existing configuration on a FWSM, all policy statics appear before the original style statics. In this case, as long as the port or host-based statics are not split between the two styles, Firewall MC accurately imports the static address translation rules.

On generate, this represents no problem. Firewall MC either generates only original-style statics or policy statics followed by original-style statics (if the Identity Address Translation feature is enabled).
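The two evaluation orders listed above, applied to a constructed FWSM-style listing; this is an added example, not Cisco or Firewall MC code. It classifies each static by the tcp/udp and access-list keywords (an assumption about the static command syntax; the addresses and ACL names are invented) and reports the pairs that FWSM 2.x and the PIX order assumed on import would evaluate in a different sequence.

```python
import re
from dataclasses import dataclass

# Constructed sample: statics as an FWSM would list them, policy statics
# first, then original-style statics. Addresses and ACL names are invented.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 192.0.2.10 80 access-list POLICY_WEB
static (inside,outside) 192.0.2.20 access-list POLICY_HOST
static (inside,outside) tcp 192.0.2.10 25 10.1.1.25 25 netmask 255.255.255.255
static (inside,outside) 192.0.2.30 10.1.1.30 netmask 255.255.255.255
"""

# Assumed shape: "static (if_a,if_b) [tcp|udp] ... [access-list NAME]".
STATIC_RE = re.compile(r"^static\s+\([^)]*\)\s+(?P<rest>.+)$")


@dataclass(frozen=True)
class Static:
    line_no: int      # position in the listing (1-based)
    text: str
    port_based: bool  # True for tcp/udp (PAT) statics, False for host statics
    policy: bool      # True when the static references an access-list


def parse_statics(config):
    """Classify every static line by class (port/host) and style."""
    statics = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        match = STATIC_RE.match(raw.strip())
        if not match:
            continue
        tokens = match.group("rest").split()
        statics.append(Static(line_no, raw.strip(),
                              tokens[0] in ("tcp", "udp"),
                              "access-list" in tokens))
    return statics


def pix_order(statics):
    """PIX OS 6.3.x: port-based, then host-based; styles intermixed."""
    # sorted() is stable, so listing order is kept inside each class.
    return sorted(statics, key=lambda s: 0 if s.port_based else 1)


def fwsm_order(statics):
    """FWSM 2.x: port policy, host policy, port original, host original."""
    return sorted(statics, key=lambda s: (0 if s.policy else 2)
                  + (0 if s.port_based else 1))


def split_classes(statics):
    """Name the classes (port/host) that contain both styles."""
    split = []
    for name, is_port in (("port", True), ("host", False)):
        styles = {s.policy for s in statics if s.port_based is is_port}
        if len(styles) == 2:
            split.append(name)
    return split


def reordered_pairs(statics):
    """Pairs (a, b) of line numbers that FWSM evaluates a-then-b but the
    PIX order assumed on import evaluates b-then-a."""
    pix_pos = {s: i for i, s in enumerate(pix_order(statics))}
    fwsm = fwsm_order(statics)
    pairs = []
    for i, first in enumerate(fwsm):
        for second in fwsm[i + 1:]:
            if pix_pos[first] > pix_pos[second]:
                pairs.append((first.line_no, second.line_no))
    return pairs


if __name__ == "__main__":
    rules = parse_statics(SAMPLE_CONFIG)
    print("PIX order :", [s.line_no for s in pix_order(rules)])
    print("FWSM order:", [s.line_no for s in fwsm_order(rules)])
    print("Split classes:", split_classes(rules))
    for a, b in reordered_pairs(rules):
        print(f"line {a} precedes line {b} on FWSM but follows it in PIX order")
```

A reordered pair only changes behavior when the two statics can match the same traffic, so each reported pair is a prompt to compare the rules, not proof of a mismatch.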

CSCsa05925

Internet Explorer hangs when you click away from page with applet before certificate dialog.

The Firewall MC window and CiscoWorks Desktop window might become unresponsive if you access the Configuration tab, and then click the Firewall MC window again before the certificate dialog appears.

To work around this problem:

1. Open Windows Task Manager.

2. Click the Applications tab.

3. Select the Internet Explorer tasks that are not responding.

4. Click End Task.

5. Open a new browser, log in to CiscoWorks again, and then launch Firewall MC.

6. Click the Configuration tab, and then wait for the Certificate popup window to appear.

7. Accept the certificate.

CSCsa02803

View Config and Deploy Transcript displays preshared keys in clear text.

Pre-shared keys defined on the Configuration > VPN > IKE Options > Pre-shared Keys page are displayed in clear text in the View Config and View Transcript windows. Users with permission to view these pages can also view any pre-shared keys.

No workaround is currently available.

CSCsa02754

Local User password and Confirm password should get cleared on error.

If you enter different values in the Password and Confirm Password fields of the Add User Information dialog box, accessed from Configuration > Device Settings > Firewall Device Administration > User Accounts, Firewall MC returns an error stating that the Password and Confirm Password do not match, and then resets the fields to a default value. If you click OK on the Add User Information dialog box without reentering the password, the user account is created with this default password.

To work around this problem, delete the user, and then add the user again making sure the Password and Confirm Password fields match.

CSCsa02311

Failover settings cannot be inherited.

The Inheritance settings for the Failover Interfaces configuration table fail to display any inherited interfaces defined at the parent scope.

No workaround is currently available.

CSCed19812

Policy NAT ACL on PIX Firewall contains alias addresses.

When importing a PIX Firewall configuration that uses policy NAT rules that are not generated by Firewall MC, it is possible that the rules retained in the GUI do not match the intended rules.

No workaround is currently available.

CSCsa02734

Special characters are allowed in the IPSec Transform Set Name on the PIX Firewall, but Firewall MC returns an error when they are used.

If you are adding an IPSec Transform Set from Configuration > Building Blocks > IPSec Transform Sets and use certain special characters (&,<,>,",~,^,|) in the transform set name, Firewall MC returns an error saying that these characters are not allowed even though these characters are valid on the PIX Firewall.

To work around this problem, do not use these special characters in IPSec transform set names.

CSCdz39788

Include and exclude commands not supported.

Firewall MC does not support the forms of the AAA commands that use the keywords include and exclude. These commands cause an error whenever encountered regardless of how you indicated that Firewall MC should treat unknown commands.

For a list of PIX Firewall and Firewall Services Module (FWSM) CLI commands supported by Firewall MC 1.3, see Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.3 at http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html.

To work around this problem, replace these commands with the match form of the commands.

CSCeb61418

Static port address translation (interface) not supported.

Firewall MC does not support the interface keyword in the static command.

To work around this problem, avoid using the interface keyword in the static command. Use the actual address instead of the interface keyword. In a situation where the address is not known because DHCP is providing the address, no workaround exists.

CSCdz48293

PIX Interface command accepts VLAN as hardware ID.

When importing from file, Firewall MC allows the command interface vlan<n> [<hw_speed> [shutdown]] to be issued or imported for PIX Firewall versions earlier than version 6.3 even though the VLAN is valid only for FWSMs and PIX Firewalls version 6.3 and later.

To work around this problem, make sure the VLAN hardware identifier is used only for FWSMs and PIX Firewalls version 6.3 and later.

CSCea27335

Firewall MC limits DHCP server to inside interface only.

In PIX Firewall versions earlier than version 6.3, the dhcpd enable <intf> command accepts only the inside interface as an argument. PIX Firewall versions 6.3 and later do not have this restriction. However, Firewall MC will not allow you to enable the DHCP server on other interfaces. Importing the dhcpd enable command for an interface other than inside causes an error.

No workaround is currently available.


Table 7 Database Known Problems 

Bug ID
Summary
Additional Information

CSCed90704

User must log out during compact.

The CW2000 KRS database service is shut down while the database is being compacted and restarted when compaction is complete. If there are any instances of Firewall MC active when you compact the database, the connection to the database for those sessions will be terminated.

To work around this problem, close all instances of Firewall MC before compacting the database. If any instances of Firewall MC were open when the database was compacted, you will need to close Firewall MC, and then log out and back in to the CiscoWorks Server before you can use Firewall MC.

CSCed12328

Cannot restore database from network drive.

If restoring the VMS database from a network drive (VPN/Security Management Solution -> Administration -> Common Services -> Restore Database), the restore client will freeze and generate errors.

To work around this problem, copy the remote restore directory to a local drive and then initiate the restore from the local drive.

CSCea10128

Database deadlocks during checkpoint.

Under unusual circumstances, the Firewall MC database (fms.exe) might consume all of the CPU while performing a checkpoint.

To work around this problem, restart the CW2000 Daemon Manager:

1. Log in as administrator.

2. Select Start > Settings > Control Panel > Administrative Tools > Services.

3. Right-click CiscoWorks Daemon Manager, and then click Restart.


Table 8 Deployment Known Problems 

Bug ID
Summary
Additional Information

CSCsa11422

Difference report shows repeated differences in access rules.

When you view a difference report (Configuration > View Config > Generate and View Difference With Last Deployed Config or Configuration > View Config > Generate and View Difference With Running Config), differences in access-list commands may appear twice.

There is no workaround.

CSCsa09742

Deploying no isakmp client configuration address-pool local reboots PIX.

Deploying no isakmp client configuration address-pool local <poolname> <pifname> causes a PIX Firewall running 6.3(x) to crash and reboot.

This is a problem with the PIX hardware. To obtain more information about this problem, go to the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl and refer to bug ID CSCed57964. (You will be prompted to log into Cisco.com.)

The effect on Firewall MC is that the deployment will not complete.

Unfortunately, there is no workaround other than to do a clear isakmp on the device before deploying, and to configure Firewall MC to overwrite external changes by setting the Action on External Change to Device Config setting to Overwrite (Configuration > MC Settings > Management). However, this REMOVES all isakmp commands, both isakmp and isakmp policy, which will cause a temporary network outage. Firewall MC will reapply these commands.

CSCsa08905

Part of the deploy transcript is out of order.

The deploy transcript is out of order with version and checksum information. This might cause confusion when viewing the transcript. The checksum is actually obtained when the configuration is retrieved from the device before the deployment happens.

No workaround is currently available.

CSCsa03828

Unable to stop deployment when deploying to one device.

Clicking Stop does not cancel a deployment.

No workaround is currently available.

CSCdy29184

Misleading error during deploy to AUS without correct privileges.

If the AUS (Auto Update Server) user account on PIX MC does not have the API_View or API_Write privilege required to deploy to the AUS server, an error stating STATUS_FAILED authentication failed! appears when you deploy to AUS.

CSCea17787

AAA match statements are type dependent.

Deploying a AAA match statement might result in a deployment error if the ACL used in the match statement is not valid for AAA. For example, if the ACL used in a AAA accounting match command is permit ip any any, the deployment might result in an error state. The reason is that ip any any includes ICMP, which cannot be accounted for.

To work around this problem, make sure the ACL used in AAA match statements is of the appropriate type.


Table 9 GUI Known Problems 

Bug ID
Summary
Additional Information

CSCsa10913

Filter by traffic direction in translation exemptions table not working.

Filter by traffic direction in translation exemptions table not working.

No workaround is currently available.

CSCea81016

GUI is not version aware.

Some commands apply only to specific PIX Firewall and FWSM OS releases. Firewall MC does not distinguish these command differences in the GUI. The OS specific command differences will be identified during generation, and the configurations will contain the commands specific to that OS only.

There is no workaround.

CSCsa07112

Firewall MC does not generate failover bootstrap link or asterisk next to failover device.

There are two problems (labeled Problem A and Problem B) with the way that Firewall MC handles failover settings.

Problem A

If any LAN-based failover setting is changed, Firewall MC indicates to the user that bootstrapping is needed by putting an asterisk after the name in the generation summary page and providing a link to the bootstrap commands. However, Firewall MC does not check whether failover is enabled during this process. Consequently, after Firewall MC imports a device that has LAN-based failover enabled but failover disabled, bootstrap information is provided, but is not necessary and will mistakenly turn failover on if pasted to the device.

To work around the problem, ignore the LAN-based failover bootstrapping information provided by Firewall MC if you do not have failover enabled on a device.

Problem B

If a FWSM 2.x device has the failover lan interface command configured but failover disabled, Firewall MC will turn its failover setting on and generate the failover command after importing this device.

To work around the problem, either remove the failover lan interface command from the device before importing, or disable the Enable Failover check box before generating a new configuration.

CSCsa08703

View all hex value ethertype option shows blank value.

If you try to view or edit an Ethertype rule that has a hexadecimal Ether value, the Ether value on the Ethertype Rule window will be blank.

To work around this problem, make note of the hexadecimal Ether value on the main Ethertype Rules table before viewing or editing the Ethertype rule. If you are editing the rule, you must enter this value before you click OK.

CSCed70305

Select all in rule table doesn't always select all.

If you try to select all rules in the access rules table while the table is still loading, not all rules will be selected.

To work around this problem, wait until the table has fully loaded before you select all the rules.

CSCsa10544

User encounters blank or badly formatted page.

There are certain areas in Firewall MC where JavaScript is used to refresh or reload the main page or a status window. Occasionally, the Internet Explorer browser can get stuck when executing this JavaScript code. When this happens, one of the following symptoms might appear:

1. The browser goes to a white screen and sits there for minutes, and when it eventually loads the page, the formatting of the fonts and a lot of the layout is distorted, but the browser itself is still active.

2. The browser goes to a white screen and never recovers. In this case IE can be either active or inactive (locked up).

To work around this problem, press F5 to reload the page. If the browser still does not recover, then close all windows for the Internet Explorer process, make sure the process itself is shut down (IEXPLORE.exe in the task manager), and then launch a fresh Internet Explorer and restart Firewall MC.

CSCsa11281

Edit Rule during Rule Table load slow.

If you try to edit a rule while the table is loading a large rule set, it will take a long time to return to the rule table after clicking OK.

To work around this problem, wait for the rules to complete loading in the table before you try to edit a rule.

CSCsa09446

Cut/Copy and paste of IPSec Tunnel Templates removes Transform Sets.

When you paste an IPSec Tunnel Template on the IPSec Tunnel Templates page (Configuration > Building Blocks > IPSec Tunnel Templates), the Transform Set used by the template is lost and its value is set to None.

To work around this problem, you must edit the IPSec Tunnel Template, and then reselect the IPSec Transform Set for the template after pasting.

CSCsa09446

Filtering in the table should have dropdowns for certain fields.

The Permit column has icons to represent permit and deny. When filtering on this column, the user can also use the words "true" or "yes" for permit, and "false" or "no" for deny. If the user enters "y", then the filter will match on "deny".

To work around this problem, spell out "true" or "yes" and "false" or "no" for filtering on this field.

CSCsa08562

With workflow, pressing Approve right after Reject throws null pointer.

In workflow mode, after an activity is submitted, it can be either approved or rejected. If a user presses the Reject button and then enters an activity transition comment, he will see the Approve button is still active. If he presses the Approve button while the rejection is still in progress, a null pointer exception will occur.

To work around this problem, do not press the Approve button when an activity rejection is being processed.

CSCed70306

Cannot copy and paste rules in Expanded Rule Table.

If you copy and paste rules in the rule table after it has been detached from the Firewall MC window, the Firewall MC browser might stop responding.

To work around this problem, close the browser and relaunch Firewall MC.

CSCed65692

MAC Address table setting doesn't override when timeout is blank.

On the MAC Address Table page (Configuration > Device Settings > Transparent Firewall > MAC Address Table) and DHCP Relay Server page (Configuration > Device Settings > Servers and Services > DHCP Relay Server), you cannot clear the timeout setting if the table of interfaces for the feature is empty and timeout value is specified at the parent scope. When you clear the timeout setting and click Apply, the Inherit settings check box is automatically selected and the parent value is inherited.

To work around this problem, add a row to the table and then delete the row before you clear the timeout field. You can then clear the timeout field and click Apply without the parent value being inherited.

CSCsa10890

If using Netscape 7.1, Firewall MC closes when you close an activity.

If you are accessing Firewall MC from a Netscape browser, and with workflow enabled you try to close an activity that is in the Edit_Open state by going to the Workflow > Activity Management page and clicking Close, the Firewall MC window will close and the activity will remain in the Edit_Open state.

To work around this issue, do not close the activity from the Workflow > Activity Management page. Instead, if the Edit_Open state activity is the current activity in your session, click the Close icon on the Activity action bar located in the upper right corner of the Configuration tab.

If the Edit_Open state activity is not the current activity in your session, you must first make it the current activity before you can close it:

1. Select the activity on the Activity Management page.

2. If Require Activity Approval is enabled, click Submit. If not, click Approve.

3. Click Cancel.

4. Click the Configuration tab.

5. Click the Close icon on the Activity action bar.

CSCec73144

Firewall MC occasionally crashes when changing scope.

There is a Windows performance setting that allows you to optimize performance for either applications or background services. If you have background services selected, then the browser might return exceptions or crash when you access the Object Selector. This behavior is very likely to happen if the client and server are on the same system.

To work around this problem, make sure that the operating system response is optimized for applications and not for background services:

1. Select Start > Settings > Control Panel > System.

2. Click the Advanced tab.

3. Click Performance Options.

4. In the Application response box, make sure that the Applications radio button is selected.

5. Click OK.

CSCec76430

FWSM no longer supports periods in the hostname.

Firewall MC follows the PIX 6.x format for hostname; however, FWSM 2.x no longer supports periods in the hostname (for example, "my.pix.1"). Therefore, you will be able to define an erroneous hostname for FWSM 2.x in Firewall MC. This error will be caught by the FWSM 2.x device as a deployment error.

To work around this problem, do not add a period to the hostname of an FWSM 2.x device.

CSCec90250

Modal dialog boxes intermittently stay open when using Netscape.

When using Netscape, form items in modal dialogs have focus problems if you attempt to select the parent window. After you click the parent window, you cannot select an item, using a mouse or by pressing Tab, within the form in the modal dialog. Text fields are particularly susceptible to this issue.

To work around this issue, do one of the following:

Close or cancel out of the modal dialog. Re-open the modal dialog, and do not try to select the parent window.

Click on the help link in the modal dialog, and then close the help window. The items in the form should behave properly now. Do not try to gain focus on the parent window.

CSCsa04337

VLAN ID 4096 accepted in GUI and no error displayed after configuration generation.

Firewall MC allows a user to enter a VLAN ID greater than 4095 without generating an error. However, subsequent deployment of the generated configuration might fail because of this illegal VLAN ID.

To work around this problem, do not enter a VLAN ID greater than 4095.

CSCsa04546

GUI should warn about duplicate IKE policies.

If a configuration has two IKE policies with different priority numbers but the exact same parameters, these two IKE policies can still be generated and deployed without warning, and the firewall device simply removes the duplicate policies when it receives deployment.

To work around this problem, do not define two or more IKE policies with different priority numbers but the exact same parameters.

CSCec50276

Firewall MC 1.3 Interface Hardware ID should be grayed out in FWSM 2.x.

When you are configuring an interface for FWSM, certain Interface fields that are not used should be grayed out.

No workaround is currently available.

CSCsa07589

Incorrect GUI restriction for user-key for managed objects.

If you select a hub's outside interface and create a user-defined preshared key, you will not be able to create a second user-defined preshared key for the same hub's inside interface. An error results stating "User key with the same peer or with the same peer IP address already exists."

To work around this problem, create a key based on IP address instead of a managed device interface.

CSCeb80454

Browser caching can cause Object Selector to not respond.

Under certain conditions, Firewall MC will not allow you to select a group or a Firewall using the Object Selector. Instead the scope remains at the Global level and cannot be changed. This is caused by the browser pulling from its local cache instead of the Firewall MC server.

To work around this problem, clear all temporary files on your browser:

For Internet Explorer only:

1. Select Tools > Internet Options.

2. Under Temporary Internet files, select Delete Files.

3. Close down all browser windows, then re-open the browser.

If the problem persists:

1. Clear out the Java JAR cached files.

2. Close down all browsers, then verify that JRE is shut down with the browser. (The Java icon in the system tray should be gone.)

3. Select Start > Settings > Control Panel > Java-Plug-In 1.3.1.

4. Select the Cache tab, then click Clear JAR Cache.

5. Apply the change, start up a new browser window, then try again.

CSCeb52284

Cannot add a rule using tear-off view if no rules exist.

The access rule table does not provide a popup menu unless there are rows in the table. If you expand a table that does not have rules, you cannot insert a rule because the popup menu cannot appear and there are no buttons at the bottom of the expanded table.

To work around this problem, do not expand an empty table.

CSCdz66765

Using browser's refresh might cause unexpected results.

If you use your browser's refresh button (or press F5) instead of using the Refresh button available on some of the Firewall MC GUI pages, you might see error messages repeated or prompts to resend data.

To work around this problem, use the Refresh button on the GUI, when available, instead of pressing F5 or using your browser's Refresh button.

CSCeb59538

Message window text blinks during backup and restore.

The message window that CiscoWorks displays during a backup or restore is blank except for an occasional status that appears and then quickly disappears. Mouse movement is also slow during the backup or restore.

There is no workaround. This behavior does not reflect the success of the backup or restore. You should allow the action to conclude.

CSCeb63147

Activity report lists all fixup ports when only one was changed.

If you change any fixup settings, all fixups that are displayed on the Basic or Multimedia Fixup page and checked as active appear on the Activity report even though they were not changed.

There is no workaround.

CSCeb24910

Activity report does not list deleted devices.

The Activity report does not include deleted devices if the parent group was also deleted in the same activity.

There is no workaround.

CSCdx47739

Workflow does not stop multiple jobs from deploying to same device.

Firewall MC does not prevent you from putting the same device in more than one job. This could lead to a deployment error if more than one job tries to deploy to the same device at the same time. Also, you could inadvertently deploy an older approved configuration over a newer one, depending on the order in which the pending jobs are deployed.

To work around this problem, avoid adding devices that are part of a pending job when you create new jobs.

CSCdy59201

Inherit settings from lists wrong group name when not inheriting.

If you deselect the Inherit settings check box, the text reads Inherit setting from: Global, instead of specifying the group from which the information would be inherited were this item selected. This is only a display problem. If you select the Inherit settings from check box, Firewall MC inherits correctly and the updated page shows the group from which you are inheriting.

To work around this problem, use the object selector or the quick links next to SCOPE to walk up the group hierarchy towards Global to find out from where the settings would be inherited. The closest ancestor that has its own settings (not inheriting) is the one from which the setting would be inherited.


Table 10 Import Known Problems 

Bug ID
Summary
Additional Information

CSCsa11338

Performance limitations to import and deploy.

Through the course of testing, we have found that performance on importing and deploying is affected by the number of rules in your configuration, such that importing a configuration with a large number of rules takes approximately one second for every eight rules, and deploying takes approximately one second for every four rules.

For PIX 6.2(2) and FWSM 2.2 and later, the deploy performance is greatly improved using bulk deploy.

To improve performance when deploying a configuration with a large number of rules, upgrade your firewall device to PIX 6.2(2) or FWSM 2.2.

CSCin54306

Multiuser import failed for directory import.

If multiple users try to import from a directory at the same time, the import fails.

To work around this problem, avoid having multiple users import from a directory at the same time.


Table 11 Installation and Upgrade Known Problems 

Bug ID
Summary
Additional Information

CSCsa07730

During install alphabetic characters are accepted in port number fields.

Port numbers are represented using numbers, not characters and symbols. If you define an invalid port number, the Firewall MC services will fail to start.

To work around this problem, accept the default value or use numbers when defining your port. To correct an invalid port number, reinstall Firewall MC.

CSCeb70960

VMMC Installer does not install patch on first pass.

The VMS Management and Monitoring Centers (VMMC) installer does not install the CiscoWorks Common Services patches until you run the VMMC installer a second time. Under normal conditions this does not cause a problem since you must run it a second time to install the VMS applications. However, if you install CiscoWorks Common Services from the VMMC installer and Firewall MC from the website, the patches will not be applied.

To work around this problem, run the VMMC installer a second time to apply the Service Pack 1 patches before you install Firewall MC.

CSCeb22044

Install aborted at 99% does not halt/remove/restart components.

Canceling an installation when it is 99% complete does not appropriately halt the installation, remove certain components, and restart critical services.

To correct this problem, uninstall Firewall MC, reboot, and then reinstall Firewall MC.


Table 12 Reporting Known Problems 

Bug ID
Summary
Additional Information

CSCsa10776

Activity Reports are blank for pre-upgrade activity.

When you upgrade Firewall MC, any activity reports for prior changes are lost.

To work around this problem, save the activity reports to an XML file before you upgrade.

CSCsa10695

View All Static rules and translation rules has PAT/NAT statics reversed.

There are two problems associated with placement of PAT and NAT static rules in the Static Translation table:

Problem 1

When you select Translation Rules > View All Translations or click View All on the Static Translation table, the Host translation statics (NAT statics) are listed before the Port translation statics (PAT statics), even though the order of evaluation on the firewall device is PAT statics before NAT statics.

There is currently no workaround.

Problem 2

If you edit a static translation rule and change a PAT static to a NAT static, or change a NAT static to a PAT static, the rule should be repositioned in the table so that it is grouped with rules of the same type. However, when you do make such a change, the rule is not moved to the correct location.

To work around this problem, remove the rule that you want to change and recreate it in the correct location, with the new desired values.

CSCsa09283

Activity Reports fails to display Add PPPoE Information parameters.

The activity report does not show detailed setting changes for an interface if the interface type is PPPoE.

There is no workaround.

CSCsa09252

Activity Reports > FW Device Contact Info reported as Auto Update Server.

If you change settings on the Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info page, the changes are incorrectly listed under Configuration > MC Settings > Auto Update Server Contact when you view the activity report.

There is no workaround.

CSCsa09237

Activity report will not save to networked drive, user sees blank window.

You cannot write an Activity Report XML file to a network drive.

To work around this problem, save the report to an accessible drive, and then log in and transfer that file to the network drive you want it to reside on.

CSCed66577

Ending commands are not retained in activity reports.

When you select the Inherit Settings check box on the Configuration > Device Settings > Config Additions > Ending Commands page, any information in Ending Commands at the current scope is removed. The information that was in Ending Commands is not retained in the activity report, and you will not be able to get this information back without undoing the activity.

No workaround is currently available.


Table 13 Firewall MC Server Known Problems 

Bug ID
Summary
Additional Information

CSCsa09355

If a JRE is not installed, Internet Explorer might take 5 minutes to prompt to install.

Internet Explorer sometimes takes an inordinate amount of time to determine the plug-in necessary to launch a Java applet, determine if it needs to obtain the plug-in, and finally actually initialize the download of the plug-in.

To work around this problem, wait for Internet Explorer to install the JRE.

CSCea80500

Last detected version not in effect if config and device mismatch.

When you upgrade the PIX Firewall OS version on a device and Firewall MC is set to Last Detected Firewall OS Version (Configuration > Device Settings > Firewall OS Version), deployment will fail and you will receive an error message about version mismatch.

To work around this problem, set the Firewall OS version manually, and then redeploy with this change.

CSCdw45096

Device Contact Info & AUS Contact settings not retained in jobs.

When you create a job, the PIX Device Contact Info and AUS Contact settings for each device in the job are not stored as a part of the job. When you deploy the job, the current values for these settings are used to deploy to a device, or to AUS. This means that changes made to these settings after a job is created will affect how a job operates when it is deployed.

To work around this problem, deploy existing jobs before changing the PIX Device Contact Info and AUS Contact settings for any device in any undeployed jobs.

CSCdz64177

Client might be slow when connecting to a Firewall MC server without a DNS entry.

Remote access might be slow when you connect to a Firewall MC server without the appropriate DNS entry (Address and Pointer Records).

To work around this problem, verify that a DNS entry was created.


Table 14 Known Problems with VMS that Affect Firewall MC

The following problems have been seen during Firewall MC testing. More information is available in the Release Notes for CiscoWorks Common Services at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/prod_release_notes_list.html. Specific details are available from the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log into Cisco.com.)

Bug ID        Summary
CSCin69274    CSA Agent queries upgrade of FWMC from 1.2.2 to 1.3.
CSCdx74061    Scheduling future Backups and Compacts requires two steps.
CSCdx74308    Services do not start after reboot during installation.
CSCdy02949    Difficulty browsing CiscoWorks2000 desktop from server machine.
CSCdy06590    Restoring during scheduled backup requires reboot.
CSCdy25551    MDCSupport utility does not erase its temporary directory.
CSCdy26688    Cannot launch CW2K desktop after Common Services installed on system with netForensics.
CSCdy28951    Licensing error when SQL service is not started.
CSCdy31988    Sybase service problem on Win2K server with Terminal Services on.
CSCeb11926    Hour and minute are not working for repeat backup database.
CSCin11975    Changing the Windows password causes service startup to fail.
CSCin14028    CiscoWorks links do not work due to change in server IP address.


Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Go to this URL to visit the company store:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html



Posted: Thu Dec 30 05:39:53 PST 2004
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved.