Release Notes for Cisco Router and Security Device Manager Version 2.1.1

These release notes support Cisco Router and Security Device Manager version 2.1.1. They should be used with the documents listed in the " Related Documentation" section. These release notes are updated as needed.

Introduction

Cisco Router and Security Device Manager (SDM) is a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Address Translation (NAT), firewalls, Intrusion Prevention System (IPS), Virtual Private Networks (VPNs), and other features on the router. SDM version 2.1 and later can be installed on a PC, or in router memory. Earlier versions of SDM can be installed only in router memory. If you have a router listed in the "Hardware Supported" section, SDM may be preinstalled in router memory, or may be shipped on a CD with the router.

System Requirements

Memory Requirements

A minimum of 6 MB of free router memory is required to support Cisco SDM files. 2 MB of router memory is required to support Cisco SDM Express files. The Wireless Management application requires an additional 1.7 MB.

Table 2 lists the files that are included with Cisco SDM, Cisco SDM Express, and the Wireless Management application.

Hardware Supported

Cisco Routers

Supported Network Modules, WICs, Port Adapters, and Service Adapters

PC System Requirements

SDM is designed to run on a personal computer that has a Pentium III or faster processor.

Software Supported

Cisco IOS Images

Note SDM supports the IOS Intrusion Prevention System (IPS). In order to be able to use SDM to configure IOS-IPS, the router must run an IOS image of Release 12.3(8)T4 or later.

Table 1 SDM-Supported Routers and Cisco IOS Releases
SDM-Supported Routers	SDM-Supported Cisco IOS Releases
Cisco SB101 Cisco SB106 Cisco SB107	•12.3(8)YG
Cisco 831 Cisco 837	•12.2(13)ZH or later •12.3(2)XA or later •12.3(2)T or later
Cisco 836	•12.2(13)ZH or later •12.3(2)XA or later •12.3(4)T or later
Cisco 851 Cisco 857	•12.3(8)YI
Cisco 871 Cisco 876 Cisco 877 Cisco 878	•12.3(8)YI
Cisco 1701	•12.2(13)ZH or later •12.3(2)XA or later (SDM does not support Cisco IOS release 12.3(2)XF.) •12.3(4)T or later
Cisco 1711 Cisco 1712	•12.2(15)ZL or later •12.3(2)XA or later (SDM does not support Cisco IOS release 12.3(2)XF.)
Cisco 1710 Cisco 1721 Cisco 1751 Cisco 1751-v Cisco 1760 Cisco 1760-v	•12.2(13)ZH or later •12.3(2)XA or later (SDM does not support Cisco IOS release 12.3(2)XF.) •12.2(13)T3 or later •12.3(2)T or later •12.3(1)M or later •12.2(15)ZJ3 (not available for the Cisco 1710 or Cisco 1721)
Cisco 1801 Cisco 1802 Cisco 1803 Cisco 1811	•12.3(8)YI
Cisco 1812	•12.3(8)YH or later
Cisco 1841	•12.3(8)T4 or later
Cisco 2610XM Cisco 2611XM Cisco 2620XM Cisco 2621XM Cisco 2650XM Cisco 2651XM Cisco 2691	•12.2(11)T6 or later •12.3(2)T or later •12.3(1)M or later •12.3(4)XD •12.2(15)ZJ3
Cisco 2801 Cisco 2811 Cisco 2821 Cisco 2851	•12.3(8)T4 or later
Cisco 3640 Cisco 3661 Cisco 3662	•12.2(11)T6 or later •12.3(2)T or later •12.3(1)M or later •12.3(4)XD •12.2(15)ZJ3
Cisco 3620	•12.2(11)T6 or later •12.3(1)M or later
Cisco 3640A	•12.2(13)T3 or later •12.3(2)T or later •12.3(1)M or later •12.3(4)XD •12.2(15)ZJ3
Cisco 3725 Cisco 3745	•12.2(11)T6 or later •12.3(2)T or later •12.3(1)M or later •12.3(4)XD •12.2(15)ZJ3
Cisco 3825 Cisco 3845	•12.3(11)T or later
Cisco 7204VXR Cisco 7206VXR	•12.3(2)T or later •12.3(1)M or later SDM does not support B, E, or S train releases on the Cisco 7000 routers.
Cisco 7301	•12.3(2)T or later •12.3(3)M or later SDM does not support B, E, or S train releases on the Cisco 7000 routers.

Determining the Cisco IOS Software Version

To determine the Release of Cisco IOS software currently running on your Cisco router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number on the second output line:

Web Browser Versions and Java Runtime Environment Versions

SDM requires Sun Java Runtime Environment (JRE) version 1.4.2_05 or later, or Java Virtual Machine (JVM) 5.0.0.3810.

PC Operating System Versions

Japanese, Simplified Chinese, French, German, Spanish and Italian language support is available on these operating systems:

New and Changed Information

This section contains information that is new or that has changed since the previous release.

New Features Supported in SDM Version 2.1.1

•

New Hardware Support—SDM supports the following new platforms: Cisco SB100 series, Cisco 850 series, Cisco 870 series, Cisco 180x routers, and Cisco 181x routers.

•

Integrated Wireless Management—SDM Express lets you create a basic configuration for your wireless network. The web-based Wireless Management application allows you to customize the configuration and make security settings based on your site requirements.

•

IPS Provisioning Improvement—IPS supports the new files 128MB.sdf and 256MB.sdf, enabling you to deploy signatures based on router capabilities.

SDM File List

Table 2 SDM File List
File Name	Size	Description
sdm.tar	3 MB	SDM application file.
ips.tar	1.21 MB	Intrusion Prevention System (IPS) application file.
es.tar	762 KB	SDM Express application file.
wlanui.tar	1.8 MB	Wireless Application
home.tar	114 KB	SDM and SDM Express support file.
common.tar	821 KB	SDM and SDM Express support file.
home.shtml	2 KB	SDM and SDM Express support file.
attack-drop.sdf	91 KB	Signature Definition File (SDF) used by IPS.
128MB.sdf	493 KB	Signature Definition File (SDF) used by IPS.
256MB.sdf	732 KB	Signature Definition File (SDF) used by IPS.
sdmconfig-modelnum.cfg For example: sdmconfig-180x.cfg	2 KB	Default configuration file.

Installation Notes

This section contains important information regarding installation and upgrades to SDM.

Cisco 1700 Routers Running ITS/CCME and Cisco IOS Release 12.2(13)T

If you are installing SDM on a router that already has the Internet Telephony Service (ITS) or Cisco Call Manager Express (CCME) application installed in flash memory, you may exceed the number of files allowed in flash memory by installing SDM. Cisco 1700 routers using a Cisco IOS Release 12.2(13)T image cannot have more than 32 files in flash memory.

Before installing SDM, you must delete any unneeded files from flash memory. If no files can be deleted, do not install SDM on the router.

Downloading SDM from Cisco.com and Installing It on the Router

If SDM is not currently installed on the router, the document Downloading and Installing Cisco Router and Security Device Manager (SDM) explains how to download SDM from Cisco.com and install it on the router. To obtain this document, go to the following URL:

Upgrading to a New SDM Release

If a version of SDM later than version 1.0 is already installed on the router, you should use the SDM automatic update feature to install the latest files on the router. SDM automatically checks Cisco.com for more recent versions of SDM, downloads them to your PC, removes the old SDM files from memory, runs the squeeze flash: command if necessary, and copies the latest files to the router. The update feature is available from the Tools menu. Choose Tools > Update SDM > Update from CCO.

If you are currently using SDM version 1.0, you must download the file SDM-Vnn.zip at the following URL:

The document Downloading and Installing Cisco Router and Security Device Manager (SDM) explains how to install SDM and all related files on the router. This document is available at the following URL:

Uninstalling SDM Files

If you want to remove SDM from flash memory or from a router disk file system, you can do so by logging onto the router and completing the following steps in EXEC mode:

Replace N with the actual number of the disk. Use the slot keyword instead of the disk keyword if necessary.

Step 2

Use the delete command to remove the SDM files. The example below deletes the file sdm.tar:

Step 3

Use the delete command to remove the remaining SDM files. The "SDM File List" section lists the files used by SDM.

It is not necessary to use the squeeze flash: command on DOS-based file systems.

SDM version 2.1 or later can be installed on your PC. To remove SDM from your PC, complete the following steps:

Step 1

Click Start > Programn> Cisco Systems > Cisco SDM > Uninstall to launch the Uninstall program.

Step 2

When the message "Do you want to remove the selected applications and all of its features?" appears, click Yes.

Step 3

When the Uninstallation Complete screen is displayed, click Finish.

Restrictions and Limitations

SDM Minimum Screen Resolution

Restrictions for Cisco 7204VXR, 7206VXR, and 7301 Routers

The following restrictions apply to SDM running on Cisco 7204VXR, 7206VXR, and 7301 Routers:

•

WAN configuration is not supported. SDM supports configuration of Ethernet and Fast Ethernet interfaces.

Important Notes

Popup Blockers Disable SDM IPS and SDM Online Help

If you have enabled popup blockers in the browser you use to run SDM or SDM IPS, SDM IPS will not launch, and SDM online help will not appear when you click the help button. To prevent this from happening, you must disable the popup blocker when you run SDM or SDMIPS. Popup blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.

Microsoft Windows XP with Service Pack 2 blocks popups by default. In order to turn off popup blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.

If you have not installed and enabled pop up blockers, go to Tools >Internet Options > Privacy, and uncheck the Block popups checkbox.

Disable Proxy Settings

SDM will not start when run under Internet Explorer using JRE plug-in versions 1.4.2_05 and proxy settings are enabled. To correct this problem, choose Internet Options from the Tools menu, click the Connections tab, and then click the LAN settings button. In the LAN Settings window, disable the proxy settings.

Routers Shipped with SDM Do Not Execute the Standard Cisco IOS Startup Sequence

Because a default configuration file is provided on a router shipped with SDM, the router will not execute the standard Cisco IOS startup sequence. If you are expecting to use the Cisco IOS setup utility, a TFTP/BOOTP configuration download, or other features available through the standard Cisco IOS startup, you will need to erase the configuration file.

To erase the existing configuration and take advantage of the Cisco IOS startup sequence, perform the following steps. This will leave SDM on the router if you later decide you want to use it, but you will need to configure the router manually before you can begin using SDM. Please refer to the router quick start guide and to the SDM FAQ (available at http://www.cisco.com/go/sdm) for information about the minimum configuration required for using SDM.

Step 1

Connect the light blue console cable, included with the router, from the blue console port on the router to a serial port on your PC. See the router hardware installation guide for instructions.

Step 2

Connect the power supply to the router, plug the power supply into a power outlet, and turn on the router. See the router quick start guide for instructions.

Step 3

Use a terminal emulation program on your PC, with the terminal emulation settings 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to the router.

Step 4

At the prompt, enter the enable command, and enter the password cisco.

After the router completes the reload operation, it enters into the standard Cisco IOS startup sequence. You can use the startup sequence to give the router a configuration manually, or to copy a configuration file from the network. If you later decide you want to use SDM to change an existing configuration, refer to the instructions on starting SDM included in the quick start guide for the router.

Unable to Perform "squeeze flash:" Operation

If the router is using a Cisco IOS image earlier than release 12.3T, or release 12.2(13)ZH, it may be necessary to use the squeeze flash: command to reclaim flash memory after repeated use of SDM. If this becomes necessary, SDM will inform you that the squeeze flash: command must be used, and will execute the command upon your confirmation.

However, the squeeze flash: command will not work if an erase flash: command has never been executed on the router. If this is the case you will receive an "Unable to perform `squeeze flash'" warning message, and you will need to run the erase flash: command to enable the use of the squeeze flash: command.

Executing the erase flash: command removes SDM and the Cisco IOS image from the router flash memory, and you will lose your connection to the router. Complete the following steps to save files in flash memory, execute erase flash:, and copy the files back so you can reconnect to SDM.

Step 1

Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in memory.

Step 2

Prepare a TFTP server to which you can save files and copy them over to the router. You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program.

Step 4

Save the router's running configuration to the startup configuration by entering the command copy running-config startup-config.

Step 5

Use the copy tftp command to copy the Cisco IOS image, and the SDM files from flash memory to a TFTP server:

Tip

If you prefer to download a Cisco IOS image, and the SDM-Vnn.zip file, follow these instructions to use an Internet connection to download an SDM-supported Cisco IOS image, and the SDM-Vnn.zip file.

Click the following link to obtain a Cisco IOS image from the Cisco Software Center:

Obtain an image that supports the features you want on the Cisco 12.2(11)T release or later. Save the file to the TFTP server that is accessible from the router.

Step 6

From the PC, log in to the router using Telnet, and enter Enable mode.

Step 7

Enter the command erase flash:, and confirm. The router's IOS image, configuration file, and the SDM files are removed from flash memory.

Step 8

Use the copy tftp command to copy the IOS image and the SDM files from the TFTP server to the router:

Step 9

Start your web browser, and reconnect to SDM, using the same IP address you used when you started the SDM session.

Now that an erase flash: operation has been performed on the router, you will be able to execute the squeeze flash: command when necessary.

Security Alert Dialog May Remain After SDM Launches

When SDM is launched using HTTPS, a security alert dialog box that informs you of possible security problems and asks you if you want to proceed with program launch may appear. This can happen if the router does not have the following global configuration command in the running configuration:

Caveats

Caveats describe unexpected behavior in SDM. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.

Open Caveats—Release 2.1.1

VPN status in the Monitor windows do not show IPSec security association (SA) parameters for DMVPN whenCLI status commands report that the crypto tunnels are up and traffic is passing through. The DMVPN tunnel is shown as established in the IKE SA tab.

This problem is encountered on routers running Cisco IOS image c3825-advsecurityk9-mz.123-10.2. If an ATM interface is configured on routers running this image, WAN troubleshooting may display inconsistent results. PVC connections may be shown as UP when they are DOWN.

When both SDM and IPS are open, an open dialog box requiring an OK or Cancel in one application will prevent the user from working in the other application.

Workaround: Complete the work in the dialog box and click OK, or click Cancel to close the dialog box before switching to the other application.

If multiple instances of SDM are run under Netscape version 7.1 using the Java Virtual Machine (JVM) or the Java plug-in, and the user shuts down one instance of SDM, then all other open instances of SDM on that PC are shut down.

This problem occurs because Netscape version 7.1 uses only one instance of the JVM or the Java plug-in, even when multiple instances of Netscape are launched. As a result, when one instance of SDM is shut down, Netscape shuts down the JVM or the Java plug-in, and all other instances of SDM are also shut down.

Workaround: If SDM is run under Netscape version 7.1, open only one instance of SDM . Using Internet Explorer is advised when multiple instances of SDM must be opened, such as when the user must configure multiple routers at the same time.

When the crypto identity ca command is used, the Loopback0 interface is shown as having no configured IP address in the Edit Interfaces and Connections window when an IP address has been configured.

Workaround: Disregard the IP address information in the Interfaces and Connections window. If you need to view the IP address, choose the interface and click the Edit button.

This problem is caused by the Cisco IOS caveat CSCef46305. After an Easy VPN Remote connection has been brought up after a successful user authentication (Xauth), the remote peer may not be listed in the Easy VPN Remote Edit screen if SDM is refreshed or reinvoked. If this problem occurs, Easy VPN Remote troubleshooting might not behave as expected for this connection.

This problem will occur only when the Easy VPN server sends Xauth challenges to the Easy VPN remote at the same time that the Easy VPN remote is trying to establish a tunnel with the VPN server.

When an Easy VPN Server is configured using Digital Certificates for authentication, and an Easy VPN Remote connection is configured on another router, the client statistics for the Easy VPN server are all shown as 0 in the VPN Status window.

Workaround: To view client statistics, choose Tools > Telnet. Log in to the router, and issue the show crypto session command.

When adding a new signature to the ATOMIC.ICMP engine, you may see the error message "[Enum(xxx)-StorageKey-ATOMIC.ICMP] the value AaBb is not a valid value."

Workaround: In the Add Signature window, go to the parameter StorageKey, and click the green square to enable editing for this parameter. the green square icon will change to a red diamond icon. Choosing any value from the drop down box will fix this problem.

This problem is caused by the Cisco IOS caveat CSCef64124. When the user unchecks the Save Xauth username and password on the router check box in the Edit Easy VPN Remote dialog box and clicks OK, the command is delivered to the router, but SDM shows the check box as checked, and the corresponding command is still shown in the running configuration if SDM is refreshed.

This occurs when the user wants to remove the saved Xauth username and password in Easy VPN Remote.

If an Easy VPN Remote configuration has connections to more than one Easy VPN server configured, VPN troubleshooting decaveatging may report troubleshooting results for only one VPN server or give incorrect recommendations. This issue is seen only in some Cisco IOS images.

Invoking SDM with a user associated with SDM_Monitor view adds a PKI trust point and an Easy VPN profile. This behavior does not affect the running configuration.

Workaround: Invoke SDM with a user associated with a different CLI view, or with a user of privilege level 15.

SDM filenames are case sensitive. If the SDM files are copied from the PC hard disk to a flash card, File Explorer changes the names to uppercase. When this happens, SDM cannot be invoked from this flash card.

Workaround: Before removing the flash card from the PC, restore the filenames to lowercase.

When the router is running a Cisco IOS image that does not support the show pppoe session command, WAN troubleshooting may not report any reasons for failure or recommended actions for PPPoE connections that are found to be down.

If a firewall is configured for an interface which already has a Management Access policy associated with it, choosing Replace in the Merge/Replace dialog box might prevent access to certain networks.

This occurs because choosing Replace causes the policy access control entries (ACEs) to be disassociated from the interface but not from the vty or HTTP line.

Workaround: When running Firewall wizard on an interface configured with Management Access policy, choose Merge option instead of Replace and proceed.

VPN troubleshooting may report a possible Maximum Transmission Unit (MTU) problem in the passthrough network when the tunnel is up. If the VPN interface is a dialer interface configured on an asynchronous interface, this problem may not always exist, and the displayed recommended action will have no effect.

Due to a problem with Cisco IOS, if a custom protocol is mapped to a port and the same custom protocol is specified for matching under a classmap, and then the mapping of the custom protocol is deleted from the configuration , Cisco IOS does not give any warning message that the user should first delete the match protocol custom-01 commands that make use of the custom protocol mapping.

–

Remove all the match protocol statements that reference the custom protocol that you configured.

This problem is caused by Cisco IOS caveat CSCef52919. A user with privilege level 1 who is associated with a view may be able to log in to SDM with a privilege level of 15. This occurs when authentication authorization and accounting (AAA) is enabled, and a vty line is configured with privilege level 2 through 15.

Workaround: Do not configure privilege 1-level users. The problem does not occur when users of higher privilege levels are configured.

When you update SDM, if any of the uploaded SDM files shows a size of zero bytes when show flash is invoked, no operations such as copy or delete can be performed on flash memory. This problem rarely occurs.

Workaround: Restart the router to be able to perform operations on flash memory. If files of zero bytes are shown in a show flash display, restart the router before starting SDM.

Router does not reload with default configuration when a' user executes a Reset To Factory Defaults operation in SDM.

If the router is running Cisco IOS Release 12.2(11)T6, and the last 4 bits of the config-register value are set to 0, for example 0x2100 or 0x1100, the router does not reload when the user performs a Reset To Factory Defaults. SDM indicates that it has sent a reload command to the router and shuts down, and the default configuration is copied to the startup-config, but the reload command has not executed, and the router is still using the running configuration that was present before the Reset To Factory Defaults operation.

Workaround: Use the CLI config-register command to ensure that the last 4 bits of the config register are not set to 0 (zero).

If you delete a WAN connection that you created, an ip nat inside command may still remain in a LAN interface configuration.

Workaround: To delete the ip nat inside command from the LAN interface configuration, go t o Edit Interfaces and Connections, choose the LAN interface, click Edit, and delete the association in the Association tab.

Enabling AES encryption or IP compression in the Add/Edit IKE Policy or Add/Edit Transform Set windows might not work even though the Cisco IOS image running on the router supports AES encryption or IP Compression. This may happen in the following circumstances:

–

The router has a VPN module that does not support AES encryption or IP compression.

–

Disable hardware encryption by adding the no crypto engine accelerator command to the configuration file using the CLI interface. This command tells the router to use Cisco IOS software for encryption instead of using the encryption provided by the VPN module.

When configuring static routing, if a virtual-template interface is configured as the next hop interface in a static route, SDM generates corresponding CLI commands. Delivering such commands to the router may fail on some platforms.

Workaround: Do not configure a virtual-template interface as a next hop interface if it is not supported on the router.

When SDM runs with a Cisco IOS image of a release earlier than 12.3T, or earlier than Release 12.2(13)ZH, the HTTP server appends unnecessary characters to names of files it displays. As a result, when SDM is started, the web browser displays the warning "Content does not match the signature."

When an Easy VPN tunnel is active, using SDM to apply a NAT configuration to the Easy VPN inside and outside interfaces will deliver ip nat inside and ip nat outside commands to the router, but the running configuration will not be changed. SDM displays no error message when this is attempted.

Workaround: To apply a NAT configuration to interfaces that have been designated as Easy VPN inside or outside interfaces, complete the following steps in SDM:

–

Choose the Easy VPN tunnel in the VPN Connections window and click Disconnect. If the Connect/Disconnect button is disabled, choose the interface in the Interfaces and Connections window, open the Association tab for that connection and change the Easy VPN association to None.

–

Open the NAT window, click Designate NAT Interfaces, and designate NAT inside and NAT outside interfaces.

–

Select the Easy VPN tunnel, and click Connect. If you had to disassociate the Easy VPN tunnel from the connection, return to the Association tab, and choose the Easy VPN connection name again.

SDM will not start on a Cisco 831 router with 32 MB of memory if run from Netscape. An exception will be displayed in the Java console window, and in the router console window indicating a memory allocation failure.

Workaround: Run SDM using Internet Explorer version 5.5 or later. Or, if you want to continue to use Netscape, log in to the router CLI and enter the following memory-size command in global configuration mode:

XAuth authentication intermittently fails, and Easy VPN tunnels cannot be established using SDM on routers running Cisco IOS Release 12.3(4)T. When the user attempts to do an Xauth authentication in SDM, the following error message is displayed:

This message is followed by another indicating that the connect command was delivered to the router, but that the tunnel was not established.

Workaround: In the VPN Connections window, choose the Easy VPN tunnel configuration and click the Reset Tunnel button to clear the tunnel and reconnect it. If this does not bring up the tunnel, use the Login button, more than once if necessary, to bring up the tunnel.

When SDM Express runs with Cisco IOS image of Release 12.2(15)T, it fails to download the configuration file from the CNS server through the SDM Express wizard. See CSCin65539 for more details. This issue occurs only with Cisco IOS Release 12.2(15)T.

On Cisco 7x00 routers, the SDM Update feature is supported if the current SDM files were loaded onto the router flash disk or CompactFlash disk. However, the SDM Updates feature fails to upload new SDM files to the router if the current SDM files were installed in flash memory. The SDM Updates feature uses RCP protocol to upload the new SDM files to the router, but the RCP Server misinterprets the "flag" sent by the RCP Client for the above mentioned file systems.

Workaround: If the current SDM files were loaded into flash memory, update to the new SDM version by manually copying the new SDM files to the file system of the router using a TFTP server. To make use of the automatic SDM Update feature, always install SDM files on the flash disk or CompactFlash disks (disk0, disk1, disk2).

SDM should not get invoked from boot images such as kboot images on 72xx routers. Such boot images are a subset of the Cisco IOS software and do not support all router functions.

Workaround: Boot the router with an SDM-supported Cisco IOS image, and then invoke SDM. See Table 1 for the Cisco IOS releases that SDM supports.

On 72xx platforms, encryption is not supported on PA-4T port adapters. Because the CLI does not support crypto maps for these types of interfaces, SDM will fail to assign crypto maps to these interfaces. The PA-4T port adapter will not support future compression and encryption features.

Whenever any unconfigured interface contains the description $FW_INSIDE$, on a router configured with a firewall, adding a new NTP server will not modify the firewall ACLs to allow NTP passthrough traffic. Instead, when the user edits the firewall's outside interface in the Interfaces and Connections window, SDM prompts the user to add the NTP passthrough traffic.

Workaround: Use the CLI to manually remove the description $FW_INSIDE$ from the unconfigured interface.

If the interface used for the primary backup connection is configured for PPPoE encapsulation, the backup connection will not function properly if the next hop address is specified during configuration. A Cisco IOS caveat (CSCin64336) has been filed for this problem. If the interface used for the primary backup connection is an Ethernet interface configured without encapsulation, the backup connection will not function properly if the next hop address is not specified during configuration.

–

For PPPoE connections: Do not provide the next hop IP address when you configure the primary backup connection.

–

For Ethernet connections without encapsulation: Do provide the next hop IP address when you configure the primary backup connection.

If the WAN wizard is used to configure an analog modem connection as a primary backup connection, and the analog modem connection is deleted, SDM may report that the interface contains unsupported configuration parameters.

The Interfaces and Connections window may display the Backup option in disabled state for asynchronous interfaces on Cisco 831 and Cisco 837 routers. This will occur when the following operations have been performed:

–

The interface used for the primary backup connection is configured with an SDM-supported IP address type.

–

The asynchronous interface is configured as the backup for a primary interface.

When the IP address of the primary interface is changed, SDM displays a Yes or No warning popup asking if you want to remove the backup configuration. If you choose Yes, SDM removes the backup configuration, but the Interfaces and Connections window still shows the backup option as disabled, preventing you from choosing the asynchronous interface as a backup interface.

Workaround: Delete the asynchronous interface configuration using the Interfaces and Connections window.

When the router is configured to use PPPoE, users may not be able to download a file using FTP or display web pages from Internet hosts that they are able to ping or access using telnet. This can happen if SDM is being used on a router with interfaces that SDM does not support, such as Token Ring or VLAN interfaces. SDM does not deliver the command ip tcp adjust-mss 1452 to unsupported interfaces.

Workaround: Use the CLI to add the ip tcp adjust-mss 1452 command to the VLAN or Token Ring interface configuration. Use Telnet to access the router and enter the following command in VLAN or Token Ring interface configuration mode:

The SDM Express wizard may not deliver the configuration to a Cisco 2691 router running Cisco IOS images of Release 12.2(15)T or 12.2(15)ZJ when SSH is used to communicate between SDM Express and the router. When SDM Express is invoked using the string https://router-IP-address, it uses SSH.

Workaround: When launching SDM Express, click Cancel in the SSH credentials window. SDM Express will use the Telnet protocol to communicate with the router. Enter the login ID and password in the Telnet credentials window.

When launching the Dynamic Multipoint Virtual Private Network (DMVPN) Hub and Spoke wizard, SDM may take up to 12 seconds to display the first wizard window. This latency may occur if a JRE plug-in of any version is running in the browser, or if SDM is using the SSH or Telnet communications module.

SDM may take several seconds to display screens in the DMVPN wizard. This latency may occur if a Java plug-in is running in the browser.

Using anIP unnumbered interface as a DMVPN tunnel source may cause Cisco IOS to crash. An interface configured as IP unnumbered uses the IP address of another interface on the router. This Cisco IOS problem does not always occur.

Workaround: Instead of using an IP unnumbered interface as the DMVPN tunnel source, use the interface that is referenced in the ip unnumbered command. If you are configuring a hub, the interface must have a static IP address.

The router reloads when an NHRP tunnel interface is removed. This is a Cisco IOS caveat which you may encounter when deleting a DMVPN tunnel. This caveat duplicates CSCed41641.

If an Analog Modem or ISDN connection is deleted using SDM, the dialer interface may not be deleted from the configuration and the router may reload. This is due to a Cisco IOS caveat, CSCin69090. This occurs on routers using Cisco IOS images of Release 12.3(4)XG or later, or Cisco IOS Release 12.3(7)T.

On routers running Cisco IOS Release 12.3(6), Cisco IOS may reload if SDM is started using HTTPS.

Workaround: Start SDM by entering http://ip-address. Do not use https://ip-address.

The SDM Express wizard may fail if the router is running Cisco IOS Release 12.3(9) and there is not sufficient space in NVRAM to save the startup configuration. This problem should not occur with new routers.

Workaround: If this problem occurs, use the CLI to remove unneeded files from NVRAM.

SDM does not issue the ntp update-calendar Cisco IOS command on Cisco 7200 routers if there are no new settings to enter and if the Network Time Protocol (NTP) server was configured using the CLI, only one NTP server IP address was provided and no ntp update-calendar Cisco IOS command was present in the running configuration.

Workaround: Use SDM to delete the NTP server configuration entry, click Refresh, and then re-create the entry, or make changes to the existing NTP server entry.

Because of a Cisco IOS issue (CSCee63313), if SDM is used to enable IPS on an interface, and then used to disable IPS on that interface, the router crashes.

Due to a Cisco IOS issue (refer to CSCee58000), SDM is unable to configure a virtual auxiliary port on Cisco 831, 836, or 837 routers running Cisco IOS Release 12.3(7)XR1.

Workaround: Load the rebuilt Cisco Release 12.3(7)XR2 image on the router when it becomes available and then use SDM to configure a virtual auxiliary port.

When SDM is installed on a PC, it cannot be launched if run from Netscape 7.1 or 7.2 and popup blockers have been enabled.

Workaround: In Netscape, go to Edit > Preferences > Privacy and Security > Popup Windows. In the Popup Windows section, uncheck Block unrequested popup windows, and then click Apply. Relaunch SDM.

A download exception message may appear in the Java console when SDM is launched on a PC running Japanese Windows 2000, or Japanese Windows XP. This problem does not prevent SDM from starting or from being used.

The SDM installation program does not use HTTPS to back up files from the router.

When SDM is invoked from SDM Express, and SDM Express has been started under a nondefault browser, you must reenter router username and password before SDM will start.

When SDM is installed on a PC running Windows XP with Service Pack 2, Internet Explorer will display a message bar at the top of the browser window stating: "To help protect your security, Internet Explorer has restricted this file from showing active content that access your computer. Click here for options..." Clicking Allow blocked content does not enable SDM to launch.

Workaround: In Internet Explorer, go to Tools > Internet Options > Advanced. Then scroll to the Security section, check Allow active content to run in files on my computer, and click Apply. Then relaunch SDM.

When SDM is run with certain Cisco IOS images, the number of Open Shortest Path First (OSPF) processes created can be greater than the number of interfaces in the administratively UP state. However, the running configuration does not display the value of the area configured for these additional networks. Thus, SDM is unable to display the networks for these additional OSPF processes. This problem has been reported with the following Cisco IOS images:

If signatures are imported using SDM IPS on a router running Cisco IOS Release 12.3(11)T3, systemvariables parameters are ignored by Cisco IOS.

The SDM Update from PC feature will not operate when the SDM-Vnn.zip file is placed in a shared folder with read-only access.

Workaround: Do not place the SDM-Vnn.zip file in a folder with read-only access.

Because of a problem with Cisco IOS (CSCeg63077), VPN troubleshooting will not detect the IKE mismatch in site-to-site VPN configuration. Instead it will give a generic recommendation to apply the mirror configuration generated by SDM which would solve this problem.

Workaround: Follow the recommendation displayed in the VPN troubleshooting windowo to apply mirror configuration on both the devices.

Table Of Contents