Note You can find the most current documentation for the VPN Client at http://www.cisco.com or
http://cco.cisco.com. These electronic documents may contain updates and changes made after the hard
copy documents were printed.
These release notes support VPN Client software Release 3.7 for the Linux, Solaris, and Mac OS X operating systems and for the incremental "point" release, Release 3.7.2. Please note that there is no Release 3.7.1. These release notes are updated as needed to describe new features, product and procedure changes, caveats, and related documentation. Please read the release notes carefully prior to installation.
Release 3.7.2 fixes a number of caveats that were outstanding in Release 3.7. There are no new features in this release. The features in the following list were introduced in Release 3.7.
Release 3.7 adds a graphical user interface for managing the VPN Client for Mac OS X, in addition to the command-line interface. Refer to the Cisco VPN Client User Guide for Mac OS, Release 3.7 for more information.
The installer for the VPN Client for Solaris is now packaged as a single installation file for all supported Sun platforms.
The VPN Client for Linux now supports ISDN connections in addition to PPP and Ethernet.
The VPN Client on the Sun Solaris platform now supports PPPoE, PPP Version 4.0, and Solaris Version 9.
System Requirements
The VPN Client supports:
Red Hat Version 6.2 or later Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.
Note The VPN Client for Linux does not support kernel Version 2.5 or SMP (multiprocessor) kernels.
UltraSPARC computer running a 32-bit or 64-bit Solaris kernel OS Version 2.6 or later.
Macintosh computer running OS X Version 10.1.0 or later.
Supported Hardware
The Cisco VPN Client supports the following Cisco VPN devices:
Cisco IOS software devices that support Easy VPN server functionality
VPN 3000 series concentrators
Cisco PIX Firewall series, Version 6.2 or later
Caveats Fixed in This Release
This section describes the caveats resolved in the Cisco VPN Client Version 3.7.2 for Solaris and Mac OS X. There are no new fixes for the Linux platform.
While using a VPN Client for Solaris, over a period of heavy traffic, the workstation locked up or panicked. This condition was usually caused by certain traffic types that unexpectedly caused problems with the workstations stack. The file transfer protocols NFS and SCP have been known to cause this issue.
CSCdy44907
In rare circumstances, users of the VPN Client for Solaris, Release 3.6, experienced system failures after creating a VPN tunnel and passing an indeterminate amount of traffic when running in 32- or 64-bit mode.
CSCdz48205
VPNClient version 3.7.2did not support the ipdptp dialup interface on Solaris platforms. This ipdptp interface is used for dialup connections on the Solaris 6, 7, and 8 platforms. Solaris 8 can be upgraded with a standard patch from SUN. This allows them to use the new pppd 4.0 driver, which is still supported by the VPN Client. Newer Solaris 8 installations and Solaris 9 use pppd 4.0 as their standard dialup and pppoe driver.
The certificate enrollment dialogue was very tall. On 800x600 screens, it was slightly larger than the desktop.
CSCdy74476
Text labels on buttons could not be clicked on. You had to click on the actual button icon.
CSCdz03183
The Simple GUI allowed resizing, but it should not do so.
CSCdz12816
If the VPN Client disconnected, the MTU was not reset to its pre-connected value. For example, if the MTU was 1500 before the connection, the VPN Client reduced it to 1356 upon connecting. If the connection was lost, due to an interface going down or the Macintosh going to sleep, the MTU stayed at 1356, rather than being reset to 1500, as was expected.
CSCdz13444
Connection attempts using a VPN Client for Mac OS X failed when the VPN Concentrator was configured for load balancing.
This condition appeared only when the VPN Client is attempting to connect using TCP NAT (TunnelingMode=1). This issue was introduced in Release 3.6.2; it had been working in previous versions. However, Mac OS X 10.2.x did not allow TCP NAT connections in previous versions and was limited in which interfaces were functional in earlier versions. Mac OS X 10.1.x is fully functional in earlier versions supporting Mac OS X.
CSCdz25443
IPSec over TCP (cTCP) worked inconsistently with Release 3.7 of the Cisco VPN Client when running on Mac OS X 10.2. You could usually get TCP to connect the first time you tried, but after that it would not connect unless you restarted the VPN Client. Tried this via dial-up and via broadband (wireless and wired).
CSCdz27760
Uninstaller from the Applications folder appeared to do nothing. Running the command line uninstaller failed with the following errors:
[labusers-Computer:~] labuser% cd /Applications/Uninstall\ Cisco\ VPN\ Client.app/Contents/MacOS/
[labusers-Computer:Uninstall Cisco VPN Client.app/Contents/MacOS] labuser% ls
Uninstall Cisco VPN Client
[labusers-Computer:Uninstall Cisco VPN Client.app/Contents/MacOS] labuser% ls -l total 16
An unresolved symbol error no longer appears when the VPN Client builds the driver during the installation. Previously, this occurred because the get_fast_time function, required by the VPN Client, was removed from the Linux kernel API in the 2.4.18 release.
CSCdw87223
The VPN Client for Linux now binds only to supported interfaces (asynchronous serial PPP and Ethernet).
CSCdy38606
When you install the VPN Client for Linux on a Mandrake Linux, the installer script now looks for the ID in the previous default location usr/bin/id and the new default location usr/id.
CSCdy49082
The VPN Client now supports the new Linux distributions that use Version 3.2 + of the GCC compiler.
The VPN Client for Solaris install script now properly identifies the 10-MB Ethernet network interface and provides the correct entry in the /etc/iu.ap file.
Connection reliability issues no longer occur when you use the VPN Client for Mac OS X configured for cTCP NAT (TunnelingMode=1).
CSCdy48192
You can now configure a VPN Client for IPSec over TCP when running Mac OS Version 10.2.
CSCdy51818
Split tunneling now functions properly for a VPN Client running Mac OS Version 10.2.
CSCdy59183
A VPN Client running Mac OS Version 10.2 no longer fails to connect to a VPN device if IPv6 is enabled.
CSCdy81700
You can now pass nontunneled traffic (other than ICMP) with split tunneling enabled on a VPN Client for Mac OS X and with OS Version 10.2.x on your workstation.
A VPN Client configured to use IPSec over TCP for NAT Transparency (TunnelingMode=1) can now use backup servers during connection attempts.
CSCdv75911
If you use a large certificate for authentication (such as one created by a Microsoft CA), a VPN Client configured to use IPSec over TCP for NAT Transparency (Tunneling Mode=1) can now establish a connection using PPP or Ethernet.
CSCdy41127
The VPN Client now works correctly on interface en1 (Apple AirPort WiFi) card when running Mac OS Version 10.2.
If you issue the cisco_cert_manager command or any associated command operations, numerical error codes that cannot be interpreted without a translation table no longer appear.
CSCdu76408, CSCdv53430, CSCdv90944
The VPN Client for Linux can now establish a connection using certificates generated by a Microsoft Certificate Authority (CA).
CSCdv43364
The Simple Certificate Enrollment Protocol (SCEP) option is now available from the VPN Client cisco_cert_mgr -E -op enroll command.
CSCdv53367
The VPN Client can now pass large packets over a PPP connection if the client is configured to use IPSec over TCP or UDP for NAT transparency.
CSCdv61653
When you import a certificate, the password prompt now prompts you for an import password instead of a password to clarify which password to enter.
CSCdv66465
NFS file systems and directories are no longer unusable when the VPN Client is connected.
CSCdv82220
If IP masquerading is enabled on your workstation, you no longer experience difficulty using certain applications after the VPN Client is installed.
CSCdv86262
If you issue the kill -9 command to the VPN Client or the cvpnd process, the tunnel is properly closed.
The documentation for the VPN Client for Solaris has been updated to more accurately reflect the certificate enrollment process and now contains certificate troubleshooting tips.
CSCdv53358
The VPN Client can now use large certificates (such as one created by a Microsoft CA) over a PPP connection and when it is configured to use IPSec over TCP for NAT transparency.
The VPN Client can now upload large packets to a VPN 3000 concentrator over a PPP or Ethernet connection if NAT transparency is enabled on both ends of the tunnel.
CSCdu58641
If the VPN Client is shut down improperly, the /etc/rc.d/init.d/vpnclient_init stop command now correctly unloads the client kernel module.
CSCdu66280
During the installation process, the VPN Installer now correctly unloads a currently running VPN module.
CSCdu66791
FTP downloads performed using IPSec/UDP are no longer slower than FTP downloads performed using IPSec Protocol 50 (ESP).
CSCdu66993
The VPN Client no longer becomes inoperable if your Version 2.4 kernel is compiled with CONFIG_NETFILTER enabled.
CSCdu67913
Systems behind a device using port address translation (PAT) are now able to access web pages when the VPN Client is loaded on a workstation, but not in use.
CSCdu81881
The host name on the computer running the VPN Client is now resolved in DNS. Previously, this occurred on a Mandrake Version 8.0 system running Version 2.4.7 kernel.
CSCdu82424
The VPN Client module is now built properly on Redhat Version 7.1.
CSCdv04430
When you use the VPN Client with Redhat Version 6.2 with the Enable Backup feature enabled, you can now pass traffic when it is redirected to a backup server or a load balancing server.
CSCdv10084, CSCdv13171
When LZS Compression is enabled on the VPN Client, DNS names are resolved and you can access internal web pages.
CSCdv49427
The VPN Client now has the capability to fragment large certificates and establish an IPSec over TCP connection with a VPN 3000 concentrator using Software Version 3.5.
Open Caveats
The following sections describe known issues for the VPN Client Version 3.7.
Open Caveats for Linux
CSCdv73541
The make module process fails during installation of the VPN Client.
Workaround: The module build process must use the same configuration information as your running kernel.
If you are running the kernels from Redhat, you must install the corresponding kernel-sources rpm. On a Redhat system with kernel-sources installed, there is a symlink from /lib/modules/2.4.2-2/build to the source directory. The VPN Client looks for this link first, and it appears as the default value at the kernel source prompt.
If you are running your own kernel, you must use the build tree from the running kernel to build the VPN Client. Merely unpacking the source code for the version of the kernel you are running is insufficient.
CSCdw60694
The VPN Client does not function if it is installed on a Linux system using hotplug.
No workaround.
CSCdx33045
A Linux workstation becomes inoperable when you use the VPN Client with a PPP connection and configured to use SecurID for authentication. This occurs using kernel revision 2.4.7 to 2.4.17 on Red Hat.
No workaround.
CSCdy89047
The VPN Client does not support Wireless LAN Ethernet cards.
The VPN Client does not provide a 30-day warning when your certificate is near expiration or when your user identity certificate is near expiration. If your certificate expires, the following message appears:
Unable to contact security gateway.
Workaround: Confirm your expiration date on the Certificates tab in the Validity field.
CSCdz04238
The progress bar for the VPN Client for Mac OS X installer does not accurately reflect the progress of the installation process, which takes an inordinate amount of time.
If an IP firewall is installed on your workstation, the reboot after installation of the VPN Client takes an inordinate amount of time. This is caused by a conflict between the VPN Client kernel module cipsec and the ipfilter firewall kernel module.
Workaround: Disable the ipfilter firewall kernel module before you install the VPN Client.
CSCdy30098
If you use the VPN Client for Solaris with the pppd Version 4.0 driver over PPPoE, the client can establish a VPN connection, but cannot pass traffic. This occurs because the client is unable to pass traffic if used with a PPPoE connection exclusively. The VPN Client must first attempt an hme connection, even a failed one, to properly prepare for the PPPoE connection.
Workaround:
a. Restart the Solaris workstation.
b. Attempt a VPN connection while the PPPoE link is down. You might be required to assign a false address to the hme interface if it does not have one. It is not necessary for this connection attempt to succeed.
c. When the connection times out, restore the PPPoE connection.
VPN traffic should pass normally. If you restart your workstation for any reason, you must repeat this process.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
Before calling, check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, have your service agreement number and your product serial number available.
