|
|
Table Of Contents
Release Notes for Cisco
VPN 3000 Series Concentrator, Release 3.6.7Downgrading from Release 3.6.7
New Features in Releases 3.6.3 Through 3.6.7
DHCP Relay for Wireless Operation (Includes Microsoft VPN Client Route List via DHCP)
Ratified IPSec/UDP Implementation (NAT Traversal)
Advanced Encryption Standard (AES)
Support for Diffie-Hellman Group 5
Backup CRL Distribution Points
SDI Upgrade (ACE/Agent Enhancements)
Dynamic DNS (DDNS Host Name Population)
L2TP/IPSec Authentication Enhancements (EAP/TLS, EAP/SDI)
LAN-to-LAN Filters on the VPN 3000 Concentrator
Management Interface Enhancements
IPSec Backup Servers Feature Now Applies to the VPN Client
Disable Group Lock When Using SDI or NT Domain Authentication
Password Expiry Does Not Change User Profile for LAN
Browser Interoperability Issues
VPN Client Used with Zone Labs Integrity Agent Uses Port 5054
Administer Sessions Screen Shows Data for Wrong Group
Long Initialization for SNMP Traps in Releases 3.0, 3.5, and 3.5.1
Accessing Online Glossary Requires Connection to Cisco.com
SNMP Traps VRRPNotifications and cipSecMIBNotifications Are Not Supported
RSA Allows a CA to Issue Only One Certificate with any DN
Rebooting after Installing New Hardware
Reauthentication on Rekey Interval
Open Caveats for VPN 3000 Series Concentrator
Caveat Resolved in Release 3.6.7
Caveats Resolved in Release 3.6.6
Caveats Resolved in Release 3.6.5
Caveats Resolved in Release 3.6.4
Caveats Resolved in Release 3.6.3
Caveats Resolved in Release 3.6.1
Caveats Resolved in Release 3.6
VPN 3000 Concentrator Documentation Updates
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Technical Assistance
Copyright and Trademark Information
Release Notes for Cisco
VPN 3000 Series Concentrator, Release 3.6.7
CCO Date: December 18, 2002
Part Number 78-15217-04
Introduction
Note
You can find the most current documentation for released Cisco VPN 3000 products at http://www.cisco.com or http://cco.cisco.com. These electronic documents might contain updates and changes made after the hard-copy documents were printed.
These release notes are for Cisco VPN 3000 Series Concentrator Release 3.6 and for its incremental "point" releases through Release 3.6.7 software. Please note that product release numbers are not necessarily consecutive. These release notes describe new features, limitations and restrictions, interoperability notes, and related documentation. They also list issues you should be aware of and the procedures you should follow before loading this release. The section, "Usage Notes," describes interoperability considerations and other issues you should be aware of when installing and using the VPN 3000 Series Concentrator. Read these release notes carefully prior to installing this release.
Contents
These release notes describe the following topics:
New Features in Releases 3.6.3 Through 3.6.7
Open Caveats for VPN 3000 Series Concentrator
Caveat Resolved in Release 3.6.7
Caveats Resolved in Release 3.6.6
Caveats Resolved in Release 3.6.5
Caveats Resolved in Release 3.6.4
Caveats Resolved in Release 3.6.3
Caveats Resolved in Release 3.6.1
Obtaining Technical Assistance
System Requirements
This section describes the system requirements for Release 3.6.7.
Hardware Supported
Cisco VPN 3000 Series Concentrator software Release 3.6.7 supports the following hardware platforms:
•
•
Platform Files
Release 3.6.7 contains two binary files, one for each of two platforms:
•
•
Caution
Upgrading to Release 3.6.7
This section contains information about upgrading from earlier releases to Release 3.6.7.
When upgrading VPN 3000 Concentrator releases, you must clear the cache in your browser to ensure that all new screens display correctly when you are managing the VPN Concentrator.
Note
Upgrading to a new version of the VPN 3000 Concentrator software does not automatically overwrite the existing configuration file. Configuration options for new features (for example, IKE proposals) are not automatically saved to the configuration file on an upgrade. The HTML Manager displays "Save Needed" (rather than "Save") to indicate that the configuration needs to be saved. If the configuration is not saved, then on the next reboot, the new configuration options are added again. If you need to send the configuration file to the TAC, save the running configuration to the configuration file first.
Before You Begin
Before you upgrade to this release, back up your existing configuration to the flash and to an external server. This ensures that you can return to the previous configuration and software if you need to.
Be aware of the following considerations before you upgrade. These are known product behaviors, and your knowing about them at the beginning of the process should expedite your product upgrade experience. Where appropriate, the number of the caveat documenting the issue appears at the end of the item. See Open Caveats for VPN 3000 Series Concentrator for a description of using this number to locate a particular caveat.
Release 3.6.7 of the VPN 3000 Concentrator software contains several features that interact with corresponding new features in the Release 3.6.x versions of the VPN Client and VPN 3002 Hardware Client software. To get the full benefit of this release you should upgrade your client software as well as your concentrator software. The VPN 3000 Concentrator software, Release 3.6.7, does operate with VPN Client and VPN 3002 Hardware Client versions 3.0 and higher, but you should upgrade these, too, to take full advantage of the new features.
•
•
•
Use the following backup procedure to ensure that you have a ready backup configuration.
Backing Up the Existing Configuration to the Flash
1.
2.
3.
You have now backed up the existing configuration to the flash.
Backing Up the Existing Configuration to an External Server
You should also back up the configuration to a server. You can do this in many ways, one of which is to download the file using your Web Browser from the HTML interface (VPN Manager).
You can now upgrade the software with assurance that you can return to your previous firmware using your previous configuration.
Note
Downgrading from Release 3.6.7
If you need to return to a release prior to Release 3.6.7, do the following:
Step 1
Step 2
Step 3
Step 4
Step 5
Your prior firmware and image are restored.
New Features in Releases 3.6.3 Through 3.6.7
These releases update the VPN 3000 Series Concentrator software to resolve several outstanding caveats. Refer to the appropriate "Caveats Resolved in Release 3.6.x" section of these Release Notes for details for each release.
Note
New Features in Release 3.6.1
This section describes the new features in Release 3.6.1 of the VPN 3000 Series Concentrator. For detailed instructions about how to configure and use these features, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Management.
Network Extension Per Group
Network extension per group lets a network administrator restrict the use of network extension mode on the VPN 3002 Hardware Client. You enable the use of network extension mode for clients on a group basis.
Bandwidth Management
Bandwidth management provides a throttling mechanism to all tunneled traffic that limits the maximum amount of bandwidth allowed per group/user (policing) or provides a minimum amount of bandwidth allowed per group/user (bandwidth reservation).
•
•
Policies containing both bandwidth reservation and policing apply on the interface and group level. You must create a policy before enabling bandwidth management. For an overview of bandwidth management, see Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify in the VPN 3000 Series Concentrator Reference Vol. I: Configuration.
To configure bandwidth policies, go to Configuration | Policy Management | Traffic Management | Bandwidth Policies.
To enable bandwidth management on the public interface, go to Configuration | Interfaces | Public Interface and select the Bandwidth Management tab. Check the Bandwidth Management check box, set the Link Rate, and apply a policy to the interface. The policy applied to the public interface is considered the default or global policy for all groups/users that do not have a bandwidth policy applied to their group.
The defined Link Rate must be based on available Internet bandwidth and not on the physical LAN connection rate. For example, if the Internet router in front of the VPN Concentrator has a T1 connection to the Internet, leave the Link Rate set on the VPN Concentrator at the default value of 1544 kbps.
To configure bandwidth policies on a group, go to Configuration | User Management | Groups | Assign Bandwidth Policy. Select the public interface and apply a policy. This page also has an option to reserve a specific amount of bandwidth per group.
To configure a bandwidth policy for a LAN-to-LAN connection, go to Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN and apply a policy.
DHCP Relay for Wireless Operation (Includes Microsoft VPN Client Route List via DHCP)
The DHCP Relay feature lets wireless clients obtain a network configuration from the corporate network before creating a VPN tunnel. This may be used with the VPN Client autoinitiation feature to obtain a network configuration and automatically connect to the secure gateway when a configured wireless LAN (WLAN) is detected.
To add DHCP, go to Configuration | System | IP Routing.
To configure DHCP Relay, go to Configuration | System | IP Routing | DHCP Relay.
To enable DHCP Relay, you must also assign proper rules to filters in the Configuration | Policy Management | Traffic Management | Filters screen
DHCP Intercept
DHCP Intercept uses DHCP to provide a Microsoft L2TP/IPSec Client with a Subnet Mask, Domain Name, and Classless Static Routes.
This feature allows the VPN Concentrator to reply directly to the Microsoft Client DHCP Inform message. This is useful in environments in which using a DHCP server for this purpose is not advantageous.
You configure this feature on a per-group basis on the Client Config tab of either the Configuration | User Management | Base Group screen or the Configuration | User Management | Groups | Add or Modify screen.
Ratified IPSec/UDP Implementation (NAT Traversal)
Release 3.6.1 adds support for NAT Traversal (NAT-T), the new IPSec over UDP encapsulation IETF IPSec Working Group draft standard specification (draft-ietf-ipsec-nat-t-ike-02).
NAT-T lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, thereby providing NAT devices with port information. Multiple IPSec clients behind a NAT/PAT device can connect to the same VPN Concentrator, except Microsoft L2TP/IPSec clients (as noted in the following list). NAT-T auto-detects any NAT devices and encapsulates IPSec traffic only when necessary.
NAT-T has the following limitations and requirements:
•
•
•
To configure NAT-T globally, go to the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen and check the IPSec over NAT-T check box.
Note
LAN-to-LAN NAT Traversal
With Release 3.6.1, you can also enable NAT traversal for LAN-to-LAN sessions. For a LAN-to-LAN connection, you must also check the IPSec over NAT-T check box in the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen.
LAN-to-LAN NAT Traversal has the following limitations and requirements:
•
•
Advanced Encryption Standard (AES)
Release 3.6.1 adds support for Advanced Encryption Standard (AES), which is more secure than DES and more efficient than triple DES. It also adds:
•
•
•
If you configure AES on a VPN 3000 Concentrator group, only clients that support AES (such as the VPN Client, Release 3.6.1) can connect to that group.
To configure AES to the Encryption parameter in Tunneling, go to Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN or Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.
Note
Support for Diffie-Hellman Group 5
Release 3.6.1 adds support for Diffie-Hellman Group 5 for use with LAN-to-LAN connections or VPN Client connections with digital certificates. You can use DH Group 5 with 3DES.
To configure DH 5 and AES, go to Configuration | System | Tunneling Protocols | IPSec | IKE Proposals.
To add DH 5 and AES to the Perfect Forward Secrecy parameter, go to Configuration | Policy Management | Traffic Management | Security Associations.
CRL over HTTP
You can now configure the VPN Concentrator to use the HTTP protocol to retrieve a certificate revocation list (CRL) from a distribution point. If you choose HTTP, you must assign HTTP rules to the public interface filter if you access your distribution points through the public interface. For example, enabling this feature supports the use of public key interfaces (PKI), such as Verisign, that require the use of HTTP.
To configure CRL over HTTP, go to Configuration | System | Management Protocols | HTTP/HTTPS.
CRL Caching
You can configure the VPN 3000 Concentrator to store certificate revocation list (CRL) information in volatile memory (RAM). CRL caching can potentially speed up the process of verifying the revocation status of certificates. With CRL caching enabled, when the VPN Concentrator needs to check the revocation status of a certificate, it first checks whether the required CRL exists in the cache and has not expired. Then the VPN Concentrator checks the serial number of the certificate against a list of the serial numbers in the CRL. If a match exists, the authentication fails.
To configure CRL caching, go to Administration | Certificate Management | Configure CA Certificate.
Backup CRL Distribution Points
You can now configure the VPN Concentrator to retrieve the CRL from the distribution points specified in the certificate being checked, from a user-specified list of up to five static distribution points, or from a combination of these.During IKE negotiation, if CRL checking is enabled, the VPN Concentrator verifies the revocation status of the IKE peer certificate before allowing the tunnel to be established. CRLs exist on external servers maintained by Certificate Authorities. If you configure retrieval of the CRL from a list of distribution points, the VPN Concentrator tries each in turn until it either finds the relevant CRL or exhausts the list.
To configure backup CRL distribution points, go to Administration | Certificate Management and select the Configure option on the appropriate CA certificate.
SDI Upgrade (ACE/Agent Enhancements)
Release 3.6.1 updates the implementation of the RSA ACE/Agent on the VPN Concentrator to the RSA/ACE Agent 5.0 release. It supports ACE/Server Replicas (a more advanced primary/backup feature than what was in earlier versions), two-step authentication, load balancing, and group-based support for multiple node secrets.
Split DNS
Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names (LDN), while ISP-assigned DNS servers resolve all other DNS requests. This feature is used in a split-tunneling connection. You configure LDNs on a Base Group/Group basis.
Dynamic DNS (DDNS Host Name Population)
Dynamic DNS passes the host name to the central site device, which uses that name in the DHCP address request. This feature allows the DHCP server and DDNS to dynamically populate the DNS records.
L2TP/IPSec Authentication Enhancements (EAP/TLS, EAP/SDI)
Extensible Authentication Protocol (EAP) lets a VPN Concentrator proxy the authentication process to an authentication server. This feature supports additional authentication options for the Microsoft VPN Client (L2TP/IPSec), including CHAP (EAP/MD5), Smartcards (EAP/TLS), and RSA SecurID (SDI).
Supporting EAP pass-through on the VPN Concentrator means that Microsoft native IPSec clients can authenticate users through Smartcards or SDI tokens.
To configure EAP, go to Configuration | User Management | Base Group or Configuration | User Management | Groups.
Note
MTU Interface Configuration
You can now configure the Maximum Transmission Unit (MTU) to be a value in the range from 68 through 1500 bytes. To configure the MTU, go to Configuration | Interface | Ethernet 123, General tab.
Secure Copy (SCP)
You can now do secure file transfers using the SCP (Secure CoPy) function over an SSH session. To enable SCP, go to Configuration | System | Management Protocols | SSH and check "Enable SCP".
LAN-to-LAN Filters on the VPN 3000 Concentrator
Release 3.6.1 lets you configure a filter to apply to the traffic that is tunneled through an IPSec LAN-to-LAN connection. To configure LAN-to-LAN filters, go to Configuration | System| Tunneling Protocols | IPSec LAN-to-LAN.
Management Interface Enhancements
Release 3.6.1 lets you view version and operating system information (when available) for connected clients and connected user session information. You can also sort by any of the columns in the table. To view these enhancements, go to the Administration | Administer Sessions screen and the Monitoring | Sessions screen.
NAT over LAN-to-LAN
Release 3.6.1 allows LANs with overlapping or same IP addresses between VPN 3000 Concentrators using static, dynamic, and PAT rules. To answer the need for hosts to communicate across overlapping LANs, the private address space must be translated (NATed).
IPSec Fragmentation
The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the VPN Concentrator and the VPN Client rejects or drops IP fragments. There are three options:
•
•
•
To configure this option, go to Configuration | Interface | Ethernet 123 | General tab. VPN 3000 Series Concentrator Reference Volume 1: Configuration explains these options and gives an example of their use.
Certificate DN Group Matching
In release 3.6.1, you can define rules to match a user's certificate to a permission group based on fields in the Distinguished Name (DN). To specify a policy for group matching by rules, you must define the rules and enable each rule for a selected group that already exists in the configuration. For more information, refer to the description of the Configuration | Policy Management | Certificate Group Matching screen in VPN 3000 Series Concentrator Reference Volume 1: Configuration.
IPSec Backup Servers Feature Now Applies to the VPN Client
The description of the IPSec Backup Servers feature in the VPN 3000 Concentrator Series Reference documentation indicates that it applies only to the VPN3002 Hardware Client. The feature now applies to the Software Client as well. For information about this feature and how to configure it, on the VPN Concentrator, see VPN Client Administrator Guide, Chapter 1. For information about how to configure Backup Servers in the VPN Client, see VPN Client User Guide (CSCdy09630).
Online Help Enhancements
Online help is now easier to use. Release 3.6.1 provides a global help Table of Contents that lets you view and navigate all available help topics. It also offers a search engine, an index, and a glossary.
Usage Notes
This section lists interoperability considerations and other issues to consider before installing and using Release 3.6.7 of the VPN 3000 Series Concentrator software.
Online Documentation
The online documentation might not be accessible when using Internet Explorer with Adobe Acrobat, Version 3.0.1. To resolve this issue, upgrade to Acrobat 4.0 or higher. The latest version of Adobe Acrobat is available at the Adobe web site: http://www.adobe.com.
Disable Group Lock When Using SDI or NT Domain Authentication
Password Expiry Does Not Change User Profile for LAN
You must enable Start Before Logon on the VPN Client and possibly may need to make sure that DNS and WINS servers are properly configured (CSCdv73252).
Browser Interoperability Issues
The following sections describe known behaviors and issues with the indicated Web browsers.
VPN 3000 Concentrator Fully Supports Only Netscape and Internet Explorer
Currently, the VPN 3000 Concentrator fully supports only Netscape and Internet Explorer. Using other browsers might cause unacceptable behavior; for example, if you attempt to use an unsupported Web Browser to manage the VPN 3000 Concentrator, clicking any of the links might return you to the login screen. (CSCdx87630).
Internet Explorer 4.x Browser Issues
The following are known issues with Internet Explorer 4.X and the VPN Concentrator Manager (the HTML management interface). To avoid these problems, use the latest version of Internet Explorer.
•
•
•
After adding a new SSL certificate, you might have to restart the browser to use the new certificate.
VPN Client Used with Zone Labs Integrity Agent Uses Port 5054
VPN Clients, when used with the Zone Labs Integrity Agent, are put into a "restricted state" upon connection to the Integrity Server if a port other than 5054 is used. The restricted state simply means the VPN Client is able to communicate only with the Integrity Server; all other traffic is blocked (CSCdw50994).
Workaround:
Do one of the following:
•
•
Administer Sessions Screen Shows Data for Wrong Group
When an L2TP/IPSec connection is established, authentication should behave as follows:
1.
2.
3.
This all works properly, but in the Administration | Administer Sessions screen, the Tunnel Group displays instead of the User's Group (CSCdy00360).
Long Initialization for SNMP Traps in Releases 3.0, 3.5, and 3.5.1
In Releases 3.0, 3.5, and 3.5.1 of the VPN 3000/3002 products, the SNMP task takes 3-5 minutes to complete initialization after a device reboot. Traps being processed during this interval are queued and sent to the SNMP Management station after SNMP task initialization completes.
However, the cold start trap, normally sent as a result of a device rebooting, is never sent.
In Release 2.5.X, the cold start trap is properly sent to the SNMP Manager after a device reboots (CSCdt01583).
Windows NT Authentication Servers Can't Follow Other Server Types in the a Prioritized Authentication Server List
If an Windows NT server follows a non-NT server in the prioritized authentication server list, and the non-NT server becomes unavailable for some reason, the VPN 3000 Concentrator detects this and falls back to the Windows NT server. If the tunnel being established is PPTP or L2TP, the authentication attempt to the Windows NT server also fails.
Therefore, when configuring PPTP or L2TP connections, do not place Windows NT authentication servers behind other types of servers in the applicable authentication server list (CSCdy07226).
Accessing Online Glossary Requires Connection to Cisco.com
The Glossary button at the top of all Help screens tries to contact univercd at www.cisco.com (the Cisco documentation site). This connection requires connectivity to Cisco's main web site. If your PC does not have a corporate Internet connection or your firewall blocks access, the following error appears when you attempt to access the Glossary:
"The page cannot be displayed."
To access the Glossary, you must be connected to www.cisco.com (CSCdy14238).
SNMP Traps VRRPNotifications and cipSecMIBNotifications Are Not Supported
The VPN 3000 Concentrator does not support the VRRPNotifications and cipSecMIBNotifications SNMP traps. You can configure VRRP for these SNMP traps without getting an error message, but the traps themselves are not supported, so no action occurs. The same is true of Cisco IPSec-flow MIB notifications (CSCdx44580).
RSA Allows a CA to Issue Only One Certificate with any DN
The rekey option to renew an SSL certificate from the RSA CA results in a rejection of the request.
The resubmit/renew feature does work with RSA as long as the certificate being rekeyed or renewed is first deleted from the CA database. RSA does not allow a CA to issue more than 1 certificate with any particular DN (CSCdv27743).
Rebooting after Installing New Hardware
Delays of about 3-50 seconds in making a VPN connection have occurred on Windows XP Professional Edition and Windows 2000 Professional Edition after adding a new NIC card. If you see problems of this nature, reboot the PC after the initial installation of the NIC card (CSCdv27743).
Reauthentication on Rekey Interval
If you have enabled the Reauthentication on Rekey feature, the VPN Concentrator prompts users to enter an ID and password during Phase 1 IKE negotiations and also prompts for user authentication whenever a rekey occurs. Reauthentication provides additional security.
If the configured rekey interval is very short, users might find repeated authorization requests inconvenient. In this case, disable reauthentication. To check your VPN Concentrator's configured rekey interval, see the Lifetime Measurement, Data Lifetime, and Time Lifetime fields on the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add or Modify screen.
Note
Open Caveats for VPN 3000 Series Concentrator
Caveats describe unexpected behavior or defects in Cisco software releases. The following list is sorted by identifier number.
Note
The following problems exist with the VPN 3000 Series Concentrator, Release 3.6.7.
•
L2TP over IPSec connections fail if going through a NAT device. During the connection establishment, the VPN Client and the VPN 3000 Concentrator exchange IP addresses. When the client sends what it believes to be the VPN 3000 Concentrator's address (really the NATed address), the VPN 3000 Concentrator releases the connection.
This is because the address assigned to the interface does not match the address coming in from the client. The same issue exists on the client side. This will not be resolved until the Windows 2000 MS client supports UDP encapsulation.
•
When configuring a LAN-to-LAN connection with IOS or PIX, it is important to match the keepalive configuration (both "ON" or both "OFF"). If the keepalive configuration is OFF for the VPN 3000 Concentrator and ON for the IOS device, the tunnel will be established with data.
IOS tears down the tunnel because the VPN 3000 Concentrator does not respond to IOS style keepalives if keepalives are configured to be OFF for the VPN 3000 Concentrator.
•
In some cases, the Zone Labs Integrity Agent may not properly update on the Windows NT version 4.0 operating system while the VPN Client is connected, policy is changed and re-deployed, and the connection is up. Specifically, if you "Block Internet Servers" under the Firewall Security Rules in the Policy and then Deploy that new policy, a PC running Windows NT version 4.0 receives the updated policy, but it might not put the "Block Internet Servers" setting of that policy into effect.
Workaround:
Reboot the operating system.
•
Due to a Microsoft bug, Windows XP PCs are not capable of receiving a large number of Classless Static Routes (CSR). The VPN 3000 Concentrator limits the number of CSRs that are inserted into a DHCP INFORM message response when configured to do so.
The VPN 3000 Concentrator limits the number of routes to 28-42, depending on the class.
•
The Concentrator may display the following events during a VPN Client connection. These events were found to be due to the client being behind a Linksys Cable/DSL router that was incorrectly modifying the Client's packets, causing them to fail authentication when received by the VPN Concentrator. The problem is more prominent if LZS compression is used.
Events:
131500 06/20/2002 17:08:34.300 SEV=4 IPSEC/4 RPT=4632
IPSec ESP Tunnel Inb: Packet authentication failed, username: gray, SPI:
4e01db67, Seq Num: 0000850f. Dump of failed hash follows.
Linksys has been notified about the problem.
Workaround:
Although no workaround currently exists, disabling LZS compression on the Concentrator helps reduce the number of events. To disable LZS compression on the Concentrator set the "IPComp" setting on the IPSec tab of the group configuration to "none".
•
The description of the IPSec Backup Servers feature in the VPN 3000 Concentrator Series Reference documentation indicates that it applies only to the VPN3002 Hardware Client. The feature now applies to the Software Client as well. For information about this feature and how to configure it, on the VPN Concentrator, see VPN Client Administrator Guide, Chapter 1. For information about how to configure Backup Servers in the VPN Client, see VPN Client User Guide.
•
If a LAN-to-LAN tunnel between a VPN 3000 Concentrator and an IOS device is misconfigured and repeatedly fails to establish, then the VPN 3000 Concentrator could enter a state where a reboot is required.
One way to encounter this problem is to try to setup IOS to handle both LAN-to-LAN tunnels and Remote Access tunnels on the same interface, without breaking the IOS interface into V-LANs. This is a misconfiguration and is not supported by IOS, but it can lead to problems with the VPN 3000 Concentrator.
This configuration is not supported because IOS does not allow the same crypto map to be used to terminate both LAN-to-LAN tunnels and Remote Access tunnels. In addition, IOS only allows one crypto map to be applied per interface.
Consequently, if both types of tunnels must be terminated on a single physical interface, that interface must be broken out into V-LANs. Dividing the physical interface in this way enables a different crypto map to be applied to each virtual interface. This in turn enables both types of tunnels to be terminated on the same physical interface while maintaining a valid configuration.
•
The Microsoft L2TP/IPSec client for Windows 98, Windows ME, and Windows NT does not connect to the VPN 3000 Concentrator using digital certificates.
Workaround:
Use Preshared keys.
•
When viewing bandwidth management statistics via the CLI, with Bandwidth Management enabled and multiple users connected, all user sessions scroll through on the screen without the user being prompted to press space to continue or Q to quit.
•
The Assigned IP address for a PIX-501 in Network Extension Mode appears on the VPN 3000 Concentrator as 0.0.0.0 until the first IPSec/Phase 2 rekey takes place. After the Phase 2 rekey completes, the Assigned IP address is correctly set to the PIX-501's private interface network address.
•
Documentation for the Bandwidth Management feature in Release 3.6.1 refers to a configuration option in which bandwidth aggregation is automatically applied to a LAN-to-LAN connection when a bandwidth reservation policy is applied to a LAN-to-LAN connection. This feature is not available in Release 3.6.1.
To ensure that bandwidth is always available for a LAN-to-LAN connection via the HTML interface, navigate to Configuration | User Management | Groups. Highlight the LAN-to-LAN group, and select the Assign Bandwidth Policies button. Select the public interface, and next to the Bandwidth Aggregation parameter, enter the amount of bandwidth to reserve from the total available bandwidth for this connection.
If bandwidth aggregation is not set for a LAN-to-LAN connection, a situation might occur where there is not enough bandwidth available for the tunnel to be established.
Caveat Resolved in Release 3.6.7
Release 3.6.7 resolves the following issue:
•
A defect was introduced in the 3.6.6 Release of the VPN3000 Concentrator that will cause the Concentrator to stop accepting new connections after 40 cumulative connection failures. On the 3005 & 3015 platforms the threshold is 15 cumulative failures.
Once the cumulative failure total is hit, then no more IKE requests are processed. Current sessions are not immediately effected, butare not be able to rekey.
Only a system reboot will reset the cumulative counter.
This issue only exists in the 3.6.6 Release.
Caveats Resolved in Release 3.6.6
Release 3.6.6 resolves the following caveats.
•
When using Quick Config on the VPN3002 to change IP address and enable DHCP, the user is locked out from management access as soon as the IP address is changed.
•
When you use the Monitoring Sessions screen or the Administer Sessions screen to configure a VPN 3000 Concentrator with a LAN-to-LAN tunnel to any device through the Private Interface, the tunnel shows up under the MANAGEMENT SESSIONS as VCA/IPSEC, rather than under the LAN-to-LAN Tunnels, as should be the case. The tunnel works fine, as expected.
•
Using the Mozilla 1.0 Web Browser to manage the VPN 3000 Concentrator, clicking any of the links always returns you to the login screen. Currently, the VPN 3000 Concentrator only fully supports Netscape and Internet Explorer.
•
The VPN 3000 Concentrator failed while freeing memory after telnet session was closed.
•
When using Netscape 7.0 with the VPN 3000 Concentrator, after logging in and then trying to configure something, you are returned to the login screen.
•
For a VPN 3002 Hardware Client, v3.6 & v3.6.1, you can change PPPoE settings (for example, password) from Quick Configuration, but the changed setting cannot be saved. When you make the PPPoE change and return to the PPPoE setting screen, the Static IP Addressing is checked.
Changing PPPoE settings is not possible. However, if you change the PPPoE settings from Configuration -> Interface, then you have no problem changing the PPPoE setting.
•
The Linux Web browser Mozilla is not compatible with the VPN 3000 Concentrator or the VPN 3002 Hardware Client Web interface.
•
If an EZVPN Client does not properly disconnect its tunnel to a VPN3000 Concentrator, its IKE SA is not cleared from the Concentrator. The result is that each lingering IKE SA retains an address out of the address pool.
This occurs only if the Client connects without xauth authentication.
•
When using a Windows XP client connecting to a VPN 3000 Concentrator using split tunneling with EAP, the networks specified in your network list are not passed down and installed into the client computer.
•
The XML import did not accept an OSPF router ID of 0.0.0.0, even though OSPF was not enabled. This issue was found when downloading a full configuration to a device via an XML config file import.
•
The VPN3000 Concentrator might return fragments of Ethernet packet data within PPP reject messages. This behavior occurs only when a decryption error occurs. The reject message might contain data fragments from other Ethernet packets processed by the VPN 3000 Concentrator.
•
The VPN 3000 Concentrator failed when exporting XML file under File Management with L2L with Auto discovery configured.
•
The VPN 3000 Concentrator continually requests the node secret from the RSA server. These requests are considered as failed login attempts by the RSA server; therefore, the user's account is disabled. This problem occurs under the following conditions:
–
–
Caveats Resolved in Release 3.6.5
Release 3.6.5 resolves the following caveats.
•
A VPN 3000 Concentrator, upon a DHCP renewal, sends the request to the router's address instead of the IP address of the DHCP server.
•
Potential buffer overrun in MPPC decompression. MPPC decompression requires additional error handling.
•
A VPN 3000 Concentrator crashes when a new virtual interface is created for L2TP and PPTP connections.
This issue was introduced by the fix for CSCdv71158 (Disabling VRRP on a VPN 3000 Concentrator does not refresh the interface MAC address).
Caveats Resolved in Release 3.6.4
Release 3.6.4 resolves the following caveats.
•
Load Balancing Cluster Address should reply to pings for troubleshooting purposes.
•
When a VPN 3000 Concentrator is configured for redundancy (VRRP), and then the IP address of an interface is changed, and VRRP disabled afterwards, then the MAC address of the changed interface remains the VRRP address instead of changing to the physical MAC address.
To avoid this issue, disable VRRP before changing the IP address of an interface, and re-enable it afterwards.
•
If a default gateway is not defined on the VPN 3000 Concentrator, the following event is generated:
73 10/18/2001 11:53:52.430 SEV=4 IKE/2 RPT=13 82.171.0.5
Filter missing on interface 0, IKE data from Peer xx.xx.xx.xx dropped
This may not be the only thing that causes this event to be generated, but it is one of the scenarios.
•
If you create a rule with TCP port of 138 NetBIOS, then you save the rule, and then go back and in and view the rule, you will see that the rule has changed the port to TCP Port 137 NetBIOS Name Service.
•
AAA authentication for an admin account fails using TACACS+ if Simultaneous Logins in the Base Group is set to "0". It works fine if it is set to any positive number. The default is 3.
•
When a VPN Client (version 3.6) connects to a VPN 3000 Concentrator (running 3.6 code as well), using Entrust Entelligence (version 6.0) certificates, the username is not displayed under Administration | Administer Sessions and/or Monitoring | Sessions.
This behavior occurs only when using a certificate serial number with a name in the CN field. For example, CN=First Lastname + serial number...
If the CN field includes only the Name (without a serial number), the username is displayed correctly under Administration | Administer Sessions and/or Monitoring | Sessions.
•
Rare, intermittent VPN 3000 Concentrator failures without any patterns occur during IKE negotiation.
•
After upgrading VPN3000 Concentrator to release 3.6.3, tunnels do not negotiate to AES.
•
VPN Client logon to a VPN 3000 Concentrator running Release 3.6.1, using RADIUS for authentication, fails when the VPN 3000 Concentrator assigns the IP address, and the RADIUS server passes back a Framed-IP-Netmask of 255.255.255.255. The error message is:
"Bad refCnt (1) or invalid assigned ip address received (x.x.x.x)."
Hardware clients are able to connect. Local authentication works.
All address allocation is via static pools configured for each group, no addressing comes from the RADIUS server. Under 3.6.x, the user is phase2 authenticated, but then authentication fails.
•
Cisco VPN 3000 Concentrator can not connect with some third-party devices; for example: Furukawa Denko FITELnet-F40. The VPN 3000 Concentrator required that the third Aggressive mode packet be encrypted. In versions prior to 3.6.Rel, this was not required. The VPN 3000 Concentrator now accepts the third Aggressive mode packet, either encrypted or unencrypted.
Caveats Resolved in Release 3.6.3
•
SNMPv2 traps miss the standard snmpTrapOID.0 object.
•
The VPN Client might fail to connect to a load-balanced VPN 3000 Concentrator if it receives out-of-order packets from the VPN 3000 Concentrator.
•
With local authentication or split-tunneling enabled, a VPN 3002 stops passing voice traffic after about 9-15 hours of normal operation. All other traffic passes through without a problem.
•
In VPN 3000 Concentrator software, v3.5, the word "VPN" can not be used as group name. The tunnel fails to establish. There is no such problem in the v3.0 software. Any other name, even one using "Vpn" or a similar upper/lower case variant works.
•
Release 3.5.2/3.5.3 of the VPN 3000 Concentrator does not work with the NETWARE DHCP server. In 3.5.x, when the VPN 3000 Concentrator receives the same IP address from the DHCP server, it never sends the reject; it just fails the connection. On the other hand, in Release 3.02, when the VPN 3000 Concentrator receives the same IP for the second client, it sends a reject to the DHCP server and successfully retrieves a second, unique IP address.
•
When obtaining an IP address and DNS server attributes via PPPoE, the VPN 3002 might fail to resolve DNS host names, causing the VPN 3002 PING utility to fail, and IPSec VPN tunnels to fail to negotiate.
•
A view-only administrator session can lock the configuration on a VPN 3000 Concentrator, not allowing an administrator with authority to make a change for a certain time period. To avoid this issue, reboot the VPN 3000 Concentrator or locate the view-only session and log it off.
•
Maximum connect timeout value does not work.
After setting the maximum connect tim out value to 6 hours, the VPN Client connections do not terminate. They are seen to be live for more than 6 hours.
The maximum connect timeout applies only to each SA. This leads to the issue where SAs started at different times (for example, during split-tunneling) would prevent the connection from terminating. The connection terminates only when the last SA is torn down.
The code has been adjusted to reduce an SAs lifetime by the current uptime for the connection, so no new SAs are permitted after max connect is exceeded. This causes all SAs to expire at max connect.
•
The VPN 3002 might ignore some Cisco Discovery Protocol (CDP) messages because of checksum errors. The VPN 3002 uses the CDP messages to detect IP Phones on its private network.
This occurs because of an error in the checksum algorithm in the CDP packet with respect to odd length packets.
The error checksum algorithm is now part of the standard, so the VPN 3002 should be updated to this algorithm.
•
An HTTP 401 Unauthorized error appears on the console when trying to access the VPN 3000 Concentrator through a web browser using admin access, even when administrative rights are given to admin user.
The two events HTTP/9 and HTTP/10 might appear when a user connects to the login page. These are not errors but HTTP status information. As a result, their severity will be lowered from warning(3) to informational(5).
•
Automatic backup of log files through FTP is failing to a 3COM FTP/TFTP server. The resolution for caveat CSCdy20464 did not solve the problem. Customer is using 3COM 3CDAEMON version 2.0 release 10 and the FTP server is still rejecting the binary command.
•
IP Phone_a is talking to IP Phone_b. When IP Phone_a mutes the conversation, it stops transmitting packets as the codec goes into receive-only mode. IP Phone_b continues to transmit to IP Phone_a. However, after 5 seconds, IP Phone_b can no longer be heard at IP Phone_a, because the PIX firewall has stopped transmitting packets from the outside to inside interface, and this was caused by the TCP windows being exceeded.
•
The range displayed in the error message for IPSec SA Lifetime Time is wrong. It displays "IPSec Time Lifetime out of range. (10 - 2147483647)".
The range should be "IPSec Time Lifetime out of range. (60 - 2147483647)". It was displaying Lifetime KB range.
•
IKE rekey may fail if IKE rekey is set to 60 seconds.
•
In very rare situations, when connecting via HTTP or HTTPS (SSL) management session, LAN to LAN sessions and Remote Access Sessions are not displayed under Administration | Administer Sessions and/or Monitoring | Sessions. This appears to happen for sessions with SINGLE QUOTES (') in the name.
Telnet, SSH, or console connections successfully display the remote access and LAN to LAN sessions. Remove the SINGLE QUOTE (') from the site name.
•
With the Mac OS X IE browser, when looking at logged in users under the session management screen, 127.255.255.255 is seen instead of the correct IP address in some cases.
•
VPN Hardware Client 3002 with version 3.6 does not negotiate the correct MRU that is configured in the interface configuration. It always tries to adjust the MRU to 1492.
•
When a VPN 3002 is placed behind a PIX firewall with IPSec over TCP connection to a VPN 3000 Concentrator, we cannot bring the connection up once the VPN 3002 is rebooted.
This occurs because PIX firewall has an active TCP connection which was never reset; when the 3002 comes up it uses the same source and destination port number to make the new connection. The sequence number for the packets does not match the previously active connection, and PIX drops the packets. To avoid this issue, clear the connection on the PIX using the clear xlate command.
•
When users try to enroll a VPN 3000 Concentrator or VPN 3002 Hardware Client to a Verisign Onsite CA using a file-based method, the Verisign enrollment application complains about the PKCS10 request generated by the VPN 3000 concentrator (the error ID on Verisign enrollment page is 105).
The issue is reported only in versions 3.5.4 and 3.6. Downgrading the VPN 3000 Concentrator or VPN 3002 Hardware Client to a version earlier than 3.5.4 and enrolling to the CA works fine. After the enrollment, the VPN concentrators then can be upgraded to higher version if needed.
•
Internet Explorer does not display any remote access users in the admin or monitoring session tables if any user specifies a domain upon connecting.
The table is displayed in Netscape but the separating '\' is not displayed.
For example: User: test Domain: Lab.com
should be displayed in the table as Lab.com\test, but Netscape displays it as Lab.comtest.
•
The VPN 3000 Concentrator might fail with an out-of-memory error during heavy memory usage. During heavy memory usage, memory was not being properly freed.
The crashdump exhibits the following symptoms:
–
–
•
VPN 3000 Concentrator can fail with cTCP client and a large network list.
•
Cannot Set Access Session Timeout to 0, although the error message says that 0 is within the acceptable range.
•
The VPN 3000 Concentrator fails to install CA chains if any two of the certificates are identical in the first 4 bytes of their serial numbers.
•
Given the following setup:
NT PDC---vpn3k---Internet
When we configure a group with the same name as a domain username and then test the authentication against the NTPDC, it fails.
This is not a valid configuration. Users and groups cannot share common names.
CSCdy62382
When the administrator enters username/password after configuring TACACS authentication for Administrator access to the GUI, the VPN 3000 Concentrator fails.
This occurs if other TACACS attributes are assigned besides "priv-lvl".
•
A VPN 3000 Concentrator, renewing DHCP, sends the request to the broadcast address (255.255.255.255) instead of the IP address of the DHCP server.
•
In version 3.6, int_12, under session details (3060) for a remote access session (Hardware or software client), the Auth mode for the IKE session displays "other" when it should be "Preshared Keys - XAUTH". The session details under CLI correctly displays 'Pre-XTH.
Caveats Resolved in Release 3.6.1
Release 3.6.1 addresses multiple vulnerabilities for the VPN 3000 Series Concentrators and VPN 3002 Hardware Client. Please refer to the following URL for the details on the vulnerabilities addressed.
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Release 3.6.1 contains the same fixes as Release 3.6, listed in the following section.
Caveats Resolved in Release 3.6
This section lists caveats resolved since Release 3.5. If you have an account on CCO you can check the status of any caveat by using Bug Navigator II.
•
Packets coming through a tunnel from a client to a host on the public interface network exit through the Public Interface.
•
When using RADIUS authentication, if you are running RIP routing on the Private network, the NAS-IP-Address in the RADIUS Authentication is the IP address of the Private Interface on the Concentrator.
If you are running OSPF Routing on the Private network, the NAS-IP-Address in the RADIUS Authentication is the IP address of the Public Interface on the Concentrator.
If you are using OSPF, the NAS-IP-Address is set to the interface with the IP address that has the highest numeric value. For example, if the Private Interface of the VPN Concentrator has the IP address 192.168.10.1, and the Public interface has the IP address 193.111.20.8, the NAS-IP-Address is set to the public interface.
•
The phase 1 rekey interval is missing from session management on the VPN3000 series concentrator for Site-to-Site tunnels that are established against IOS devices, if the IOS Device initiates the tunnel.
•
Older versions of Netscape (v4.xx) might not properly display the session table from the Monitoring | Sessions link.
•
The session management tables might display slowly if there are thousands of users in the VPN Concentrator. HTML pages might take up to a minute or more to display. We are attempting to improve this performance prior to release.
•
Full bandwidth availability to a single user (bandwidth stealing) does not yet function to full capacity. User will only be given the amount of bandwidth reserved or policed in their policies.
•
The HTML management interface allows an administrator to enter an invalid Router address when configuring Static Routes. The administrator should verify addressing when entering Static Route information.
•
Full implementation of bandwidth management statistics has not been completed for this first beta release and should not be tested.
•
Bandwidth management statistics for a PPTP user are set to all zeros if bandwidth management is disabled.
•
Using Auto-initiate to connect the client before logging into a domain on Windows 95 may result in no VPN Client tray icon appearing (yellow padlock). The client is connected and can be launched from the start menu to view status or disconnect.
•
When sorting the session table from HTML management, the Web-browser sometimes stops responding if there are a lot of sessions in the table. (>1000) This behavior may require restarting the browser or, in rare instances, rebooting the management PC.
•
The concentrator may assert in memory.c line 554 during a very heavy load of calls connecting and disconnecting while using CRLs and doing a dial-hang test.It is unlikely that a beta site will see this unless the load on the box is very high.
•
In version 3.6.1, disabling DHCP Proxy from the following VPN Concentrator management page will also disable the Concentrators ability to retrieve an address off the network using DHCP.
Configuration | System | IP Routing | DHCP Proxy
If the Concentrator is using DHCP on any of its interfaces do not disable DHCP Proxy at this page. If DHCP Proxy must be disabled, simply uncheck the "Use DHCP" option form the Address Assignment page located at.
Configuration | System | Address Assignment | Assignment
•
A very heavy load of calls connecting and disconnecting while using CRLs and doing a dial-hang test might cause the Concentrator to fail. It is unlikely that a beta site will see this unless the load on the box is very high.
•
Starting and stopping FTP Proxy sessions over LAN-to-LAN-NAT tunnels may cause the VPN 3000 to reset, if using static and dynamic rules.
•
If you set the reserved bandwidth for a group equal to the link rate, the result is that no tunnels are established to the VPN Concentrator for that group.
•
Interface NAT rule configuration via CLI doesn't automatically disable FTP Proxy when disabling TCP Proxy. Use HTML to disable TCP/FTP Proxy.
•
The VPN concentrator reboots if an L2TP connection is attempted to the concentrator with Bandwidth management enabled.
•
When the sorting tabs are clicked on in admin/sessions, while both RAS and LAN-to-LAN sessions are being displayed, the LAN-to-LAN summaries table appears distorted. Specifically, the LAN-to-LAN entries lose the Bytes Received column and the "Action" entries are shifted two columns to the left.
•
HTML quick config allows the administrator to configure DHCP address pool assignment without specifying a DHCP server. This does not work, because DHCP broadcasts are not supported. All DHCP requests must be directed.
•
The session management tables may show very large summary statistics at the top of the html page after a reset of statistics followed by a refresh. The number is in the vicinity of 4.3 billion. This is due to the fact that the number of calls has gone down after resetting the counter to zero. We do not currently display negative numbers for current call count statistics, so negative numbers are erroneously being displayed as large positive numbers.
of the route; if more are configured they are not be sent.
•
Occasionally a client connects and cannot receive any data back from the concentrator. If you see this problem, it usually clears when the client disconnects and reconnects.
•
If you change the default pre-fragmentation setting on the public interface on the VPN Concentrator, pre-Release 3.6.1 clients (Unity and 3002) fail to pass large packets after a Phase 1 followed by a Phase II rekey. To correct this problem, disconnect and re-establish the tunnel.
•
The remote access session table is not properly displayed when using Netscape 4.78 or 6.2 and viewing the admin sessions table.
•
In Release 3.6.1, the VPN 3000 Concentrator software implementation changed the way that the VPN 3000 Concentrator sends its phase 1 ID. This ID consists of a bundle of information including IP address, protocol and port number. The change is that the port is now set to ZERO, whereas before, it was set to 500.
Technically, this is legal because it is up to the peer's policy to enforce whether a port=0 (ignore) is allowed.
•
Enabling bandwidth management with client tunnels already established is not supported in the Beta 2 release.
•
You may see the following message on the Concentrator console when a VPN client is attempting a connection:
"RMLogError: bad state=5/event=4 combination".
•
When a RADIUS server is configured to Authenticate a Group and return Group attributes, the VPN 3000 Concentrator does not check for illegal characters in the attribute "Split-DNS-Names". So, when configuring multiple Split-DNS-names in the RADIUS server, you must separate multiple names with a comma without any spaces or other illegal characters.
Documentation Updates
The Cisco VPN 3000 Series Concentrator documentation set has been revised for this release and is available online through Cisco Connection Online (CCO). This section contains any changes and corrections to the documentation that occurred after the documentation was published.
Documentation Changes
The following documents require modifications, reflecting product changes, as noted in the following sections:
•
•
Change to VPN 3000 Series Concentrator Getting Started
The method of attaching the feet to the VPN 3000 Series Concentrator has changed. The following illustrations replace those in Figure 2-3, page 2-7 of the VPN 3000 Series Concentrator Getting Started book, version 3.6.
VPN 3005
VPN 3015 - 3080
Change to VPN 3000 Series Concentrator Reference Volume I: Configuration
The VPN 3000 Concentrator now supports syslog servers on both Windows and UNIX (Linux and Solaris) operating system platforms. In VPN 3000 Series Concentrator Reference Volume I: Configuration, Chapter 10, "Events," and in the corresponding online Help, the text and the screen captures refer to UNIX syslog servers. This restriction on the type of syslog server operating environment no longer exists.
VPN 3000 Concentrator Documentation Updates
In addition to these Release Notes, the following documents are new or have been updated for Release 3.6. They have not been changed for the subsequent "point" releases (such as 3.6.6):
•
•
•
•
Related Documentation
•
•
•
•
•
Service and Support
For service and support for a product purchased from a reseller, contact the reseller, who offers a wide variety of Cisco service and support programs described in "Service and Support" in Cisco Information Packet shipped with your product.
Note
For service and support for a product purchased directly from Cisco, use CCO.
Software Configuration Tips on the Cisco TAC Home Page
The Cisco TAC home page includes technical tips and configuration information for the VPN 3000 Concentrator and client. Find this information at:
http://www.cisco.com/warp/public/707/#vpn3000.
Obtaining Documentation
This section describes how to obtain the documentation on the Web or how to access the documentation on CD-ROM.
Note
World Wide Web
Documentation for this product and for all Cisco products is available on the World Wide Web. You can access the most current Cisco documentation at: http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Ordering documentation
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Obtaining Technical Assistance
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco Connection Online
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online (CCO) is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users can order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
•
•
–
–
You can e-mail questions about using CCO to cco-team@cisco.com.
Copyright and Trademark Information
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0208R)
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.
Posted: Fri May 7 06:37:42 PDT 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
