Note You can find the most current documentation for the Cisco VPN 3002 on CCO.
These release notes are for Cisco VPN 3002 Hardware Client Release 4.0 software. These release notes describe new features, limitations and restrictions, interoperability notes, and related documentation. They also list the caveats you should be aware of and the procedures you should follow before loading this release. Read these release notes carefully prior to installation.
These release notes include the following topics:
Obtaining Technical Assistance
The Cisco VPN 3002 Hardware Client (referred to in these Release Notes as the VPN 3002) communicates with a VPN 3000 Series Concentrator to create a virtual private network across a TCP/IP network (such as the Internet). It can also establish IPSec connections to other IPSec security gateways, including the Cisco PIX firewall and Cisco IOS routers. IPSec provides the most complete architecture for VPN tunnels and is widely regarded as the most secure tunneling protocol.
The secure connection between the VPN 3002 and the headend is called a tunnel. The VPN 3002 uses the IPSec protocol to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and decapsulate them. It can support a single IP network.
The VPN 3002 Hardware Client provides an alternative to deploying the VPN Client software to PCs at remote locations. Like the software client, the VPN 3002 is located at a remote site, and provides a secure connection to an IPSec device at a central site. It is important to understand that the VPN 3002 is a hardware client, and that you configure it as a client, not as a site-to-site connection.
For complete installation information, refer to the VPN 3002 Hardware Client Getting Started guide. To install and configure the VPN 3002 using default values, see the VPN 3002 Quick Start card, which ships with the VPN 3002.
You must meet the following requirements to configure the VPN 3002.
To interoperate with a VPN 3002, the VPN 3000 Series Concentrator to which it connects must:
See Chapter 3, "Quick Configuration using the VPN 3002 Hardware Client Manager," in the VPN 3002 Hardware Client Getting Started manual for step-by-step Quick Configuration instructions.
An interactive multimedia piece explains the differences between Client (PAT) mode and Network Extension mode. To view it, go to this url:
http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html
Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a free copy from:
http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
The following section describes software features new in Release 4.0.
When enabled, LEAP (Lightweight Extensible Authentication Protocol) Bypass lets LEAP packets from wireless devices behind a VPN 3002 travel across the VPN tunnel before individual user authentication has completed. Workstations that connect through wireless access points can therefore complete LEAP authentication first; they then authenticate again under individual user authentication. Only the LEAP exchange is allowed through early; other traffic from those workstations still waits for individual user authentication.
Administrators enable LEAP Bypass on a group basis at the central site, via a checkbox on the VPN Concentrator HW Client tab on the Group configuration page.
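The following is an added example, not Cisco code and not a description of the VPN 3002's internal implementation, which these notes do not publish. It models the forwarding decision LEAP Bypass implies: before individual user authentication, only traffic recognized as a LEAP exchange enters the tunnel, and everything else waits. The model assumes LEAP is carried as EAP method type 17 inside RADIUS EAP-Message attributes (RFC 2865, RFC 3579) on the usual RADIUS authentication ports; the RADIUS packets it classifies are constructed in the block.

```python
"""Model of the LEAP Bypass forwarding decision (added example, not Cisco code).

Assumptions: LEAP travels as EAP method type 17 inside RADIUS EAP-Message
attributes (RFC 2865 / RFC 3579) sent to a RADIUS authentication port.
Sample packets are constructed by build_access_request().
"""
import struct

RADIUS_AUTH_PORTS = {1645, 1812}     # legacy and IANA RADIUS authentication ports
RADIUS_ACCESS_REQUEST = 1            # direction that leaves the branch toward the server
ATTR_EAP_MESSAGE = 79
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_LEAP = 17                   # Cisco LEAP EAP method type


def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    off = 20
    while off < length:
        if length - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[off + 2:off + alen]
        off += alen


def eap_method_type(packet: bytes):
    """Return the EAP method type carried in the EAP-Message attribute(s), or None."""
    # A long EAP packet is split across several EAP-Message attributes;
    # RFC 3579 requires concatenating them in order before parsing.
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None                  # no EAP, or an EAP packet with no type octet
    code, _eid, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or elen > len(eap):
        return None
    return etype


def leap_bypass_allows(dst_port: int, payload: bytes, user_authenticated: bool) -> bool:
    """Should this packet from behind the VPN 3002 be sent into the tunnel now?"""
    if user_authenticated:
        return True                  # individual user authentication is done
    if dst_port not in RADIUS_AUTH_PORTS:
        return False                 # anything that is not RADIUS waits for user auth
    try:
        return eap_method_type(payload) == EAP_TYPE_LEAP
    except ValueError:
        return False                 # malformed RADIUS is not a LEAP exchange


def build_access_request(eap_type: int, eap_data: bytes = b"leap-sample") -> bytes:
    """Constructed sample: an Access-Request carrying one EAP-Response of eap_type."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(eap_data), eap_type) + eap_data
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    authenticator = b"\x00" * 16     # request authenticator, zeroed in this sample
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attrs))
    return header + authenticator + attrs


if __name__ == "__main__":
    leap = build_access_request(EAP_TYPE_LEAP)
    peap = build_access_request(25)  # PEAP, constructed for contrast
    print("LEAP before user auth:", leap_bypass_allows(1812, leap, False))
    print("PEAP before user auth:", leap_bypass_allows(1812, peap, False))
    print("HTTP before user auth:", leap_bypass_allows(80, b"GET / HTTP/1.0", False))
```

The point the model makes is that the bypass is keyed to the protocol, not to the workstation: an access point's LEAP exchange passes, while the same host's web traffic, or a RADIUS packet carrying a different EAP method, still waits for individual user authentication. When you enable the checkbox, the pre-authentication exposure is limited to that exchange.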
Administrators can create a banner on the VPN 3000 Concentrator and push it to the VPN 3002. This gives organizations the ability to provide information to users about their network, terms for use, liability, and other issues.
The VPN Concentrator now sends the reason for a VPN Concentrator-initiated disconnect or reboot to both software clients and VPN 3002 hardware clients. The client records disconnect notices in its event log and shows reboot status in both the HTML and CLI interfaces.
Similarly, when the VPN 3002 initiates a disconnect or reboot, it sends a message to alert the VPN Concentrator to which it connects about the disconnect and its reason.
This feature is active by default; users can disable it.
The VPN 3002 hardware client now lets you monitor memory usage in terms of block size and free and used blocks.
This section lists the issues to consider before installing Release 4.0 of the VPN 3002 Hardware Client software.
The following sections describe known behaviors and issues with VPN 3002 software.
The online documentation might not be accessible when using Internet Explorer with Adobe Acrobat, Version 3.0.1. To resolve this issue, upgrade to Acrobat 4.0 or higher. The latest version of Adobe Acrobat is available at the Adobe web site: http://www.adobe.com.
The VPN 3002 DHCP server sometimes assigns addresses that are not in sequence, skipping addresses that are free for use (CSCdt38841).
When the VPN 3002 is configured for 10 Mbps and the duplex mode is configured for auto, the duplex mode may be incorrectly displayed as half duplex even though it is running at full duplex (CSCdu57255).
Using the rekey option to renew an SSL certificate from the RSA CA results in a rejection of the request.
The resubmit/renew feature does work with RSA as long as the certificate being rekeyed or renewed is first deleted from the CA database. RSA does not allow a CA to issue more than one certificate with any particular DN (CSCdv27743).
If there are more than 150 networks in a network list used for split tunneling on the central site VPN Concentrator, when a VPN 3002 using this group connects to the VPN Concentrator and attempts to establish an SA to all of the networks within that network list, it may cause a reboot. We recommend that a network list that applies to a VPN 3002 contain 150 or fewer networks (CSCdv50669).
With an active tunnel between a VPN 3002 and VPN Concentrator, the event "IPSec input - discarding packet with no NAT rule" occasionally displays. No negative operational issues have been observed (CSCdv69320).
When Netscape Navigator or Internet Explorer is configured for auto proxy configuration and you use the browser to try to log in as a user to the VPN 3002, the web redirect tries to set up the proxy settings for the browser. Proxy servers and Individual User Authentication are not compatible (CSCdw69363).
If a VPN 3002 cannot establish a tunnel to the central-site Concentrator, it keeps trying to connect. This can cause sufficient traffic to result in denial of service for other VPN clients during peak traffic hours. The probable cause is a configuration error. The workaround is to disconnect the VPN 3002 and correct the configuration (CSCdw77824).
Configured VPN 3002 DHCP server options are sent to a DHCP client only if those options are specified in the Parameters Request List of the DHCPDISCOVER and DHCPREQUEST messages (CSCdy29626).
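To make the behavior in CSCdy29626 concrete, here is an added example (not Cisco code, and not the VPN 3002's own DHCP server) of the server-side selection rule the note describes: a configured option appears in the reply only if the client listed it in its Parameter Request List (option 55, RFC 2132). Option codes are the standard IANA values; the configured addresses, domain name and lease time are constructed sample data.

```python
"""DHCP option selection gated by the client's Parameter Request List.

Added example, not Cisco code. It reproduces the rule in CSCdy29626: each
configured option is placed in the reply only when the client asked for it in
option 55. Configured values below are constructed sample data.
"""
import struct

OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN_NAME = 1, 3, 6, 15
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_END = 51, 53, 55, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed "configured options" for a private-side DHCP server.
CONFIGURED = {
    OPT_SUBNET_MASK: bytes([255, 255, 255, 0]),
    OPT_ROUTER: bytes([192, 168, 10, 1]),
    OPT_DNS: bytes([192, 168, 10, 53]),
    OPT_DOMAIN_NAME: b"branch.example",
}
LEASE_SECONDS = 86400


def parse_options(opts: bytes) -> dict:
    """Parse a DHCP option area (magic cookie first) into {code: value}."""
    if opts[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 4
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == 0:                # pad octet, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def reply_options(request_opts: bytes, reply_type: int = DHCPOFFER) -> dict:
    """Choose reply options: message type and lease time always, plus each
    configured option the client named in its Parameter Request List."""
    requested = set(parse_options(request_opts).get(OPT_PARAM_REQ_LIST, b""))
    chosen = {
        OPT_MSG_TYPE: bytes([reply_type]),
        OPT_LEASE_TIME: struct.pack("!I", LEASE_SECONDS),
    }
    for code, value in CONFIGURED.items():
        if code in requested:        # configured but not requested: omitted
            chosen[code] = value
    return chosen


def encode_options(options: dict) -> bytes:
    """Serialize {code: value} back into a DHCP option area."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in sorted(options.items()))
    return MAGIC_COOKIE + body + bytes([OPT_END])


def build_discover(param_request_list: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER option area with the given option 55."""
    return encode_options({
        OPT_MSG_TYPE: bytes([DHCPDISCOVER]),
        OPT_PARAM_REQ_LIST: param_request_list,
    })


if __name__ == "__main__":
    # A client that asks only for mask and router never receives DNS or domain name.
    print(sorted(reply_options(build_discover(bytes([1, 3]))).keys()))
    print(sorted(reply_options(build_discover(bytes([1, 3, 6, 15]))).keys()))
```

When a client behind the VPN 3002 seems to be missing an option you configured, look at the option 55 list in its DHCPDISCOVER or DHCPREQUEST (a packet capture on the private interface shows it) before suspecting the server: if the client did not ask, the option is not sent.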
If you are using an Accounting Server with both Interactive Hardware Client Authentication and Individual User Authentication enabled, some per-session data-activity information (the number of octets and packets sent and received) is not reported to the Accounting Server (CSCdv82830).
Note This information is tracked if Interactive Hardware Client Authentication is not enabled.
When the VPN 3002 uses digital certificates to authenticate, it is unable to establish a connection to a PIX device unless the PIX device is running a version of code that corrects this problem. See PIX CSCdy05141 to determine which PIX releases include this correction (CSCdy05498).
The following sections describe known behaviors and issues with Web browsers.
The following are known issues with Internet Explorer 4.X and the VPN 3002 Hardware Client Manager (the HTML management interface). To avoid these problems, use the version of Internet Explorer on the Cisco VPN 3002 software distribution media.
When connecting to the VPN 3002 using SSL with Internet Explorer 4.0 (v4.72.2106.8), you might receive a message box saying, "This page contains both secure and non-secure items. Do you want to download the non-secure items?" Select Yes. There really are no non-secure items on the page and the problem is with Internet Explorer 4.0. If you upgrade to Internet Explorer 4.0 Service Pack 1 or Service Pack 2, you should not see this error message again.
After adding a new SSL certificate, you might have to restart the browser to use the new certificate.
Caveats describe unexpected behavior or defects in Cisco software releases.
Note If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II on CCO, select Software & Support: Online Technical Support: Software Bug Toolkit or navigate to http://www.cisco.com/support/bugtools.
The following problems exist with VPN 3002 Hardware Client, Release 4.0.
With split tunneling enabled, if a PC on the private interface of the VPN 3002 sends an ICMP Echo Request (PING) packet to the VPN 3002's IKE peer, that Echo Request packet travels unencrypted. The IKE peer sends the Echo Reply packet back to the VPN 3002 encrypted; therefore, the PING fails.
Users behind a VPN 3002 may have trouble accessing Active Directory shares or servers, especially if the VPN 3002 is behind a PAT device that does not handle fragmentation assembly properly. The workaround is to set up Kerberos to use TCP instead of UDP.
The VPN 3002 does not connect to the PIX when Perfect Forward Secrecy (Group 2) is set in the IPSec SA configuration on the PIX.
The VPN 3002 does not clean up the peer SA after the failed attempt. It keeps trying to bring up the connection: IKE completes, the IPSec SA between the peers is attempted, but then fails. When the tunnel fails, the VPN 3002 does not delete it.
Packet authentication errors occur when the VPN 3002 is in network extension mode. Traffic passes normally.
A Windows XP computer behind a VPN 3002 cannot access certain sites on the Internet. The workaround is to edit the Windows registry and add or set the MTU value (a REG_DWORD) to 1300 decimal under the key for the network interface that faces the VPN 3002. This is the path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
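Both the Active Directory caveat above (fragments mishandled by a PAT device, Kerberos moved to TCP) and this MTU workaround come from the same cause: IPSec encapsulation grows every packet, and a full-size inner packet no longer fits a 1500-byte outer MTU. The calculator below is an added example, not from these release notes and not Cisco code; it sizes an ESP tunnel-mode packet using the standard overheads (RFC 2406 ESP header, IV, padding, trailer and truncated HMAC ICV; RFC 3948 UDP header when the VPN 3002 is behind PAT). The cipher and integrity algorithms in the tables are assumed choices for illustration; the notes do not state which ones a given tunnel negotiates.

```python
"""ESP tunnel-mode packet sizing (added example, not Cisco code).

Shows why a 1500-byte inner packet fragments after encapsulation and how much
room a lowered host MTU such as 1300 leaves. Overheads follow RFC 2406 (ESP)
and RFC 3948 (UDP encapsulation); the algorithm tables are assumed choices.
"""
IP_HDR = 20                 # outer IPv4 header without options
UDP_HDR = 8                 # UDP encapsulation header used behind a PAT device
ESP_HDR = 8                 # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header octets
# Cipher block sizes, which are also the IV lengths for these CBC ciphers.
CIPHER_BLOCK = {"3des": 8, "aes": 16}
# Truncated HMAC integrity check value lengths.
ICV_LEN = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_padding(inner_len: int, block: int) -> int:
    """Pad so payload + pad + 2-byte trailer is a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_packet_size(inner_len, cipher="3des", integ="hmac-md5-96", nat_t=False):
    """Outer packet size for an inner IP packet of inner_len bytes in tunnel mode."""
    block = CIPHER_BLOCK[cipher]
    return (IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + block  # block == IV length
            + inner_len + esp_padding(inner_len, block) + ESP_TRAILER
            + ICV_LEN[integ])


def fragments_after_encapsulation(inner_len, outer_mtu=1500, **kw) -> bool:
    """True if the encapsulated packet exceeds the outer path MTU."""
    return esp_packet_size(inner_len, **kw) > outer_mtu


def max_inner_mtu(outer_mtu=1500, **kw) -> int:
    """Largest inner packet that encapsulates without exceeding outer_mtu."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_size(inner, **kw) <= outer_mtu:
            return inner
    return 0


if __name__ == "__main__":
    worst = dict(cipher="aes", integ="hmac-sha1-96", nat_t=True)
    print("1500-byte inner, 3DES/MD5, no PAT ->", esp_packet_size(1500), "bytes")
    print("largest inner that fits, 3DES/MD5, no PAT ->", max_inner_mtu())
    print("largest inner that fits, AES/SHA1 behind PAT ->", max_inner_mtu(**worst))
    print("1300-byte inner, AES/SHA1 behind PAT ->", esp_packet_size(1300, **worst))
```

Even the heaviest assumed combination (AES, SHA-1, UDP encapsulation) still fits an inner packet of a little over 1400 bytes, so 1300 leaves headroom for outer paths whose own MTU is below 1500; that margin is my reading of the figure, the notes simply prescribe it. The same arithmetic explains the Active Directory symptom: a Kerberos reply carrying a large ticket over UDP exceeds the fitting size, is fragmented, and a PAT device that cannot reassemble fragments drops it, which is why the workaround moves Kerberos to TCP.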
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
VPN 3002 documentation includes the following:
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order monthly or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
http://www.cisco.com/en/US/partner/ordering/index.shtml
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://tools.cisco.com/RPF/register/register.do
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
http://www.cisco.com/go/packet
http://www.cisco.com/go/iqmagazine
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0403R)
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Posted: Sun Apr 6 18:25:28 PDT 2003