Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
CCO Date: July 22, 2004
Part Number OL-5637-02

Introduction

Note You can find the most current documentation for released Cisco VPN 3000 products at http://www.cisco.com or http://cco.cisco.com. These electronic documents might contain updates and changes made after the hard-copy documents were printed.

These release notes are for Cisco VPN 3000 Series Concentrator Release 3.
Usage Notes
Open Caveats for VPN 3000 Series Concentrator
Caveats Resolved in Release 3.6.8.B
Caveats Resolved in Release 3.6.8.A
Caveats Resolved in Release 3.6.8
Caveats Resolved in Release 3.6.7.H
Caveats Resolved in Release 3.6.7.G
Caveats Resolved in Release 3.6.7.F
Caveats Resolved in Release 3.6.7.E
Caveats Resolved in Release 3.6.7.D
Caveats Resolved in Release 3.6.7.
Caution Be sure you install the correct file for the platform you are upgrading.

If you are using Internet Explorer, use version 5.0, Service Pack 2 or higher.

Upgrading to Release 3.6.x

This section contains information about upgrading from earlier releases to Release 3.6.x. When upgrading VPN 3000 Concentrator releases, you must clear the cache in your browser to ensure that all new screens display correctly when you are managing the VPN Concentrator.
Use the following backup procedure to ensure that you have a ready backup configuration.

Backing Up the Existing Configuration to the Flash
1. Go to Administration | File Management | Files.
2. Select the configuration file and click Copy.
3. Enter a name for the backup file (in 8.3 format; for example, name it CON368BK.TST).
You have now backed up the existing configuration to the flash.

New Features in Releases 3.6.3 Through 3.6.8
New Features in Release 3.6.1

This section describes the new features in Release 3.6.1 of the VPN 3000 Series Concentrator. For detailed instructions about how to configure and use these features, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Management.
DHCP Relay for Wireless Operation (Includes Microsoft VPN Client Route List via DHCP)

The DHCP Relay feature lets wireless clients obtain a network configuration from the corporate network before creating a VPN tunnel. This may be used with the VPN Client autoinitiation feature to obtain a network configuration and automatically connect to the secure gateway when a configured wireless LAN (WLAN) is detected. To configure DHCP Relay, go to Configuration | System | IP Routing.
Note Versions of the VPN Client prior to Release 3.6.1 do not support NAT-T. If you have an older VPN Client, the VPN Concentrator determines during tunnel establishment that the client is incapable of NAT-T, and the NAT-T setting has no effect for that particular tunnel. These clients therefore continue to work as they did previously.

LAN-to-LAN NAT Traversal

With Release 3.6.1, you can also enable NAT traversal for LAN-to-LAN sessions.
CRL over HTTP

You can now configure the VPN Concentrator to use the HTTP protocol to retrieve a certificate revocation list (CRL) from a distribution point. If you choose HTTP, you must assign HTTP rules to the public interface filter if you access your distribution points through the public interface. For example, enabling this feature supports the use of public key infrastructures (PKI), such as VeriSign, that require the use of HTTP. A CRL is signed by the issuing CA and is validated on that signature, so retrieving it over plain HTTP does not by itself weaken revocation checking.
Dynamic DNS (DDNS Host Name Population)

Dynamic DNS passes the host name to the central-site device, which uses that name in the DHCP address request. This allows the DHCP server and DDNS to dynamically populate the DNS records.

L2TP/IPSec Authentication Enhancements (EAP/TLS, EAP/SDI)

Extensible Authentication Protocol (EAP) lets a VPN Concentrator proxy the authentication process to an authentication server.
NAT over LAN-to-LAN

Release 3.6.1 allows LAN-to-LAN connections between VPN 3000 Concentrators whose LANs have overlapping or identical IP address ranges, using static, dynamic, and PAT rules. For hosts to communicate across overlapping LANs, the private address space must be translated (NATed).

IPSec Fragmentation

The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface.
Usage Notes

“Username@Group” Can Now Be Sent to Authentication Server When Strip Group Is Disabled

Release 3.6.7.F adds the ability to send a “Group Lookup” username to the authentication server during user authentication. This feature restores the ability that was available as a side effect of having “Strip Realm” disabled and “Group Lookup” enabled with the “@” delimiter. In Release 3.6.7 and earlier releases, the Strip Realm and Group Lookup features overlapped when the group lookup delimiter was set to '@'.
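The following is an added illustrative model, not Cisco's code and not taken from the release notes, of how the Strip Realm, Group Lookup and Strip Group options decide which username reaches the authentication server. The option names are those in the note above; the exact behaviour of each combination, the `AuthSettings` fields and the `legacy` flag are assumptions of the model. It shows why a group delimiter of '@' made the two features indistinguishable in 3.6.7 and earlier, and how the 3.6.7.F Strip Group option separates them.

```python
"""Model of how Strip Realm / Group Lookup / Strip Group shape the username sent
to the authentication server. Illustrative model built from the release-note text,
not the Concentrator's code: option names are from the notes, the semantics of
each combination are this model's assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthSettings:
    strip_realm: bool = False      # drop a trailing "@realm" before authentication
    group_lookup: bool = False     # text after group_delimiter selects the group
    group_delimiter: str = "@"
    strip_group: bool = True       # 3.6.7.F option: drop the group suffix before authentication
    legacy: bool = False           # model 3.6.7-and-earlier behaviour (no Strip Group option)


def split_group(login: str, delimiter: str) -> Tuple[str, Optional[str]]:
    """Split at the last delimiter: 'alice@eng' -> ('alice', 'eng'); no delimiter -> (login, None)."""
    head, sep, tail = login.rpartition(delimiter)
    return (head, tail) if sep else (login, None)


def strip_realm_suffix(username: str) -> str:
    """Drop everything after the last '@' (the realm)."""
    head, sep, _ = username.rpartition("@")
    return head if sep else username


def resolve_login(login: str, s: AuthSettings) -> Tuple[str, Optional[str]]:
    """Return (username sent to the authentication server, group name or None)."""
    user, group = split_group(login, s.group_delimiter) if s.group_lookup else (login, None)
    if s.legacy:
        # 3.6.7 and earlier, modelled only for the '@' delimiter the notes describe:
        # there is no Strip Group setting, so whether the text after the delimiter
        # reaches the auth server is decided by Strip Realm alone. With '@' the realm
        # and the group are the same suffix, which is the overlap the notes describe.
        if s.group_delimiter != "@":
            raise ValueError("legacy model only covers the '@' delimiter")
        auth_user = strip_realm_suffix(login) if s.strip_realm else login
    else:
        # 3.6.7.F: Strip Group decides on its own whether the group suffix is sent.
        auth_user = user if (group is not None and s.strip_group) else login
        if s.strip_realm:
            auth_user = strip_realm_suffix(auth_user)
    return auth_user, group
```

With the legacy model and an '@' delimiter, a login such as alice@corp.example is split into a group named corp.example whether or not that suffix was meant as a realm; choosing a delimiter other than '@' (the '#' case below) removes that ambiguity, so the user portion can still have its realm stripped independently.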
Browser Interoperability Issues

The following sections describe known behaviors and issues with the indicated Web browsers.

VPN 3000 Concentrator Fully Supports Only Netscape and Internet Explorer

Currently, the VPN 3000 Concentrator fully supports only Netscape and Internet Explorer. If you are using Internet Explorer, use version 5.0, Service Pack 2 or higher.
Administer Sessions Screen Shows Data for Wrong Group

When an L2TP/IPSec connection is established, authentication should behave as follows:
1. The Tunnel Group is authenticated (using the OU field in the certificate or using the Base Group).
2. The User is authenticated (using the authentication method of the tunnel group).
3. The User's Group (as defined by the group delimiter option) is authenticated.
SNMP Traps VRRPNotifications and cipSecMIBNotifications Are Not Supported

The VPN 3000 Concentrator does not support the VRRPNotifications and cipSecMIBNotifications SNMP traps. You can configure VRRP to send these SNMP traps without getting an error message, but the traps themselves are not supported, so no action occurs. The same is true of Cisco IPSec-flow MIB notifications (CSCdx44580).
Change to Network List Creation for LAN-to-LAN Configuration

The functionality that allows the administrator to create a network list from within a LAN-to-LAN configuration page has changed. In previous releases, the administrator could create a network list from within the LAN-to-LAN configuration page. The new method for creating a network list uses a link on the LAN-to-LAN index page to the network list configuration page.

Open Caveats for VPN 3000 Series Concentrator
Workaround:
– Use a PAT device that maps each additional simultaneous session to a unique UDP source port.
– Connect to different destination Concentrators from behind the PAT device for additional users.
– Use IPSec over TCP (cTCP) or IPSec over UDP with NAT-T instead of simple IPSec over UDP. In order to use either option, the feature must be enabled on the Concentrator side. NAT-T and cTCP are available in 3.
• CSCdy26161 The Microsoft L2TP/IPSec client for Windows 98, Windows ME, and Windows NT does not connect to the VPN 3000 Concentrator using digital certificates. Workaround: Use preshared keys.
• CSCdy51295 When specifying the link rate for bandwidth management on an interface, the VPN 3000 Concentrator only permits the range 1544000 - 100000000 bps. This makes the feature difficult to use properly when the Internet link is slower than T1 speed.
• CSCdy59580 Cannot perform XAUTH against a PDC emulator in an Active Directory (AD) environment when NT Domain is the authentication method on a VPN 3000 Concentrator. In a mixed-mode Windows 2000 AD setup, using a PDC emulator in the domain for authentication from a VPN 3000 Concentrator does not allow a user to authenticate if the password is longer than 14 characters.
• CSCdz30124 The Client might fail to establish an IPsec session if the Concentrator has a large certificate, TCP encapsulation is used, and there is a PAT router between the Concentrator and the Client.
• CSCdz32718 If a CPP that allows local LAN access is pushed from the Concentrator, the Client allows any traffic to and from the Internet.
• CSCea08995 A VPN 3000 Concentrator fails rekey with Microsoft's L2TP/IPSec client for Windows 95 or Windows 98 (OEM'd from SafeNet).
Note This does not apply to the “native” MS L2TP/IPSec client that is included with Windows 2000, XP, and later. This was determined to be a bug in the Microsoft client. The Concentrator always initiates rekeys. When phase 1 rekeys, the Concentrator sends the first main mode packet to the MS client.
• CSCea48668 A VPN 3060 Concentrator running software Release 3.6(7)Rel failed with Exception Type: 0x00000300/DSI. The Concentrator recovered itself after a while with no intervention.
• CSCea50566 You can access the web admin GUI using a Mac OS X machine running IE 5.5 with all updates and Java installed.
This tunnel is used to send the autodiscovered networks (via RIP). Steps 2 and 3 tell the Concentrator to NAT packets (to the NAT device's public interface) between the peer's public interface and its own. This is necessary because the peer directs its RIP packets to what it believes to be its peer (the NAT device). Because the filter rule was modified, the NATed Concentrator needs to NAT its RIP packets to match the modified filter rule.
Workaround: Disable L2TP compression and/or EAP-TLS authentication.
• CSCeb08162 Clicking Apply on any LAN-to-LAN SA causes all LAN-to-LAN sessions to drop.
• CSCeb09587 If you have a client user and an admin user with the same name, the client user might not be able to connect when the admin user is logged in and the client user has Simultaneous Logins set to 1. This caveat has been closed because the VPN 3000 Concentrator has a flat namespace.

Caveats Resolved in Release 3.6.8.B
Caveats Resolved in Release 3.6.8.A
• CSCea07260 After the public IP address and default gateway have been changed, the VPN Concentrator does not allow incoming data packets encapsulated in UDP (port 10000), even though the IPsec session is established correctly. If you use TCP encapsulation or no encapsulation, the problem does not occur.
• CSCeb86598 The Netscape 7.x e-mail client is unable to send mail via the SMTPS e-mail proxy.
Caveats Resolved in Release 3.6.7.H
Release 3.6.7.H resolves the following issues:
• CSCdz17373 A customer is connecting from a 3002 hardware client configured as a PPPoE client to a VPN 3000 Concentrator through an Internet Service Provider. According to the customer, this configuration was working fine until recently, when the ISP changed their side to use PAP instead of MS-CHAP v1 for PPPoE authentication. The customer sees the same behavior whether they use 3.6.3, 3.
Caveats Resolved in Release 3.6.7.F
Release 3.6.7.F resolves the following issues:
• CSCea45131 VPN 3002 Ethernet ports might hang intermittently when connected to a Centercom hub.
• CSCea74732 Changing from DHCP to STATIC on an interface does not stop IP event logs 29 and 34 from showing in the filterable event log.

Caveats Resolved in Release 3.6.7.E
Release 3.6.7.
Caveats Resolved in Release 3.6.7.C
• CSCea58142 A VPN 3000 Concentrator running Release 3.6.7 is not able to decode the objects in the CA certificate or in the VPN Client certificate. The VPN 3000 Concentrator accepts the CA certificate and the certificate for the Concentrator, but in Subject and Issuer it shows Unknown. When the VPN Client connects, it always ends up in the base group, not in the group matching the OU or the group-match configuration.
• CSCdz72398 Even when the master Concentrator is shut down, VRRP messages are still sent out. As a result, the backup Concentrator never assumes the master role.
• CSCdz78203 The following code assertion might occur on a system using the SEP-E as tunnels are connecting and disconnecting:
Assertion: “sa->refCnt >= 0” failed, in file fsmact.c, line 4462
• CSCdz82620 Cisco 501 with Individual User Authentication to Cisco ACS fails.
Caveats Resolved in Release 3.6.7.B
• CSCea37929 When using Unit Authentication for 3002s connecting into a load-balancing cluster, the connection fails. Connecting to the individual Concentrators within the cluster functions properly. This problem only occurs when connecting to the cluster address.
• CSCea37992 The VPN 3002 cannot establish an IKE tunnel to a central-site PIX.
• CSCea39673 An incorrect port number is displayed via the CLI for VPN 3002 NAT-T connections.
• CSCdz83301 If a simple password is configured under the OSPF tab in any of the interface configuration pages, the deleted entry reappears even after deleting the password, selecting None for OSPF authentication, and clicking Apply.
• CSCdz84481 When a user fails authentication due to a restriction placed on the account at the Active Directory server, the Concentrator events do not display the reason for the failure.
To help troubleshoot Kerberos authentication problems, enable AUTHDECODE up to SEV=10; you then also see this event:
117 02/25/2003 08:08:06.690 SEV=10 AUTHDECODE/43 RPT=8906 Kerberos: Error type: Client not found in Kerberos DB

Caveats Resolved in Release 3.6.7.A
Release 3.6.7.
• CSCdy42970 The VPN 3002 IPSec tunnel fails to establish when using Perfect Forward Secrecy and NAT Traversal.
• CSCdy67970 The customer cannot set the filter in a LAN-to-LAN connection to NONE. When we set it to NONE and save the configuration, then go back to LAN-to-LAN and apply a filter, NONE is no longer set. It appears that it inherits the filter from a VPN Group that has that filter applied.
• CSCdy76174 After upgrading the CVPN3002 from 3.5.2 to 3.6.
In Configuration | User Management | Groups | Authentication Servers, “Retries” must be set to zero for the problem to occur. The problem has been reported in Releases 3.5.5, 3.6.2, and 3.6.4 so far. The problem is confirmed NOT to be present in Release 3.5.2. When the Concentrator has not yet received the Node Secret from the ACE server, it also fails to install it. On the ACE server, however, you see the messages “Passcode Accepted” and “Node Secret Sent” to the Concentrator.
• CSCdz57411 The VPN 3000 Concentrator sends larger DHCP release packets than the RFC 2131 specification allows. This causes the external DHCP server to drop the packets with “Malformed packets” error messages. In turn, the leases in the external server are never released, the IP addresses become exhausted, and nobody is able to obtain an IP address from the DHCP server.
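An added example, not Cisco's code, that builds a DHCPRELEASE message and checks it the way a strict server might, using only the RFC 2131 fixed header, the magic cookie and the RFC 2132 option encoding. The 576-byte ceiling is the RFC 2131 default when the client has not advertised a larger Maximum DHCP Message Size (option 57); the sample addresses, MAC and transaction ID are constructed, and the `trailing` parameter is an assumed knob that exists only to reproduce an oversized release like the one this caveat describes.

```python
"""Build and validate DHCPRELEASE messages (RFC 2131 fixed header, RFC 2132 options).
Added example; not the Concentrator's DHCP client."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes
DHCPRELEASE = 7
BOOTP_MIN_LEN = 300            # pad short messages to the BOOTP minimum many servers expect
DEFAULT_MAX_LEN = 576          # RFC 2131 default ceiling unless option 57 raises it


def build_release(xid: int, ciaddr: str, mac: bytes, server_id: str, trailing: int = 0) -> bytes:
    """Constructed DHCPRELEASE: BOOTREQUEST, Ethernet hardware, ciaddr = address being released.
    `trailing` (assumed knob) appends zero bytes after END so an oversized message can be built."""
    fixed = FIXED.pack(1, 1, 6, 0, xid, 0, 0,
                       IPv4Address(ciaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, DHCPRELEASE])                       # DHCP Message Type
               + bytes([54, 4]) + IPv4Address(server_id).packed  # Server Identifier (required)
               + bytes([61, 7, 1]) + mac                         # Client Identifier: type 1 + MAC
               + bytes([255]))                                    # END
    message = (fixed + MAGIC_COOKIE + options).ljust(BOOTP_MIN_LEN, b"\0")
    return message + b"\0" * trailing


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field; PAD (0) is skipped, END (255) terminates."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        tag = buf[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            return options
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {tag} truncated")
        options[tag] = value
        i += 2 + length
    raise ValueError("missing END option")


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed header and options; raises ValueError on structural problems."""
    if len(data) < FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than the fixed header plus magic cookie")
    f = FIXED.unpack_from(data)
    if data[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    return {"op": f[0], "xid": f[4], "ciaddr": str(IPv4Address(f[7])),
            "chaddr": f[11][:f[2]], "options": parse_options(data[FIXED.size + 4:]),
            "length": len(data)}


def is_malformed(data: bytes) -> bool:
    try:
        parse_dhcp(data)
        return False
    except ValueError:
        return True


def check_release(data: bytes, max_len: int = DEFAULT_MAX_LEN) -> List[str]:
    """Problems a strict server could raise for a DHCPRELEASE; an empty list means acceptable."""
    msg = parse_dhcp(data)
    problems: List[str] = []
    if msg["options"].get(53) != bytes([DHCPRELEASE]):
        problems.append("not a DHCPRELEASE (option 53)")
    if 54 not in msg["options"]:
        problems.append("missing Server Identifier (option 54)")
    if msg["ciaddr"] == "0.0.0.0":
        problems.append("ciaddr must carry the address being released")
    if msg["length"] > max_len:
        problems.append(f"{msg['length']}-byte message exceeds the {max_len}-byte limit")
    return problems
```

A capture of the Concentrator's releases can be fed to `check_release` to see whether length is the only complaint a server would have; a release that is dropped never frees its lease, which is why the pool empties over time.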
Caveat Resolved in Release 3.6.7
• CSCea04761 A VPN Concentrator with a VPN Group configured for RADIUS with Expiry and “Simultaneous Logins” set to “1” allows more than one connection.
• CSCea08807 SDI servers go offline and do not recover. SDIN sockets remain open. This is a frequent but intermittent problem.
• CSCin30722 When the MIB variable alSepModuleStatsSlotNum is queried on a VPN 3000 Concentrator with a SEP card, it returns a “No Such Instance” SNMP error.
Caveats Resolved in Release 3.6.6
• CSCdy55655 When using Netscape 7.0 with the VPN 3000 Concentrator, after logging in and then trying to configure something, you are returned to the login screen.
• CSCdy74252 For a VPN 3002 Hardware Client running 3.6 or 3.6.1, you can change PPPoE settings (for example, the password) from Quick Configuration, but the changed setting cannot be saved. When you make the PPPoE change and return to the PPPoE setting screen, Static IP Addressing is checked.
Caveats Resolved in Release 3.6.5
Release 3.6.5 resolves the following caveats.
• CSCdy86096 A VPN 3000 Concentrator, upon a DHCP renewal, sends the request to the router's address instead of the IP address of the DHCP server.
• CSCdz18271 Potential buffer overrun in MPPC decompression. MPPC decompression requires additional error handling.
• CSCdz21459 A VPN 3000 Concentrator crashes when a new virtual interface is created for L2TP and PPTP connections.
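Added example, not the Concentrator's MPPC implementation: a minimal history-buffer decoder of the LZ77 kind that MPPC (RFC 2118) belongs to, with the token stream simplified to Python tuples instead of the RFC 2118 bit encoding. The 8192-byte history size is from RFC 2118; the token format and the stale "SECRET" bytes used below are constructed. Because compressed data arrives from the remote PPP peer, the offset and length in every copy token must be validated against what the stream has actually produced; `decode_unchecked` shows what happens without that check, `decode_checked` is the hardened form.

```python
"""Minimal LZ77-style history-buffer decoder with and without bounds checks.
Added example; simplified token format, not RFC 2118's bit encoding."""
from typing import Optional, Sequence, Tuple, Union

HISTORY_SIZE = 8192          # RFC 2118: MPPC keeps an 8192-octet history buffer

# Constructed token format (not the RFC 2118 bit encoding):
#   ("lit", byte)              emit one literal byte
#   ("copy", offset, length)   copy `length` bytes starting `offset` bytes back
Token = Union[Tuple[str, int], Tuple[str, int, int]]


class CorruptStream(ValueError):
    """A copy token refers to data the stream never produced, or overflows the history."""


def decode_unchecked(tokens: Sequence[Token], history: Optional[bytearray] = None) -> bytes:
    """Trusts offset and length from the stream. In Python a negative index silently wraps to
    the end of the buffer; in native code the same pos - offset reads before the buffer."""
    buf = bytearray(HISTORY_SIZE) if history is None else history
    pos = 0
    for tok in tokens:
        if tok[0] == "lit":
            buf[pos] = tok[1]
            pos += 1
        else:
            _, offset, length = tok
            for _ in range(length):
                buf[pos] = buf[pos - offset]   # no check that offset <= pos
                pos += 1
    return bytes(buf[:pos])


def decode_checked(tokens: Sequence[Token], history: Optional[bytearray] = None,
                   limit: int = HISTORY_SIZE) -> bytes:
    """Validates every token against the bytes actually produced so far and the buffer size."""
    buf = bytearray(HISTORY_SIZE) if history is None else history
    pos = 0
    for tok in tokens:
        if tok[0] == "lit":
            if pos >= limit:
                raise CorruptStream("literal would overflow the history buffer")
            buf[pos] = tok[1]
            pos += 1
        elif tok[0] == "copy":
            _, offset, length = tok
            if offset < 1 or offset > pos:
                raise CorruptStream(f"copy offset {offset} reaches before the {pos} bytes produced")
            if length < 1 or pos + length > limit:
                raise CorruptStream(f"copy length {length} would overflow the history buffer")
            for _ in range(length):          # byte-wise so overlapping copies (length > offset) repeat
                buf[pos] = buf[pos - offset]
                pos += 1
        else:
            raise CorruptStream(f"unknown token {tok[0]!r}")
    return bytes(buf[:pos])


def rejects(tokens: Sequence[Token]) -> bool:
    """True when the checked decoder refuses the stream."""
    try:
        decode_checked(tokens)
        return False
    except CorruptStream:
        return True
```

With only one byte produced, a copy token with offset 7 makes the unchecked decoder return bytes that an earlier packet left at the far end of the history (the constructed "SECRET" below); the checked decoder rejects the same token, and likewise rejects a length that would run past the end of the buffer, which in a C implementation would be the overrun write this caveat names.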
Caveats Resolved in Release 3.6.3
• CSCdy40109 When a VPN Client (version 3.6) connects to a VPN 3000 Concentrator (also running 3.6 code) using Entrust Entelligence (version 6.0) certificates, the username is not displayed under Administration | Administer Sessions and/or Monitoring | Sessions. This behavior occurs only when using a certificate serial number with a name in the CN field. For example, CN=First Lastname + serial number...
• CSCdx74374 Release 3.5.2/3.5.3 of the VPN 3000 Concentrator does not work with the NetWare DHCP server. In 3.5.x, when the VPN 3000 Concentrator receives the same IP address from the DHCP server for a second client, it never sends the reject; it just fails the connection. In Release 3.02, on the other hand, when the VPN 3000 Concentrator receives the same IP address for the second client, it sends a reject to the DHCP server and successfully retrieves a second, unique IP address.
• CSCdy35638 IP Phone_a is talking to IP Phone_b. When IP Phone_a mutes the conversation, it stops transmitting packets because the codec goes into receive-only mode. IP Phone_b continues to transmit to IP Phone_a. However, after 5 seconds, IP Phone_b can no longer be heard at IP Phone_a, because the PIX firewall has stopped forwarding packets from the outside to the inside interface; this was caused by the TCP window being exceeded.
• CSCdy41307 Internet Explorer does not display any remote access users in the admin or monitoring session tables if any user specifies a domain upon connecting. The table is displayed in Netscape, but the separating '\' is not displayed. For example, User: test, Domain: Lab.com should be displayed in the table as Lab.com\test, but Netscape displays it as Lab.comtest.
• CSCdy49334 The VPN 3000 Concentrator might fail with an out-of-memory error during heavy memory usage.
Caveats Resolved in Release 3.6.1
Release 3.6.1 addresses multiple vulnerabilities for the VPN 3000 Series Concentrators and VPN 3002 Hardware Client. Refer to the following URL for details on the vulnerabilities addressed:
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Release 3.6.1 contains the same fixes as Release 3.6, listed in the following section.

Caveats Resolved in Release 3.6
This section lists caveats resolved since Release 3.5.
• CSCdx54510 The HTML management interface allows an administrator to enter an invalid router address when configuring static routes. The administrator should verify addressing when entering static route information.
• CSCdx59201 Full implementation of bandwidth management statistics has not been completed for this first beta release and should not be tested.
• CSCdx66535 The VPN Concentrator reboots if an L2TP connection is attempted to the Concentrator with bandwidth management enabled.
• CSCdx66566 When the sorting tabs are clicked in Administer Sessions while both RAS and LAN-to-LAN sessions are being displayed, the LAN-to-LAN summaries table appears distorted. Specifically, the LAN-to-LAN entries lose the Bytes Received column, and the “Action” entries are shifted two columns to the left.
• CSCdy08702 When a RADIUS server is configured to authenticate a group and return group attributes, the VPN 3000 Concentrator does not check for illegal characters in the attribute “Split-DNS-Names”. So, when configuring multiple Split-DNS-Names in the RADIUS server, you must separate the names with a comma and no spaces or other illegal characters.
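Because the Concentrator does not validate this attribute, the check has to happen where the RADIUS attributes are provisioned. The following is an added example, not Cisco's code, that validates a Split-DNS-Names value against the format the caveat requires: comma-separated names with no whitespace, each name made of RFC 1123 hostname labels. The attribute values used below are constructed.

```python
"""Validate a Split-DNS-Names RADIUS attribute value before it is provisioned.
Added example; the Concentrator itself performs no such check (CSCdy08702)."""
import re
from typing import List

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen (RFC 1123).
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_NAME_LEN = 253


def check_split_dns_names(value: str) -> List[str]:
    """Return the problems found in a comma-separated Split-DNS-Names value; empty list == valid."""
    if value == "":
        return ["empty attribute value"]
    problems: List[str] = []
    for index, name in enumerate(value.split(",")):
        if name == "":
            problems.append(f"entry {index} is empty (double or trailing comma)")
            continue
        if name != name.strip():
            # The caveat's illegal-character case: a space after the comma is not stripped.
            problems.append(f"entry {index} {name!r} has surrounding whitespace")
            continue
        if len(name) > MAX_NAME_LEN:
            problems.append(f"entry {index} is longer than {MAX_NAME_LEN} characters")
            continue
        bad = [label for label in name.split(".") if not LABEL.match(label)]
        if bad:
            problems.append(f"entry {index} {name!r} has invalid label(s) {bad}")
    return problems
```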
Documentation Updates
63801 VPN 3015 - 3080
Change to VPN 3000 Series Concentrator Reference Volume I: Configuration
The VPN 3000 Concentrator now supports syslog servers on both Windows and UNIX (Linux and Solaris) operating system platforms. In VPN 3000 Series Concentrator Reference Volume I: Configuration, Chapter 10, “Events,” and in the corresponding online Help, the text and the screen captures refer to UNIX syslog servers.
Related Documentation
• VPN Client User Guide for Windows
• VPN Client Administrator Guide
• VPN 3002 Hardware Client Getting Started
• VPN 3002 Hardware Client Reference
• VPN 3002 Hardware Client Quick Start Card

Service and Support
For service and support for a product purchased from a reseller, contact the reseller, who offers a wide variety of Cisco service and support programs described in “Service and Support” in the Cisco Information Packet shipped with your product.
Ordering Documentation
You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions.

Obtaining Additional Publications and Information
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications.