Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
Change to Network List Creation for LAN-to-LAN Configuration
The functionality that allows the administrator to create a network list from within a LAN-to-LAN
configuration page has changed.
In previous releases, the administrator could create a network list from within the LAN-to-LAN
configuration page. The new method for creating a network list uses a link on the LAN-to-LAN index
page to the network list configuration page.
This change resolves a problem with Reverse Route Injection when the network lists are added from
within the LAN-to-LAN page. With the previous method, the routes corresponding to the network lists
that were added via the LAN-to-LAN page were not present in the routing table (CSCea13002,
CSCdz87573).
Open Caveats for VPN 3000 Series Concentrator
Caveats describe unexpected behavior or defects in Cisco software releases. The following list is sorted
by identifier number.
Note: If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any
release. To reach Bug Navigator II on CCO, select Software & Support: Online Technical Support:
Software Bug Toolkit or navigate to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
The following problems exist with the VPN 3000 Series Concentrator, Release 3.6.8.
• CSCds44095
L2TP over IPSec connections fail if going through a NAT device. During the connection
establishment, the VPN Client and the VPN 3000 Concentrator exchange IP addresses. When the
client sends what it believes to be the VPN 3000 Concentrator’s address (really the NATed address),
the VPN 3000 Concentrator releases the connection.
This is because the address assigned to the interface does not match the address coming in from the
client. The same issue exists on the client side. This will not be resolved until the Windows 2000
MS client supports UDP encapsulation.
• CSCdt08303
When configuring a LAN-to-LAN connection with IOS or PIX, it is important to match the
keepalive configuration (both “ON” or both “OFF”). If the keepalive configuration is OFF for the
VPN 3000 Concentrator and ON for the IOS device, the tunnel will be established with data.
IOS tears down the tunnel because the VPN 3000 Concentrator does not respond to IOS style
keepalives if keepalives are configured to be OFF for the VPN 3000 Concentrator.
• CSCdt96500
Multiple simultaneous connections from users behind a PAT (Port Address Translation) device can
work, but only if the PAT device uses a unique source port for each simultaneous user's IKE session.
Some PAT devices use UDP source = 500 for all IKE sessions even if there are multiple
simultaneous sessions. This will only allow 1 session to work since the second connection brought
up from behind this PAT device will cause the first session to be torn down.
This is unrelated to whether a PAT device supports “ESP” PAT or whether you are using the
IPSec/UDP (NAT) functionality.
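
The CSCdt96500 condition can be spotted from IKE traffic seen on the concentrator's public side. The following is an added example, not part of the Cisco release notes: it flags any source IP and UDP port pair that carries more than one distinct IKE session. The record layout, the sample addresses and cookies, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: IKE packets seen on the concentrator's public side,
# as (timestamp, source IP, UDP source port, IKE initiator cookie).
SAMPLE_PACKETS = [
    (100.0, "198.51.100.7", 500,  "a1b2c3d4e5f60718"),
    (100.4, "198.51.100.7", 500,  "a1b2c3d4e5f60718"),  # same session, retransmit
    (161.2, "198.51.100.7", 500,  "0f1e2d3c4b5a6978"),  # second user, same port
    (102.0, "203.0.113.20", 500,  "1111222233334444"),
    (130.5, "203.0.113.20", 1027, "5555666677778888"),  # PAT picked a unique port
    (140.0, "192.0.2.55",   500,  "9999aaaabbbbcccc"),  # single user, no clash
]

def find_pat_collisions(packets):
    """Return {(src_ip, src_port): [cookies in first-seen order]} for every
    source endpoint that carried more than one distinct IKE session."""
    first_seen = defaultdict(dict)  # endpoint -> {cookie: first timestamp}
    for ts, ip, port, cookie in packets:
        seen = first_seen[(ip, port)]
        seen[cookie] = min(ts, seen.get(cookie, ts))
    collisions = {}
    for endpoint, cookies in first_seen.items():
        if len(cookies) > 1:
            collisions[endpoint] = sorted(cookies, key=cookies.get)
    return collisions

def report(packets):
    """One line per colliding endpoint, naming the earlier session at risk."""
    lines = []
    for (ip, port), cookies in sorted(find_pat_collisions(packets).items()):
        lines.append(f"{ip}:{port} carried {len(cookies)} IKE sessions; "
                     f"session {cookies[0]} is at risk of teardown (CSCdt96500)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PACKETS)) or "no colliding IKE sessions")
```

A single peer renegotiating Phase 1 also appears as a new cookie on the same endpoint, so treat hits as candidates and compare them against the configured IKE lifetime.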