Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
Open Caveats for VPN 3000 Series Concentrator
CSCdz30124
The Client might fail to establish an IPsec session if the Concentrator has a larger certificate,
TCP encapsulation is used, and there is a PAT router between the Concentrator and the Client.
CSCdz32718
If CPP, which allows local LAN access, is pushed from the Concentrator, the Client allows any
traffic from/to the Internet.
CSCdz34686
With multiple authentication servers defined, if any are defined by DNS name, and the system fails
to resolve any of the servers, all incoming authentication requests will be held off for approximately
45 seconds. For example, the first server in the list was defined as an IP address and was working,
the second and third servers were defined as DNS names and did not exist on my network (testing
with a customer config). When trying to make a VPN Client IPSec connection, the first and second
connection attempts time out, the next 10 or so work, then repeat the time out cycle.
Testing with servers only defined by IP address did not exhibit this behavior. In fact, servers defined
by IP address that did not exist were recorded as being on-line in the event log.
Workaround:
Remove the servers defined by DNS name.
CSCdz44060
VPN 3000 Concentrator version 3.6.3 sometimes leaves the RRI route in the Concentrator’s routing
table, even though the client is no longer connected.
CSCdz45586
When connecting a VPN 3015 Concentrator with Cisco VPN Client Software, the VPN connection
fails.
CSCdz66368
Windows XP becomes unreachable over IP after returning from standby mode if “Stateful
Failover (Always On)” is enabled.
Workaround:
Disable “Stateful Failover (Always On)”.
CSCea04137
There is a problem with IPSEC SAs reestablishing after checkpoint initiates a soft reset.
CSCea07260
After the public IP address and default gateway have been changed, the VPN 3000 Concentrator
does not allow incoming data packets encapsulated by UDP(10000), even if an IPsec session is being
established correctly. If you use TCP encapsulation or no encapsulation, the problem does not occur.
Workaround:
Reload the VPN 3000 Concentrator after IP address modification.
CSCea08566
Many “IPSEC ESP bad pad length (8) >= buffer length (8)” messages were logged in a syslog.
Using VPN3000 and PIX EzVPN:
- Phase 2 SA recreation after an expiration of a SA because of an idle timeout (30 min)
- 35 sec after a creation of a new SA after an old SA lifetime expiration
(Duplicate of CSCdz33769.)