Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
Caveats Resolved in Release 3.6.7.A
• CSCdy42970
The VPN 3002 IPSec tunnel fails to establish if using Perfect Forward Secrecy and NAT Traversal.
• CSCdy67970
The customer cannot set the filter in a LAN-to-LAN connection to NONE. When the filter is set to NONE
and the configuration is saved, then on returning to the LAN-to-LAN connection a filter is applied and NONE is no longer set.
It appears that the connection inherits the filter from a VPN Group that has that filter applied.
• CSCdy76174
After upgrading the CVPN3002 from 3.5.2 to 3.6.1, every user gets a script error message, and some
users are no longer able to use the Outlook email application.
• CSCdy81949
When using Certificate Group Matching as described in:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/config/polmgt.htm#xtocid145
it appears that when there are several distinguished-name attributes to match on, such as
multiple OUs, the rules are only matched against the last attribute (OU). Earlier OUs are ignored.
This occurs when you are using Certificate Group Matching and have multiple OUs in the same
certificate.
If you have a Client certificate with multiple OUs under the “Subject”, such as:
OU=12345678
OU=http://www.cisco.com
and you have defined rules like this:
ou*12345678
ou*http
then messages similar to these appear in the Concentrator logs (class=CERT):
1 10/02/2002 12:10:21.510 SEV=5 IKE/21 RPT=18 192.168.1.1
No Group found by matching IP Address of Cert peer 192.168.1.1
2 10/02/2002 12:10:21.510 SEV=5 CERT/110 RPT=19
Group match for cert peer 192.168.1.1 failed using rule ou*“12345678”
3 10/02/2002 12:10:21.510 SEV=5 CERT/110 RPT=20
Group match for cert peer 192.168.1.1 succeeded using rule ou*“http”
4 10/02/2002 12:10:21.510 SEV=5 CERT/105 RPT=4
Group [TEST-GROUP] found for cert peer 192.168.1.1 by group match rule ou*“http”
If you remove the first rule, you also (trivially) succeed, matching “http” against the second OU.
If you remove the second rule, the connection fails, because 12345678 is not a pattern inside the last
OU (http://www.cisco.com).
• CSCdz08568
If an IPsec policy containing DES appears after policies containing AH, the DES policy is not found.
The Concentrator appears to stop matching policies once one containing AH is found.
• CSCdz23351
VPN 3000 Concentrator may not successfully authenticate users that are externally authenticated
with SDI to an RSA ACE Server when the number of retries for the SDI server is configured to 0 on
the Concentrator.
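The Certificate Group Matching behaviour described under CSCdy81949 can be reproduced with a small model, added here as an example and not Cisco code. It assumes that a rule of the form `ou*PATTERN` means "some OU attribute of the subject contains PATTERN" (case-insensitive substring), that rules are evaluated in order with the first match assigning the group (as the CERT/110 and CERT/105 log sequence on the page shows), and that the subject DN is supplied as a comma-separated string. The `only_last_attribute` switch reproduces the defect (only the last OU is consulted); the default path is the expected behaviour. A helper also extracts the group-match outcome from CERT/110 log lines, which is the quickest way for an operator to confirm which rule placed a peer in a group. The subject, rules and log lines are constructed from the caveat's own example.

```python
import re

# Added example, not Cisco code. Models the matching behaviour from caveat CSCdy81949.
# Assumption: "ou*PATTERN" means "an OU attribute contains PATTERN" (case-insensitive).


def parse_subject(dn):
    """Split 'OU=a,OU=b,CN=c' into ordered (attribute, value) pairs.
    A plain split on ',' is enough for the constructed sample (no escaped commas)."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parse_rule(rule):
    """Parse a contains-rule 'ou*PATTERN' into (ATTRIBUTE, pattern).
    The pattern may be quoted, as it is in the Concentrator log lines."""
    attr, op, pattern = rule.partition("*")
    if op != "*":
        raise ValueError("only the '*' (contains) operator is modelled here: %r" % rule)
    return attr.strip().upper(), pattern.strip().strip('"\u201c\u201d')


def rule_matches(rule, subject, only_last_attribute=False):
    """True if PATTERN occurs in an attribute of the rule's type.
    only_last_attribute=True reproduces the bug: earlier OUs are ignored."""
    attr, pattern = parse_rule(rule)
    values = [v for a, v in subject if a == attr]
    if only_last_attribute:
        values = values[-1:]          # defect: only the last OU is consulted
    return any(pattern.lower() in v.lower() for v in values)


def find_group(rules, subject, only_last_attribute=False):
    """rules: ordered list of (group_name, rule). The first matching rule assigns
    the group; returns (group, rule) or None when no rule matches."""
    for group, rule in rules:
        if rule_matches(rule, subject, only_last_attribute):
            return group, rule
    return None


# CERT/110 message text: "Group match for cert peer <ip> failed|succeeded using rule <rule>"
LOG_RE = re.compile(
    r"Group match for cert peer (?P<peer>\S+) (?P<result>failed|succeeded) using rule (?P<rule>\S+)"
)


def summarize_cert_log(lines):
    """Return [(peer, result, rule)] for each CERT/110 group-match message, so an
    operator can see which rule placed (or failed to place) a peer in a group."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("peer"), m.group("result"), m.group("rule")))
    return out


# Constructed from the caveat's example (two OUs, two rules, the logged messages).
SAMPLE_SUBJECT = "OU=12345678,OU=http://www.cisco.com"
SAMPLE_RULES = [("TEST-GROUP", "ou*12345678"), ("TEST-GROUP", "ou*http")]
SAMPLE_LOG = [
    "No Group found by matching IP Address of Cert peer 192.168.1.1",
    "Group match for cert peer 192.168.1.1 failed using rule ou*\u201c12345678\u201d",
    "Group match for cert peer 192.168.1.1 succeeded using rule ou*\u201chttp\u201d",
    "Group [TEST-GROUP] found for cert peer 192.168.1.1 by group match rule ou*\u201chttp\u201d",
]

if __name__ == "__main__":
    subj = parse_subject(SAMPLE_SUBJECT)
    print("buggy (last OU only):      ", find_group(SAMPLE_RULES, subj, only_last_attribute=True))
    print("expected (all OUs):        ", find_group(SAMPLE_RULES, subj))
    print("buggy, second rule removed:", find_group(SAMPLE_RULES[:1], subj, only_last_attribute=True))
    for entry in summarize_cert_log(SAMPLE_LOG):
        print(entry)
```

With the defect modelled, the first rule fails and the group is assigned only by `ou*http`; remove the second rule and no group is found, exactly the sequence the caveat describes. With all OUs consulted, the first rule already matches, so a group assignment should never depend on the position of an OU in the subject.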