Release Notes for Version 4.2.0b15 Cisco 11000 Series Secure Content Accelerator: SCA/SCA2
CCO Date 06/27/2003
Note: The most current Cisco documentation for released products is available at http://www.cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were printed.
Contents
This release note applies to the Cisco 11000 Series Secure Content Accelerator, SCA and SCA2 versions. The note supplements information found in the Cisco 11000 Series Secure Content Accelerator Configuration Guide distributed with firmware version 4.2.0b15. The SCA2 offers significantly higher performance than the SCA.
This release note contains the following sections:
• System Requirements
• New and Changed Information
• Operational Notes
• Caveats
• FIPS Mode Changes
• Firmware Version 4.2.0b15 Command Changes
• Documentation Updates
• Obtaining Documentation
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
System Requirements
Hardware Supported
This release note applies to the Cisco 11000 Series Secure Content Accelerator, SCA and SCA2 versions. The Web management GUI requires a minimum display resolution of SVGA (800x600 resolution). For best results, use XGA (1024x768 resolution).
Software Compatibility
The Web management GUI requires Microsoft® Internet Explorer version 5.x or later, or Netscape® Navigator 4.77 or later, or 6.x or later.
Determining the Current Firmware Version
Use the appropriate method listed below to determine the currently installed firmware version. If the text “4.1” is returned, refer to section “Upgrading to a New Firmware Release” for upgrade instructions.
Serial Console CLI Instructions
1. Connect to the Secure Content Accelerator via a serial management session at 9600 baud, N81.
2. Check the firmware version by using the show device command. The returned text should contain “MaxOS 4.1”.
Telnet CLI Instructions
1. Connect to the Secure Content Accelerator using the IP address previously assigned to it.
2. Check the firmware version by using the show device command. The returned text should contain “MaxOS 4.1”.
GUI Instructions
1. Open a Web browser and connect to the Secure Content Accelerator.
2. Click General to activate the General tabs.
3. The Release panel should contain the text “4.1”.
Upgrading to a New Firmware Release
This release updates SCA and SCA2 products using firmware 4.1.x and prior versions.
78-14640-05
Upgrade Paths
Table 1 lists the upgrade paths from previous versions of SCA and SCA2 firmware.

Table 1   SCA/SCA2 Upgrade Paths to 4.2.0b15

SCA Hardware   Installed Firmware   Upgrade to This   Firmware Image File Name
Version        Version              Version
SCA            2.0.x/3.0.5          3.0.6             cisco.phr
SCA            3.0.x                3.1.0.x           css-sca-2fe-k9.phz
SCA            3.0.x/3.1.0.x        3.2.0.x           css-sca-2fe-k9.phz
SCA            3.1.0.x/3.2.0.x      4.1.0.x           css-sca-2fe-k9-3_2-to-4_1.phz
SCA            4.1.0.x              4.2.0.x           css-sca-2fe-k9.phz
SCA2           4.0.x                4.1.0.x           css-sca2-2fe-k9.phz
SCA2           4.0.x/4.1.0.x        4.2.0.x           css-sca2-2fe-k9.phz
The recommended upgrade path for the SCA is 2.0.1 to 3.0.6 to 3.1.0 to 4.1 to 4.2.
For additional information, see the Release Note accompanying each firmware release. These are available on the Cisco Web site.
Note: When upgrading an SCA from 3.1 or 3.2 to 4.1 you must use an unsigned image. This is a different firmware image than that used when reflashing a device with 4.1 firmware. The image used for reflashing is a signed image.
Serial Console CLI Instructions
Note: When flashing the SCA, use the file css-sca-2fe-k9.phz. When flashing the SCA2, use the file css-sca2-2fe-k9.phz.
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.
2. Connect to the Secure Content Accelerator via a serial management session at 9600 baud, N81.
3. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; path is the path to the firmware image file; and filename is the appropriate filename as listed in the note above.
   enable
   copy to flash protocol://serverip/path/filename
   reload
4. Wait for several minutes for the device to reload and reboot.
5. Check the firmware version by using the show device command. The returned text should contain “MaxOS 4.2”.
6. Continue with configuration as desired.
Telnet CLI Instructions
Note: When flashing the SCA, use the file css-sca-2fe-k9.phz. When flashing the SCA2, use the file css-sca2-2fe-k9.phz.
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.
2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.
3. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; path is the path to the firmware image file; and filename is the appropriate filename as listed in the note above.
   enable
   copy to flash protocol://serverip/path/filename
   reload
4. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot.
5. Reconnect to the device using a telnet management session.
6. Check the firmware version by using the show device command. The returned text should contain “MaxOS 4.2”.
7. Continue with configuration as desired.
GUI Instructions
Note: When flashing the SCA, use the file css-sca-2fe-k9.phz. When flashing the SCA2, use the file css-sca2-2fe-k9.phz.
1. Open a Web browser and connect to the Secure Content Accelerator.
2. Ensure that the General>Status page is displayed.
3. Click Tools to activate the Tools tabs.
4. Click the Firmware tab.
5. Type the path and firmware image file name or URL in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.
6. Click Upload to load the firmware image into the GUI.
7. Click Install Image next to the file information in the Installable Firmware Images panel.
8. After the new firmware has uploaded, click the Restart tab.
9. Click Reboot to reload the device. Wait several minutes for the device to reboot.
10. Reconnect to the device using the GUI and the IP address assigned to it.
11. Click General to activate the General tabs.
12. The Release panel should contain “4.2”.
13. Continue with configuration as desired.
New and Changed Information
New Firmware Features in Release 4.2.0b15
Certificate Revocation List (CRL)
A URL-based list of revoked certificates checked at user-definable intervals can be used for client authentication. The list at the specified URL is checked at intervals to ensure the list on the device is current. A CRL can be set independently for each normal SSL server. The example below demonstrates how to enable a CRL with an existing server.
1. Open a management session with the device.
2. Enter Privileged, Configuration, SSL, and Server modes.
   SCA2> enable
   SCA2# configure
   <config[SCA2]># ssl
   <config-ssl[SCA2]># server myServer
   <config-ssl-server[myServer]>#
3. Specify the URL to be used for revocation list comparison. Then enable revocation list comparison.
   <config-ssl-server[myServer]># crl url "http://www.mycomp.com/crl.txt"
   <config-ssl-server[myServer]># crl enable
   <config-ssl-server[myServer]>#
Make sure that client authentication is configured and enabled. Any certificate revocation-related errors encountered are processed as specified with the clientauth error command. Use the show ssl server command to view CRL configuration information. See the Configuration Guide for examples of client authentication configuration. Additional CRL-related commands are listed in Table 5.
URL Rewrite Uses HTTP 1.1 Protocols
HTTP 1.1 is now used for URL rewrite procedures.
Certificate Expiration Validating
Device-loaded certificates can be checked for date validity. This check can be done manually or automatically via SNMP trapping. To display a list of certificates that are expired or not yet valid, enter the following command at the Top Level:
   SCA2> show ssl cert-expiration-check
A variation of the command can be used in SSL Configuration mode, as shown below:
   <config-ssl[SCA2]># cert-expiration-check
To set the SNMP trap, use the following command in Configuration mode:
   <config[SCA2]># snmp trap-type enterprise ssl-cert-expire
Secure Shell (SSH) Management
The SCA and SCA2 can be managed via a Secure Shell (SSH) connection. SSH clients must be set to accept “none” as the authentication method. The SSH subsystem has been tested and found functional with the clients listed below.
• Cygwin1.3.15/Openssh 3.4p1 (Windows 2000)
• Openssh 3.1p1 (Red Hat Linux 7.1)
• PuTTY 0.53 (Windows 2000)
• SecureCRT4.0
• TeraTerm Pro 3.1.3 (Windows 2000)
Version Support
Only SSHv2 is supported since SSHv1 is considered an insecure protocol. If an SSHv1 client attempts to connect to the device, it is disconnected and an error message is displayed.
Compression
The following compression methods are supported:
• None
• Zlib
Concurrent Users
Only a single user connection is supported. If a second user attempts to connect to the device, no connection is allowed and an error message is displayed.
Encryption
The following encryption methods are supported:
• 3DES-CBC
• Arcfour
• None
• DES
• 3DES
MAC Support
The following MAC methods are supported:
• hmac-sha1
• hmac-md5
Key Exchange Method
The diffie-hellman-group1-sha1 key exchange method is supported.
Public Key Algorithm
RSA and DSA keys can be imported via the Key Configuration mode. The following public key algorithms are supported:
• SSH-DSA
• SSH-RSA
Authentication Method
This product supports the authentication method of “none”.
Interactive Sessions
The following session types are supported:
• Session
• pty-req
• Shell
Using SSH Sessions
Follow the steps below to set up SSH management configuration.
1. Open a management session with the device.
2. Enter Privileged and Configuration modes.
   SCA2> enable
   SCA2# configure
   <config[SCA2]>#
3. Specify the key to use for encryption. The host key can be in DSA or RSA format and is loaded in Key Configuration mode.
   <config[SCA2]># ssh hostkey rsa myKey
   <config[SCA2]>#
   Note: Although the command completer feature includes default and default-512 keys, neither of these keys can be used. Please see the Configuration Guide for more information about the command completer feature.
4. Enable the SSH subsystem.
   <config[SCA2]># ssh enable
   <config[SCA2]>#
Open an SSH session on the configuring computer, referencing the SCA or SCA2 IP address. Additional SSH-related commands are listed in Table 5.
You must configure at least one host key prior to enabling SSH. If you attempt to enable SSH without a host key configured, the device generates the following error message:
   %%Failed: on SCA2:missing ssh host key
If you do not specify a port for SSH, the default port 22 is used. Although the completer for the host key configuration includes entries for “default” and “default-512” keys, neither can be used for SSH communications.
Passing Client IP Addresses in the HTTP Header
The client IP address can be passed in the HTTP header sent to the hardware server. Client IP address information is also passed when httpheader session is enabled. The format for passed text is “X-Forwarded-For: <Client IP>”. Follow the steps below to configure this feature.
1. Open a management session with the device.
2. Enter Privileged, Configuration, SSL, and Server modes.
   SCA2> enable
   SCA2# configure
   <config[SCA2]># ssl
   <config-ssl[SCA2]># server myServer
   <config-ssl-server[myServer]>#
3. Specify that the client IP address is to be passed in the HTTP header.
   <config-ssl-server[myServer]># httpheader forwarded
   <config-ssl-server[myServer]>#
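How a backend server should treat the “X-Forwarded-For: <Client IP>” line the device inserts, as an added example that is not part of this release note or of Cisco's code: the header is honoured only when the TCP peer is the accelerator itself, so a client that reaches the backend directly cannot spoof its address. The accelerator address 10.0.0.5, the request bytes and the function names are constructed for the example.

```python
"""Consuming the X-Forwarded-For header inserted by an SSL accelerator (added example)."""
import ipaddress

# Constructed: the accelerator addresses allowed to set the header on the backend's behalf.
TRUSTED_ACCELERATORS = {ipaddress.ip_address("10.0.0.5")}


def insert_forwarded_for(request: bytes, client_ip: str) -> bytes:
    """Model of what 'httpheader forwarded' does: append an
    'X-Forwarded-For: <Client IP>' header line to the request before it is sent
    to the backend. Any header the client already sent is kept, so the
    accelerator's line is always the last one."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:  # no header terminator yet: treat everything as headers
        sep = b"\r\n\r\n"
    return head + b"\r\nX-Forwarded-For: " + client_ip.encode("ascii") + sep + body


def request_headers(request: bytes) -> dict:
    """Return {lower-cased name: [values in order]} for the request headers."""
    head = request.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("ascii", "replace"))
    return headers


def effective_client_ip(request: bytes, peer_ip: str) -> str:
    """Address the backend should log and authorize on.

    Only a trusted accelerator may speak for the client; for any other peer the
    header is ignored and the TCP peer address is used. When the peer is trusted,
    the value the accelerator appended (last header, last element) is used, and it
    must parse as an IP address; otherwise fall back to the peer address."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_ACCELERATORS:
        return str(peer)
    values = request_headers(request).get("x-forwarded-for")
    if not values:
        return str(peer)
    candidate = values[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)


# Constructed request: the client itself already sent a (spoofed) X-Forwarded-For line.
CLIENT_REQUEST = (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"X-Forwarded-For: 192.0.2.1\r\n\r\n")

if __name__ == "__main__":
    forwarded = insert_forwarded_for(CLIENT_REQUEST, "198.51.100.7")
    print(effective_client_ip(forwarded, "10.0.0.5"))      # via the accelerator
    print(effective_client_ip(CLIENT_REQUEST, "203.0.113.9"))  # direct, header ignored
```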
User-Configured Diagnostics Report List
Any combination of diagnostics reports can be executed at one time. In this example, the list of diagnostic reports is removed and two reports are added. After the reports are specified, the diagnostic list is generated.
1. Open a management session with the device.
2. Enter Privileged mode.
   SCA2> enable
   SCA2#
3. Remove all reports from the current diagnostic report list.
   SCA2# no set diag-list all
   SCA2#
4. Verify that all reports have been removed.
   SCA2# show diag-list
   no settings selected
   SCA2#
5. Add the netstat and processes reports to the list and verify their inclusion.
   SCA2# set diag-list netstat
   SCA2# set diag-list processes
   SCA2# show diag-list
   settings selected:
   netstat processes
   SCA2#
6. Run the customized diagnostic report by entering the show diagnostic-report command.
New GUI Features in Release 4.2.0b15
Certificate Revocation List
A URL-based list of revoked certificates can be used for client authentication. The list at the specified URL is checked at intervals to ensure the list on the device is current. A CRL can be set independently for each normal SSL server. The example below demonstrates how to enable a CRL with an existing server using Web management.
1. Log into the device using the Web GUI.
2. Click SSL to activate the SSL tabs.
3. Click the Secure Servers tab.
4. Either click Add Secure Server to create a new server or Edit next to an existing server to change the configuration. The Secure Server window opens.
5. Scroll to the bottom of the window to display the Certificate Revocation List - CRL panel as shown in Figure 1.
   Figure 1: Certificate Revocation List - CRL panel.
6. Type the URL to be used for updating the CRL in the CRL URL text box.
7. If desired, change the interval between updates in the CRL Update Interval text box.
8. Select the CRL Enable text box to activate use of this feature.
9. Continue with any other configuration as desired. Make sure to save the configuration to flash.
SNMP Certificate Expiration Trap
Device-loaded certificates can be checked for date validity using an SNMP trap. The following example demonstrates how to configure this trap using Web management.
1. Log into the device using the Web GUI.
2. Click SNMP to activate the SNMP tabs.
3. Click the Traps tab. The tab contents are displayed as shown in Figure 2.
   Figure 2: Traps Tab with SSL Certificate Expiration Tab.
4. Select the SSL Certificate Expiration check box to enable the trap.
5. Click Update to save the change to the running configuration.
6. Continue with any other configuration as desired. Make sure to save the configuration to flash.
Secure Shell (SSH) Management Configuration
You can use the Web GUI to configure SSH management of the device.
1. Log into the device using the Web GUI.
2. Click Access to activate the Access tabs.
3. Click the Subsystem tab. The Subsystem tab contents are displayed as shown in Figure 3.
   Figure 3: Subsystem Tab Used to Configure SSH Management.
4. Use the SSH & Telnet Management panel to configure SSH management.
5. Change the default SSH port in the Port text box, if desired.
6. Type an access control list number to use for security in the Access Control List Id text box, if desired.
7. Select either an RSA or DSA Host Key from the appropriate drop-down list box.
8. Click Update to write the configuration to the device.
9. Continue with any other configuration as desired. Make sure to save the configuration to flash.
Passing Client IP Addresses in the HTTP Header
The client IP address can be passed in the HTTP header sent to the hardware server. Client IP address information is also passed when httpheader session is enabled. Follow the steps below to configure this feature using Web management.
1. Log into the device using the Web GUI.
2. Click SSL to activate the SSL tabs.
3. Click the Secure Servers tab.
4. Either click Add Secure Server to create a new server or Edit next to an existing server to change the configuration. The Secure Server window opens.
5. Scroll to the Add HTTP Headers to the backend HTTP Stream panel. This section is shown in Figure 4.
   Figure 4: Adding the Client IP Address to the Backend HTTP Stream.
6. Select the Add Client IP Address check box to enable the feature.
7. Continue with any other configuration as desired. Make sure to save the configuration to flash.
Operational Notes
• To negotiate a connection with FIPS 140-2-compliant servers configured on the SCA2, some client browsers must be configured with TLS only. SSL must be disabled, and data is still encrypted.
• The commands erase running-config and erase startup-config are not available in FIPS Mode.
• Due to limitations with Netscape 4.X and earlier, the Netscape browser can hang in the following instance: client authentication on the device is configured with the error state set to send an HTML error message to the browser.
  In this scenario, if Netscape does not send the client certificate or if an error condition is present, the first connection appears to successfully connect, but an IO error also occurs on the device. Therefore, subsequent connection attempts do not successfully create connections to the device. This scenario causes Netscape to stop allowing connections to the device. If this situation occurs, start Task Manager by right-clicking the task bar and selecting Task Manager from the menu. Locate the "netscape.exe" process in the list of processes currently running on the system. Select "netscape.exe", and right-click. Then select "End Process Tree". You now can make connections using Netscape.
  It is strongly recommended that you upgrade your Netscape browser to a more current version to prevent the above usage conditions.
• Configuring a device using multiple sessions or methods simultaneously can cause undesirable results. We recommend only one session be used at a time to make configuration changes.
• Changing terminal settings in variance with the actual window size can affect the readline capabilities of the device: the displayed cursor position might not be indicative of its actual position.
• No error message is displayed when deleting an access list that is referenced by certain subsystems. Access is denied.
• In two-port mode services such as syslog, RIP, RDATE server, SNTP server, and SNMP are available only through the “Server” port.
• To use the syslog ability, the configured syslog server must be set to listen for remote entries.
• For optimal performance, the maximum total session cache for the SCA should not exceed 75,000. The maximum total session cache for the SCA2 should not exceed 300,000. For example, for an SCA2 with five secure servers, each secure server should set the cache size to 60,000 (300,000/5).
• A saved configuration file does not contain private keys or passwords. Private keys must be loaded separately with names exactly matching those referenced by the secure server. Additionally, old private keys are not removed from the startup-configuration by copying a new configuration to the device. To remove the old private keys, delete each private key, and write the running-configuration to the startup configuration or erase the startup-configuration.
• When using client authentication, individual Web browsers behave very differently in the way they filter requests for client certificates and how they cache certain aspects of the session.
• Erasing the running-configuration of a device using the GUI disconnects the Web browser from the device. To continue configuration, reconnect to the device.
• Setting the localport in a secure server entry to the listening TCP port of the Web management subsystem renders the GUI inaccessible. You must use a different listening TCP port for each entity.
• When writing a configuration via the GUI, the existing configuration is erased first; therefore, all configurations written using the GUI should be complete configurations. Incremental configuration updates are only possible by adding the changes to a complete configuration, and then writing this configuration. An option for overwriting or incrementally updating a configuration using a written configuration will be added at a future date.
• The GUI caches certain items and can misrepresent the state of the actual device in certain circumstances, such as if the device is rebooted without saving changes. To obtain the current device state, refresh the page. This can be accomplished by SHIFT-clicking the Refresh button.
• Once Web management is enabled, it is always accessible via the "Server" port (two-port mode) or the "Network" port (one-port mode) even if SSL client-side access has been configured. Use an access list to prevent unwanted access.
• Assigning a Web management access list to the device completely prevents HTTPS access from the GUI. Setting the following access list allows HTTPS access to the GUI from any IP address:
   access-list 10 permit 127.0.0.1 0.0.0.0
   web-mgmt access-list 10
• The copy to startup-configuration command replaces the public startup-configuration. The keys and passwords still exist unless they have been deleted or erased.
• Erasing the running-configuration of a device using the CLI disconnects any GUI or telnet sessions from the device. To continue configuration, reconnect to the device.
• The custom completer completes previously created objects with the word “create” if TAB is pressed after the full name is typed. To edit an existing object, ensure “create” is not part of the command.
• When writing configuration files to the running configuration, the new configuration file appends to the existing configuration rather than replacing it. In the process of recreating existing configuration information, some errors will be displayed. These can be ignored safely.
• The factory-set default SNMP community is “public”; however, “public” is not listed in the configuration. The behavior of setting and resetting the SNMP community is demonstrated in the table below.
Command                          SNMP community is set to...   SNMP community in configuration is...
snmp default community XYZ       XYZ                           XYZ
no snmp default community        XYZ                           No default community listed
snmp default community public    public                        public
• The arrow keys on the Windows NT 4.0 default telnet client when accessing the CLI do not behave as expected. To scroll through the command history, use CTRL-N and CTRL-P.
• Pasting certificates or keys using the default Windows NT telnet client may fail. This may be the result of the Return character at the end of each line in the file. If you open the file with Notepad and see black boxes at the end of each line, delete them and replace them with carriage returns using the Enter key. The file should load after this.
• After changing a device from one-port to two-port mode, write the configuration to flash and reload (reboot) the device for proper functioning.
• Changing the interface speed and duplex from autonegotiation does not display forced configuration if open connections are present. Forced speed and duplex settings are displayed only if a non-autonegotiated speed is specified.
• Multiple subsystems can be set to use the same access port. However, this causes undesirable results. Please ensure each subsystem “listening” port is unique on the device.
• If the first DNS server does not return a response for an unknown host before the timeout occurs, the device will not use the next domain-name suffix.
• Non-transparent server objects are not updated if the device IP address is changed. Reloading the device or accessing the configuration of each server object resets the IP address assignment.
• Adding a static route entry for duplicating a previously RIP-discovered route is not supported. Deleting a RIP-discovered route is not supported. A RIP-discovered default route cannot be cleared with the command clear ip routes or by disabling RIP alone. To remove this type of route, disable RIP and reload the device. The command ip route does not allow a change to an existing entry. To change an entry, delete the old entry first and then add the new one.
• In certain situations, spaces are echoed to the device when using the Cygwin SSH client.
• SCA2/SSL-RX network driver stops passing traffic: it was observed that in two-port mode with high amounts of non-SSL traffic present, a network driver would eventually stop passing traffic. The driver ring buffer operation was changed to a more reliable configuration.
• An enhancement in the urlrewrite User Interface has been made to support multiple ports for the same domain name. That is, the user can now specify "urlrewrite <domain-name> 81 444" and "urlrewrite <domain-name> 82 445" for the same Normal Server. Previously, the domain name had to be unique for each urlrewrite entry.
• Initial values for server TCP tuning parameters are taken from the global settings. The mtu setting can be configured at the global level, but not the server level. Thus, the device would display errors on boot because the mtu setting had been duplicated to the server TCP tuning parameters in the startup-configuration file. This has been fixed so that the mtu setting can never be set on a per-server basis.
• A bug was seen where the device fails to parse and rewrite URLs correctly when receiving HTTP responses, sent by a Microsoft IIS Server, which do not contain the headers "Content-Length:" and "Connection:". A fix has been made to interpret the missing combination of the two headers as if the header "Connection: close" exists so that the HTTP response can be parsed correctly. This has resolved the failures seen.
• A bug was seen where the device, in one-armed port mode, replies to a message destined to a UDP multicast address. A fix has been made and the device now no longer responds to any message destined for a UDP multicast address.
• A bug was seen where the device, even under moderate load, suddenly lost all its memory and did not recover. The memory was found to be locked up in the tfTcpVect and some buf-xxx memory zones. The failure was traced to a minor performance enhancement in a network driver send routine. The enhancement has now been disabled and it was verified to have fixed the memory leakage.
• It was observed that HP OpenView could not load the MIB for the SCA device when other Cisco MIBs had already been loaded. The enterprises object identifier was modified from "cisco" to "ciscosca" to resolve this conflict.
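The response-framing rule behind the IIS fix in the first note above, as an added example that is not part of this release note or of the device firmware: from the response headers it decides whether the body is chunked, sized by Content-Length, or delimited by the server closing the connection (the case a response with neither Content-Length nor Connection falls into, which the device now treats as "Connection: close"), and it decodes a chunked body. The sample responses and function names are constructed.

```python
"""Deciding how an HTTP/1.x response body ends (added example; constructed input)."""


def parse_response_head(raw: bytes):
    """Split a raw response into (version, headers, bytes after the blank line).
    Header names are lower-cased; repeated headers are joined with commas."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        val = value.strip().decode("ascii", "replace")
        headers[key] = headers[key] + ", " + val if key in headers else val
    return version, headers, rest


def body_framing(headers) -> str:
    """RFC 2616 section 4.4 precedence: a Transfer-Encoding other than identity
    means chunked; otherwise Content-Length sizes the body; with neither, the body
    runs until the server closes the connection. A response carrying no
    Content-Length and no Connection header (the IIS case) lands in the last branch."""
    te = headers.get("transfer-encoding", "").lower()
    if te and te != "identity":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "close"


def connection_persists(version: str, headers, framing: str) -> bool:
    """A close-delimited body consumes the connection, so it can never persist;
    HTTP/1.1 otherwise persists unless 'Connection: close' was sent, and
    HTTP/1.0 persists only with an explicit keep-alive."""
    if framing == "close":
        return False
    conn = headers.get("connection", "").lower()
    if version == "HTTP/1.1":
        return "close" not in conn
    return "keep-alive" in conn


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, chunk bytes, CRLF, ..., '0' terminator."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk and its trailing CRLF


def classify(raw: bytes):
    """Return (framing, persistent, body) for a complete captured response."""
    version, headers, rest = parse_response_head(raw)
    framing = body_framing(headers)
    if framing == "chunked":
        body = decode_chunked(rest)
    elif framing == "content-length":
        body = rest[: int(headers["content-length"])]
    else:
        body = rest  # everything up to connection close is the body
    return framing, connection_persists(version, headers, framing), body


# Constructed sample responses, not captures from any real server.
IIS_NO_LENGTH = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                 b"Content-Type: text/html\r\n\r\n<html>no length</html>")
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"6\r\n<html>\r\n7\r\n</html>\r\n0\r\n\r\n")
SIZED_CLOSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"

if __name__ == "__main__":
    for name, sample in (("IIS", IIS_NO_LENGTH), ("chunked", CHUNKED), ("sized", SIZED_CLOSE)):
        print(name, classify(sample))
```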
Caveats
Table 2 and Table 3, respectively, summarize the release and resolved caveats for this release.
Table 2   Release Caveats Reference
Software Release: 4.2.0b15

DDTS Number   Discovered   Corrected   Caveat
CSCea35189    4.1                      Using the no session cache command on an active device can temporarily suspend the console.
CSCea45897    4.1                      Device does not pass e-mail address to server if the subject is too long.
CSCea54234    4.1                      Completer for urlrewrite command is unclear.
CSCea55998    4.1                      Changing the Web management port with the GUI might result in anomalous behavior.
CSCea61328    4.2                      Enabling HTTPS management using the GUI will assign an inappropriate CRL interval.
CSCea61334    4.1                      Values for mtu in global TCP tuning parameters are copied into the startup-configuration file when server-level TCP tuning is configured.
CSCea63441    4.2                      Vulnerability: Klima-Pokorny-Rosa attack on RSA in SSL/TLS.
CSCea63444    4.1                      Use of some commands might slow down transaction processing in high-load situations.
Table 3   Resolved Caveats Reference
Software Release: 4.2.0b15

DDTS Number   Discovered   Corrected   Caveat
CSCdz65838    4.0          4.2         Setting GMT with DST in GUI does not display properly.
CSCdz84449    4.1          4.2         Possible memory leakage with step-up certificate and exportable client connections.
CSCdz88341    4.0          4.2         SSL statistics for active server connections in the GUI and CLI might differ.
CSCdz89220    3.2          3.2         Parsing responses stops if urlredirect is enabled and content length is zero.
CSCdz89280    4.1          4.1         Device can hang when an exportable client browser issues a TCP RST.
CSCdz89374    3.2          3.2         Device fails to insert customer Content-Length: 0 HTTP header.
CSCdz89383    4.0          4.0         Failure with HTTP/1.1 chunked-transfer and urlrewrite.
CSCdz89391    4.0          4.0         Failure to reset SCA to factory defaults.
CSCdz89399    4.1          3.2         Large SSL transactions can lead to a DOS attack.
CSCdz89405    3.2          3.2         Connection closed and HTTP redirect fails when a TCP RST is propagated to client.
CSCdz89410    3.2          3.2         When upgrading the device via FTP from a telnet client, initial attempts to load new firmware would fail (subsequent attempts would be successful).
CSCdz89414    3.2          3.2         Malformed httpheader session inserts using Netscape 4.7x HTTP POST.
CSCdz89421    3.2          3.2         Race condition using MS SGC, 40-bit cipher, when the client sends GET too fast.
CSCdz89429    3.2          3.2         OpenSSL Security Advisory Alert on openssl 0.9.5a.
CSCea09188    4.1          4.2         Using step-up certificates with the export Netscape browser fails when the strong security policy has been configured.
CSCea09200    4.1          4.2         Device may hang with high memory usage.
CSCea25694    4.1          4.2         Failure to redirect using urlrewrite redirectonly with HTTP/1.1 clients and a web server using chunked transfer-encoding in subsequent HTTP responses of a persistent connection.
CSCea35158    4.1          4.2         GMT settings in the timezone string were unclear.
CSCea35160    4.1          4.2         TCP tuning parameters were only set on the SSL port listening socket.
CSCea35169    4.2          4.2         The openssl version is potentially susceptible to password interception.
Table 3 (continued)   Resolved Caveats Reference
Software Release: 4.2.0b15

DDTS Number   Discovered   Corrected   Caveat
CSCea35172    4.1          4.2         Linux telnet client can cause situation where configuration sessions hang.
CSCea35178    4.2          4.2         The GUI does not display the correct timezone setting.
CSCea35194    4.2          4.2         Incorrect FIPS server validation routine.
CSCea63433    4.1          4.1         Some memory problems might be observed with multiple telnet sessions under high device load conditions.
CSCea63433    4.1          4.2         Memory problems might be encountered with a high load on the device and multiple telnet sessions.
CSCea55998    4.1          4.2         GUI hangs on changing management port number.
CSCea61328    4.1          4.2         Bad CRL interval assigned enabling HTTPS management.
CSCea89051    4.1          4.2         SSL subsystem locks up and Server Hellos stop.
CSCeb13816    4.1          4.2         Multicast Ethernet destination address in Inline mode.
CSCea45897    4.1          4.2         Device does not pass e-mail address to server if subject too long.
CSCeb27753    4.1          4.2         TCP Tuning settings vs TCP stack defaults.
CSCea63441    4.1          4.2         Vulnerability: Klima-Pokorny-Rosa attack on RSA in SSL/TLS.
Open Caveats - Release 4.2.0b15
• CSCea35189
We do not recommend disabling session caching while traffic is going through the device. If session
caching is disabled while the device is experiencing heavy traffic, device functionality might be lost
for a period of time.
• CSCea45897
In situations when the device is configured to send the client certificate to the server and the subject
field is larger than the device configuration will allow, the client certificate is sent, but the e-mail
address is not included in the packet.
• CSCea54234
The urlrewrite completer help shows “/path/afile” as part of the syntax. This may be misleading, as
URL rewrite uses only the domain name: URL rewrite cannot be used on a per-file or per-directory basis.
• CSCea61334
Initial values for server TCP tuning parameters are taken from the global settings. The mtu setting
can be configured at the global level, but not at the server level. Thus, the device will display errors
on boot because the mtu setting has been duplicated to the server TCP tuning parameters in the
startup-configuration file. No other errors are associated with this caveat.
• CSCea63444
Certain commands are very CPU intensive. We recommend the following commands not be run with
active connections present unless instructed by customer support:
– write memory
– write flash
– show netstat (when a large number of connections are present)
– show diagnostic-report (when a large number of connections are present)
If the device is experiencing high load, issuing these commands might max out the CPU, resulting
in a slowdown of transactions. Applications which have low timeout values might disconnect in this
situation.
Resolved Caveats - Release 4.2.0b15
• CSCdz65838
In the GUI, on the Time Page, if you set the timezone to GMT and have the DST box checked, clicking
Update reverts the setting to Eastern Standard Time with the DST box unchecked.
• CSCea84449
If an SSL server has been configured with a step-up certificate, exportable client connections can
cause a memory leak during the SSL re-negotiation phase, and the device may eventually hang.
The bug can be revealed by running show memory zones periodically and observing increased
connBlock zones over time, even after exportable client connections have finished.
• CSCdz88341
SSL statistics for active server connections in the GUI and CLI might differ.
• CSCdz89220
When urlrewrite redirectonly is enabled and HTTP responses do not have the “content-length:”
header value, the algorithm would stop parsing responses for that connection, resulting in
no rewrite of 3xx HTTP responses and hence no secure redirection. The fix has now been made to
treat such HTTP responses as having a content length of 0 (zero).
• CSCdz89280
Device can hang when an exportable client browser issues a TCP RST during SSL session
negotiation. If an exportable client browser issues a TCP RST while negotiating an SSL session, a
connection in a particular transition state could become stuck in the execution queue forever, leading
to a device hang. Serial console access may still be available, but the device would not respond to
SSL traffic and would need to be rebooted.
• CSCdz89374
When an HTTP request contains a header line "Content-Length: 0", the parsing algorithm fails to
parse correctly. Custom header data might not be inserted. The result is that the returned data from
OWA will contain incorrect links, "http://..." instead of "https://...". The fix has been made to correct
the parsing error, and custom header data are now inserted into every HTTP request.
• CSCdz89383
An SSL server configured with urlrewrite redirectonly may fail when attempting to process
HTTP/1.1 chunked-transfer encoded transactions with size greater than 16k.
• CSCdz89391
Attempting to reset the device to factory defaults using the FailSafe password may cause a device
failure. This has been fixed so that a reset to factory defaults resets the passwords to default values
and deletes any private keys stored on the device. The possible corruption of configuration files
during an upgrade or repair has also been fixed.
• CSCdz89399
The device TCP/IP stack can consume too much memory under certain heavy load scenarios,
particularly under a heavy load of large SSL transactions, where each transaction has a size of 20KB.
This could potentially lead to frequent memory allocation failures and possible device failure. This
scenario is now prevented by introducing a low system memory limit into the TCP/IP stack code to
prevent the device from consuming too much memory. If the remaining memory is less than the low
memory limit, all SSL server TCP traffic is now dropped. In order to provide quality of service for
device telnet and Web management sessions, as well as syslog and SNMP, TCP traffic intended for
the telnet and Web management server ports and all UDP traffic is allowed to pass. Additional
checks already exist in these subsystems to prevent DoS attacks on these systems.
• CSCdz89405
It was discovered that an HTTP 3.0x response consisting of more than one packet under a certain
scenario could cause the device to incorrectly propagate the TCP RST to the client browser, causing
the device to ignore the redirection. In this scenario, no part of the HTTP request was received by
the backend server, and the server has already sent out its 3.0x response and closed the connection
(TCP FIN). Any data belonging to the HTTP request arriving after the connection was already
closed would lead the server to send out a TCP RST in response. The device incorrectly interpreted
this TCP RST and propagated it to the client browser. The fix has now been made to discard any
erroneous TCP RST events after a TCP FIN is already received.
• CSCdz89410
When upgrading the device via FTP from a telnet client, initial attempts to load new firmware would
fail (subsequent attempts would be successful).
• CSCdz89414
A problem has been fixed to correctly insert SSL session information in the HTTP request headers
(httpheader session command). This problem occurred only when Netscape 4.7x sends an HTTP
POST request. The header-body CRLF delimiter can be received with CR and LF characters in
separate buffers. In this scenario, the SSL session information was incorrectly added to the HTTP
headers. The additional headers were inserted between the CR and LF, causing a malformed request.
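The following Python example is added here and is not Cisco code: it shows the buffer-boundary problem behind this caveat, with a model of the defect that inspects each receive buffer on its own beside a version that carries bytes across buffers so the inserted header always lands before the blank line. The POST request and the session header value are constructed for illustration.

```python
"""Inserting an extra request header (as the httpheader session command
does) when the header/body delimiter CR LF CR LF may be split across two
receive buffers.

Added example, not Cisco code.  insert_header_buggy models the defect in
CSCdz89414; insert_header_fixed carries bytes across buffer boundaries so
the result is the same however the request was fragmented.  The sample
request and the session header value are constructed.
"""

DELIM = b"\r\n\r\n"

# Constructed sample POST and an extra header in the style the page describes.
SAMPLE_REQUEST = (
    b"POST /exchange/ HTTP/1.0\r\n"
    b"Host: owa.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
EXTRA_HEADER = b"X-SSL-Session: constructed-session-id\r\n"


def insert_header_buggy(buffers, extra):
    """Model of the defect: every receive buffer is handled on its own.

    A buffer that ends in CR LF CR (a partial delimiter) is taken as the end
    of the headers and the extra header is emitted immediately, which puts it
    between that CR and the LF that arrives in the next buffer.
    """
    out = b""
    done = False
    for buf in buffers:
        if done:
            out += buf
            continue
        i = buf.find(DELIM)
        if i >= 0:                      # delimiter complete in this buffer
            out += buf[:i + 2] + extra + buf[i + 2:]
            done = True
        elif buf.endswith(b"\r\n\r"):   # partial delimiter: mishandled
            out += buf + extra
            done = True
        else:
            out += buf
    return out


def insert_header_fixed(buffers, extra):
    """Carry up to len(DELIM)-1 trailing bytes between buffers so the
    delimiter is only acted on once it has been seen in full."""
    out = b""
    pending = b""
    done = False
    keep = len(DELIM) - 1
    for buf in buffers:
        if done:
            out += buf
            continue
        pending += buf
        i = pending.find(DELIM)
        if i >= 0:
            out += pending[:i + 2] + extra + pending[i + 2:]
            pending = b""
            done = True
        else:
            out += pending[:-keep]      # safe to emit: cannot start DELIM
            pending = pending[-keep:]
    return out + pending


def is_well_formed(request):
    """True if the header block ends with an empty line and every header
    line is terminated by exactly CR LF (no stray CR or LF inside a line)."""
    head, sep, _body = request.partition(DELIM)
    if not sep:
        return False
    return all(b"\r" not in line and b"\n" not in line
               for line in head.split(b"\r\n"))


def split_at(data, k):
    """Fragment a request into two receive buffers at byte offset k."""
    return [data[:k], data[k:]]


if __name__ == "__main__":
    k = SAMPLE_REQUEST.index(DELIM) + 3      # first buffer ends in CR LF CR
    print(is_well_formed(insert_header_buggy(split_at(SAMPLE_REQUEST, k), EXTRA_HEADER)))
    print(is_well_formed(insert_header_fixed(split_at(SAMPLE_REQUEST, k), EXTRA_HEADER)))
```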
• CSCdz89421
A corner-case race condition for 40-bit client step-up in all prior versions of SSL firmware has been
fixed. This bug was only present when all of the following conditions existed:
a. A Microsoft Server Gated Cryptography (SGC) certificate is used.
b. A 40-bit cipher is negotiated first.
c. Step-up happens on the same connection.
d. The client sends an HTTP GET faster than the device connection to the backend server is made.
The race condition would hang up the client browser, in which case the user could “reload” the page
to get around the problem.
• CSCdz89429
All the OpenSSL vulnerabilities announced on July 30, 2002 were patched. For more information,
please see http://www.openssl.org/news/secadv_20020730.
• CSCea09188
In configurations with a secpolicy composed of only 128-bit and stronger ciphers and a step-up
certificate, connections through the device using an exportable Netscape client will fail. This is due
to the client browser attempting to step up while still in the first SSL handshake and using a weak
cipher.
• CSCea09200
In high memory usage situations, such as when a large session cache setting is used and/or keepalive
is enabled, the device can enter a state where SSL transactions are no longer serviced.
• CSCea25694
A bug was seen where the device, configured with urlrewrite redirectonly, would fail to rewrite
URLs starting with the second HTTP response of a persistent connection in which the client is
HTTP/1.1 and the web server uses chunked transfer-encoding for the body. Additionally, if the
chunk-size had leading 0s, it was incorrectly processed as the last chunk, and urlrewrite parsing
would stop.
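The following Python example is added here and is not Cisco code: it frames HTTP responses on a persistent connection for both this caveat and CSCdz89220 above, reading a missing Content-Length as a zero-length body and parsing chunk sizes such as 0005 as hexadecimal rather than as the last chunk, beside a model of the leading-zero defect. The response stream and the simplified Location rewrite are constructed for illustration.

```python
"""Framing HTTP responses on a persistent connection so that a 3xx can be
rewritten to an https:// Location (the urlrewrite redirectonly idea).

Added example, not Cisco code.  It covers the two parsing defects the page
describes: a response with neither Content-Length nor chunked encoding is
given a zero-length body (CSCdz89220) instead of stopping the parser, and
a chunk-size with leading zeros such as "0005" is read as hex, not as the
terminating chunk (CSCea25694).  parse_chunk_size_buggy models the latter
defect; the response stream below is constructed.
"""
import re

CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")   # size [; extension]

# Constructed: chunked 200 (sizes with leading zeros and an extension),
# then a 302 with no body-framing headers, then a Content-Length 200.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0005\r\nhello\r\n0006;ext=1\r\n world\r\n0\r\n\r\n"
    b"HTTP/1.1 302 Found\r\nLocation: http://www.example.test/owa/\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc"
)


def parse_chunk_size_buggy(line):
    """Model of CSCea25694: a size line starting with '0' is treated as the
    last chunk, so "0005" ends the body early."""
    if line.startswith(b"0"):
        return 0
    return int(line.split(b";")[0], 16)


def parse_chunk_size(line):
    """Chunk size is hexadecimal; leading zeros and a ';ext' suffix are allowed."""
    m = CHUNK_SIZE_RE.match(line.strip())
    if not m:
        raise ValueError("bad chunk-size line: %r" % line)
    return int(m.group(1), 16)


def decode_chunked(data, size_fn=parse_chunk_size):
    """Decode a chunked body at the start of data.

    Returns (body, bytes_consumed) so the caller can continue with the next
    response on the same connection.
    """
    body = b""
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = size_fn(data[pos:end])
        pos = end + 2
        if size == 0:
            # last chunk: skip optional trailer headers up to the empty line
            return body, data.index(b"\r\n\r\n", pos - 2) + 4
        body += data[pos:pos + size]
        pos += size + 2                 # chunk data is followed by CR LF


def frame_responses(stream, size_fn=parse_chunk_size):
    """Split a persistent-connection byte stream into
    (status_line, headers, body) tuples."""
    responses = []
    pos = 0
    while pos < len(stream):
        hdr_end = stream.index(b"\r\n\r\n", pos)
        status_line, *header_lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for h in header_lines:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = hdr_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, used = decode_chunked(stream[pos:], size_fn)
            pos += used
        else:
            # No Content-Length: treat the body as empty rather than give up.
            length = int(headers.get("content-length", "0"))
            body = stream[pos:pos + length]
            pos += length
        responses.append((status_line, headers, body))
    return responses


def secure_redirect(status_line, headers):
    """For a 3xx response with an http:// Location return the https:// form,
    otherwise None.  (Simplified; the device rewrites by domain name only.)"""
    code = int(status_line.split()[1])
    loc = headers.get("location", "")
    if 300 <= code <= 399 and loc.lower().startswith("http://"):
        return "https://" + loc[len("http://"):]
    return None


if __name__ == "__main__":
    for status, hdrs, body in frame_responses(SAMPLE_STREAM):
        print(status, len(body), secure_redirect(status, hdrs))
```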
• CSCea35158
The timezone setting was enhanced for the CLI and corrected for the GUI. Previously the timezone
string was interpreted as xxxyyyzzz, where xxx was the timezone at the device location, yyy was the
number of hours to get from the present timezone to GMT, and zzz was the Daylight Savings Time
setting. It now supports a timezone string of the form GMT+n or GMT-n. Note that this offset is
from GMT and is interpreted opposite from the offset in the original form. For example, the string
“MDT7MST” is the same timezone as “GMT-7”.
• CSCea35160
TCP tuning parameters were set only on the SSL port listening socket of a server object. There were
issues where special applications on the physical server could not handle fast TCP retransmits and
needed the tuning of the device to apply to the clear text socket. The TCP tuning subsystem was
enhanced to apply settings also to the remoteport (clear text) socket.
• CSCea35169
Using a timing attack, an active attacker can substitute specifically made-up ciphertext blocks for
blocks sent by legitimate SSL/TLS parties and measure the time until a response arrives. SSL/TLS
includes data authentication to ensure that such modified ciphertext blocks will be rejected by the
peer (and the connection aborted), but the attacker may be able to use timing observations to
distinguish between two different error cases, namely block cipher padding errors and MAC
verification errors. This is sufficient for an adaptive attack that finally can obtain the complete
plaintext block. This vulnerability has been fixed by applying a patch to the SSL libraries.
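The following Python example is added here and is not Cisco code: it shows the server-side countermeasure for this caveat, a record verification that returns one alert and does the same MAC work whether the padding or the MAC is wrong, beside the distinguishable variant. The record layout (plaintext, MAC, padding), key and data are constructed, and no cipher is involved.

```python
"""Uniform handling of block-cipher padding errors and MAC errors on a
decrypted CBC record (the distinction the timing attack in CSCea35169
exploits).

Added example, not Cisco code.  It works on the record after decryption
(plaintext || MAC || padding || pad-length byte, TLS 1.0 layout) so no
block cipher is needed.  verify_buggy returns a different alert for each
failure and skips the MAC when padding is bad; verify_fixed computes the
MAC as if the padding were zero length when the padding check fails and
returns one alert for both cases, the countermeasure adopted in TLS 1.1
(RFC 4346, section 6.2.3.2).  Key and data are constructed.
"""
import hashlib
import hmac

MAC_LEN = 20                              # HMAC-SHA1
BLOCK = 16
BAD_RECORD_MAC = "bad_record_mac"
DECRYPTION_FAILED = "decryption_failed"   # the second, distinguishable alert


def build_record(mac_key, data, block=BLOCK):
    """Append MAC and TLS-style padding (padlen+1 bytes, each == padlen)."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    padlen = block - (len(data) + MAC_LEN + 1) % block
    return data + mac + bytes([padlen]) * (padlen + 1)


def check_padding(rec):
    """TLS padding check without an early exit over the pad bytes."""
    if len(rec) < MAC_LEN + 1:
        return False
    padlen = rec[-1]
    if padlen + 1 + MAC_LEN > len(rec):
        return False
    bad = 0
    for b in rec[-padlen - 1:]:
        bad |= b ^ padlen
    return bad == 0


def verify_buggy(mac_key, rec):
    """Two outcomes that differ both in the alert and in the work done."""
    if not check_padding(rec):
        return DECRYPTION_FAILED              # no MAC computed at all
    data = rec[:len(rec) - rec[-1] - 1 - MAC_LEN]
    mac = rec[len(data):len(data) + MAC_LEN]
    if hmac.new(mac_key, data, hashlib.sha1).digest() != mac:
        return BAD_RECORD_MAC
    return data


def verify_fixed(mac_key, rec):
    """One alert; the MAC is always computed, over the record as if the
    padding were zero length when the padding check fails."""
    if len(rec) < MAC_LEN + 1:
        return BAD_RECORD_MAC
    pad_ok = check_padding(rec)
    padlen = rec[-1] if pad_ok else 0
    data = rec[:len(rec) - padlen - 1 - MAC_LEN]
    mac = rec[len(data):len(data) + MAC_LEN]
    calc = hmac.new(mac_key, data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(calc, mac)
    if not (pad_ok & mac_ok):                 # & rather than and: no short-circuit
        return BAD_RECORD_MAC
    return data


def corrupt(rec, offset):
    """Copy of rec with one byte flipped (offset may be negative)."""
    buf = bytearray(rec)
    buf[offset] ^= 0x80
    return bytes(buf)


if __name__ == "__main__":
    key = b"constructed-mac-key"
    rec = build_record(key, b"GET /owa/ HTTP/1.0")
    for verify in (verify_buggy, verify_fixed):
        print(verify.__name__, verify(key, corrupt(rec, -2)), verify(key, corrupt(rec, 0)))
```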
• CSCea35172
When using a Linux telnet session with the device, the write flash command would sometimes
terminate the session. In subsequent configuration sessions, accessing the flash file system with
such commands as write memory would hang the session. The device was not hung, but a reboot
was required before access to the flash was restored. A patch has been implemented which addresses
this situation.
• CSCea35178
The GUI does not display the correct timezone setting. When initially connected, the GUI shows
the Eastern Timezone.
• CSCea35194
Through code review, a problem was discovered in the server validation routine in FIPS mode. There
was a check for key length appropriateness in the server validation code when in FIPS mode that
would improperly access the key. The result of configuring a server without assigning a key would
be that an inappropriate message, "Invalid key length 0", was sent to the console. A check was added
to the server validation code to make sure the key exists before accessing it.
• CSCea63433
When the device is under high load conditions and experiencing a low memory critical state, it might
become unstable when multiple telnet sessions are initiated to the device. The additional telnet
sessions might overrun the available memory. Appropriate fixes have been made to budget memory
for multiple telnet sessions in this critical low memory state, and a check has been added to refuse
telnet clients when memory is not available to support a new telnet session.
• CSCea55998
A bug was seen in which changing the management port while in a GUI management session would
hang the session. This was fixed by replacing the problematic timeout with a semaphore in the web
server enable.
• CSCea61328
A bug was seen where enabling HTTPS management would assign an inappropriate value of zero to
the CRL interval of the server filter. The code was fixed to assign an appropriate default value when
enabling this feature.
• CSCea89051
A bug was found in the processing path taken when a crypto operation hardware offload failed due to
lack of resources and the process then called a software equivalent. An issue existed in the setup to
call the software routine that caused the job to stall, and subsequent access to the crypto chip to stall.
This has been fixed and verified to behave properly when this condition occurs.
• CSCeb13816
A bug was seen where the device, in inline mode, interferes with a pass-through established TCP
connection by sending a TCP RST when seeing a packet with a multicast Ethernet destination
address. In this configuration, the client is a Checkpoint Firewall configured with a multicast
Ethernet address, and any packet sent back by a Web Server would contain the multicast Ethernet
destination address. A fix has been made, and the SSL device now no longer processes any
TCP-protocol packet destined for a multicast Ethernet address.
• CSCea45897
In situations when the device is configured to send the client certificate to the server and the subject
field is larger than the device configuration will allow, the client certificate was sent, but the e-mail
address was not included in the packet. This has been fixed to accept larger subject fields.
• CSCeb27753
Concern has been expressed that after setting TCP tuning parameters, the output of "show ip
statistics" differs from these new values. This occurs both with the GUI and the CLI, and is the
expected behaviour. The result of "show ip statistics" lists values associated with the TCP/IP stack
on the device as a whole. TCP tuning parameters are applied either to a specific ssl server, or in a
global setting as defaults for ssl servers where not specifically overridden. Neither the global
settings nor the per-server settings are applicable to the TCP/IP stack for the device as a whole; thus,
even when tuning parameters are changed, they will not be reflected in the output of "show ip
statistics" or any other commands that interrogate the state of the device stack.
• CSCea63441
Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an
extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0
and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the
server under attack; the server’s behaviour when faced with specially made-up RSA ciphertexts can
reveal information that in effect allows the attacker to perform a single RSA private key operation
on a ciphertext of its choice using the server’s RSA key. Note that the server’s RSA key is not
compromised in this attack.
The appropriate patches have been made to the SSL libraries.
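The following Python example is added here and is not Cisco code: it shows the premaster-secret handling that removes the oracle this caveat describes, where the server substitutes random bytes on bad padding or a wrong version instead of sending an alert, beside the variant whose alert reveals the decision. The PKCS #1 v1.5 block helpers and all inputs are constructed; no RSA key is used.

```python
"""Handling a malformed or wrong-version RSA premaster secret without
giving the peer an observable difference, the countermeasure against the
Bleichenbacher / Klima-Pokorny-Rosa oracle described under CSCea63441.

Added example, not Cisco code.  It works on the block that comes out of
the RSA private-key operation (EME-PKCS1-v1_5: 00 02 PS 00 M), so no RSA
key is involved.  premaster_buggy returns None (an alert) on any format or
version problem, which is what the attack observes; premaster_fixed always
yields 48 bytes, substituting random ones on failure so the handshake
fails later at Finished the same way for every bad ciphertext (the
approach in RFC 5246, section 7.4.7.1).  Inputs are constructed.
"""
import os

PREMASTER_LEN = 48
MIN_PS_LEN = 8


def pkcs1_v15_pad(m, k):
    """EME-PKCS1-v1_5 encode m into a k-byte block (test helper)."""
    ps_len = k - 3 - len(m)
    if ps_len < MIN_PS_LEN:
        raise ValueError("message too long")
    ps = bytes(b or 1 for b in os.urandom(ps_len))      # PS must be non-zero
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(em):
    """Return M from a block, or None if the block is not well formed."""
    if len(em) < 3 + MIN_PS_LEN or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 2 + MIN_PS_LEN:
        return None
    return em[sep + 1:]


def premaster_buggy(em, client_version):
    """Distinct outcome for bad padding or a bad version: None means the
    server sends an alert, and the peer learns the block was malformed."""
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN or m[:2] != client_version:
        return None
    return m


def premaster_fixed(em, client_version):
    """Always return 48 bytes.  On any problem return random bytes, so the
    only visible effect is a later Finished-message failure, the same as for
    a ciphertext that decrypted to a random but well-formed premaster.
    (A production implementation also does the selection in constant time.)"""
    substitute = os.urandom(PREMASTER_LEN)
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN:
        m = substitute
    if m[:2] != client_version:
        m = substitute
    return m


if __name__ == "__main__":
    version = b"\x03\x01"                    # TLS 1.0 as offered by the client
    pms = version + bytes(range(PREMASTER_LEN - 2))
    em = pkcs1_v15_pad(pms, 128)
    bad_type = em[:1] + b"\x01" + em[2:]      # block type 01 instead of 02
    print(premaster_buggy(bad_type, version))
    print(len(premaster_fixed(bad_type, version)))
```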
FIPS Mode Changes
Several changes have been made to FIPS mode operation commands. These command changes are listed
in Table 4.
Table 4   Deprecated FIPS Mode Commands in Version 4.2.0b15.

Mode                      Command and Syntax   Description
Key Configuration Mode    der                  Imports a DER-encoded key.
                          genrsa               Generates an RSA key.
                          net-iis              Imports an IIS-encoded key.
                          pem                  Imports a PEM-encoded key.
RSA keys must be at least 1024 bits in length for use in FIPS mode. While shorter keys can be entered,
users are warned that those keys cannot be used. The following text is displayed:
%% Invalid key length 512 for FIPS mode!
%% Key length must be 1024 at least for FIPS mode!
Firmware Version 4.2.0b15 Command Changes
Table 5 and Table 6 list commands added and changed in firmware version 4.2.0b15, respectively.
Table 5   CLI Commands Added in Firmware Version 4.2.0b15.

Mode: Top Level Mode: Non-Privileged Mode
  show ssh
      Displays whether SSH is enabled, the port defined for SSH use, and the host key specified for use.
  show ssl cert-expiration-check
      Displays a list of invalid certificates stored on the device as indicated by the certificate
      validity dates.

Mode: Top Level Mode: Privileged Mode
  [no] set diag-list <all|cpu|device|memory|netstat|processes|running-config|ssl|ssl-errors|
                      ssl-session-statistics|ssl-statistics|startup-config|zones>
      Specifies one or more reports to be added to or removed from the diagnostic report list. Use the
      no form of the command to remove a report. Use the all keyword to include all diagnostic reports.
  show diag-list
      Displays a list of the user-specified diagnostic reports generated by the show diagnostic-report
      command.
Mode: Configuration Mode
  [no] snmp trap-type enterprise ssl-cert-expire
      Sets an SNMP trap to monitor for use of a certificate that has expired or is not yet valid. Use the
      no form of the command to remove the trap. If this trap has been set, it is included in the output
      of the show snmp command.
  ssh access-list <listid>
      Assigns an access list for communication with the device via SSH, where listid is the identifier
      of the existing access list.
  [no] ssh enable
      Enables SSH management of the device if one or two host keys have been configured. Using the
      no form of the command disables SSH management.
  [no] ssh hostkey <dsa|rsa> <keyname>
      Assigns a DSA or RSA key to be used as a host key for SSH management, where keyname is the
      name of the key. Keys of less than 768 bits are not allowed to be used as host keys. If the
      specified key is invalid for use as a host key, an error message is displayed. Use the no form of
      the command to remove the specified key name from the configuration.
  ssh port <portid|default>
      Assigns a port for use with SSH management of the device, where portid is the number of the
      port. The default option can be used to return the port number to 22.

Mode: SSL Configuration Mode
  cert-expiration-check
      Displays a list of invalid certificates stored on the device as indicated by the certificate
      validity dates.

Mode: Server Configuration Mode
  [no] crl enable
      Enables use of a Certificate Revocation List for the server being configured.
  crl interval <days>
      Specifies the number of days between CRL updates from the configured URL. The default interval
      is 30 days.
  crl url <url>
      Specifies the URL to be used for CRL updates, where url is the complete URL entered within
      quotation marks. Replace the existing URL by specifying another one.
  [no] httpheader forwarded
      Enables passing of the client IP address in the HTTP header sent to the hardware server. The state
      of this configuration is displayed in the output of the show ssl server command and the info
      command in Server Configuration mode. The format of the passed IP is “X-Forwarded-For:
      <Client IP>”.
Table 6   CLI Commands Changed in Firmware Version 4.2.0b15.

Mode: Top Level Mode: Non-Privileged Mode
  show device
      Secure Shell (SSH) information has been added to the output of this command. If SSH is enabled,
      the SSH host key(s) and port are displayed. If only one SSH host key has been configured, the
      other is displayed as “(null)”.
  show ssl server [servername]
      Certificate Revocation List (CRL) information has been added to the output of this command. CRL
      information includes whether CRL is enabled, the CRL update interval, and the URL to use for the
      CRL.

Mode: Server Configuration Mode
  httpheader session
      The client IP is now passed to the hardware server via the HTTP header. The format of the passed
      IP is “X-Forwarded-For: <Client IP>”.
Documentation Updates
All information pertaining to version 4.2.0b15 of the firmware not described in the latest Configuration
Guide is located in this Release Note.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical
resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which may have shipped with your product. The Documentation CD-ROM is updated monthly
and may be more current than printed documentation. The CD-ROM package is available as a single unit
or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere
in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click
Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a
starting point for all technical assistance. Customers and partners can obtain online documentation,
troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users
have complete access to the technical support resources on the Cisco TAC website, including TAC tools
and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information,
networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product,
technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC
Escalation Center. The avenue of support that you choose depends on the priority of the problem and the
conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably
impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects
of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations
will occur if service is not restored quickly. No workaround is available.
Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The
site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website
require a Cisco.com login ID and password. If you have a valid service contract but do not have a login
ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco
TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC
website so that you can describe the situation in your own words and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). When you call the center, please have available your service agreement
number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as
ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new
and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking
Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest
information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers
with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in the design, development, and operation of public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training—Cisco offers world-class networking training, with current offerings in network training
listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and
Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to
Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient,
IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S.
and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0208R)
Copyright © 2003 Cisco Systems, Inc. All rights reserved.