
Release Note for the Cisco Traffic Anomaly
Detector Appliance
July 16, 2007
Note
The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to software versions 6.0(10) and 6.0(5) for the Cisco Traffic Anomaly Detector
appliance (Detector). This release note contains the following sections:
• New Features in Software Version 6.0(5)
• Upgrading to Software Version 6.0(x)
• Operating Consideration
• MultiDevice Manager Commands Omitted from the Configuration Guide
• Software Version 6.0(10) Open Caveats and Resolved Caveats
• Software Version 6.0(5) Open Caveats and Resolved Caveats
• Related Documentation
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2007 Cisco Systems, Inc. All rights reserved.
New Features in Software Version 6.0(5)
The following new features are available in software version 6.0(5):
• Support for the 2007 daylight saving time (DST) change.
• Ability to set the TACACS+ server port.
• Ability to set the TACACS+ encryption key.
Upgrading to Software Version 6.0(x)
In software version 4.x, the Detector allowed you to configure illegal subnet masks. In software version
5.1(4), the Detector checks to ensure that subnet masks are legal. When you upgrade from a software
version prior to 5.1(4) to version 6.0(x), the Detector corrupts all zone configurations that contain an
illegal subnet mask. To prevent the Detector from corrupting a zone configuration that contains an illegal
subnet mask, replace the illegal mask with a legal one by performing the following steps prior to
upgrading the software:
Step 1 Use the no ip address command to delete the subnet mask.
Step 2 Use the ip address command to configure the subnet mask with a legal subnet.
For details on configuring zone IP addresses, see the “Configuring the Zone IP address Range” section
in the Cisco Traffic Anomaly Detector Configuration Guide.
Software upgrade instructions are located in the “Upgrading the Detector Software Version” section in
the Cisco Traffic Anomaly Detector Configuration Guide.
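As an added example that is not part of the release note or the Detector software, the following Python script scans an exported zone configuration for illegal (non-contiguous) subnet masks so they can be corrected with the two steps above before upgrading. The zone <name> / ip address <address> <mask> line layout of the constructed sample is an assumption made for this example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of a Detector zone configuration. The "zone <name>" /
# "ip address <address> <mask>" layout is an assumption for this example and
# is not taken from the configuration guide. Two of the masks are illegal.
SAMPLE_ZONE_CONFIG = """\
zone web-farm
 ip address 192.0.2.0 255.255.255.0
 ip address 192.0.2.128 255.255.255.192
zone dns
 ip address 198.51.100.0 255.255.0.255
 ip address 198.51.100.64 255.255.255.224
zone mail
 ip address 203.0.113.0 255.254.255.0
"""

ZONE_RE = re.compile(r"^\s*zone\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")


def mask_is_legal(mask: str) -> bool:
    """A legal dotted-quad mask is a run of 1 bits followed only by 0 bits."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    # Inverting a contiguous mask yields 2^n - 1, so inverted & (inverted + 1) is 0.
    inverted = (~bits) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def find_illegal_masks(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (zone, address, mask) for every ip address line whose mask is illegal."""
    findings = []
    zone = None
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and not mask_is_legal(m.group(2)):
            findings.append((zone or "<no zone>", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for zone, addr, mask in find_illegal_masks(SAMPLE_ZONE_CONFIG):
        # Each finding needs "no ip address" then "ip address" with a legal mask
        # on the Detector before the upgrade, as the release note describes.
        print(f"zone {zone}: illegal mask {mask} on {addr}")
```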
Operating Consideration
The copy ftp command supports active mode only.
MultiDevice Manager Commands Omitted from the
Configuration Guide
Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the
Detector were introduced in software version 5.1(5), but were omitted from the Cisco Traffic Anomaly
Detector Configuration Guide. The following sections describe these commands:
• mdm logging trap Command
• mdm restore Command
• show mdm Command
Release Note for the Cisco Traffic Anomaly Detector Appliance
2
OL-12691-02
mdm logging trap Command
To configure traps for MDM logging, use the mdm logging trap command in global configuration
mode. To disable logging functions, use the no form of this command.
The syntax for this command is as follows:
mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
The following table describes the keywords for the mdm logging trap command.
Keyword        Description
alerts         Immediate action needed (severity=1).
critical       Critical conditions (severity=2).
debugging      Debugging messages (severity=7).
emergencies    System is unusable (severity=0). This is the default.
errors         Error conditions (severity=3).
informational  Informational messages (severity=6).
notifications  Normal but significant conditions (severity=5).
warnings       Warning conditions (severity=4).
For example, to capture and log informational messages, use the mdm logging trap informational
command in global configuration mode.
user@DETECTOR# configure
user@DETECTOR-conf# mdm logging trap informational
mdm restore Command
When you enable the MDM service on the Detector to allow you to manage the device using the MDM,
the MDM automatically upgrades the RA on the device when it initiates a communication link with the
device. While the MDM is upgrading the device RA, the operating state displays on the MDM as
Initializing. The state changes to Connected when the RA upgrade is complete.
When a device appears to be constantly in a state of initialization, it may indicate that the MDM is
attempting to upgrade the device RA but cannot do so.
Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To
return the device Remote Agent (RA) to the stub and force the MDM to reinstall the latest RA version,
use the mdm restore command in global configuration mode.
The syntax for this command is as follows:
mdm restore
For example:
user@DETECTOR# configure
user@DETECTOR-conf# mdm restore
show mdm Command
To check the status of MDM connections and settings, use the show mdm command in EXEC mode.
The syntax for this command is as follows:
show mdm
For example:
user@DETECTOR# show mdm
The following table describes the fields in the show mdm display.
Field               Description
MDM service state   Operating state of the MDM service: enabled or disabled.
MDM servers         List of MDM servers that you define on the device (permitting them to access
                    the device) and the state of the key exchange process with each of the servers:
                    key exchange is complete or key exchange is required.
Connected managers  MDM server currently connected to and managing the device.
MDM syslog level    Setting of the syslog server logging level: alerts, critical, debugging,
                    emergencies, errors, informational, notifications, warnings.
Software Version 6.0(10) Open Caveats and Resolved Caveats
The following sections contain the open and resolved caveats in software version 6.0(10):
• Software Version 6.0(10) Open Caveats
• Software Version 6.0(10) Resolved Caveats
Software Version 6.0(10) Open Caveats
The following caveats are open in software version 6.0(10):
• CSCsb05557—Remote activation and synchronization processes from a Detector appliance to a
Guard appliance do not function when the Detector is located behind a device that is performing
Network Address Translation (NAT). Workaround: Reconfigure the network configuration to
disable NAT.
• CSCsb20206—The WBM remains unresponsive while the pop-up window waits for results from
the signature generation process. Even if you close the pop-up window manually, the WBM remains
unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window
receives a result, or issue the no service wbm CLI command in configuration mode.
• CSCsb29083—You cannot use the same name to create packet dumps in different zones.
Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector may stop functioning or start logging errors after reaching 100%
anomaly detection engine memory utilization. Workaround: Use the show resources command in
global mode to view the amount of anomaly detection engine memory currently being used by the
Detector. Reducing the number of active zones may free up memory.
• CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup
process. The Detector issues and logs an error message. The Detector attempts two additional loads.
• CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not
be able to connect to the Detector. Workaround: Remove the login banner.
• CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the
network. Workaround: Reboot the Detector.
• CSCsd39569—After several hundred consecutive reloads, the Detector may automatically reboot.
Workaround: None.
• CSCsd71002—Under certain conditions, the Detector does not create and activate all child zones
that are being attacked. This behavior occurs when the zone is defined on the Detector using the
dst-ip-by-name activation method, and when the attack occurs on several IP addresses from the
zone range. If only global policies are active (that is, not the dst_ip policy), only the first recognized
IP address is protected successfully. Workaround: Ensure that the dst_ip policies are active on the
zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the
more 0 command.
• CSCse27876—When you press Ctrl-C during an import of a new software version or configuration,
you interrupt the import process and the CLI session may get disconnected. Workaround: Do not
press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the
Detector. Workaround: None.
• CSCsg42338—The Detector CPU usage may reach 100%. Workaround: Reboot the Detector.
• CSCsi07283—The Web-Based Manager (WBM) does not reflect changes to the TimeZone
definition until the Detector is rebooted. Workaround: Reboot the Detector.
• CSCsi21984—When using the WBM, browsing to a zone page is very slow after the zone has been
active for a long time and the zone logs become extremely long. Workaround: Export the zone logs
to an external server and then clear the log files from the Detector database.
• CSCsi50185—When synchronizing time with an NTP server, the Detector intermittently detects a
major clock change (16 seconds or more) and issues a log message. Workaround: None.
• CSCsj27292—The Detector does not count bypass filters correctly, which may cause the watchdog
to reload the Detector. Workaround: Remove all unnecessary bypass filters.
Software Version 6.0(10) Resolved Caveats
The following caveats were resolved in software version 6.0(10):
• CSCsh92933—After entering the tacacs authorization exec tacacs+ command, the show
running-config command does not display the tacacs authorization exec tacacs command in the
configuration output.
• CSCsi2905, CSCsi17169—When accepting the thresholds during the learning process, the Detector
intermittently encounters an error when accepting some of the thresholds.
• CSCsi23637—When using the Web-Based Manager (WBM), TACACS+ login authentication falls
back to local authentication even if the TACACS+ server rejects the authentication.
• CSCsi65071—A flex-content filter with a single byte tcpdump expression may not detect the byte
in the zone traffic.
• CSCsi67008—A flex-content filter tcpdump expression does not look at the last byte of a packet.
• CSCsi70650—The watchdog process intermittently becomes stuck on one of the child processes.
• CSCsi78741—The internal watchdog constantly reloads the Detector and the accelerator card is
unresponsive. The log contains many “cannot read counters” errors.
• CSCsi86968—The MultiDevice Manager (MDM) fails to activate anomaly detection on a zone that
is configured on two Detectors.
Software Version 6.0(5) Open Caveats and Resolved Caveats
The following sections contain the open and resolved caveats in software version 6.0(5):
• Software Version 6.0(5) Open Caveats
• Software Version 6.0(5) Resolved Caveats
Software Version 6.0(5) Open Caveats
The following caveats are open in software version 6.0(5):
• CSCsb05557—Remote activation and synchronization processes from a Detector appliance to a
Guard appliance do not function when the Detector is located behind a device that is performing
Network Address Translation (NAT). Workaround: Reconfigure the network configuration to
disable NAT.
• CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window
waits for results from the signature generation process. Even if you close the pop-up window
manually, the WBM remains unresponsive while signature generation is in progress. Workaround:
Wait until the pop-up window receives a result, or issue the no service wbm CLI command in
configuration mode.
• CSCsb29083—You cannot use the same name to create packet dumps in different zones.
Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector may stop functioning or start logging errors after reaching 100%
anomaly detection engine memory utilization. Workaround: Use the show resources command in
global mode to view the amount of anomaly detection engine memory currently being used by the
Detector. Reducing the number of active zones may free up memory.
• CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup
process. The Detector issues and logs an error message. The Detector attempts two additional loads.
• CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not
be able to connect to the Detector. Workaround: Remove the login banner.
• CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the
network. Workaround: Reboot the Detector.
• CSCsd39569—After several hundred consecutive reloads, the Detector may automatically reboot.
Workaround: None.
• CSCsd71002—Under certain conditions, the Detector does not create and activate all child zones
that are being attacked. This behavior occurs when the zone is defined on the Detector using the
dst-ip-by-name activation method, and when the attack occurs on several IP addresses from the
zone range. If only global policies are active (that is, not the dst_ip policy), only the first recognized
IP address is protected successfully. Workaround: Ensure that the dst_ip policies are active on the
zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the
more 0 command.
• CSCse27876—When you press Ctrl-C during an import of a new software version or configuration,
you interrupt the import process and the CLI session may get disconnected. Workaround: Do not
press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the
Detector. Workaround: None.
Software Version 6.0(5) Resolved Caveats
The following caveats were resolved in software version 6.0(5):
• CSCsb33259—The graphs for the show counters history, show rates history, and the WBM traffic
rates only show current rates. The graphs do not show logs for the zone. This occurs when the zone
is active, but there is no activity (that is, there is no traffic) on it.
• CSCsc85020—The graph interpolates the end of an attack curve with the current time instead of the
real end of attack time.
• CSCse64988—When you use the WBM to add a service to a zone, service thresholds are set to zero
and are not tuned.
• CSCsf02506—When you use the WBM to show zone general information, the error message
“Unexpected error” may appear on the first try.
• CSCsg22709—When you add a service in a WBM comparison screen, the service is not added to
the zone. This occurs when you compare a zone with a snapshot.
• CSCsg53101—When you use the WBM excessively, the RAM disk becomes filled with logs before
the logrotate policy removes old logs. This situation may cause the Detector to become unstable and
inaccessible.
Related Documentation
The following Detector documents are available:
• Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note
• Cisco Traffic Anomaly Detector Configuration Guide
• Cisco Traffic Anomaly Detector Web-Based Manager Configuration Guide
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback,
security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s
New in Cisco Product Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html