Cisco Intelligent Automation for Cloud 4.1 Release Notes
Cisco Intelligent Automation for Cloud 4.1.1 Release Notes
OL-29969-03
Known Issues
Solution
After the decommission process is complete, log in to the PNSC and delete the reference for the removed
CSR from the Resources tab under Managed Resources. This action should only be taken by staff
experienced with managing the network infrastructure.
Firewall Problems
Issues with VDCs and VMs
Problem
Any user-created firewall rule to deny traffic (such as a Virtual Data Center rule and/or a Virtual Machine
Firewall rule) which was created for unprotected networks on advanced network services VDCs will not
take full effect. This is because the default permit statement created as part of creating the unprotected
network is taking precedence over user-created rules.
Solution
A Process Orchestrator server global variable called “Default CSR and VSG fw sequence number”
sets the default Permit All Firewall rules sequence number to a very large number (default value of
65000), ensuring that the user rules come before the default permit all/deny all regardless of type.
Proper Order for Drop and Permit Not Being Maintained
Problem
When applying Virtual Data Center (VDC) or Virtual Machine (VM) Firewall rules between
zones/networks/servers, Cisco IAC is not retaining the proper order in which drop and permit rules need
to be applied. The correct ordering should match (i.e. be consistent) on both the Cloud Service Router
(CSR) Zone Based Firewall and Virtual Security Gateway (VSG) Layer2 Firewall.
Solution
The long-term solution is to offer users the capability to change the Firewall rules order in the user
interface. Until Cisco IAC offers that capability, we are applying the rules in the order in which they are
provisioned.
If any rule order needs changing, the user would need to manually roll back the affected set of rules and
re-enter them in the correct order. This is similar to the functionality and logic of manually editing rules
in the command line.
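Both firewall issues above come down to the order in which rules are evaluated. The following Python sketch is an added example, not Cisco IAC or Process Orchestrator code: it assumes a first-match model in ascending sequence order, and the Rule class, helper names and addresses are constructed for illustration. It shows a default permit-all shadowing a user drop rule, the effect of moving the default to sequence 65000, and a check that flags shadowed rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model, not Cisco IAC code. Assumption: rules are evaluated in
# ascending sequence order and the first matching rule decides the flow.
@dataclass(frozen=True)
class Rule:
    seq: int
    action: str            # "permit" or "drop"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    origin: str = "user"   # "user" or "default"

def _net(cidr):
    return ipaddress.ip_network(cidr)

def evaluate(rules, src_ip, dst_ip):
    """Return the rule that decides this flow, or None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.seq):
        if s in _net(r.src) and d in _net(r.dst):
            return r
    return None

def shadowed(rules):
    """Return (rule, shadowing_rule) pairs where an earlier rule with a
    different action covers every flow the later rule could match."""
    ordered = sorted(rules, key=lambda r: r.seq)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.action != later.action
                    and _net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                out.append((later, earlier))
                break
    return out

def with_default_seq(rules, seq=65000):
    """Renumber default rules to a high sequence, as the 65000 default does."""
    return [Rule(seq, r.action, r.src, r.dst, r.origin) if r.origin == "default"
            else r for r in rules]

# Constructed sample: default permit-all created with the network, then a user drop.
BROKEN = [
    Rule(10, "permit", "0.0.0.0/0", "0.0.0.0/0", origin="default"),
    Rule(20, "drop", "10.1.0.0/24", "10.2.0.5/32"),
]
FIXED = with_default_seq(BROKEN)
```

Running shadowed() over a planned rule set before provisioning catches a drop rule that an earlier permit makes unreachable, which is the case that otherwise requires the manual rollback and re-entry described above.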
Appliance and PO Authentication Failure
Problem
IAC Appliance NTLM authentication to Process Orchestrator server fails with the error message:
[ERROR] [WebServiceClient] Error send/receive SOAP message
org.springframework.ws.client.WebServiceTransportException: Unauthorized [401]