I am starting to evaluate CiscoWorks VMS (VPN Management Services), and I am running into some issues that I hope someone might have some ideas on:
1) in the software update tool, synchronizing objects with the CCO is slow. Maybe there isn't anything that can be done about this, but it's a nuisance.
2) in the software update tool, if I select the nmdib (or whatever it is) then it complains that the program doesn't have an integration tool built in. As far as I can tell, I have updated with all the latest 2.2 patches. (As this is an eval, I don't get to order a 2.3 update kit)
3) in the software update tool, the Cat6000 won't update, complaining of a conflict in major version number, saying that it needs 7.10. 1.10 is what's there now, and 7.1 (not 7.10) is the highest available version that I can see for it.
4) In the PIX config import tool, when I go to import my existing configs, it goes through the motions and then complains about parse errors because I have special characters in my isakmp keys. [Ok, I'd never noticed before that it said "alphanumeric"... it works without complaint if you use special characters.] But having complained, it doesn't give me a chance to tweak those lines or ignore them -- the entire import fails. Well, I can't go around changing my active keys just to play with the tool... and see below.
5) In the PIX config import tool, when I go to import from a file [having edited the isakmp keys] after long enough to have imported the config, it fails with a message,
Failed to get config txt decoration from device task obj!
??? WTF ??
In combination with the above, this means that until I change my active keys [on devices thousands of miles away] I can't import my configs.
6) In the PIX device config tool, if I change the Future Contact username, then generation goes okay, but at deployment time it complains that the Future Contact password does not match the enable password. Which is untrue -- the passwords are the same for the enable password and for the two users I have created. It's possible the same passwords encrypt differently for different users though. To get around this, I had to re-import the config and not touch the Future Contact.
7) This tool is slow with one firewall, often taking 15-20 seconds to fetch the screen after a minor update. What's it going to be like managing a series of them???
8) I followed the instructions for creating a dynamic map, but import config still gives me a warning that I need to have a dynamic map on the outside interface or else ezvpn won't work. I also turned on ezvpn and ezvpn client (but not ezvpn remote)... didn't seem to matter.
9) In the isakmp key help, I see that it says to be sure to give matching keys to the device at the other end of the tunnel. I'm evaluating this software in hopes that it will cut down on manual (error-prone) repetition. Why can't it (hypothetically) allow tunnel endpoints to be created between devices, with automatically mirrored keys and policies?
10) What's with all the extra 'Finish' steps and so on? I'm really starting to dislike Windows "Wizard" style GUIs. :(