topic Re: cli fails with crypto command in Network Security

cli fails with crypto command

Erik-234577235 — Wed, 22 May 2019 14:34:40 GMT

asa(config)# crypto ikev1 policy 10
Usage: crypto { ca | dynamic-map | ikev1 | ikev2 | ipsec | isakmp | key | map  }
        For more detailed help, please refer directly to the subcommands

with ASDM I get the same message.

I know nothing on this world is as buggy as ASDM. But cli now the same?

I have asa 9.2.4.33 and asdm 7.12, but had the same issues before with 9.2.4.5 and 7.10

I did a factory reset and thought that "RESET" would RE-SET the firewall. It does not.

ike entries are not coming back. Previous owner deleted them all, and I have to get them back - I need at least one for a S2S tunnel with ikev1.

What can I do to get them back?

thx, erik

Re: cli fails with crypto command

Rob Ingram — Wed, 22 May 2019 16:31:37 GMT

Hi,
It's not clear to me what your issue is exactly. Can you not define an IKEv1 policy? E.g:-

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

If "crypto ikev1 policy 10" is not recognised, on older versions the syntax would be "crypto isakmp policy 10"

HTH

Re: cli fails with crypto command

Erik-234577235 — Wed, 22 May 2019 17:56:30 GMT

as you can see in the code-block, the asa replies the first line with a hint, that the entry is wrong. But in fact, it's not. And of course the older syntax cannot work, too.

So I cannot even start with something, when

crypto ikev1 policy 10

throws an error that the syntax is wrong. It's copied from Cisco's documentation (matching version to the software). So either they cannot write down the correct syntax into the docu, or at least two asa images have this bug.

It's no surprise, asa and asdm are full of obvious bugs that every beginner sees when he first installs an asa.

My list contains not less than about 20-30 things that would not have been published, if developers would work with open eyes. (I know, the CVE list is much bigger.)

Some of the fails I'll list in the future are even security-related.

For example, did you know, when you enable bypass INCOMING VPN traffic, that you automatically activate all OUTGOING VPN traffic to be bypassed? I'm still searching for the matching documentation...

Or: the new versions warn you after login to change the enable password, that is "still not changed".

1. It IS already changed - multiple time. So the warning is wrong.

2. The warning message leads to a setting that is not there.

Ever witnessed a correct "free space" in asdm file management?

Ever tried to update a 5506x with an image without the warning that the file is not suitable? Hm, how can it be a wrong one, when the asdm update assistant chose it directly from Cisco? Same with update from computer. But when you upload the really WRONG multi-core images from 5508 or higher, it's accepted. But as you can imagine, it won't boot. Solution: close asdm and restart, as often as needed, until it works. Good luck.

Ever tried to update a WAP371? Good chance, that it changes vom Europe to America (and from an original serial number to some "bu!!$h!7". That lets things like clustering fail with the other Europe-devices. Here are some threads about it...

Just to list a few things that give an impression about Cisco's high quality. And to let people know why I don't think that this bug can be solved.