11-16-2016 05:36 AM - edited 03-20-2019 09:09 PM
I tried the latest version 3.16.4bS; it still has the same problem. And the workaround doesn't work on CSR.
11-16-2016 12:38 PM
Hi Ryan
Quick feedback:
csr1000v-universalk9.03.17.02.S.156-1.S2-std.SPA as well as csr1000v-universalk9.16.03.02.SPA do not have the problem. The fix for CSCuu42285 being present in these releases is the reason why your problem is NOT present in them.
As far as I can tell, what was "described" in CSCvb24236 and what was resolved seem to be different. I will get you the confirmation in 2-3 days from now. So, if you are fine with 156-1.S2 OR 16.03.02, go with the former. If you need a release with the fix in 3.16S train, let me know.
Kind regards ... Palani
11-16-2016 10:35 AM
Dear Zhiqiang.yan
A bit of background first:
CSCuu42285 was resolved in 15.5(3)S2 among other releases. This bug reported the following problem:
The cmd "authentication local rsa-sig" comes after "authentication remote eap" when you type show run. The problem is, when you copy-paste this config from one device to another, the "authentication remote eap" command is not accepted, as "authentication local rsa-sig" is not (yet) typed.
In releases that have the fix for CSCuu42285, we see the following behavior:
When configuring flexvpn, if users configure the ikev2 profile in the following order:
crypto ikev2 profile AnyConnect-EAP
authentication remote anyconnect-eap aggregate
authentication local rsa-sig
The remote authentication is accepted by the CLI without error, but never really takes effect. (This part is not entirely accurate, as IOS does print the message "For remote auth method to be AnyConnect EAP, the local auth method must be certificate based" and the cmd is NOT accepted.) This is what is reported in CSCvb24236.
NOTE: If you were to configure the local authentication method first, then all is well.
None of this seems to be "service impacting". So, kindly help me understand what led you to believe you are running into CSCvb24236.
11-16-2016 10:58 AM
Hi Palani,
Thanks for the reply.
I have tried the workaround, but it doesn't work. My device is a CSR 1000v. I did try on multiple CSRs and different versions of IOS XE.
For example:
crypto ikev2 profile AnyConnect-EAP
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
The "authentication remote anyconnect-eap aggregate" line is still not showing in the running-config. The problem is that if the CSR reboots, this ikev2 profile will become incomplete, because the remote authentication is missing.
Thanks,
Ryan
11-16-2016 12:27 PM
Hi Ryan
In CSCuu42285, we (allegedly) fixed the problem of the order in which local and remote authentication appears, when you inspect the config. This fix went into 15.5(3)S2. While running 15.5(3)S2, you noticed the problem that "authentication remote anyconnect-eap aggregate" does not show up in running-config nor startup-config (when you issue write mem):
CSR-V(config-ikev2-profile)#authentication local rsa-sig
CSR-V(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
CSR-V(config-ikev2-profile)#match identity remote key-id xxxx.com
CSR-V(config-ikev2-profile)#end
CSR-V#sh run | sec ikev2 profile
crypto ikev2 profile ABC
match identity remote key-id xxxx.com
authentication local rsa-sig
CSR-V#
You reported this problem via a TAC case and TAC pointed you to CSCvb24236. What I have looked at so far does not seem to give me confirmation that you are running into CSCvb24236. Let me take a closer look at what exactly we fixed via CSCvb24236 and whether it is going to benefit you.
Regret inconvenience caused.
Sincerely ... Palani
11-16-2016 12:31 PM
Thank you for looking into it. If you have a CSR, I believe it is very easy to replicate this issue on it.
11-17-2016 05:40 AM
Hi Palani,
It is true that 3.17.02 doesn't have this problem. I just tried it.
What is the difference between std and ext IOS? Do they support the same features?
Ryan
11-17-2016 10:18 AM
Hi Ryan
Each Cisco IOS XE Software release is classified as either a Standard-Support or Extended-Support release. A Standard-Support release has a sustaining support lifetime of 18 months from first customer shipment (FCS) with three scheduled rebuilds.
The Extended-Support release provides a sustaining support lifetime of 48 months from FCS with eight scheduled rebuilds.
Say for example, take the 3.16 release train. It corresponds to 15.5(3)S. In this train, the first three images were "std". Specific releases here are: 3.16.0S, 3.16.1aS, 2.16.2S and 3.16.3S. Next releases within the same major release train are ext releases. Specific releases are 3.16.4aS and 3.16.4bS.
Generally speaking, the features remain the same within the major release. In other words, you can expect feature parity to be maintained starting from 3.16.0S to 3.16.4bS.
In the 3.16 train, the fix for your problem will be part of 15.5(3)S5/3.16.5S. Its ETA is toward the end of Jan/2017.
Kind regards ... Palani
11-17-2016 11:07 AM
Thanks for the info. I am seeing that 3.17 is end of life for ASR; will it also happen to CSR? Should I move to 16.3?
I actually tried 16.3 as well, it works too.
11-18-2016 11:37 AM
Hi Ryan
3.13S and 3.16S are the current "ext" releases, meaning they will have a longer active life. Between the two, EoL for 3.13S was announced earlier this year. It will still have two more releases.
3.16S is a currently active ext release. First release in train came out in Jul/2015. Going by the contents here, Table-4 specifically, this release will be active for 36 months from Jul/2015, that is until Jul/2018.
The next ext release train is going to be the 3rd release in the 16.x train, which would be 16.3S. This will be active for 36 months minimum, that is until Jul/2019.
All is well for you with 3.16S but for the problem we discussed in this post. This problem will be resolved in the 3.16S release scheduled for Jan/2018. Given this, if it is ok for you to wait until Jan/2018, please consider doing so. Alternatively, please consider going to 16.3(2)S as it would have a longer life than 16.2.
The release info is the same for CSR/1k or ASR/1k.
I hope this helps .... Palani
11-18-2016 01:10 PM
Thanks for the info.
11-16-2016 11:04 AM
Hi Palani,
Here is what happens on my CSR 1000v, which is running 03.16.04b.S, the latest version.
CSR-V(config)#crypto ikev2 profile ABC
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate or match any statement.
CSR-V(config-ikev2-profile)#authentication local rsa-sig
CSR-V(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
CSR-V(config-ikev2-profile)#match identity remote key-id xxxx.com
CSR-V(config-ikev2-profile)#end
CSR-V#sh run | sec ikev2 profile
crypto ikev2 profile ABC
match identity remote key-id xxxx.com
authentication local rsa-sig
CSR-V#wr
CSR-V#sh startup-config | section ikev2
crypto ikev2 profile ABC
match identity remote key-id xxxx.com
authentication local rsa-sig
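The failure mode in the output above (a profile that silently loses its remote authentication line and would come up incomplete after a reload) is easy to catch with a config audit. The script below is an added example for this thread, not Cisco code and not from either poster: it parses a `show run | section ikev2 profile` dump, flags any profile lacking a local authentication method, a remote authentication method, or a match statement (the three requirements IOS XE prints when the profile is created), and also flags profiles whose remote authentication line is listed ahead of the local one, the ordering CSCuu42285 described as breaking copy-paste on unfixed releases. The sample text is constructed from the thread's output; profile ABC is the one from the post, and the other two profile names are hypothetical and added for contrast.

```python
import re

# Constructed sample of 'sh run | sec ikev2 profile' output. Profile ABC is
# copied from the thread (its remote auth line is missing); GOOD-ORDER and
# REMOTE-FIRST are hypothetical profiles added for contrast.
SAMPLE_RUNNING_CONFIG = """\
crypto ikev2 profile ABC
 match identity remote key-id xxxx.com
 authentication local rsa-sig
crypto ikev2 profile GOOD-ORDER
 match identity remote key-id example.invalid
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
crypto ikev2 profile REMOTE-FIRST
 match any
 authentication remote eap
 authentication local rsa-sig
"""

PROFILE_RE = re.compile(r"^crypto ikev2 profile (\S+)$")
MATCH_PREFIXES = ("match identity ", "match certificate ", "match any")


def parse_ikev2_profiles(text):
    """Map each profile name to its sub-command lines (leading indent stripped)."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = []
        elif current is not None:
            profiles[current].append(line)
    return profiles


def missing_requirements(lines):
    """List which of the three mandatory pieces a profile lacks."""
    missing = []
    if not any(l.startswith("authentication local ") for l in lines):
        missing.append("authentication local")
    if not any(l.startswith("authentication remote ") for l in lines):
        missing.append("authentication remote")
    if not any(l.startswith(MATCH_PREFIXES) for l in lines):
        missing.append("match statement")
    return missing


def remote_before_local(lines):
    """True when 'authentication remote' is listed ahead of 'authentication local'.

    On releases without the CSCuu42285 fix, pasting such a profile fails because
    the remote method is rejected until the local method has been entered."""
    local_idx = next((i for i, l in enumerate(lines)
                      if l.startswith("authentication local ")), None)
    remote_idx = next((i for i, l in enumerate(lines)
                       if l.startswith("authentication remote ")), None)
    return local_idx is not None and remote_idx is not None and remote_idx < local_idx


def audit_ikev2_profiles(text):
    """Return {profile_name: [findings]} for every profile with at least one finding."""
    findings = {}
    for name, lines in parse_ikev2_profiles(text).items():
        issues = ["missing " + m for m in missing_requirements(lines)]
        if remote_before_local(lines):
            issues.append("remote auth listed before local auth")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; feed real 'show run' output the same way.
    for name, issues in audit_ikev2_profiles(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running it against the sample reports ABC as missing its remote authentication and REMOTE-FIRST for its ordering; GOOD-ORDER passes. Pointing it at a saved startup-config before a scheduled reload is the practical use: a profile that the CLI accepted but that never reached the config is exactly what the first check catches.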