ASA 5545 multiple contexts and VPN password saving on client side

mAcRoS
Level 1

So I configured Active-Active failover on my 5545 ASAs, and everything looks great other than one small thing: users cannot save passwords on their clients anymore. I "ticked" that in ASDM before, which is the equivalent of setting "password-storage enable" in the group-policy attributes, but now the command is gone via SSH, and in ASDM it is greyed out wherever I can find it.

Any ideas how I can "resurrect" the feature?

Thank you in advance!

3 Replies

Try to create a new profile and see if it's greyed out as well. I don't think this is related to multicontext.

This setting is usually in group policy, but I still created a new profile, which generated a new group policy, and the store-password option is not there.

I also did some investigation in the CLI, and the command is not available, and is not present in the DfltGrpPolicy:

FW/admin# sh run all group-policy DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2
 ip-comp disable
 group-lock none
 pfs disable
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 split-tunnel-all-dns disable
 client-bypass-protocol disable
 gateway-fqdn none
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 msie-proxy lockdown enable
 vlan none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 security-group-tag none
 periodic-authentication certificate none
 webvpn
  homepage none
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect firewall-rule client-interface private none
  anyconnect firewall-rule client-interface public none
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression none
  anyconnect dtls compression none
  anyconnect modules none
  anyconnect profiles none
  anyconnect ssl df-bit-ignore disable
  anyconnect routing-filtering-ignore disable

 

FW/admin(config-group-policy)# password-storage enable
                                                     ^
ERROR: % Invalid input detected at '^' marker.
FW/admin(config-group-policy)#

FW/admin(config-group-policy)# password-storage ?
ERROR: % Unrecognized command

So it seems like this command is not available at all?

Here is the version info, which would be helpful I guess:

FW/admin# sh version

Cisco Adaptive Security Appliance Software Version 9.9(2) <context>
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.9(2)

Compiled on Sun 25-Mar-18 17:39 PDT by builders

FW up 12 hours 10 mins
failover cluster up 4 days 17 hours

Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
            ASA: 6455 MB RAM, 1 CPU (1 core)
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


mAcRoS
Level 1

After switching back to single context, the "password-storage enable" command is back in the group policy and works as expected. Maybe I am missing something, but this setup is OK for me, so I will stick to single context and an Active/Standby HA setup.
