ASDM wants to push crypto ipsec ikev1 transform-set changes after upgrade

swagoner1 · ‎02-12-2016

Yesterday I upgraded from 8.4 to 8.4 7.30 to fix the ike vulnerability. Also upgraded from ASDM 6.4 to 7.1(7). Its an active/standby cluster and upgrade went fine. But when I open a VPN tunnel in ASDM then cancel it -without making any changes the "apply" buttom becomes active and shows it wants to push the list of changes below. Not sure why its wanting to do this, if its going to hurt anything, or if its just a cosmetic change?

Thanks.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
      crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
      crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
      crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

Philip D'Ath · ‎02-14-2016

What a pain.

It wont affect anything. It is just creating "system" transform sets.

Was their a newer ASDM available?

9724784591 · ‎02-16-2016

Swagoner1, we are actually in the same boat, with the same version upgrade to do at my company. It would be super convenient if you have a few moments for a for a quick chat to ask you how it went. I haven't found a ton of people who have went from 8.4 to 8.4(7.30). I'll gladly send you an amazon gift card to compensate you for your time. My number is 972-665-5886. -Andrew