ASA 5515 Config Loading issues

tornado617
Level 1

Hello,

I have come across some issues loading a config onto an ASA5515 device. The device is used to allow 4G Android device access to a small network.

From factory default the ASA is given a base config which basically just IPs an interface. From there the working config is put on the ASA either by tftp to startup then reload, or by copy to running config and save.

When I copy to running config and save, it works fine; I can reload it after save and it's fine, all 4G devices can connect using VPN.

If I load the same config via tftp to the startup and reload the ASA, the config appears to be fine but the 4G devices won't connect.

In the ASDM I get 2 errors using the tftp method:

1 QM FSM Error p2 struct ( then a whole string of numbers.....)

2 Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

So my question is why does everything work fine when I load the config into the running config but not when I tftp to startup?

I'm not in any way a Firewall person so my apologies if this is all a bit basic.

Thanks.

DM

5 Replies

Hi @tornado617

Could you share the output of the "show version" command please?

-If I helped you somehow, please, rate it as useful.-


Hi Flavio,

I'm very limited in what I can post from the actual device. This show version was taken from GNS3 using the same image and config; I've taken a couple of lines out but other than that it's the same as the real one.


ASA11(config)# show version

Cisco Adaptive Security Appliance Software Version 9.6(2)

Compiled on Tue 23-Aug-16 18:38 PDT by builders
System image file is "boot:/asa962-smp-k8.bin"
Config file at boot was "startup-config"

ASA11 up 7 mins 11 secs

Hardware: ASAv, 1024 MB RAM, CPU Pentium II 2394 MHz,
Model Id: ASAv5
Internal ATA Compact Flash, 129024MB
Slot 1: ATA Compact Flash, 129024MB
BIOS Flash Firmware Hub @ 0x0, 0KB


0: Ext: Management0/0 : address is 0037.8e49.bb00, irq 11
1: Ext: GigabitEthernet0/0 : address is 0037.8e49.bb01, irq 11
2: Ext: GigabitEthernet0/1 : address is 0037.8e49.bb02, irq 10
3: Ext: GigabitEthernet0/2 : address is 0037.8e49.bb03, irq 10
4: Ext: GigabitEthernet0/3 : address is 0037.8e49.bb04, irq 11
5: Ext: GigabitEthernet0/4 : address is 0037.8e49.bb05, irq 11

Maximum Physical Interfaces : 10
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 0
Carrier : Disabled
AnyConnect Premium Peers : 2
AnyConnect Essentials : Disabled
Other VPN Peers : 50
Total VPN Peers : 50
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 2
Botnet Traffic Filter : Enabled
Cluster : Disabled

Serial Number: 9Axxxxxxxx

Image type : Release
Key version : A


No worries. 

What I was looking for is this:

"Config file at boot was "startup-config""

Just make sure your real ASA has the same line. I was wondering whether your ASA could be taking the configuration from a different place; that would justify the described behavior, since you said that when you run the config on the running-config everything works as expected, but when you load the config on the startup-config and boot the firewall the configuration is not applied.

With the line "Config file at boot was "startup-config"" in place, your scenario should work, and if it does not, maybe a TAC case would be required.

-If I helped you somehow, please, rate it as useful.-

Hi Flavio,

Thanks for that, I'll have a look tomorrow on the real kit.

The only thing that doesn't work when I tftp the config to startup and reload is the 4G device access, so I know the config is being loaded, but I'll check for sure tomorrow.

Thanks

DM

Hi,

So I've had a chance to look at this again. Here are a couple of things I noticed that might help someone point me in the right direction.

In the base config that is loaded first are these 2 lines:

crypto key zeroize rsa noconfirm
crypto key gen rsa general-keys modulus 1024 noconfirm

Also I noticed the username, password and domain name are different in the base config to what's in the working config.

I'm thinking that some key or keys are not being generated properly, or at all, when I tftp the working config to startup, but work fine when I put the working config into the running config? Both ways are being done with the base config on the ASA. Any thoughts?

Thanks.
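The second ASDM error in the original question, "Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy", describes a tunnel-group that negotiates a protocol its group-policy does not permit. The following is an added example (not from this thread or from Cisco) that lints an ASA config text for that mismatch: a remote-access tunnel-group carrying an `ikev1 pre-shared-key` whose effective group-policy `vpn-tunnel-protocol` omits `ikev1`. The sample config, the group and policy names in it, and the rule that an unset `vpn-tunnel-protocol` is inherited from `DfltGrpPolicy` are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config (not the poster's): TG-4G's policy only allows
# SSL, so an IKEv1 client hitting it would be rejected; TG-OK is consistent.
SAMPLE_CONFIG = """
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy GP-4G internal
group-policy GP-4G attributes
 vpn-tunnel-protocol ssl-client
tunnel-group TG-4G type remote-access
tunnel-group TG-4G general-attributes
 default-group-policy GP-4G
tunnel-group TG-4G ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group TG-OK type remote-access
tunnel-group TG-OK general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group TG-OK ipsec-attributes
 ikev1 pre-shared-key *****
"""

def parse_sections(config: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Map (kind, name, section) -> the indented lines under that header."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^(tunnel-group|group-policy) (\S+) (\S+)", raw)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            sections.setdefault(current, [])
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections

def find_protocol_conflicts(config: str) -> List[str]:
    """Names of tunnel-groups using IKEv1 whose effective policy forbids it."""
    s, conflicts = parse_sections(config), []
    for (kind, name, sect), lines in s.items():
        if kind != "tunnel-group" or sect != "ipsec-attributes":
            continue
        if not any(l.startswith("ikev1 pre-shared-key") for l in lines):
            continue
        general = s.get(("tunnel-group", name, "general-attributes"), [])
        policy = next((l.split()[1] for l in general
                       if l.startswith("default-group-policy ")), "DfltGrpPolicy")
        allowed: List[str] = []
        for pol in (policy, "DfltGrpPolicy"):  # assumed inheritance order
            attrs = s.get(("group-policy", pol, "attributes"), [])
            found = [l.split()[1:] for l in attrs if l.startswith("vpn-tunnel-protocol")]
            if found:
                allowed = found[0]
                break
        if "ikev1" not in allowed:
            conflicts.append(name)
    return conflicts
```

Run it over both the config that was copied to running-config and the one that was tftp'd to startup-config; a name reported for only one of them localises the difference the two loading methods produce.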
