
ASDM Backup of 5510 restored onto a different 5510 newer IOS

BrianChernish
Level 1

We use an ASA 5510 as the head end for our WAN which consists of around 30 branch offices, running Cisco 2825 routers with ipsec tunnels back to the data center.

I took a backup of my "in service" ASA5510 (IOS Version 8.0(2)) and restored it onto my "backup" ASA5510 (IOS Version 8.2(2)).  Everything seemed to look fine, but when I took the ASA to the data center and tried to put it into service, the tunnels would not come up.

For the record, I shut down the "in service" ASA and moved all of the cabling over to the "backup" ASA, which I had running, in the hopes of keeping the downtime to a minimum (and I double checked that everything was in the right port).

After about 15 minutes, I gave up and plugged everything back into the "in service" ASA and all my tunnels came back up.

Is there something basic that I missed here?  Did the IOS version change break it?

In the 8.2(2) version on my "backup" I see a reference to "peer-id-validate req" when I do a "show run all" -- is this default behavior or did something change in 8.2?

Did moving the configuration onto different hardware break it?

I have compared the configs (as best I could) and nothing is jumping out other than the "peer-validate" mentioned above.

Any guidance is appreciated.

Thanks,

Brian


Maykol Rojas
Cisco Employee

Hey Brian,

Ugly issue here. Are you using Pre-share keys or digital certificates? Would be a good idea to open a TAC case and have a window to troubleshoot this problem, maybe gathering some debugs of ISAKMP to check in which phase 1 the problem is located at.

Mike


I am using Pre-Shared keys.  Is there a possibility that I will need to re-enter the keys (i.e. did they come over as "asterisks (*****)"?)

Thanks

Brian

Yup, try that, if it doesn't work, paste the debug crypto isakmp 255.

Mike


That was the problem, the pre-Shared keys which were in the backup were stored as an asterisk (*).  This seems like it should have been something that was thought about.  You take a backup of a device but if you restore it, it does not work, since the Pre-Shared keys get lost in translation!

Thanks for the input Mike.

Brian
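
A pre-restore check for the failure found in this thread, as an added example that is not part of the original posts: it scans a saved ASA configuration for tunnel groups whose pre-shared key was stored as asterisks. The sample backup text, peer addresses and key value are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of an ASA backup; peers use documentation-range addresses.
SAMPLE_BACKUP = """\
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key ExampleKeyNotReal
tunnel-group 192.0.2.30 ipsec-attributes
 peer-id-validate req
!
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
PSK = re.compile(r"^\s+pre-shared-key\s+(\S+)\s*$")
MASKED = re.compile(r"^\*+$")  # one or more asterisks and nothing else


def audit_psk(config_text):
    """Map each tunnel group to 'masked', 'present' or 'missing'."""
    status = {}
    current = None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            status[current] = "missing"  # until a key line is seen
            continue
        if not line.startswith(" "):
            current = None  # unindented line: left the ipsec-attributes block
            continue
        key = PSK.match(line)
        if current and key:
            masked = MASKED.match(key.group(1))
            status[current] = "masked" if masked else "present"
    return status


def masked_peers(config_text):
    """Tunnel groups whose key must be re-entered after a restore."""
    found = audit_psk(config_text)
    return sorted(name for name, state in found.items() if state == "masked")


if __name__ == "__main__":
    for name, state in audit_psk(SAMPLE_BACKUP).items():
        print(f"{name}: pre-shared-key {state}")
```

Any tunnel group reported as masked needs its key re-entered on the restored unit before cutover.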
