05-22-2019 07:34 AM
asa(config)# crypto ikev1 policy 10
Usage: crypto { ca | dynamic-map | ikev1 | ikev2 | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
With ASDM I get the same message.
I know nothing in this world is as buggy as ASDM. But now the CLI does the same?
I have ASA 9.2.4.33 and ASDM 7.12, but had the same issues before with 9.2.4.5 and 7.10.
I did a factory reset and thought that "RESET" would RE-SET the firewall. It does not.
The IKE entries are not coming back. The previous owner deleted them all, and I have to get them back - I need at least one for a S2S tunnel with IKEv1.
What can I do to get them back?
thx, erik
05-22-2019 09:31 AM
05-22-2019 10:56 AM
As you can see in the code block, the ASA replies to the first line with a hint that the entry is wrong. But in fact, it's not. And of course the older syntax cannot work either.
So I cannot even start with something, when
crypto ikev1 policy 10
throws an error that the syntax is wrong. It's copied from Cisco's documentation (matching version to the software). So either they cannot write down the correct syntax in the documentation, or at least two ASA images have this bug.
It's no surprise, ASA and ASDM are full of obvious bugs that every beginner sees when he first installs an ASA.
My list contains no fewer than about 20-30 things that would not have been published if developers worked with open eyes. (I know, the CVE list is much bigger.)
Some of the fails I'll list in the future are even security-related.
For example, did you know, when you enable bypass INCOMING VPN traffic, that you automatically activate all OUTGOING VPN traffic to be bypassed? I'm still searching for the matching documentation...
Or: the new versions warn you after login to change the enable password, which is "still not changed".
1. It IS already changed - multiple times. So the warning is wrong.
2. The warning message leads to a setting that is not there.
Ever witnessed a correct "free space" in ASDM file management?
Ever tried to update a 5506x with an image without the warning that the file is not suitable? Hm, how can it be a wrong one, when the ASDM update assistant chose it directly from Cisco? Same with update from computer. But when you upload the really WRONG multi-core images from 5508 or higher, it's accepted. But as you can imagine, it won't boot. Solution: close ASDM and restart, as often as needed, until it works. Good luck.
Ever tried to update a WAP371? Good chance that it changes from Europe to America (and from an original serial number to some "bu!!$h!7"). That makes things like clustering fail with the other Europe devices. Here are some threads about it...
Just to list a few things that give an impression about Cisco's high quality. And to let people know why I don't think that this bug can be solved.