05-23-2011 09:35 AM - edited 02-21-2020 04:21 AM
I have an odd issue with CSM, where it creates duplicate crypto maps for site to site VPNs. I'm using CSM 4 SP 1, talking to an ASA 8.3.2 firewall that acts as hub for site.
Depending on what changes I make, crypto maps will be duplicated to the next available map numbers, with the existing crypto maps staying behind minus the peer command. I don't mind that it wants to renumber the maps, but it's leaving the old map configs in which makes the running config a mess after a while when you have a bunch of VPNs. :-)
So first I have....
crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set peer 1.1.1.1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route
On next deployment the config grows (note the peer statement moves)...
crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set peer 1.1.1.1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route
And on the deployment after that the trend continues...
crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route
crypto map outside_map2 3 match address Any_to_VPN_1
crypto map outside_map2 3 set peer 1.1.1.1
crypto map outside_map2 3 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 3 set security-association lifetime seconds 3600
crypto map outside_map2 3 set reverse-route
Any ideas?
Thanks,
Mark
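The symptom above is easy to miss by eye once a hub carries dozens of tunnels, so here is a small audit script, added as an example and not part of the original post or of CSM. It parses the `crypto map <name> <seq> ...` lines of an ASA running config, flags static entries that have lost their `set peer` and entries whose match ACL is bound to more than one sequence number, and lists the `no crypto map` commands that would clear the peerless leftovers. The sample config embedded in it is constructed to mirror the thread (the state after the third deployment plus a healthy second tunnel and a dynamic-map reference); `outside_dyn_map`, `Any_to_VPN_2` and `2.2.2.2` are made-up names and addresses.

```python
import re
from collections import defaultdict

# Constructed sample config (not from a real device): the state Mark describes after
# the third deployment, plus a healthy second tunnel and a dynamic-map reference,
# so the audit is shown on the cases it must flag and the cases it must leave alone.
SAMPLE_CONFIG = """\
crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route
crypto map outside_map2 3 match address Any_to_VPN_1
crypto map outside_map2 3 set peer 1.1.1.1
crypto map outside_map2 3 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 3 set security-association lifetime seconds 3600
crypto map outside_map2 3 set reverse-route
crypto map outside_map2 10 match address Any_to_VPN_2
crypto map outside_map2 10 set peer 2.2.2.2
crypto map outside_map2 10 set transform-set ESP-AES-256-SHA
crypto map outside_map2 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map2 interface outside
"""

# One crypto map entry line: 'crypto map <name> <seq> <rest>'.
# 'crypto map <name> interface <if>' has no numeric sequence and is skipped.
ENTRY_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")


def parse_crypto_maps(config_text):
    """Group crypto map lines by (map name, sequence number).

    Each entry records its match ACL, its configured peers and whether it is a
    dynamic-map reference, which legitimately carries no 'set peer'.
    """
    entries = {}
    for raw in config_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        key = (m.group("name"), int(m.group("seq")))
        entry = entries.setdefault(key, {"acl": None, "peers": [], "dynamic": False})
        rest = m.group("rest").split()
        if rest[:2] == ["match", "address"] and len(rest) > 2:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = True
    return entries


def audit_crypto_maps(entries):
    """Return sorted (name, seq, finding) tuples for the two symptoms in the thread:
    a static entry left without 'set peer', and one ACL matched by several
    sequence numbers of the same map."""
    findings = []
    by_acl = defaultdict(list)
    for (name, seq), entry in entries.items():
        if entry["dynamic"]:
            continue
        if entry["acl"] is not None:
            by_acl[(name, entry["acl"])].append(seq)
        if not entry["peers"]:
            findings.append((name, seq, "static entry without 'set peer'"))
    for (name, acl), seqs in by_acl.items():
        if len(seqs) > 1:
            for seq in seqs:
                others = ", ".join(str(s) for s in sorted(seqs) if s != seq)
                findings.append((name, seq, "ACL %s is also matched by seq %s" % (acl, others)))
    return sorted(findings)


def cleanup_commands(entries):
    """'no crypto map <name> <seq>' for every peerless static entry, i.e. the
    leftovers that the deployment did not remove. Entries that still carry a
    peer, and dynamic-map references, are left alone."""
    return ["no crypto map %s %d" % (name, seq)
            for (name, seq), e in sorted(entries.items())
            if not e["dynamic"] and not e["peers"]]


if __name__ == "__main__":
    parsed = parse_crypto_maps(SAMPLE_CONFIG)
    for name, seq, text in audit_crypto_maps(parsed):
        print("%s %d: %s" % (name, seq, text))
    print("\n".join(cleanup_commands(parsed)))
```

Feed it the output of `show running-config crypto map` and the cleanup list is the set of sequence numbers you can remove by hand. Removing them on the CLI only clears the current mess, though: until the CSM version is fixed, the next deployment can recreate them, and a change made outside CSM will show up as a difference the next time CSM reads the device.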
05-28-2011 09:42 AM
Hi Mark,
I believe this is due to the following bug: CSCti80866 Re-Deploy w/o changes - set peer cli negated on ASA.
You can have a look at its description from the following link: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti80866
As you can see there, upgrading to 4.0(1)SP1 or 4.1(0) should prevent this from happening.
Regards,
Nicolas