08-23-2010 09:08 AM - edited 03-11-2019 11:29 AM
Why would a crypto isakmp policy not be loaded from the startup-config into the running-config during a reload? We had five policies, only four of which are in the running-config now. No changes had been made after reload. Thanx!
08-23-2010 09:22 AM
Hi,
Only reason why this would happen is if the startup-config has only 4 policies. Are you sure the configuration was saved to the startup-config prior to the reload?
Regards,
Prapanch
08-23-2010 09:24 AM
I did a backup, using the ASDM prior to making any changes. The policy exists in the startup-config, but did not transfer to the running-config during the reload. I do not understand how this could happen.
08-23-2010 09:53 AM
Hi,
So when you do a "show start" you see the configured isakmp policy but not when you do a "show run"? If that's the case, can you do a "copy start run" and see if it copies now?
Regards,
Prapanch
08-23-2010 09:56 AM
I have to schedule this for off-hours. I will simply manually enter the policy, after I've verified that's the only command that did not load. I still don't see how the reload could have missed it. Thanx so much for your assistance!
Regards,
Wolf
08-23-2010 11:10 AM
OK, so I tried entering the commands directly into the ASA:
I did this with ASDM as well as through the command line. It never showed up in the configuration when I did a "show running-config crypto isakmp".
crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption 3des
crypto isakmp policy 20 hash md5
crypto isakmp policy 20 group 2
crypto isakmp policy 20 lifetime 86400
What's going on? Thanx!
Regards,
Wolf
08-24-2010 11:15 AM
My apologies . . . I meant to reply to you, but wound up replying to myself. Here's what I said:
OK, so I tried entering the commands directly into the ASA:
I did this with ASDM as well as through the command line. It never showed up in the configuration when I did a "show running-config crypto isakmp".
crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption 3des
crypto isakmp policy 20 hash md5
crypto isakmp policy 20 group 2
crypto isakmp policy 20 lifetime 86400
What's going on? Thanx!
Regards,
Wolf
08-24-2010 05:33 PM
Hi,
Can you send the output of "show run all crypto isakmp" and if possible a session log of when you are trying to add this new policy? What are the other isakmp policies that you have configured? What version is your ASA running?
Regards,
Prapanch
08-25-2010 06:07 AM
Prapanch,
Thanks, again, for your response. While, as a CCNA for almost ten years, I have had much experience with all manner of Cisco hardware and software, the ASA continues to challenge me, even though I have attended the first classroom course offered on the device.
We are running v8.2(2) at all locations. I have added this policy to our backup ASA with no problem. As the primary ASA is critical and a reload has to be scheduled well in advance, I cannot simply do that on a whim to test the integrity of the startup-configuration, even though I have verified that isakmp policy 20 exists there.
Attached is the file with the information you requested. Note that the commands appear to have been accepted during input, but mysteriously disappear when a "sh run all crypto isakmp" command is issued. Thank you!
Regards,
Wolf
08-25-2010 08:42 AM
Hi,
Seems to be a perfect match of the bug CSCtd61244. You might want to consider an upgrade to a recent release.
Regards,
Prapanch
08-25-2010 08:51 AM
Thank you, Prapanch! I will read the upgrade document and look into upgrading so as not to impact our current NAT configuration.
Regards,
Wolf
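The "show start" versus "show run" comparison suggested earlier in the thread can be scripted so that a policy dropped at reload is flagged without reading both outputs by eye. This is an added example, not part of any post above and not Cisco tooling; the function names are hypothetical, the sample text is constructed, and it goes slightly beyond the thread by accepting both the one-line form posted above and an indented sub-command layout (an assumption about how the output may be displayed).

```python
import re

# "crypto isakmp policy 20", optionally with "attribute value" on the same line
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)(?:\s+(\S+)\s+(.+?))?\s*$")
# Indented "attribute value" sub-command under a policy header (assumed layout)
ATTR_RE = re.compile(r"^\s+(\S+)\s+(.+?)\s*$")

def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for each ISAKMP policy found."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            if m.group(2):
                current[m.group(2)] = m.group(3)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other line ends the policy block
    return policies

def startup_vs_running(startup_text, running_text):
    """Return (priority, attribute, startup_value, running_value) per mismatch."""
    startup, running = map(parse_isakmp_policies, (startup_text, running_text))
    findings = []
    for prio in sorted(startup):
        if prio not in running:
            findings.append((prio, None, "policy present", "policy absent"))
            continue
        for attr, value in sorted(startup[prio].items()):
            if running[prio].get(attr) != value:
                findings.append((prio, attr, value, running[prio].get(attr)))
    return findings

# Constructed sample: policy 20 as posted in the thread, policy 10 invented.
STARTUP = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption 3des
crypto isakmp policy 20 hash md5
crypto isakmp policy 20 group 2
crypto isakmp policy 20 lifetime 86400
"""
RUNNING = STARTUP.split("crypto isakmp policy 20")[0]  # policy 20 never loaded
print(startup_vs_running(STARTUP, RUNNING))
```

An empty result means every ISAKMP policy attribute in the saved startup-config is also present in the running-config.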