Missing crypto policy

pootboy69
Level 1

Why would a crypto isakmp policy not be loaded from the startup-config into the running-config during a reload?  We had five policies, only four of which are in the running-config now.  No changes had been made after reload.  Thanx!

1 Accepted Solution

Hi,

Seems to be a perfect match of the bug CSCtd61244. You might want to consider an upgrade to a recent release.

Regards,

Prapanch

10 Replies

praprama
Cisco Employee

Hi,

Only reason why this would happen is if the startup-config has only 4 policies. Are you sure the configuration was saved to the startup-config prior to the reload?

Regards,

Prapanch

I did a backup, using the ASDM prior to making any changes.  The policy exists in the startup-config, but did not transfer to the running-config during the reload.  I do not understand how this could happen.

Hi,

So when you do a "show start" you see the configured isakmp policy but not when you do a "show run"? If that's the case, can you do a "copy start run" and see if it copies now?

Regards,

Prapanch
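
The "show start" versus "show run" comparison suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that parses `crypto isakmp policy` lines from two saved config texts and lists policies that are missing from, or different in, the running-config. The sample configs are constructed, and the nested (indented) layout is assumed alongside the one-line form quoted in this thread.

```python
import re

# "crypto isakmp policy 20", optionally followed by "attribute value" on the same line.
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)(?:\s+(\S+)\s+(.+))?$")

def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for every ISAKMP policy found."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            attrs = policies.setdefault(current, {})
            if m.group(2):
                attrs[m.group(2)] = m.group(3).strip()
        elif current is not None and line.startswith(" ") and line.strip():
            # Nested form: indented "attribute value" under the policy header.
            parts = line.split(None, 1)
            policies[current][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def compare_policies(startup_text, running_text):
    """Report policies that are missing from, or differ in, the running config."""
    startup = parse_isakmp_policies(startup_text)
    running = parse_isakmp_policies(running_text)
    missing = sorted(set(startup) - set(running))
    changed = sorted(p for p in set(startup) & set(running) if startup[p] != running[p])
    return {"missing": missing, "changed": changed}

# Constructed sample data, not output from the device discussed in the thread.
SAMPLE_STARTUP = """\
crypto isakmp policy 10
 encryption aes-256
 lifetime 86400
crypto isakmp policy 20 authentication pre-share
crypto isakmp policy 20 encryption 3des
crypto isakmp policy 20 hash md5
crypto isakmp policy 20 group 2
crypto isakmp policy 20 lifetime 86400
"""
SAMPLE_RUNNING = "crypto isakmp policy 10\n encryption aes-256\n lifetime 43200\n"

if __name__ == "__main__":
    print(compare_policies(SAMPLE_STARTUP, SAMPLE_RUNNING))
```

Running the same comparison after every reload or upgrade catches a policy that silently failed to load before a tunnel negotiation depends on it.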

I have to schedule this for off-hours.  I will simply manually enter the policy, after I've verified that's the only command that did not load.  I still don't see how the reload could have missed it.  Thanx so much for your assistance!

Regards,

Wolf

OK, so I tried entering the commands directly into the ASA:

I did this with ASDM as well as through the command line.  It never showed up in the configuration when I did a "show running-config crypto isakmp".

crypto isakmp policy 20 authentication pre-share

crypto isakmp policy 20 encryption 3des

crypto isakmp policy 20 hash md5

crypto isakmp policy 20 group 2

crypto isakmp policy 20 lifetime 86400

What's going on?  Thanx!

Regards,

Wolf

My apologies . . . I meant to reply to you, but wound up replying to myself.  Here's what I said:

OK, so I tried entering the commands directly into the ASA:

I did this with ASDM as well as through the command line.  It never showed up in the configuration when I did a "show running-config crypto isakmp".

crypto isakmp policy 20 authentication pre-share

crypto isakmp policy 20 encryption 3des

crypto isakmp policy 20 hash md5

crypto isakmp policy 20 group 2

crypto isakmp policy 20 lifetime 86400

What's going on?  Thanx!

Regards,

Wolf

Hi,

Can you send the output of "show run all crypto isakmp" and if possible a session log of when you are trying to add this new policy? What are the other isakmp policies that you have configured? What version is your ASA running?

Regards,

Prapanch

Prapanch,

Thanks, again, for your response.  While, as a CCNA for almost ten years, I have had much experience with all manner of Cisco hardware and software, the ASA continues to challenge me, even though I have attended the first classroom course offered on the device.

We are running v8.2(2) at all locations.  I have added this policy to our backup ASA with no problem.  As the primary ASA is critical and a reload has to be scheduled well in advance, I cannot simply do that on a whim to test the integrity of the startup-configuration, even though I have verified that isakmp policy 20 exists there.

Attached is the file with the information you requested.  Note that the commands appear to have been accepted during input, but mysteriously disappear when a "sh run all crypto isakmp" command is issued.  Thank you!

Regards,

Wolf

Hi,

Seems to be a perfect match of the bug CSCtd61244. You might want to consider an upgrade to a recent release.

Regards,

Prapanch

Thank you, Prapanch!  I will read the upgrade document and look into upgrading so as not to impact our current NAT configuration.

Regards,

Wolf