policy-map global_policy settings incorrect / downgrade command

TomF
Level 1

LS,

 

my goal is to setup an ASA5506 (without Firepower, etc) to a predefined configuration.

For this I use a configuration file which should replace the startup-config.

 

To put the file on the system (including the firmware version 9.8.2) I use the following command:

downgrade /noconfirm disk0:/<firmware> disk0:/<config-file>

 

This works, however not all settings are correct. The policy-map settings are not correct after the downgrade is done. Inspection for h323 h225 and skinny is enabled although it should not be.

 

How can I fix this?

 

The config file contains the following settings:

 

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

policy-map global_policy
class inspection_default
inspect ftp
no inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
no inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map

 

After the downgrade command the running-config contains (inspection is enabled for h323 h225 and skinny):

 

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225 
inspect h323 ras 
inspect rsh 
inspect rtsp 
inspect esmtp 
inspect sqlnet
inspect skinny
inspect sunrpc 
inspect xdmcp 
inspect sip 
inspect netbios 
inspect tftp 
inspect dns preset_dns_map

 

Your help is appreciated

Tom

3 Replies

Ajay Saini
Level 7

Hi Tom,

 

 

Is there a reason why we are using the downgrade command instead of the copy command to replace the startup config with the saved config file?

 

Was this config taken from the same box earlier or from some other box?

 

Either way, you can change those configuration parameters manually after the downgrade:

 

policy-map global_policy
 class inspection_default

  no inspect h323 h225 

  no inspect skinny

 

That should help you get back the same config parameters.

 

HTH
AJ

 

 

Thanks for the feedback. I need to automate the configuration of the ASA device as we deliver it as part of our product (so lots of devices to configure).
I don’t want to do the manual change afterwards, too error prone.

I had hoped that somebody has seen this before and knows if this is a “feature” or a “bug”. I prefer to change the config file instead of the tooling we use.

I can try to change the tooling we use and use copy to replace the startup-config.

Hi, I investigated the problem some more and this is what I found.

 

If one makes a copy of the startup-config then the system puts some annotations in the file (see below).

It turns out that these are essential to get the exact same configuration.

I also tried to copy my config file to the startup-config. Also that gave problems e.g. access-list command changed from "any" to "any4". 

 

The following procedure seems to work:

 

  • Reset the device
    • Go to configuration mode and execute the following commands
      • no firewall transparent
      • write erase
      • reload noconfirm
    • Install the new configuration on the device (e.g. copy-paste into the terminal emulator)
    • Make sure that the configuration has been written to the startup-config and reboot
  • Copy the startup-config to another file e.g.
    • copy startup-config my_config.cfg

The my_config file can be used with the upgrade command.

 

: Saved

:
: Serial Number: Jxxxxxx
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)

 

......

< config command>

......

:End
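As an added example (not code from this thread or from Cisco), a small Python check a provisioning tool could run after loading a device: it parses the intended and the running policy-map global_policy blocks and reports every inspection whose state differs, so drift like the h323 h225 / skinny case above is caught before the unit ships. The two config samples are constructed from the snippets in this thread.

```python
import re

# Constructed sample: the intended global_policy taken from the config file.
INTENDED = """policy-map global_policy
class inspection_default
inspect ftp
no inspect h323 h225
inspect h323 ras
no inspect skinny
inspect dns preset_dns_map
"""

# Constructed sample: what "show running-config" returned after the downgrade.
RUNNING = """policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225 
inspect h323 ras 
inspect skinny
inspect dns preset_dns_map
"""

INSPECT_RE = re.compile(r"(no )?inspect (.+)")

def inspections(config_text, policy="global_policy", cls="inspection_default"):
    """Map each inspection in the given policy-map/class block to True (inspect)
    or False (no inspect). Other policy-maps and classes are skipped."""
    state, in_policy, in_class = {}, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy, in_class = line == f"policy-map {policy}", False
        elif line.startswith("class "):
            in_class = in_policy and line == f"class {cls}"
        elif in_class:
            m = INSPECT_RE.fullmatch(line)
            if m:
                state[m.group(2).strip()] = m.group(1) is None
    return state

def drift(intended_text, running_text):
    """Sorted (name, intended_enabled, running_enabled) for inspections whose
    state differs; an inspection absent from a block is treated as disabled."""
    want, have = inspections(intended_text), inspections(running_text)
    return sorted((n, want.get(n, False), have.get(n, False))
                  for n in set(want) | set(have)
                  if want.get(n, False) != have.get(n, False))

if __name__ == "__main__":
    for name, want, have in drift(INTENDED, RUNNING):
        print(f"{name}: intended {'inspect' if want else 'no inspect'}, "
              f"running {'inspect' if have else 'no inspect'}")
```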
