04-05-2020 11:53 PM - edited 04-06-2020 12:03 AM
04-21-2020 08:57 AM - edited 04-21-2020 08:58 AM
I am having a similar issue with migrating the configuration from one ASA to another ASA for replacement. Initially I copied the configuration from one 5508-X to the new 5516-X, both at the same 9.10.1 version. Once satisfied the config came over OK, I upgraded to 9.13. I had upgraded to 9.14, with the ASDM 7.14, and the ASDM was flaky and kept locking up, but that is another story. Downgrading to 9.13 worked fine, and is stable. However, a few other users had been added to the old 5508-X while working with the new one. So I backed up the 5508-X to local config and imported the config into Excel. I copied 2 of 3 users with their properties and encrypted password just fine, but the third failed due to "Error: Malformed pbkdf2 hash" and "Error: Username addition failed.". I have never seen this before, and there does not seem to be any issue with the account, and if the passwords did not match during creation, it would not have been created. I have moved users from ASA to ASA with this method many times without this issue. Short of re-creating the user in the new ASA and setting a new password, my concern is that there is an issue with this process, or the encryption process. This is similar to backing up a configuration and restoring it to a different ASA, so I would expect this to just work.
04-21-2020 09:18 AM
Depending on when the username was created the account password may or may not be stored with a pbkdf2 hash.
Older passwords use an md5 hash type.
04-21-2020 09:41 AM
It was created several days ago, and I just tried to migrate it to the new ASA yesterday, and had the error. The user was using it successfully just fine, so I know the password was usable. I just worked with the user, and changed the password on the first ASA. Then I performed the exact same steps as described above and the account imported fine into the new ASA. The password was somehow not in a good state even though it was working for the user. Or there is still something with the encryption process. I had performed the configuration backup 3 times as well, just in case that was the failure, but that had the same results. Changing the password on the original ASA resolved the issue, even though it worked for the user the way it was. Just something to think about.
07-20-2021 12:43 PM
We are running CSM 4.22 SP1 and getting the same error regarding the hashed enable password being malformed when deploying to an ASA5585 on 9.6.4.12.
Cisco referenced:
07-14-2022 06:41 AM - edited 07-14-2022 07:00 AM
I run into the same problem when trying to set up the enable password. It looks like it is not possible to use an enable password shorter than 33 characters when using CSM and using the PBKDF2 hash. I also could not get it working by using the CLI.
Our company policy does not allow us to use MD5 as a hash anymore. For normal operation we use AAA and you log on directly in enable mode. But in case of problems, when AAA is not working, we need to use local authentication, and using a 33 character password is not workable. Is this IOS or CSM related? I would hate to see that we need to upgrade all our ASA firewalls again.