Re: ASA 9.3(2) wants "password encryption key"

ericx · ‎12-19-2017

The following now appears in my ASA config file:

(obfuscated hash)

! The following entry is deferred until the password encryption key is specified.
snmp-server community 8 jX1ZpJ8wlsJWIYJFHHnXF4htTLcjPvQPHGM=

The snmp V2c works.

Google search for the string "The following entry is deferred until the password encryption key is specified." returns nothing useful.

So what does "deferred" mean?

What is a "password encryption key?"

Karsten Iwen · ‎12-19-2017

The ASA can encrypt local passwords (and a community-string is also a password) in the config. For that password-encryption has to be configured:

key config-key password-encryption SUPER-SECRET-KEY
password encryption aes

The key will not be visible in the config and the ASA can't use the encrypted keys until you configure the line with the config-key. That is meant with "deferred".

ericx · ‎12-19-2017

@Karsten Iwen wrote:

The ASA can encrypt local passwords (and a community-string is also a password) in the config. For that password-encryption has to be configured:
key config-key password-encryption SUPER-SECRET-KEY
password encryption aes
The key will not be visible in the config and the ASA can't use the encrypted keys until you configure the line with the config-key. That is meant with "deferred".

That's pretty clear; but it begs a few more questions..

- How is it that the community string is hashed if no config-key has been supplied?

- More to the point, the snmp v2c community string works fine from remote machines; so presumably it's not "deferred?"

Karsten Iwen · ‎12-19-2017

Actually, you should just see the encrypted string and not a hash.

If it works, it could be because of the rest of the config/setup that you didn't show. Hard to tell.