07-16-2017 07:48 AM
Hello: Assistance would be appreciated...
Since a reboot yesterday, I have been getting an odd error when setting up pre-shared keys in IKEv1 (have not tried passwords or IKEv2 or other keys yet.. they may have same issue)
System: ASA 5508x, currently running 9.7(1)4 (will check later today for updates), device manager version 7.7(1)150. I get the same behavior from multiple computers, etc.
So let's say I set a pre-shared-key in the GUI to "asdfa" (no quotes).
ASDM sends the following and gets the following error:
[ERROR] ikev1 pre-shared-key 8 asdfa
Ciphertext asdfa is not well formed
If I go in through the CLI, and don't put the "8" it seems happy enough to take my key.
Yesterday it was also happy to take that key, before I had to shut it down for a power failure (did a proper shutdown).
Looking at some other things, I see my local passwords are displayed as pbkdf2, though the general password encryption is set to AES. It has been months since I messed with the internal encryption and passphrase settings, and have had no trouble with them since.. I had only been setting up PSK's again the last few days as a test for lan-2-lan connections (until I get certs running again).
So, it seems obvious to me that something in the reboot or ASDM told ASDM to start adding the "8" (encrypted passphrase) to the pre-shared-key commands, even though (of course) it is a plain text key.
Anyone know a way to make ASDM do the correct behavior? I generally find maneuvering the mass of settings in the ASA easier with ASDM.
Thanks!
-M
07-16-2017 11:15 AM
A bit more info.. I see why I did not run into it earlier in the week. It appears to only be an issue if you change that password. If you are creating a new profile, it does not add the 8. So far, it only appears to be doing this on IKE1 PSK's. No problems changing local passwords, for example.
Looks like an ASDM issue...
07-16-2017 08:50 PM
Hi,
You can try the following steps:
Enter the new password without encryption
Once you have the commands, please include the following: password encryption
This will convert your clear text command into encrypted.
Regards,
Aditya
07-17-2017 07:22 AM
Aditya,
Thank you for the reply. I am afraid this is an ASDM issue... Yes, I am able to set the password using the standard CLI, but ASDM assumes that once it is set, you will (somehow) only be manually entering the encrypted password in the GUI, so it puts that 8 in front of it (indicating encryption). This happens in the IKEv1 config (probably V2 as well) pre-shared key GUI field in both the tunnel group editor and the connection profile editor. You have to delete the connection and re-enter it for it to provide the non-encrypted form of the password change command. I have had similar issues in the past with SNMP settings, etc.
Or you just go to the CLI and do it, as you say.
Thank you!
-Mike
07-17-2017 08:36 AM
Hi Mike,
Yes the CLI seems to be a good option then.
Do you mind telling me the ASDM/ASA version as well?
Regards,
Aditya
Please mark helpful and mark correct answers.
07-17-2017 12:51 PM
Per my original post (grin):
System: ASA 5508x, currently running 9.7(1)4 (will check later today for updates), device manager version 7.7(1)150. I get the same behavior from multiple computers, etc.
Thank you!!