Why ASA got a lot error messages after configuring Anyconnect VPN with ASDM ?

wfqk · ‎06-28-2015

Hi I configured Anyconnect VPN in ASA5505 with ASDM. When I reloaded it, I got a lot following message, which seems to be related with Anyconnect VPN. But finally the ASA went into formal status. Any one has idea what that mean ? Please see the following :

Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Configuration Compatibility Warning:
The version 8.4(6)0 configuration may contain syntax that is
not backward compatible with the 8.2(5) image that is loaded.

*** Output from config line 4, "ASA Version 8.4(6) "

subnet 10.1.1.0 255.255.255.128
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 46, " subnet 10.1.1.0 255.255..."

subnet 100.1.1.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 48, " subnet 100.1.1.0 255.25..."

no arp permit-nonconnected
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 56, "no arp permit-nonconnect..."

nat (any,outside) dynamic interface
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 59, " nat (any,outside) dynam..."

timeout pat-xlate 0:00:30
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 61, "timeout pat-xlate 0:00:3..."

user-identity default-domain LOCAL
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 69, "user-identity default-do..."

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart ^

ERROR: % Invalid input detected at '^' marker.
*** Output from config line 74, "snmp-server enable traps..."

crypto ipsec ikev2 ipsec-proposal DES
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 75, "crypto ipsec ikev2 ipsec..."

protocol esp encryption des
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 76, " protocol esp encryption..."

protocol esp integrity sha-1 md5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 77, " protocol esp integrity ..."

crypto ipsec ikev2 ipsec-proposal 3DES
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 78, "crypto ipsec ikev2 ipsec..."

protocol esp encryption 3des
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 79, " protocol esp encryption..."

protocol esp integrity sha-1 md5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 80, " protocol esp integrity ..."

crypto ipsec ikev2 ipsec-proposal AES
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 81, "crypto ipsec ikev2 ipsec..."

protocol esp encryption aes
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 82, " protocol esp encryption..."
.
protocol esp integrity sha-1 md5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 83, " protocol esp integrity ..."

crypto ipsec ikev2 ipsec-proposal AES192
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 84, "crypto ipsec ikev2 ipsec..."

protocol esp encryption aes-192
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 85, " protocol esp encryption..."

protocol esp integrity sha-1 md5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 86, " protocol esp integrity ..."

crypto ipsec ikev2 ipsec-proposal AES256
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 87, "crypto ipsec ikev2 ipsec..."

protocol esp encryption aes-256
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 88, " protocol esp encryption..."

protocol esp integrity sha-1 md5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 89, " protocol esp integrity ..."

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES2 ^56 AES192 AES 3DES DES

ERROR: % Invalid input detected at '^' marker.
*** Output from config line 90, "crypto dynamic-map SYSTE..."
ERROR: Dynamic crypto map not found
*** Output from config line 91, "crypto map outside_map 6..."
WARNING: crypto map has incomplete entries
*** Output from config line 92, "crypto map outside_map i..."

crypto ikev2 policy 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 93, "crypto ikev2 policy 1"

encryption aes-256
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 94, " encryption aes-256"

integrity sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 95, " integrity sha"

group 5 2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 96, " group 5 2"

prf sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 97, " prf sha"

lifetime seconds 86400
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 98, " lifetime seconds 86400"

crypto ikev2 policy 10
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 99, "crypto ikev2 policy 10"

encryption aes-192
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 100, " encryption aes-192"

integrity sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 101, " integrity sha"

group 5 2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 102, " group 5 2"

prf sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 103, " prf sha"

lifetime seconds 86400
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 104, " lifetime seconds 86400"

crypto ikev2 policy 20
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 105, "crypto ikev2 policy 20"

encryption aes
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 106, " encryption aes"

integrity sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 107, " integrity sha"

group 5 2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 108, " group 5 2"

prf sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 109, " prf sha"

lifetime seconds 86400
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 110, " lifetime seconds 86400"

crypto ikev2 policy 30
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 111, "crypto ikev2 policy 30"

encryption 3des
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 112, " encryption 3des"

integrity sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 113, " integrity sha"

group 5 2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 114, " group 5 2"

prf sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 115, " prf sha"

lifetime seconds 86400
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 116, " lifetime seconds 86400"

crypto ikev2 policy 40
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 117, "crypto ikev2 policy 40"

encryption des
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 118, " encryption des"

integrity sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 119, " integrity sha"

group 5 2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 120, " group 5 2"

prf sha
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 121, " prf sha"

lifetime seconds 86400
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 122, " lifetime seconds 86400"

crypto ikev2 enable outside client-services port 443
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 123, "crypto ikev2 enable outs..."

ssh key-exchange group dh-group1-sha1
^
ERROR: % Invalid Hostname
*** Output from config line 126, "ssh key-exchange group d..."

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 134, " anyconnect image disk0:..."

anyconnect enable
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 135, " anyconnect enable"

vpn-tunnel-protocol ikev2 ssl-client
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 140, " vpn-tunnel-protocol ike..."
.
Cryptochecksum (unchanged): 303897ec 602e3eae f02b08cb 3902681a
Type help or '?' for a list of available commands.
asa1>
asa1>
asa1>

Abaji Rawool · ‎06-29-2015

Hi,

It looks like something wrong with the boot variable. The configurations prior to reboot was at 8.4 and then the ASA booted with old image in 8.2

You can see this message

"Configuration Compatibility Warning:
The version 8.4(6)0 configuration may contain syntax that is
not backward compatible with the 8.2(5) image that is loaded"

check the correct image is set on the ASA using "show run boot"

HTH

Abaji.