New Member

ASDM Backup of 5510 restored onto a different 5510 newer IOS

We use an ASA 5510 as the head end for our WAN which consists of around 30 branch offices, running Cisco 2825 routers with ipsec tunnels back to the data center.

I took a backup of my "in service" ASA5510 (IOS Version 8.0(2)) and restored it onto my "backup" ASA5510 (IOS Version 8.2(2)). Everything seemed to look fine, but when I took the ASA to the data center and tried to put it into service, the tunnels would not come up.

For the record, I shut down the "in service" ASA and moved all of the cabling over to the "backup" ASA, which I had running, in the hopes of keeping the downtime to a minimum (and I double checked that everything was in the right port).

After about 15 minutes, I gave up and plugged everything back into the "in service" ASA and all my tunnels came back up.

Is there something basic that I missed here?  Did the IOS version change break it?

In the 8.2(2) version on my "backup" I see a reference to "peer-id-validate req" when I do a "show run all" -- is this default behavior or did something change in 8.2?

Did moving the configuration onto different hardware break it?

I have compared the configs (as best I could) and nothing is jumping out other than the "peer-validate" mentioned above.

Any guidance is appreciated.

Thanks,

Brian

1 ACCEPTED SOLUTION

Cisco Employee

Re: ASDM Backup of 5510 restored onto a different 5510 newer IOS

Yup, try that; if it doesn't work, paste the debug crypto isakmp 255.

Mike

4 REPLIES
Cisco Employee

ASDM Backup of 5510 restored onto a different 5510 newer IOS

Hey Brian,

Ugly issue here. Are you using pre-shared keys or digital certificates? Would be a good idea to open a TAC case and have a window to troubleshoot this problem, maybe gathering some debugs of ISAKMP to check in which phase 1 the problem is located at.

Mike

New Member

Re: ASDM Backup of 5510 restored onto a different 5510 newer IOS

I am using Pre-Shared keys. Is there a possibility that I will need to re-enter the keys (i.e. did they come over as asterisks "*****")?

Thanks

Brian

Cisco Employee

Re: ASDM Backup of 5510 restored onto a different 5510 newer IOS

Yup, try that; if it doesn't work, paste the debug crypto isakmp 255.

Mike

New Member

Re: ASDM Backup of 5510 restored onto a different 5510 newer IOS

That was the problem, the pre-Shared keys which were in the backup were stored as an asterisk (*). This seems like it should have been something that was thought about. You take a backup of a device but if you restore it, it does not work, since the Pre-Shared keys get lost in translation!

Thanks for the input Mike.

Brian
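
A pre-restore check for the failure found in this thread, as an added example that is not part of the original posts: it scans a saved ASA configuration for tunnel groups whose pre-shared key was written out as asterisks, so those keys can be re-entered before the standby unit goes into service. The sample configuration, addresses and key are constructed, and the optional keyword prefix before pre-shared-key is an assumption for software versions other than those discussed here.

```python
import re

# Constructed sample of an ASA configuration backup (not taken from the thread).
SAMPLE_BACKUP = """\
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key Constructed-Key-For-Demo
"""

# Start of a tunnel-group sub-mode that can carry a pre-shared key.
GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
# Indented key line; leading keywords before "pre-shared-key" are tolerated
# (assumption, to cover syntax variants in other software versions).
KEY_RE = re.compile(r"^\s+(?:\S+\s+)*pre-shared-key\s+(\S+)\s*$")


def find_masked_keys(config_text):
    """Return tunnel-group names whose pre-shared key is only asterisks."""
    masked = []
    group = None
    for line in config_text.splitlines():
        header = GROUP_RE.match(line)
        if header:
            group = header.group(1)
            continue
        if not line.startswith(" "):
            group = None  # any other top-level line ends the sub-mode
            continue
        key = KEY_RE.match(line)
        # A value made up solely of "*" is a display mask, not a usable key.
        if key and group and set(key.group(1)) == {"*"}:
            masked.append(group)
    return masked


if __name__ == "__main__":
    for name in find_masked_keys(SAMPLE_BACKUP):
        print(f"tunnel-group {name}: pre-shared key is masked, re-enter it after restore")
```

An empty result means no masked keys were found in the file; any name listed needs its key entered by hand on the restored unit.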
