Cisco Support Community
Community Member

Missing crypto policy

Why would a crypto isakmp policy not be loaded from the startup-config into the running-config during a reload?  We had five policies, only four of which are in the running-config now.  No changes had been made after reload.  Thanx!

1 ACCEPTED SOLUTION

Cisco Employee

Re: Missing crypto policy

Hi,

Seems to be a perfect match of the bug CSCtd61244. You might want to consider an upgrade to a recent release.

Regards,

Prapanch

10 REPLIES
Cisco Employee

Re: Missing crypto policy

Hi,

Only reason why this would happen is if the startup-config has only 4 policies. Are you sure the configuration was saved to the startup-config prior to the reload?

Regards,

Prapanch

Community Member

Re: Missing crypto policy

I did a backup, using the ASDM prior to making any changes.  The policy exists in the startup-config, but did not transfer to the running-config during the reload.  I do not understand how this could happen.

Cisco Employee

Re: Missing crypto policy

Hi,

So when you do a "show start" you see the configured isakmp policy but not when you do a "show run"? If that's the case, can you do a "copy start run" and see if it copies now?

Regards,

Prapanch

Community Member

Re: Missing crypto policy

I have to schedule this for off-hours.  I will simply manually enter the policy, after I've verified that's the only command that did not load.  I still don't see how the reload could have missed it.  Thanx so much for your assistance!

Regards,

Wolf

Community Member

Re: Missing crypto policy

OK, so I tried entering the commands directly into the ASA:

I did this with ASDM as well as through the command line.  It never showed up in the configuration when I did a "show running-config crypto isakmp".

crypto isakmp policy 20 authentication pre-share

crypto isakmp policy 20 encryption 3des

crypto isakmp policy 20 hash md5

crypto isakmp policy 20 group 2

crypto isakmp policy 20 lifetime 86400

What's going on?  Thanx!

Regards,

Wolf

Community Member

Re: Missing crypto policy

My apologies . . . I meant to reply to you, but wound up replying to myself.  Here's what I said:

OK, so I tried entering the commands directly into the ASA:

I did this with ASDM as well as through the command line.  It never showed up in the configuration when I did a "show running-config crypto isakmp".

crypto isakmp policy 20 authentication pre-share

crypto isakmp policy 20 encryption 3des

crypto isakmp policy 20 hash md5

crypto isakmp policy 20 group 2

crypto isakmp policy 20 lifetime 86400

What's going on?  Thanx!

Regards,

Wolf

Cisco Employee

Re: Missing crypto policy

Hi,

Can you send the output of "show run all crypto isakmp" and if possible a session log of when you are trying to add this new policy? What are the other isakmp policies that you have configured? What version is your ASA running?

Regards,

Prapanch

Community Member

Re: Missing crypto policy

Prapanch,

Thanks, again, for your response.  While, as a CCNA for almost ten years, I have had much experience with all manner of Cisco hardware and software, the ASA continues to challenge me, even though I have attended the first classroom course offered on the device.

We are running v8.2(2) at all locations.  I have added this policy to our backup ASA with no problem.  As the primary ASA is critical and a reload has to be scheduled well in advance, I cannot simply do that on a whim to test the integrity of the startup-configuration, even though I have verified that isakmp policy 20 exists there.

Attached is the file with the information you requested.  Note that the commands appear to have been accepted during input, but mysteriously disappear when a "sh run all crypto isakmp" command is issued.  Thank you!

Regards,

Wolf

Cisco Employee

Re: Missing crypto policy

Hi,

Seems to be a perfect match of the bug CSCtd61244. You might want to consider an upgrade to a recent release.

Regards,

Prapanch

Community Member

Re: Missing crypto policy

Thank you, Prapanch!  I will read the upgrade document and look into upgrading so as not to impact our current NAT configuration.

Regards,

Wolf
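
Editor's added example (not part of the thread and not Cisco code): a small Python check that compares the isakmp policies in saved "show startup-config" output against "show running-config" output and reports any policy that did not load, which is the symptom discussed above. The function names and sample configs are constructed for illustration; the parser accepts both the one-line form posted in the thread and an indented block form, the latter being an assumption about how the saved config is laid out.

```python
import re

# Header or one-line form, e.g. "crypto isakmp policy 20 hash md5".
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)(?:\s+(\S+)\s+(.+))?$")
ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Constructed sample configs: policy 20 uses the values posted in the thread,
# policy 10 is invented for illustration.
SAMPLE_STARTUP = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
SAMPLE_RUNNING = SAMPLE_STARTUP.split("crypto isakmp policy 20")[0]

def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for every isakmp policy."""
    policies, current = {}, None
    for line in map(str.rstrip, config_text.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            if m.group(2):  # one-line form carries the attribute itself
                current[m.group(2)] = m.group(3).strip()
        elif current is not None and line[:1].isspace():
            parts = line.split(None, 1)  # indented attribute under a header
            if len(parts) == 2 and parts[0] in ATTRS:
                current[parts[0]] = parts[1].strip()
        else:
            current = None  # any other line ends the policy block
    return policies

def diff_policies(startup_text, running_text):
    """Report policies missing from, or different in, the running-config."""
    startup, running = (parse_isakmp_policies(t) for t in (startup_text, running_text))
    missing = sorted(p for p in startup if p not in running)
    changed = sorted(p for p in startup if p in running and startup[p] != running[p])
    return {"missing": missing, "changed": changed}

print(diff_policies(SAMPLE_STARTUP, SAMPLE_RUNNING))
```

Run after every reload or upgrade, a non-empty "missing" list flags a policy that is in the startup-config but never reached the running-config.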
