
CSM creating duplicate crypto maps for site to site VPNs ?

mark.doyle
Level 1

I have an odd issue with CSM, where it creates duplicate crypto maps for site to site VPNs. I'm using CSM 4 SP 1, talking to an ASA 8.3.2 firewall that acts as hub for site.

Depending on what changes I make, crypto maps will be duplicated to the next available map numbers, with the existing crypto maps staying behind minus the peer command. I don't mind that it wants to renumber the maps, but it's leaving the old map configs in, which makes the running config a mess after a while when you have a bunch of VPNs. :-)

So first I have....

crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set peer 1.1.1.1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route

On next deployment the config grows (note the peer statement moves)...

crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route

crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set peer 1.1.1.1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route

And on the deployment after that the trend continues...

crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route

crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route

crypto map outside_map2 3 match address Any_to_VPN_1
crypto map outside_map2 3 set peer 1.1.1.1
crypto map outside_map2 3 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 3 set security-association lifetime seconds 3600
crypto map outside_map2 3 set reverse-route

Any ideas?

Thanks,

Mark

1 Reply

Nicolas Fournier
Cisco Employee

Hi Mark,

I believe this is due to the following bug: CSCti80866 Re-Deploy w/o changes - set peer cli negated on ASA.

You can have a look at its description from the following link: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti80866

As you can see there, upgrading to 4.0(1)SP1 or 4.1(0) should prevent this from happening.

Regards,

Nicolas
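The symptom Mark describes is easy to miss in a long running config: a sequence that still has its `match address` and transform-set but has lost its `set peer` never builds a tunnel, yet it keeps matching traffic in crypto map order. As an added example (not code from the thread, CSM or Cisco), the script below parses ASA `crypto map` lines, groups them by map name and sequence number, and flags sequences that share an ACL with a live (peered) sequence but have no peer themselves, which is exactly what the orphaned entries left behind by the redeployments look like. The sample config is constructed from the third state in the post plus a default dynamic map line; the `no crypto map <name> <seq>` cleanup output is a suggestion to review, not something to paste blindly.

```python
"""Flag orphaned crypto map sequences (match address present, set peer missing)
in a Cisco ASA running config. Added example, not part of the forum thread."""
import re
from collections import defaultdict

# Constructed sample: the post's third deployment state, plus a dynamic map
# entry that legitimately has neither 'match address' nor 'set peer'.
SAMPLE_CONFIG = """\
crypto map outside_map2 1 match address Any_to_VPN_1
crypto map outside_map2 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 1 set security-association lifetime seconds 3600
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 2 match address Any_to_VPN_1
crypto map outside_map2 2 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set reverse-route
crypto map outside_map2 3 match address Any_to_VPN_1
crypto map outside_map2 3 set peer 1.1.1.1
crypto map outside_map2 3 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map2 3 set security-association lifetime seconds 3600
crypto map outside_map2 3 set reverse-route
crypto map outside_map2 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map2 interface outside
"""

# Only 'match address' and 'set ...' sub-commands carry per-sequence state we care
# about; 'ipsec-isakmp dynamic ...' and 'interface ...' lines deliberately do not match.
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) "
    r"(?P<cmd>match address|set peer|set \S+)(?: (?P<args>.*))?$"
)


def parse_crypto_maps(config: str) -> dict:
    """Return {(map_name, seq): {"match": acl_or_None, "peers": [...], "other": [...]}}."""
    entries = defaultdict(lambda: {"match": None, "peers": [], "other": []})
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        key = (m["map"], int(m["seq"]))
        cmd, args = m["cmd"], m["args"] or ""
        if cmd == "match address":
            entries[key]["match"] = args
        elif cmd == "set peer":
            entries[key]["peers"].extend(args.split())  # ASA allows several peers
        else:
            entries[key]["other"].append(f"{cmd} {args}".strip())
    return dict(entries)


def find_orphans(entries: dict) -> list:
    """Sequences with a match ACL but no 'set peer', where another sequence in the
    same map uses the same ACL *and* has a peer. Requiring the live sibling keeps
    a single, genuinely misconfigured map from being reported as CSM leftovers."""
    live_by_acl = defaultdict(list)
    for (name, seq), e in entries.items():
        if e["match"] and e["peers"]:
            live_by_acl[(name, e["match"])].append(seq)
    orphans = []
    for (name, seq), e in sorted(entries.items()):
        if e["match"] and not e["peers"] and live_by_acl.get((name, e["match"])):
            orphans.append((name, seq))
    return orphans


def cleanup_commands(entries: dict) -> list:
    """ASA CLI that removes each orphaned sequence as a whole. Review before use."""
    return [f"no crypto map {name} {seq}" for name, seq in find_orphans(entries)]


if __name__ == "__main__":
    parsed = parse_crypto_maps(SAMPLE_CONFIG)
    for name, seq in find_orphans(parsed):
        print(f"orphaned: crypto map {name} {seq} (acl {parsed[(name, seq)]['match']})")
    print("\n".join(cleanup_commands(parsed)))
```

Run it against the output of `show running-config crypto map` after each CSM deployment; if the orphan list grows deployment over deployment while your VPN definitions have not changed, you are seeing the renumbering behaviour from the post rather than a manual misconfiguration.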
