ASA clear pre-share key

Tomasz Tuzimek
Level 1

I must overwrite a pre-shared key (for the VPN client) once a week because the ASA clears this password. I don't know what the cause is. Maybe a bug in the software.

8 Replies

Marcin Latosiewicz
Cisco Employee

Tomasz,

Start by saying which version you run and what you see in the logs (at informational level) around the time when the keys get corrupted.

Did you already check fsck?

Marcin

Namit Agarwal
Cisco Employee

Hi,

Please provide the version of the VPN Client and the ASA image as well. What I understand is that the pre-shared-key configured under the tunnel-group ipsec-attributes for the remote access vpn is being deleted from the config on the ASA. Please correct if I am wrong.

Thanks,

Namit

I have got 3 VPN groups; only one of them has this problem.

About 30 minutes ago I again overwrote the pre-shared key ("asa1(config-tunnel-ipsec)#  pre-shared-key X*******") and the VPN is connected.

I am working with VPN client 5.0.04.0300 and 5.0.02.0090.

The ASA software has:

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

asa1 up 192 days 13 hours
failover cluster up 1 year 18 days

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
....

....

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 250
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 5000
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5550 VPN Premium license.

#######################################asa1# sh vpn-sessiondb summa

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  IPsec Remote Access   :       5 :       1248 :               7
  Totals                :       5 :       1248

License Information:
  IPsec   :   5000    Configured :   5000    Active :      6    Load :   0%
  SSL VPN :      2    Configured :      2    Active :      0    Load :   0%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          6 :      10744 :               8
  Totals              :          6 :      10744

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display
asa1#

#######################################logs:

asa1# sh logging | b 8:00
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing SA payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ke payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing nonce payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ID payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received xauth V6 VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received DPD VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received Fragmentation VID
Oct 11 2010 08:38:00: %ASA-7-715064: IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received Cisco Unity client VID
Oct 11 2010 08:38:00: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group Medsar
Oct 11 2010 08:38:00: %ASA-7-715047: Group = Medsar, IP = x.x.x.x, processing IKE SA payload
Oct 11 2010 08:38:00: %ASA-7-715028: Group = Medsar, IP = x.x.x.x, IKE SA Proposal # 1, Transform # 6 acceptable  Matches global IKE entry # 1
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ISAKMP SA payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ke payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing nonce payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, Generating keys for Responder...
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing hash payload
Oct 11 2010 08:38:00: %ASA-7-715076: Group = Medsar, IP = x.x.x.x, Computing hash for ISAKMP
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing Cisco Unity VID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing xauth V6 VID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing dpd vid payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Discovery payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, computing NAT Discovery hash
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Discovery payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, computing NAT Discovery hash
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing VID payload
Oct 11 2010 08:38:00: %ASA-7-715048: Group = Medsar, IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 432
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Information Exchange processing failed
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted AUTH_FAILED notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Information Exchange processing failed
Oct 11 2010 08:38:02: %ASA-7-715065: Group = Medsar, IP = x.x.x.x, IKE AM Responder FSM error history (struct &0x2645a0a0)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
Oct 11 2010 08:38:02: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, IKE SA AM:6442e280 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Oct 11 2010 08:38:02: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, sending delete/delete with reason message
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing blank hash payload
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing IKE delete payload
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing qm hash payload
Oct 11 2010 08:38:02: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=b36ebb22) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 11 2010 08:38:02: %ASA-3-713902: Group = Medsar, IP = x.x.x.x, Removing peer from peer table failed, no match!
Oct 11 2010 08:38:02: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

I haven't got any concept of what the cause is.

Tomasz,

Well, I find it strange that it's triggered (if I understand what you're saying) so regularly, as if there were something (a script, CSM, etc.) accessing the device and overriding those keys.

Can you please run "fsck flash:" for me?

Do you have an external syslog? You could probably trace whether there were any changes done on the appliance itself... maybe it's due to ASDM interaction?

I don't remember any bugs that explain this behavior - not to say that there are none.

Marcin

Thanks.

I have got a syslog, but the ASA is logging only VPN messages.

I configure the ASA only by CLI. I don't run ASDM.

I ran fsck:

asa1# fsck disk0:

fsck of disk0: complete
asa1#

Tomasz,

It was worth a shot :-)

What you could do is make sure that each of the two syslogs below is being logged to your syslog server by default, regardless of level:

%ASA-5-111008:
%ASA-5-111010:

Those two should inform you of any actions done by a user.

Marcin

asa1(config)# logging message 111008
asa1(config)# logging message 111010
syslog 111010 not found

Is the 111010 message correct?

I applied the option 'ForceKeepAlives=1'.

I don't know if it helps with anything.

Tomasz,

The forcekeepalives option can only impact operational IKE tunnels.

The two syslogs were taken from my ASA 8.3.

Marcin
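As an added example (not from the thread or from Cisco), here is a small Python triage script for what Marcin suggests: it reads ASA syslog lines, flags operator commands recorded by 111008/111010 that touch a pre-shared-key, and counts the IKE failures (713903/713904 carrying INVALID_HASH_INFO, AUTH_FAILED or "pre-shared key mismatch") per tunnel group, so a key change can be lined up against the time the clients started failing. The log lines are constructed; the 111008/111010 wording follows the documented message format, and the thread shows that 111010 does not exist on the poster's 8.0(4) image, so only 111008 applies there.

```python
import re
from collections import defaultdict

# Constructed sample lines in ASA syslog format (not taken from the thread).
# 111008/111010 record operator commands; 713903/713904 are the IKE failure
# messages seen in the thread's debug output for tunnel group Medsar.
SAMPLE_LOG = """\
Oct 11 2010 07:55:12: %ASA-5-111008: User 'enable_15' executed the 'tunnel-group Medsar ipsec-attributes' command.
Oct 11 2010 07:55:14: %ASA-5-111008: User 'enable_15' executed the 'no pre-shared-key' command.
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted AUTH_FAILED notify message, dropping
Oct 11 2010 09:02:41: %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'pre-shared-key *****'
"""

# Timestamp, severity and message id as the ASA prints them: "%ASA-<sev>-<id>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)
GROUP_RE = re.compile(r"Group = (?P<group>[^,]+)")
AUDIT_IDS = {"111008", "111010"}          # command-accounting messages
PSK_FAIL_MARKERS = ("pre-shared key mismatch", "INVALID_HASH_INFO", "AUTH_FAILED")


def parse_line(line):
    """Return (timestamp, msgid, body) for an ASA syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    return (m["ts"], m["msgid"], m["body"]) if m else None


def triage(log_text):
    """Split a log into operator commands that touched a pre-shared key and IKE
    authentication failures, the latter grouped by tunnel group."""
    report = {"psk_config_changes": [], "psk_failures": defaultdict(list)}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # skip non-ASA or truncated lines
        ts, msgid, body = parsed
        if msgid in AUDIT_IDS and "pre-shared-key" in body:
            report["psk_config_changes"].append((ts, body))
        elif msgid in ("713903", "713904") and any(t in body for t in PSK_FAIL_MARKERS):
            g = GROUP_RE.search(body)
            report["psk_failures"][g["group"] if g else "unknown"].append((ts, msgid))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```

With the 111008 message enabled, a `no pre-shared-key` or `pre-shared-key` entry appearing shortly before the first INVALID_HASH_INFO/AUTH_FAILED burst points at a configuration session rather than at the software.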
