Cisco Bug: CSCsy74914 - CSM config deploy fails when using IKE-proposal with DH group 5

Last Modified

Nov 11, 2016

Products (1)

  • Cisco Security Manager

Known Affected Releases

3.2(2)

Description (partial)

Symptom:

CSM fails validation of IKE Proposals that use DH group 5, and logs the error below:

"The IKE Proposal Diffie-Hellman group can only be 2"

We do not see any problem when using IKE Proposals with DH group 2.

Conditions:

Installed Cisco Security Manager 3.2.2. Tested with CSM coupled with a MARS. The problem is also found when using Cisco Security Manager 3.2.2 without MARS.

Four ASA 5520s running 8.0.4 were built as two VPN clusters, each containing two ASAs.

The devices were discovered with CSM online, with the checkbox set to discover the VPN config. With CSM we discovered the four units correctly, including the VPN config. When one wants to use CSM to deploy the configs, one may run into the problems below:

1) Imported the running config and, without changes, deployed it to a file. When doing so the IKE configuration gets corrupted and major lines are missing; see below:

Original Config:

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


Config generated by CSM:

crypto isakmp policy 10
authentication pre-share
encryption aes-256
group 5
crypto isakmp policy 20
encryption aes-256
group 5
crypto isakmp policy 65535
authentication pre-share
encryption 3des
group 2

Only the proposal that uses DH group 2 is used correctly.

1- The CSM validation ran through without warnings. But looking in the device view at the IKE proposals, only the last proposal is displayed. The other proposals are obviously not read properly by CSM.

Given that only one proposal is in CSM, we would expect only the last proposal to appear in the new configuration.

2) When one adds in CSM some predefined IKE Proposals which do not use DH group 2, validation shows the error below:

"The IKE Proposal Diffie-Hellman group can only be 2"

3) Even if one selects in CSM only proposals with DH group 2, the resulting config still carries fragments of the initial proposals (see 1)), which would result in errors upon VPN tunnel connection.
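The lines CSM dropped in the listings above (`hash` and `lifetime` from every policy, `authentication rsa-sig` from policy 20) are exactly what a pre-deployment diff of the ISAKMP policies catches. The following is an added example, not code from the bug report or from Cisco Security Manager: it parses the `crypto isakmp policy` blocks out of two ASA configurations (the sample inputs are the two listings quoted in the report), reports every attribute the generated config dropped or changed, and lists which policies would trip the "can only be 2" validation message. The `ATTRS` tuple and all function names are this example's own assumptions, not a CSM or ASA API.

```python
"""Pre-deploy check for ASA 'crypto isakmp policy' blocks (added example).

Compares the ISAKMP (IKEv1) policies in an original ASA config with the
ones in a generated config and refuses deployment if anything was dropped
or changed.  Sample inputs below are the two configs quoted in the report.
"""
import re

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")

# Sub-commands of an ASA ISAKMP policy (assumed list for this example).
# An omitted attribute falls back to the ASA default, so a silently dropped
# line changes the policy instead of failing loudly.
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

ORIGINAL_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

CSM_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 group 5
crypto isakmp policy 20
 encryption aes-256
 group 5
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 group 2
"""


def parse_isakmp_policies(config):
    """Map policy number -> {attribute: value} for every policy in config."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split(None, 1)
        if current is not None and parts[0] in ATTRS:
            current[parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # any other top-level command ends the block
    return policies


def diff_policies(original, generated):
    """(policy, attribute, original_value, generated_value) for each
    difference; a value of None means the line is absent on that side."""
    orig, gen = parse_isakmp_policies(original), parse_isakmp_policies(generated)
    findings = []
    for num in sorted(set(orig) | set(gen)):
        if num not in gen or num not in orig:
            findings.append((num, "policy", "present" if num in orig else None,
                             "present" if num in gen else None))
            continue
        for attr in ATTRS:
            ov, gv = orig[num].get(attr), gen[num].get(attr)
            if ov != gv:
                findings.append((num, attr, ov, gv))
    return findings


def policies_rejected_by_csm(config, allowed_groups=("2",)):
    """Policy numbers whose DH group is outside what the validation message
    quoted in the report allows ('... can only be 2')."""
    return sorted(num for num, attrs in parse_isakmp_policies(config).items()
                  if attrs.get("group") not in allowed_groups)


def safe_to_deploy(original, generated):
    return not diff_policies(original, generated)


def format_report(findings):
    if not findings:
        return "OK: ISAKMP policies unchanged"
    lines = ["REFUSING DEPLOY: ISAKMP policies differ"]
    lines += [f"  policy {n}: {a} {ov!r} -> {gv!r}" for n, a, ov, gv in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_policies(ORIGINAL_CONFIG, CSM_CONFIG)))
    print("policies hitting the DH-group check:",
          policies_rejected_by_csm(ORIGINAL_CONFIG))
```

Run against the two listings this reports seven dropped lines and flags policies 10 and 20 for the DH-group check. The `authentication rsa-sig` loss on policy 20 is the one to worry about most: on the ASA a policy with no `authentication` line defaults to pre-shared keys, so certificate authentication would silently turn into PSK authentication on deploy.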