Cisco Bug: CSCsy74914 - CSM config deploy fails when using IKE-proposal with DH group 5
Nov 11, 2016
- Cisco Security Manager
Symptom: CSM fails validation for IKE proposals that use DH group 5 and logs the error: "The IKE Proposal Diffie-Hellman group can only be 2". IKE proposals that use DH group 2 show no problem.

Conditions: Cisco Security Manager 3.2.2, tested both coupled with a MARS and without MARS (the problem is reproduced in both setups). Four ASA5520s running 8.0.4, built as two VPN clusters of two ASAs each. The devices were discovered with CSM online, with the option to discover the VPN config checked. CSM discovered the four units and their VPN configuration correctly. When CSM is then used to deploy the configurations, the following problems occur:

1) The running config was imported and, without any change, deployed to a file. In the process the IKE configuration is corrupted and major lines go missing:

   Original config:

     crypto isakmp policy 10
      authentication pre-share
      encryption aes-256
      hash sha
      group 5
      lifetime 86400
     crypto isakmp policy 20
      authentication rsa-sig
      encryption aes-256
      hash sha
      group 5
      lifetime 86400
     crypto isakmp policy 65535
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400

   Config generated by CSM:

     crypto isakmp policy 10
      authentication pre-share
      encryption aes-256
      group 5
     crypto isakmp policy 20
      encryption aes-256
      group 5
     crypto isakmp policy 65535
      authentication pre-share
      encryption 3des
      group 2

   Only the proposal that uses DH group 2 is handled correctly. The CSM validation ran through without warnings, but in the device view only the last IKE proposal is displayed; the other proposals are evidently not read properly by CSM. Given that only one proposal is present in CSM, we would expect only that last proposal to appear in the new configuration.

2) When one adds in CSM some predefined IKE proposals that do not use DH group 2, validation shows the error: "The IKE Proposal Diffie-Hellman group can only be 2".

3) Even if one selects in CSM only proposals with DH group 2, the resulting config still carries fragments of the initial proposals (see 1)), which would result in errors when a VPN tunnel is established.
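The practical risk in item 1 is not the missing lines as such but what they silently change: policy 20 loses its "authentication rsa-sig" line, so after deployment that policy would authenticate with whatever the platform default is rather than certificates, and nothing in CSM validation flags it. The following Python script is an added example (not Cisco code, and not part of this bug report) that parses the "crypto isakmp policy" blocks from a device's running config and from the config a management tool intends to push, and reports every attribute that was dropped or changed per policy. The two configs embedded below are the ones quoted in the report, constructed here as inline strings; the ASSUMED_ASA_DEFAULTS table is an assumption for the sake of the example (verify it against the command reference for your ASA release) and deliberately does not assume an authentication default, so a dropped authentication line is always reported as a hard finding.

```python
import re
from collections import OrderedDict

# Constructed sample input: the original ASA running config quoted in the bug
# report, embedded inline so the example runs offline.
ORIGINAL_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Constructed sample input: the config CSM generated from it, as quoted above.
CSM_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 group 5
crypto isakmp policy 20
 encryption aes-256
 group 5
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 group 2
"""

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# ASSUMPTION for this example: implicit values an ASA applies when a policy
# attribute is omitted. Authentication is intentionally left out so that a
# dropped authentication line is never treated as harmless.
ASSUMED_ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "group": "2", "lifetime": "86400"}


def parse_isakmp_policies(text):
    """Return {priority: {attr: value}} for every 'crypto isakmp policy' block."""
    policies = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        if current is None or not line:
            continue
        if not raw.startswith(" "):
            current = None          # an unindented line ends the policy block
            continue
        parts = line.split(None, 1)
        if parts[0] in ATTRS and len(parts) == 2:
            current[parts[0]] = parts[1]
    return policies


def diff_policies(original, generated):
    """Return (priority, attr, original_value, status) for each discrepancy.

    status is one of: missing_policy, dropped, dropped_same_as_default, changed.
    Only 'dropped_same_as_default' leaves the effective policy unchanged.
    """
    findings = []
    for prio, want in original.items():
        got = generated.get(prio)
        if got is None:
            findings.append((prio, None, None, "missing_policy"))
            continue
        for attr in ATTRS:
            if attr not in want:
                continue
            if attr not in got:
                same = ASSUMED_ASA_DEFAULTS.get(attr) == want[attr]
                findings.append((prio, attr, want[attr], "dropped_same_as_default" if same else "dropped"))
            elif got[attr] != want[attr]:
                findings.append((prio, attr, want[attr], "changed"))
    return findings


def blocking_findings(findings):
    """Findings that alter the effective IKE policy and should block a deploy."""
    return [f for f in findings if f[3] in ("missing_policy", "dropped", "changed")]


if __name__ == "__main__":
    result = diff_policies(parse_isakmp_policies(ORIGINAL_CFG), parse_isakmp_policies(CSM_CFG))
    for prio, attr, value, status in result:
        print(f"policy {prio}: {attr} {value!r} {status}")
    print("deploy blocked:", bool(blocking_findings(result)))
```

Run against the two configs from the report, the script lists hash and lifetime as dropped-but-default for all three policies and raises exactly one blocking finding: policy 20's "authentication rsa-sig". Running a check like this on the file CSM deploys, before it is pushed to a device, catches the corruption that CSM's own validation passed without warnings.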