Cisco Bug: CSCtf09901 - CSM generates wrong CLI for Hub-Spoke VPN on ASA

Last Modified

Nov 11, 2016

Products (1)

  • Cisco Security Manager

Known Affected Releases


Description (partial)

When configuring a hub-and-spoke VPN with PKI and the ASA acting as the hub, CSM does not create the correct configuration for the VPN tunnel to come up properly.

The scenario is an ASA with a dynamic crypto map and a spoke with a dynamic IP address.

The spoke is provisioned fine; the ASA has the following issues:
1- DefaultL2LGroup has no trustpoint set (for some reason the trustpoint is set in the DefaultRAGroup...)

You need to add
set trustpoint <TG name>
in the TG config.

2- For the tunnel to land in the DefaultL2LGroup, the default tunnel-group-map needs to be changed:

tunnel-group-map DefaultL2LGroup

VPN Hub-spoke, ASA is the hub, PKI is used
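
The two gaps described above can be checked in a generated hub configuration before it is deployed. The following is an added example, not code from Cisco or from the bug record. It assumes standard ASA running-config syntax (`tunnel-group ... ipsec-attributes`, `trust-point` or `ikev1 trust-point`, `tunnel-group-map default-group`), which is not quoted on this page; the trustpoint name HUB_TP and both sample configurations are constructed.

```python
import re

# Constructed sample: hub config as the bug describes it. The trustpoint sits
# under DefaultRAGroup, DefaultL2LGroup has none, and no default-group map exists.
BROKEN = """\
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point HUB_TP
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

# Constructed sample: the same hub with both workarounds applied
# (assumed standard ASA syntax, not the wording used in the bug text).
FIXED = """\
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point HUB_TP
tunnel-group-map default-group DefaultL2LGroup
"""

def parse_sections(config):
    """Map each top-level config line to the list of its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_hub(config):
    """Return findings for the two problems listed in the bug description."""
    findings = []
    sections = parse_sections(config)
    l2l = sections.get("tunnel-group DefaultL2LGroup ipsec-attributes", [])
    # Accept both the older 'trust-point' and the newer 'ikev1 trust-point' form.
    if not any(re.match(r"(ikev1 )?trust-point \S+$", c) for c in l2l):
        findings.append("DefaultL2LGroup has no trustpoint")
    if "tunnel-group-map default-group DefaultL2LGroup" not in sections:
        findings.append("default tunnel-group-map is not DefaultL2LGroup")
    return findings
```

An empty list from `audit_hub` means both settings are present; each string in a non-empty list names one missing setting.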