Symptom
With an IKEv2 configuration, if the "ikev2 remote-authentication pre-shared-key" value under the tunnel-group ends with a backslash "\", the tunnel forms and works fine. However, after a reload for any reason, the ASA deletes the whole line.
> Before Reload
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *******
ikev2 local-authentication pre-shared-key *******
> After Reload
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 local-authentication pre-shared-key *******
Conditions
- IKEv2 used
- Remote Pre-Shared-Key (PSK) string which ends with a backslash "\"
- Reload
- Issue seen on ASAv Version 9.20 and FPR-1010 Version 9.18(2) (ASA Code)
Workaround
+ Modify the PSK and delete the backslash at the end
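To find affected tunnel-groups before and after a reload, the following added example (not Cisco code) audits a saved configuration. It assumes an export in which the keys are not masked for the backslash check; the missing-line check also works on masked output. The function name, sample addresses and sample keys are constructed, and flagging local keys as well as remote ones is a precaution beyond what this report describes.

```python
import re

# Constructed sample: tunnel-group blocks as they would look in a config export
# with unmasked keys. Addresses and keys are made up for this example.
SAMPLE_CONFIG = r"""
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExampleKey1\
 ikev2 local-authentication pre-shared-key ExampleKey2
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key ExampleKey3
"""

BLOCK = re.compile(r"^tunnel-group (.+) ipsec-attributes\s*$")
PSK = re.compile(r"^\s*ikev2 (remote|local)-authentication pre-shared-key (.*)$")


def audit_ikev2_psk(config_text):
    """Return (trailing_backslash, missing_remote) for the tunnel-groups found.

    trailing_backslash: (tunnel-group, direction) pairs whose PSK ends in "\\".
    missing_remote: tunnel-groups with a local IKEv2 PSK but no remote one,
    which is how the configuration looks after the reload described above.
    """
    groups, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("tunnel-group "):
            m = BLOCK.match(line)
            # Only ipsec-attributes blocks carry the ikev2 PSK lines.
            current = groups.setdefault(m.group(1), {}) if m else None
            continue
        m = PSK.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).rstrip()
    trailing = sorted((name, direction)
                      for name, keys in groups.items()
                      for direction, key in keys.items() if key.endswith("\\"))
    missing = sorted(name for name, keys in groups.items()
                     if "local" in keys and "remote" not in keys)
    return trailing, missing


if __name__ == "__main__":
    trailing, missing = audit_ikev2_psk(SAMPLE_CONFIG)
    for name, direction in trailing:
        print(f"{name}: {direction} PSK ends with a backslash")
    for name in missing:
        print(f"{name}: local PSK present, remote PSK line missing")
```
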
Further Problem Description
> Once the reboot is finished, the console log shows the following:
Reading from flash...
!!!!!......WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.
*** Output from config line 327, "ssh cipher integrity med..."
WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.
*** Output from config line 328, "ssh key-exchange group d..."
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 334, "ssh X.X.X.X 255.25..."
[...]
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 349, "ssh X.X.X.X 255.25..."
ikev2 remote-authentication pre-shared-key RdC23.${saef!541.>\
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 370, " ikev2 remote-authentica..."
.
Cryptochecksum (unchanged): XXXXXXXXXXXXXXXXXXXXXXXXXXXX
INFO: File /mnt/disk0/.private/dynamic-config.json not opened; errno 2
INFO: Network Service reload not performed.