load config partial / bad encryption or wrong masterkey

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

load config partial / bad encryption or wrong masterkey

L3 Networker

We're replacing an HA pair for a customer with new hardware and building new templates as the current devices have local overrides for almost the entire device & network config (looks like the result of an improper transition to Panorama).

The idea is we export the current device config and merge it into the new template. Both Panorama and the current devices should be sharing the same (non-default) master key, so the encrypted stuff like bind passwords and SSL keys should load without an issue, right?

 

On merging the partial config in a Panorama lab, we get the following errors:

 template -> X -> config -> shared -> server-profile -> ldap -> Y -> bind-password bad encryption or wrong masterkey. Discarding.

 template -> X -> config -> shared -> response-page -> Y is invalid. Invalid base64 data
 template -> X -> config -> shared -> response-page -> Y invalid. Discarding.

 template -> X -> config -> shared -> certificate -> Y -> private-key bad encryption or wrong masterkey. Discarding.

 

This suggests that the MK used to decrypt those from the source config is incorrect, but when we specify the key in the load command we get the same results. This is all assuming the devices use the same MK as Panorama, which I just learned is no longer a requirement since PAN-OS 10.0.

 

In the rare case that the device MK was still default, we attempt to use the default MK to merge the device config (p1a2...) and PAN-OS has difficulty loading its own config (bad encryption or wrong masterkey on Panorama config nodes) so that doesn't work either.

 

Question time.

1. Is it possible that the original device MK is still default, in which case how do we merge the config into a Panorama template which is non-default? Have already tried reverting the Panorama MK to default and loading, still no dice.

2. If Panorama and a managed device can now use different master keys (actually recommended now), how are values in a template encrypted with the Panorama masterkey decrypted by the managed device on a template push?

3. Is dark matter real or an excuse for an objection to revise Newtonian physics?

 

 

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @mb_equate ,

 

I have run into this also.  I have fixed it a couple of ways.  The easiest by far is just to manually configure the LDAP password after the load config partial.  Then the commit and push will work fine.

 

The harder way is to configure the MK on both devices.  As you have noticed, sometimes that works and sometimes it doesn't.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

Turns out a linter we had running in vscode garbled the strings, reimporting an unadulterated config from the device solved the problem.

View solution in original post

3 REPLIES 3

L3 Networker

We've had confirmation that the masterkeys are all the same, which agrees with the encrypted strings from the device export and Panorama matching (e.g. bind-passwords).

 

We can also load part of the running config with encrypted strings:

admin@panorama# load config partial mode merge from-xpath devices/entry/template/entry[@name='Z']/config/shared/server-profile" to-xpath /config/devices/entry/template/entry[@name='X']/config/shared/server-profile from running-config.xml

Config loaded from running-config.xml

[edit]

 

But not from the device export, with the same strings:

admin@panoramarama# load config partial mode merge from-xpath shared/server-profile to-xpath /config/devices/entry/template/entry[@name='X']/config/shared/server-profile from fw.xml

Config loaded from fw.xml
template -> X -> config -> shared -> server-profile -> ldap -> Y -> bind-password bad encryption or wrong masterkey. Discarding.

[edit]

🤔

Cyber Elite
Cyber Elite

Hi @mb_equate ,

 

I have run into this also.  I have fixed it a couple of ways.  The easiest by far is just to manually configure the LDAP password after the load config partial.  Then the commit and push will work fine.

 

The harder way is to configure the MK on both devices.  As you have noticed, sometimes that works and sometimes it doesn't.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Turns out a linter we had running in vscode garbled the strings, reimporting an unadulterated config from the device solved the problem.

  • 2 accepted solutions
  • 4303 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!