Symptom

If we have an IKEv2 profile with a non-default lifetime value set and we want to move back to the default one by negating the command, it changes the lifetime value to default as expected, but it also adds 'no lifetime certificate' to the configuration.

Conditions

IOS-XE/IKEv2 profile The non-default lifetime value was set in a profile and later on removed by using 'no lifetime ' Changing the lifetime to a non-default value: R1(config-ikev2-profile)#lifetime 333 R1(config-ikev2-profile)# R1(config-ikev2-profile)#do sh run | s crypto ikev2 profile IKEv2_profile crypto ikev2 profile IKEv2_profile match identity remote any authentication remote pre-share authentication local pre-share keyring local IKEv2_keyring lifetime 333 R1(config-ikev2-profile)# Removing the non-default value; 'no lifetime certificate' was added. R1(config-ikev2-profile)#no lifetime 333 R1(config-ikev2-profile)# R1(config-ikev2-profile)#do sh run | s crypto ikev2 profile IKEv2_profile crypto ikev2 profile IKEv2_profile match identity remote any authentication remote pre-share authentication local pre-share keyring local IKEv2_keyring no lifetime certificate R1(config-ikev2-profile)#

Workaround

NA

Further Problem Description