Hmmmm, makes sense! Funny how I haven't seen this anywhere so far.
Thanks Ryan!
Sadiq
On Wed, Apr 29, 2009 at 10:22 PM, Ryan West <rwest_at_zyedge.com> wrote:
> If you're referring to an any source match dynamic crypto map, typically
> used for RA VPN, then yes. This has been like that since PIX days. Think
> about it like a top down ACL, it gets to the any and just stops looking there.
> I typically configured all my crypto maps with the dynmap at 65535 to avoid
> that issue.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Wednesday, April 29, 2009 5:16 PM
> To: Cisco certification; Cisco certification
> Subject: Static + Dynamic crypto map on the same interface
>
> Hi Guys,
>
> After troubleshooting this mutha f**ker for 4 days, I am only coming to
> this realization.
>
> When I have a Dynamic as well as a Static crypto map configuration on the
> same interface (Outside) of an ASA, the Dynamic entry needs to have a
> higher entry number (lower priority) than the Static for the L2L (Static)
> VPN to work! Whenever I put the Dynamic entry first, the L2L VPN just
> doesn't work.
>
> The remote (Dynamic, EZVPN) config works regardless of the order though.
> Anyone seen this behaviour or is this related to the version of code I am
> running? This is 8.0. Or is this really "known" information which I have
> missed somehow?
>
> Excuse my language pls, need to vent it out somewhere :-)
>
> Thanks as usual guys,
> Sadiq
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
--
CCIE #19963

Received on Wed Apr 29 2009 - 22:31:14 ART
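
An added example, not part of the thread and not Cisco tooling: a small Python check for the ordering issue discussed above, flagging static (L2L) crypto map entries that sit behind a dynamic entry with a lower sequence number. The config fragments, map names, ACL name and peer address are constructed, and the check assumes the dynamic map matches any source, as Ryan describes.

```python
import re

# Constructed ASA-style fragments; names, ACL and peer address are made up.
DYNAMIC_FIRST = """\
crypto dynamic-map RA_DYN 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP 20 match address L2L_ACL
crypto map OUTSIDE_MAP 20 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
"""
# Same config with the dynamic entry moved to the last sequence number.
DYNAMIC_LAST = DYNAMIC_FIRST.replace(
    "OUTSIDE_MAP 10 ipsec-isakmp", "OUTSIDE_MAP 65535 ipsec-isakmp")

# Matches numbered entries only: "crypto map <name> <seq> <rest>".
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: 'dynamic' | 'static'}}."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skips 'crypto map X interface ...' and unrelated lines
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entries = maps.setdefault(name, {})
        if rest.startswith("ipsec-isakmp dynamic "):
            entries[seq] = "dynamic"
        else:
            entries.setdefault(seq, "static")
    return maps


def shadowed_static_entries(config):
    """List (map, dynamic_seq, static_seq) where a dynamic entry is evaluated first."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        dyn = [s for s, kind in entries.items() if kind == "dynamic"]
        for static_seq in sorted(s for s, k in entries.items() if k == "static"):
            earlier = [d for d in dyn if d < static_seq]
            if earlier:
                findings.append((name, min(earlier), static_seq))
    return findings


if __name__ == "__main__":
    print("dynamic first:", shadowed_static_entries(DYNAMIC_FIRST))
    print("dynamic last: ", shadowed_static_entries(DYNAMIC_LAST))
```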
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART