This is a known issue:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1042880
"A crypto map set may include a dynamic crypto map. Dynamic crypto map
sets should be the lowest priority crypto maps in the crypto map set
(that is, they should have the highest sequence numbers) so that the
security appliance evaluates other crypto maps first. It examines the
dynamic crypto map set only when the other (static) map entries do not
match."
Thanks,
David
CCIE #16333
On Apr 29, 2009, at 4:16 PM, Sadiq Yakasai wrote:
> Hi Guys,
>
> After troubleshooting this mutha f**ker for 4 days, I am only coming to this realization.
>
> When I have a Dynamic as well as a Static crypto map configuration on the same interface (Outside) of an ASA, the Dynamic entry needs to have a higher entry number (lower priority) than the Static for the L2L (Static) VPN to work! Whenever I put the Dynamic entry first, the L2L VPN just doesn't work.
>
> The remote (Dynamic, EZVPN) config works regardless of the order though. Anyone seen this behaviour or is this related to the version of code I am running? This is 8.0. Or is this really "known" information which I have missed somehow?
>
> Excuse my language pls, need to vent it out somewhere :-)
>
> Thanks as usual guys,
> Sadiq
>
> --
> CCIE #19963
Received on Wed Apr 29 2009 - 18:55:52 ART
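
The ordering rule quoted from the Cisco guide can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original thread or of any Cisco tool: it scans ASA-style `crypto map` lines and reports static entries whose sequence number is higher than a dynamic entry in the same map set. The map, ACL, transform-set and peer values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the thread); map, ACL and peer values are placeholders.
BAD = """\
crypto dynamic-map EZVPN_DYN 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic EZVPN_DYN
crypto map OUTSIDE_MAP 20 match address L2L_ACL
crypto map OUTSIDE_MAP 20 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
"""
# Same configuration with the dynamic entry moved to the highest sequence number.
GOOD = BAD.replace("OUTSIDE_MAP 10 ipsec-isakmp", "OUTSIDE_MAP 65535 ipsec-isakmp")

# Matches numbered entries only; 'crypto map NAME interface ...' has no sequence number.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def misordered_entries(config):
    """Return sorted (map, dynamic_seq, static_seq) for static entries evaluated after a dynamic one."""
    dynamic, static = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        kind = dynamic if rest.startswith("ipsec-isakmp dynamic ") else static
        kind[name].add(seq)
    findings = []
    for name, dyn_seqs in dynamic.items():
        first_dyn = min(dyn_seqs)
        for seq in static[name] - dyn_seqs:
            if seq > first_dyn:
                findings.append((name, first_dyn, seq))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("dynamic first", BAD), ("dynamic last", GOOD)):
        print(label, "->", misordered_entries(cfg) or "ordering OK")
```
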