That's a pretty well known requirement. It's unfortunate you found out the hard way :)
"A dynamic crypto map set is included by reference as part of a crypto map set. Any crypto map entries that reference dynamic crypto map sets should be the lowest priority crypto map entries in the crypto map set (that is, have the highest sequence numbers) so that the other crypto map entries are evaluated first; that way, the dynamic crypto map set is examined only when the other (static) map entries are not successfully matched."
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1044457
________________________________
From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
To: Cisco certification <security_at_groupstudy.com>; Cisco certification <ccielab_at_groupstudy.com>
Sent: Wednesday, April 29, 2009 2:16:28 PM
Subject: Static + Dynamic crypto map on the same interface
Hi Guys,
After troubleshooting this mutha f**ker for 4 days, I am only coming to this
realization.
When I have a Dynamic as well as a Static crypto map configuration on the
same interface (Outside) of an ASA, the Dynamic entry needs to have a higher
entry number (lower priority) than the Static for the L2L (Static) VPN to
work! Whenever I put the Dynamic entry first, the L2L VPN just doesn't work.
The remote (Dynamic, EZVPN) config works regardless of the order though.
Anyone seen this behaviour, or is this related to the version of code I am
running? This is 8.0. Or is this really "known" information which I have
missed somehow?
Excuse my language pls, need to vent it out somewhere :-)
Thanks as usual guys,
Sadiq
-- CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Thu Apr 30 2009 - 02:00:34 ART
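The sequencing rule from the quoted documentation, turned into a small configuration checker, as an added example that is not part of this thread. It parses ASA-style "crypto map" lines, flags any static entry whose sequence number is higher than a dynamic entry's (so the static peer would be evaluated after the catch-all dynamic set), and renumbers the dynamic entries to the top of the range so they are examined last. The two config snippets are constructed for the example; the map names (outside_map, outside_dyn_map), the ACL name L2L_ACL, the peer 203.0.113.10, the 65535 sequence ceiling and the exact "ipsec-isakmp dynamic" line form are assumptions about ASA 8.0 syntax, not something the thread states.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA-style config: the dynamic entry is sequence 1, ahead of the
# static L2L entry at sequence 10 (the broken ordering described in the post).
BAD_CONFIG = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 1 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
"""

# Same config with the dynamic entry at the highest (lowest-priority) sequence.
GOOD_CONFIG = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

MAX_SEQ = 65535  # assumed upper bound of the crypto map sequence range
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config: str) -> Dict[str, Dict[int, dict]]:
    """Return {map_name: {seq: {"dynamic": bool, "lines": [...]}}}.

    'crypto map NAME interface X' has no sequence number and is skipped, as are
    'crypto dynamic-map' lines, which define the dynamic set rather than bind it.
    """
    maps: Dict[str, Dict[int, dict]] = {}
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(seq, {"dynamic": False, "lines": []})
        entry["lines"].append(raw.strip())
        if re.match(r"ipsec-isakmp dynamic \S+", rest):
            entry["dynamic"] = True
    return maps


def check_ordering(config: str) -> List[str]:
    """Return one finding per static entry sequenced after a dynamic entry.

    An empty list means every dynamic entry already has the highest sequence
    numbers in its map, i.e. the static (peer-specific) entries are tried first.
    """
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        dynamic_seqs = sorted(s for s, e in entries.items() if e["dynamic"])
        static_seqs = sorted(s for s, e in entries.items() if not e["dynamic"])
        if not dynamic_seqs or not static_seqs:
            continue
        lowest_dynamic = dynamic_seqs[0]
        for seq in static_seqs:
            if seq > lowest_dynamic:
                findings.append(
                    f"crypto map {name}: static entry {seq} is evaluated after "
                    f"dynamic entry {lowest_dynamic}; give the dynamic entries "
                    f"the highest sequence numbers in the map"
                )
    return findings


def renumber_dynamic_last(config: str, step: int = 10) -> str:
    """Rewrite each map so its dynamic entries occupy the top of the range.

    The last dynamic entry takes MAX_SEQ, earlier ones step down from it, so
    relative order among dynamic entries is preserved and all sort after the
    static entries. Raises if a static entry already sits in that band.
    """
    remap: Dict[Tuple[str, int], int] = {}
    for name, entries in parse_crypto_maps(config).items():
        dynamic_seqs = sorted(s for s, e in entries.items() if e["dynamic"])
        if not dynamic_seqs:
            continue
        new_seq = MAX_SEQ - step * (len(dynamic_seqs) - 1)
        static_max = max((s for s, e in entries.items() if not e["dynamic"]), default=0)
        if static_max >= new_seq:
            raise ValueError(f"crypto map {name}: static entry {static_max} collides with renumbered range")
        for seq in dynamic_seqs:
            remap[(name, seq)] = new_seq
            new_seq += step
    out = []
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        key = (m.group(1), int(m.group(2))) if m else None
        if key in remap:
            out.append(f"crypto map {m.group(1)} {remap[key]} {m.group(3)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_ordering(BAD_CONFIG):
        print("FINDING:", finding)
    print(renumber_dynamic_last(BAD_CONFIG))
```

Run it against a saved "show running-config crypto" and it reports each static peer that a lower-numbered dynamic entry would shadow; the renumbered output is the set of "crypto map" lines to re-enter after removing the old dynamic entry.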
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART