ASA Crypto Map Ordering
A friend of mine was telling me about an ASA issue he was having. His LAN-to-LAN tunnels would establish and cause intermittent connectivity issues. He would be able to only get to some subnets on either side of the tunnel. It wasn’t always the same subnets, nor would it always happen. His ACLs were the same on either side, as well as his crypto map sequencing.
Below is similar to what his maps looked like:
1 2 3 4 5 6 7 8 9 10 11 12 13 | crypto map global_map 10 match address outside_1_cryptomap_1 crypto map global_map 10 set pfs crypto map global_map 10 set peer 1.1.1.1 crypto map global_map 10 set transform-set ESP-AES-128-SHA crypto map global_map 10 set security-association lifetime seconds 28800 crypto map global_map 10 set security-association lifetime kilobytes 4608000 crypto map global_map 15 ipsec-isakmp dynamic global_dyn_map !!!!here is our dynamic!!!!!!! crypto map global_map 20 match address outside_2_cryptomap_2 crypto map global_map 20 set pfs crypto map global_map 20 set peer 2.2.2.2 crypto map global_map 20 set transform-set ESP-3DES-SHA crypto map global_map 20 set security-association lifetime seconds 28800 crypto map global_map 20 set security-association lifetime kilobytes 4608000 |
The issue was that he had his dynamic mapping in the middle of his crypto sequence. Once he moved it to the end, all was well:
1 2 3 4 5 6 7 8 9 10 11 12 13 | crypto map global_map 10 match address outside_1_cryptomap_1 crypto map global_map 10 set pfs crypto map global_map 10 set peer 1.1.1.1 crypto map global_map 10 set transform-set ESP-AES-128-SHA crypto map global_map 10 set security-association lifetime seconds 28800 crypto map global_map 10 set security-association lifetime kilobytes 4608000 crypto map global_map 20 match address outside_2_cryptomap_2 crypto map global_map 20 set pfs crypto map global_map 20 set peer 2.2.2.2 crypto map global_map 20 set transform-set ESP-3DES-SHA crypto map global_map 20 set security-association lifetime seconds 28800 crypto map global_map 20 set security-association lifetime kilobytes 4608000 crypto map global_map 65535 ipsec-isakmp dynamic global_dyn_map !!!!our dynamic at the end!!! |
Every example I’ve ever seen had these dynamics at the end, but I didn’t think it would affect your L2Ls this way.
Thanks for the tip Brian!