This is exactly what I stumbled upon in a real IPSec VPN deployment at one of our 
clients. It was sort of shameful ;)

Eugene

From: Mike Rojas <[email protected]>
Date: Friday, May 4, 2012 4:05 PM
To: <[email protected]>
Subject: [OSL | CCIE_Security] VPN and Dynamic Crypto maps

Hi,

For the people on the track who haven't run into this problem: normally on 
the CCIE track most of the labs that I have run are based on virtual 
templates or static VTIs. However, if by any chance you run into an issue where 
you have to configure VPNs using different crypto map instances, make sure that 
you always give the dynamic crypto map the highest (or at least a higher) 
sequence number than the static crypto maps. Otherwise phase 2 of the VPN 
is not going to come up. You are going to be able to see that phase 1 is working 
fine, however phase 2 will not be functioning. The other side of the tunnel 
will be able to encrypt packets, but the device with the misconfiguration 
will not be able to create phase 2, and features like RRI are going to be broken.

It has been a while since I created an EZVPN with crypto maps and I had 
totally forgotten about it.


"If static and dynamic peers are configured on the same crypto map, the order 
of the crypto map entries is very important. The sequence number of the dynamic 
crypto map entry must be higher than all of the other static crypto map 
entries. If the static entries are numbered higher than the dynamic entry, 
connections with those peers fail."

I wish it would have just failed all the way :(.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Mike
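Added example (not part of Mike's post or the Cisco document): a small lint that parses the `crypto map NAME SEQ ipsec-isakmp [dynamic DYNMAP]` lines of an IOS running-config and flags any dynamic entry whose sequence number is not above every static peer entry in the same map, which is the ordering rule quoted above. The config excerpt is constructed for the example; the map name VPN, dynamic map DYNMAP, transform set TS, ACL SITE_B and the peer address 198.51.100.2 are assumed names, and the "good" variant just renumbers the dynamic entry to 65535.

```python
"""Lint Cisco IOS crypto map ordering.

Constructed example: flags any dynamic crypto map entry whose sequence
number is not higher than every static (ipsec-isakmp peer) entry in the
same crypto map, the misordering described in the post.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g. "crypto map VPN 10 ipsec-isakmp"
#           or "crypto map VPN 5 ipsec-isakmp dynamic DYNMAP"
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) ipsec-isakmp"
    r"(?: dynamic (?P<dyn>\S+))?\s*$"
)

# Constructed running-config excerpt (assumed names, not from the post):
# the dynamic entry carries sequence 5, below the static peer at sequence 10.
BAD_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
crypto map VPN 5 ipsec-isakmp dynamic DYNMAP
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address SITE_B
interface GigabitEthernet0/0
 crypto map VPN
"""

# Same config with the dynamic entry renumbered above the static one.
GOOD_CONFIG = BAD_CONFIG.replace(
    "crypto map VPN 5 ipsec-isakmp dynamic DYNMAP",
    "crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP",
)


def parse_crypto_maps(config: str) -> Dict[str, Dict[str, List[int]]]:
    """Return {map_name: {"static": [seq, ...], "dynamic": [seq, ...]}}."""
    maps: Dict[str, Dict[str, List[int]]] = {}
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue  # isakmp policy, dynamic-map body, interface lines, etc.
        entry = maps.setdefault(m["name"], {"static": [], "dynamic": []})
        kind = "dynamic" if m["dyn"] else "static"
        entry[kind].append(int(m["seq"]))
    return maps


def find_misordered(config: str) -> List[Tuple[str, int, int]]:
    """Return (map_name, dynamic_seq, highest_static_seq) for every dynamic
    entry that is not numbered above all static entries in its crypto map."""
    findings: List[Tuple[str, int, int]] = []
    for name, entries in parse_crypto_maps(config).items():
        if not entries["static"] or not entries["dynamic"]:
            continue  # nothing to order against
        top_static = max(entries["static"])
        for dyn_seq in entries["dynamic"]:
            if dyn_seq <= top_static:
                findings.append((name, dyn_seq, top_static))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        findings = find_misordered(cfg)
        if not findings:
            print(f"{label}: crypto map ordering OK")
        for name, dyn_seq, top_static in findings:
            print(f"{label}: crypto map {name}: dynamic entry seq {dyn_seq} "
                  f"is not above static entry seq {top_static}; connections "
                  f"to the static peers numbered above it will fail")
```

Run it against a saved `show running-config`; only dynamic entries that sit at or below a static entry in the same map are reported, so a map with only static peers or only a dynamic entry is left alone.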


_______________________________________________ For more information regarding 
industry leading CCIE Lab training, please visit www.ipexpert.com Are you a 
CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com