Static Crypto Map Entry (Priority)

RS_MCPRS_MCP Posts: 352Member
Hi All,

I have dual IPSec Site-to-Site VPN tunnels running on my main Cisco ASA 5520, The tunnels have been up and traversing traffic in both directions for quite some time and all of a sudden on one day, one of my sites could send traffic but not recieve any.

I troubleshooted very hard in terms of bouncing the tunnels, checking the configuration etc, but it just so happened that changing the static crypto map entry 'priority' to a lower number resolved the issue.

Why is this and why did this cause traffic to stop all of a sudden?

All is working now and it has remained stable for a few weeks.

Thank you for your help in advance.

Comments

  • millworxmillworx Posts: 290Member
    I don't know if this is exactly related, and I don't know where I read it, but as a general rule, you want to make your crypto map priority lower that your isakmp policy number. Most of the time it works just fine and really doesn't matter, but I did read that somewhere.

    Is this the only crypto map on your box?
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • shednikshednik Posts: 2,005Member
    Definitely need some more information to give you a specific reason, but as it has already been asked were there multiple entries in your crypto map? If changing the priority fixed the issue it was more then likely hitting a different priority on the map for the interface.
  • RS_MCPRS_MCP Posts: 352Member
    millworx wrote: »
    I don't know if this is exactly related, and I don't know where I read it, but as a general rule, you want to make your crypto map priority lower that your isakmp policy number. Most of the time it works just fine and really doesn't matter, but I did read that somewhere.

    Is this the only crypto map on your box?

    Crypto map entry lower than the ISAKMP policy...? You would to show me the read for that. No, I have multiple static crypto maps on my ASA for multiple sites.
  • RS_MCPRS_MCP Posts: 352Member
    shednik wrote: »
    Definitely need some more information to give you a specific reason, but as it has already been asked were there multiple entries in your crypto map? If changing the priority fixed the issue it was more then likely hitting a different priority on the map for the interface.

    "it was more then likely hitting a different priority on the map for the interface"

    Would you mind explaining in more detail, I am not understanding.
  • shednikshednik Posts: 2,005Member
    RS_MCP wrote: »
    "it was more then likely hitting a different priority on the map for the interface"

    Would you mind explaining in more detail, I am not understanding.

    Do you have multiple entries in the crypto map?

    I don't have a lot of time now to dig into it too much, working on an issue with one of my ASA clusters but take a look here.

    IPSec Example

    If you have entry 5 and entry 10 and entry 10 was the one you wanted it to use and moving it to entry 3 or 4 made it work means it was matching on number 5 for some reason. Crypto maps are sequential like an ACL, Didn't the CCSP exams cover this fairly in depth? I would expect it would but I haven't studied for the exams yet.

    Hope this help.
  • ilcram19-2ilcram19-2 Posts: 436Banned
    throw the ASA's away lol
  • RS_MCPRS_MCP Posts: 352Member
    "Do you have multiple entries in the crypto map?"

    I have a number of "Source" networks but "Destination" is a single network on each individual static crypto map entry.
  • shednikshednik Posts: 2,005Member
    RS_MCP wrote: »
    "Do you have multiple entries in the crypto map?"

    I have a number of "Source" networks but "Destination" is a single network on each individual static crypto map entry.

    I meant multiple sequence numbers not networks.
  • viper75viper75 Posts: 726Member ■■■■□□□□□□
    Do you have any Dynamic crypto maps? If you do, change their priority number to a higher number.
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • RS_MCPRS_MCP Posts: 352Member
    shednik wrote: »
    I meant multiple sequence numbers not networks.

    I have a number of static crypto maps with each assigned a priority, not sure what you mean by sequence numbers?
  • RS_MCPRS_MCP Posts: 352Member
    viper75 wrote: »
    Do you have any Dynamic crypto maps? If you do, change their priority number to a higher number.

    No, they are all static crypto maps and I have no dynamic. The default dynamic crypto map is assigned the highest (65335).
  • RS_MCPRS_MCP Posts: 352Member
    Hi All,

    I raised a TAC request with Cisco today and their VPN specialist engineer was also unable to understand the problem I had, he does not know why either, I'm sure we can find out???
  • burbankmarcburbankmarc Posts: 460Member
    If it's not matching traffic to a different crypto map entry then it's probably a bug. What version of the ASA software are you running?
  • RS_MCPRS_MCP Posts: 352Member
    If it's not matching traffic to a different crypto map entry then it's probably a bug. What version of the ASA software are you running?

    ASA Version: 8.2(1)
  • RS_MCPRS_MCP Posts: 352Member
    Hi All,

    A response from the Cisco TAC Engineer:

    CSCtb53186 Bug Details
    Duplicate ASP crypto table entry causes firewall to not encrypt traffic

    Symptom:
    When testing 100 site to site vpn connections on an ASA running 8.2.1 one or two tunnels would not encrypt traffic.

    The connections were established and dropped multiple times before seeing this issue.

    Conditions:
    "sho asp table vpn-context detail " shows duplicate crypto table entries.
    Two current and one left over from previous connection.

    This creates the problem of the traffic not being encrypted.

    Workaround:
    1. Reload ASA.or
    2. Upgrade to get the fix for both CSCtb53186 and CSCtd36473. CSCtd36473 is a defect with a very similar symptom but different root cause.

    This bug is resolved on version 8.2(4)

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Please let me know your thoughts?
  • burbankmarcburbankmarc Posts: 460Member
    Well reloading your ASA all the time isn't very effective. I would upgrade the software for sure.

    I like to patch and upgrade though, it's just the way I am. I know some sysadmins/network engineers can go years without updates. If that works for you, cool, but I always seem to run into bugs like the OP.
  • aaku_usaaku_us Posts: 1Registered Users ■□□□□□□□□□
    Guys i had a similar problem with phase 2 not completing. What i did is moved the crypto map higher up on the list and it started working. Also my cry was static not dynamic. I have had this issue with two clients alrfeady. My question is after upgrading the software...did the problem ever returned? did the upgrade resolve the issue? Initial thoughts from the tac engineer were similar...he informed me that the IOS may need to be upgraded.
  • xXErebuSxXErebuS Posts: 230Member
    Have fun upgrading from 8.2 to 8.3+.

    For record what shednik was trying to get at is did you have:


    access-list first extended permit ip host X.X.X.X host X.X.X.X
    access-list second extended permit ip any any
    access-list third extended permit ip host X.X.X.X host X.X.X.X

    crypto map crymap1 10 match address first
    crypto map crymap1 20 match address second
    crypto map crymap1 30 match address third

    Obviously the third crypto statment will not work correctly.... I think you already know this and it sounds like a bug but I thought I would explain for anyone reading the thread who may have the issue shednik was explaining.
Sign In or Register to comment.