RA VPN failed with "Skipping dynamic map Internet_dyn_map"

matthewik.lee
Level 1

Hi,

I failed to connect with the VPN client (to the site1 ASA), and the debug says "Skipping dynamic map", like below:

May 20 10:15:04 [IKEv1]Group = xxxx, Username = yyyy, IP = [ASA outside intf public IP address], Skipping dynamic map Internet_dyn_map sequence 999: cannot match peerless map when peer found in previous map entry.

My original crypto map on the site1 ASA:

crypto dynamic-map Internet_dyn_map 999 set pfs group1
crypto dynamic-map Internet_dyn_map 999 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map Internet_dyn_map 999 set reverse-route

crypto map Internet_map 10 match address site1-site2
crypto map Internet_map 10 set peer x.x.x.x
crypto map Internet_map 10 set ikev1 transform-set myset
crypto map Internet_map 20 match address site1-site3
crypto map Internet_map 20 set peer y.y.y.y
crypto map Internet_map 20 set ikev1 transform-set myset
crypto map Internet_map 999 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet

It is configured with L2L VPN sessions for site1-site2 and site1-site3.

I used the VPN client to site1 from site3; it failed and showed:

Skipping dynamic map Internet_dyn_map sequence 999: cannot match peerless map when peer found in previous map entry.

My co-worker's VPN from site2 to site1 also failed, with the same log error:  Skipping dynamic map Internet_dyn_map sequence 999:

After viewing https://supportforums.cisco.com/discussion/12032041/remote-access-vpn-issue

I tried removing the L2L VPN settings on the site1 ASA, that is, deleting "crypto map Internet_map 10" and "crypto map Internet_map 20".

Then my VPN client access (to site1) succeeded, and my co-worker's VPN from site2 succeeded as well.

I could not figure out why, so I added back "crypto map Internet_map 10" (for site1-site2) on the site1 ASA. I could still VPN to site1 from site3, but my co-worker could not.

Deleting "crypto map Internet_map 10" (site1-site2) and adding "crypto map Internet_map 20" (site1-site3) on the site1 ASA, the VPN then failed from site3 but worked from site2.

Could someone tell me whether the symptom is caused by my misconfiguration or is expected behavior, and explain more about what may cause:  Skipping dynamic map Internet_dyn_map sequence 999:

Thanks a lot.

Matthew

9 Replies

matthewik.lee
Level 1

I searched more and found another thread: https://supportforums.cisco.com/discussion/12099546/ipsec-vpn-not-working-after-upgrade-847. It mentioned a bug, CSCuc75090, but the version on my ASA is 9.1(2).

Is it expected behavior that L2L VPN and RA dynamic VPN cannot use the same outside public IP address, or is it because of the bug?

Hi Matthew,

Looks like the ASA already has a static VPN configured with, let's say, peer IP x.x.x.x, and the dynamic client connections are also coming from the same source (i.e. x.x.x.x). *This is not a supported scenario*, since the ASA will not be able to negotiate two different IPsec SAs for the same peer matching two different crypto maps.

There already exists a static map for peer x.x.x.x, and when it comes to matching the group based on IP, it always picks the static map since it is placed above the dynamic map.

•  Any specific reason you are using client-based VPN even though there is a site-to-site VPN between the same two peers?

•  If at all you want to use client-based VPN, you have to go for AnyConnect VPN.

HTH,

Santhosh

Hi Santhosh,

We use MPLS VPN for inter-office traffic, and the ASAs in our offices are used as firewalls and remote access VPN concentrators. Now we want to use L2L VPN between offices to back up the MPLS VPN links.

So these suggestions are not feasible.

Thanks, Matthew

Hi Santhosh,

I am in the same dilemma, where we want to set up L2L VPN as well as use the RA VPN client, both originating from the same peer IP.

Is there no solution to this?

Thanks,

Hasan

Hi Hasan,

What kind of RA VPN solution are you using?

As stated in the previous response, AnyConnect for RA and L2L can go together for the same peer IP.

If at all you want to terminate RA IPsec, then you can give it a shot by making both L2L and RA terminate using a dynamic map (this ASA will then only act as a responder to VPN connections).

HTH,

Santhosh

Thanks for the quick reply.

I am using the Cisco client for RA VPN.

Can you point me to some instructions on how to do a dynamic map for both L2L and RA using the same peer? I am a newbie...

For L2L config:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

You can treat your ASA as Central-ASA.

For RA-IPsec Config:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html#configasa

The config guide was prepared using older ASA/ASDM code. If you are using new ASA code, use the keyword ikev1 instead of isakmp (shown in the doc for old ASA code).

**Also note that the Cisco IPsec client (RA VPN client) is no longer supported; it is already EOL and EOS.

Regards,

Santhosh

Thanks a lot, it worked like a charm!

Shakti Kumar
Cisco Employee

Hi,

If you wish to connect using RA VPN behind an S2S tunnel, there are 2 options:

1.) Use any other RA solution rather than IKEv1, for example IKEv2 or SSL.

2.) Use the set peer option under the dynamic map, for example:

                crypto dynamic-map Internet_dyn_map 999 set peer x.x.x.x

Please rate if helpful

Thanks

Shakti 
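Added example (not code from this thread or from Cisco): a small Python model of the crypto map walk that Santhosh and Shakti describe, run against the crypto map posted in the question. Static entries are consulted in sequence order; once the connecting peer's address has been found in a static entry, a dynamic entry that has no `set peer` is skipped with the message from the original post, while a dynamic entry that does name the peer can still match. The ACL rule for static entries, the rule that a peered dynamic sequence matches only that peer, and the extra 997/998 sequences (extending Shakti's one-liner so that sequence 999 stays available for ordinary RA clients) are assumptions of the model, not verified ASA behaviour; the model also ignores transform sets, PFS and tunnel-groups. Confirm on a real box with `debug crypto ikev1`.

```python
import re

# Constructed from the crypto map posted in the original question (site1 ASA).
ORIGINAL_CONFIG = """
crypto dynamic-map Internet_dyn_map 999 set pfs group1
crypto dynamic-map Internet_dyn_map 999 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map Internet_dyn_map 999 set reverse-route
crypto map Internet_map 10 match address site1-site2
crypto map Internet_map 10 set peer x.x.x.x
crypto map Internet_map 10 set ikev1 transform-set myset
crypto map Internet_map 20 match address site1-site3
crypto map Internet_map 20 set peer y.y.y.y
crypto map Internet_map 20 set ikev1 transform-set myset
crypto map Internet_map 999 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
"""

# What the OP tried: static entries 10 and 20 removed, dynamic map alone.
NO_L2L_CONFIG = "\n".join(
    line for line in ORIGINAL_CONFIG.splitlines()
    if " Internet_map 10 " not in line and " Internet_map 20 " not in line)

# Shakti's fix, extended (assumption): one peered dynamic sequence per static
# peer, leaving peerless 999 as the catch-all for ordinary RA clients.  A real
# ASA would also need a transform set on each new sequence; the model skips it.
DYN_SET_PEER_CONFIG = ORIGINAL_CONFIG + """
crypto dynamic-map Internet_dyn_map 997 set peer y.y.y.y
crypto dynamic-map Internet_dyn_map 998 set peer x.x.x.x
"""

SKIP_MSG = ("Skipping dynamic map {name} sequence {seq}: cannot match peerless "
            "map when peer found in previous map entry.")


def parse(config_text):
    """Read only match address, set peer and the ipsec-isakmp dynamic reference.

    statics: seq -> {"peers", "acl", "dynamic"}; dyn_entries: name -> {seq -> peers}
    """
    statics, dyn_entries = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map \S+ (\d+) (.+)", line)
        if m:
            seq, rest = int(m.group(1)), m.group(2).split()
            entry = statics.setdefault(seq, {"peers": set(), "acl": None, "dynamic": None})
            if rest[:2] == ["set", "peer"]:
                entry["peers"].update(rest[2:])
            elif rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = rest[2]
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) (.+)", line)
        if m:
            rest = m.group(3).split()
            peers = dyn_entries.setdefault(m.group(1), {}).setdefault(int(m.group(2)), set())
            if rest[:2] == ["set", "peer"]:
                peers.update(rest[2:])
    return statics, dyn_entries


def walk_crypto_map(config_text, peer_ip, proposed_acl=None):
    """Model the crypto map walk for one inbound IKEv1 peer.

    proposed_acl names the ACL an L2L peer negotiates traffic for; an RA
    client proposes host/pool addresses that match no L2L ACL, so pass None.
    Returns (("static", seq) | ("dynamic", seq) | None, trace_lines).
    """
    statics, dyn_entries = parse(config_text)
    trace, peer_seen = [], False
    for seq in sorted(statics):
        entry = statics[seq]
        if entry["dynamic"] is None:                       # static entry
            if peer_ip not in entry["peers"]:
                continue
            peer_seen = True                               # remembered downstream
            if proposed_acl == entry["acl"]:
                trace.append(f"matched static crypto map {seq}")
                return ("static", seq), trace
            trace.append(f"peer found in static map {seq}, traffic does not match {entry['acl']}")
            continue
        name = entry["dynamic"]                            # dynamic-map reference
        for dseq, dpeers in sorted(dyn_entries.get(name, {}).items()):
            if dpeers:                                     # peered sequence (assumption)
                if peer_ip in dpeers:
                    trace.append(f"matched dynamic map {name} sequence {dseq} via set peer")
                    return ("dynamic", dseq), trace
                continue
            if peer_seen:                                  # the behaviour in the OP's log
                trace.append(SKIP_MSG.format(name=name, seq=dseq))
                continue
            trace.append(f"matched peerless dynamic map {name} sequence {dseq}")
            return ("dynamic", dseq), trace
    return None, trace


def ra_blocked_peers(config_text):
    """Static `set peer` addresses from which an RA IPsec client cannot get in."""
    statics, _ = parse(config_text)
    peers = {p for e in statics.values() if e["dynamic"] is None for p in e["peers"]}
    return sorted(p for p in peers if walk_crypto_map(config_text, p)[0] is None)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("L2L removed", NO_L2L_CONFIG),
                       ("dynamic set peer", DYN_SET_PEER_CONFIG)):
        result, trace = walk_crypto_map(cfg, "x.x.x.x")
        print(f"[{label}] RA client from x.x.x.x -> {result}")
        for step in trace:
            print("    " + step)
    print("RA IPsec blocked from:", ra_blocked_peers(ORIGINAL_CONFIG))
```

Running the block prints the walk for an RA client from x.x.x.x under the original config (ends on the Skipping line with no match), with the two L2L entries removed (matches 999, as the OP observed), and with peered dynamic sequences added (matches 998). `ra_blocked_peers()` lists the static peers that would hit the skip, which is the check to run before adding an L2L tunnel to an ASA that already terminates RA IPsec on the same interface.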
