
Difference between Dynamic map and Crypto map priority numbers?

KGrev
Level 4

Hi,

I'm trying to understand where/why the priority numbers come into play on the Dynamic maps and crypto maps.

For instance:

Here is a section currently on my ASA.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set pfs group19
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set ikev2 ipsec-proposal AES256 AES AES5_SHA5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside

The dynamic maps have a priority number for each entry. They are different. But then the Crypto map that the dynamic map will be a child of has a priority number that matches one of the dynamic maps. Was this on purpose or does it matter what the priority number is in relation to each other? Is the dynamic map with pfs group 19 currently active?

Thanks for any help!

1 Reply

In Cisco ASA, priority numbers are used to determine the order in which the dynamic maps and crypto maps are processed. The lower the priority number, the higher the precedence. This means that the maps with lower priority numbers will be evaluated first, and if a match is found, the corresponding settings will be applied.

In your configuration, there are two dynamic maps with priority numbers 65000 and 65535. The one with priority 65000 has higher precedence and will be evaluated first. It has PFS group19, IKEv2 ipsec-proposal, NAT-T disabled, and reverse-route enabled. If a match is found for this dynamic map, these settings will be applied.

If no match is found for the dynamic map with priority 65000, the ASA will proceed to evaluate the dynamic map with priority 65535. This dynamic map has PFS, IKEv1 transform-set, IKEv2 ipsec-proposal, NAT-T disabled, and reverse-route enabled. If a match is found for this dynamic map, these settings will be applied.

The crypto map "Outside_map" with priority 65535 is referring to the dynamic map "SYSTEM_DEFAULT_CRYPTO_MAP". This means that the crypto map will inherit the settings from the dynamic map based on the priority order mentioned above.

To answer your question, the dynamic map with PFS group 19 (priority 65000) will be active if a match is found for it. If no match is found, the ASA will proceed to evaluate the dynamic map with priority 65535. The priority numbers in relation to each other determine the order in which the maps are evaluated and the corresponding settings are applied.

In summary, the priority numbers are essential in determining the precedence of dynamic maps and crypto maps, and they help the ASA decide which settings to apply based on the order of evaluation.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members.
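Added example, not code from the thread or from Cisco: a small Python parser that reads ASA crypto lines like the ones quoted above and reports which dynamic-map entries a crypto map would consult, lowest sequence number first, plus which entries set an explicit PFS group versus bare `set pfs`. The function names are my own and `ASA_CONFIG` is a constructed sample that reproduces the question's configuration.

```python
import re
from collections import defaultdict

# Constructed sample input: the ASA lines quoted in the question above.
ASA_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set pfs group19
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set ikev2 ipsec-proposal AES256 AES AES5_SHA5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
"""

DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (\S+)(?: (.+))?$")
BIND_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")

def parse_asa_crypto(config):
    """Group 'set' attributes by (dynamic-map name, sequence) and record which
    crypto-map entry binds each dynamic map. Sequences are ints so sorting
    gives the numeric evaluation order the reply describes."""
    dyn = defaultdict(dict)   # (dyn_name, seq) -> {attribute: value}
    bindings = []             # (crypto_map, seq, dyn_name)
    for line in config.splitlines():
        if m := DYN_RE.match(line.strip()):
            name, seq, attr, value = m.groups()
            dyn[(name, int(seq))][attr] = value or ""   # bare 'set pfs' -> ""
        elif m := BIND_RE.match(line.strip()):
            bindings.append((m[1], int(m[2]), m[3]))
    return dict(dyn), bindings

def evaluation_order(config, crypto_map):
    """Dynamic-map entries consulted for crypto_map, lowest sequence first.
    Returns [(dyn_name, seq, settings_dict), ...]."""
    dyn, bindings = parse_asa_crypto(config)
    order = []
    for _, _, dyn_name in sorted(b for b in bindings if b[0] == crypto_map):
        for key in sorted(k for k in dyn if k[0] == dyn_name):
            order.append((key[0], key[1], dyn[key]))
    return order

def pfs_audit(config):
    """PFS group per entry; 'default' marks a bare 'set pfs' with no group named,
    which is worth reviewing against the explicit group19 entry."""
    dyn, _ = parse_asa_crypto(config)
    return {k: (v["pfs"] or "default") for k, v in dyn.items() if "pfs" in v}
```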