IPsec VPN not working after upgrade to 8.4.7

majedalanni
Level 1

Hi

Here is a small diagram of my firewalls:

LAN ---- FW(A) ----- S2S Tunnel ------- FW(B) ---- LAN
           |                              |
            -------- Cisco VPN needs to run --------

I used to run that VPN for more than three years with no issue, but after upgrading FW(A) from 8.2.5 to 8.4.7 I got the error message below:

Group = XXXX, Username = XXXX, IP = x..x.x.x, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

Please, does anybody have any clue about it and how I can solve it?

Mike

8 Replies

laramire2
Level 1

Hello Mike,

Basically, in older versions, when you hit a static crypto map and did not match it completely, the connection continued on to the dynamic crypto map. For that reason you could connect your IPsec clients before. A bug was opened about this vulnerability.

CSCuc75090 Bug Details

Crypto IPSec SA's are created by dynamic crypto map for static peers

Symptom:

When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto ACL at the main side. Those SAs are eventually matched and set up by the dynamic crypto map instance.

Conditions:

This was an intended design since day one that enabled customers to fall through in case the static crypto map didn't provide the needed crypto services.

The SA needs to be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

Workaround:

N/A

Meaning, if you are on the local network and would like to reach any host on the remote site, you could use the L2L tunnel that is already established with the remote peer. However, if you are on any other external network, you will need to use the VPN client to connect to the sites.

I hope this helps.

Luis.

But that bug should be resolved in 8.4.6; it looks like it is still there.

Mike,

That's correct. This is actually a vulnerability and it could be affecting your version as well.

Please let me know if you have any other question.

Luis.

dgierke
Level 1

I'm hitting the same issue. Do we have a workaround so that VPN still works from a remote site-to-site VPN connected office, so my users can still client VPN into the ASA at the HQ?

Do I just need to add an entry on my "crypto dynamic-map outside_dyn_map" for each remote office public IP that I have a site-to-site tunnel built to?

Hi,

Well, actually the main question is why you need to use the VPN client to connect to a remote site if you already have an L2L established with that site. Meaning, if you are located inside any of the VPN endpoints, you could use the L2L to reach the remote site. However, if you are on any other external network, you will be able to connect to any of the sites using the VPN client.

This is basically why Cisco created this vulnerability: it does not make sense to have multiple IPsec connections with the same peer. Then, if you need to allow more networks for the users, you just need to include them in the VPN traffic of the L2L.

Please let me know if you have any other question.

Luis.

I'm going to tell you why I need that remote VPN. I use that VPN to access all my networks from the HQ firewall, and I don't need my LAN clients to access the other networks too. My HQ network is like a star network, and only that VPN can access them all.

I did a static NAT so that, when trying to use the remote VPN, it hits the other firewall with a different IP from the tunnel's,

so you need to create a NAT from the inside interface to the outside interface with source NAT to any outside IP address other than the outside interface.

hope this helps

Mike
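The two posts above describe the same crypto map ordering on FW(B) (Luis: the static L2L entry is evaluated first, and since 8.4.6/8.4.7 a peer that matched it is no longer allowed to fall through to the dynamic map) and the workaround (Mike: make the client session arrive from a public address that is not the L2L peer address, so it never matches the static entry). The ASA 8.4 configuration below is an added example written for this thread; it is not configuration posted by Mike, Luis or Cisco. The object names, interface names, ACL name and the addresses (10.1.0.0/16 for the HQ LAN, 10.2.0.0/16 for the remote LAN, 198.51.100.1 for FW(B)'s outside address, 203.0.113.20 as the spare public address on FW(A)) are all assumptions for illustration.

```text
! ---- FW(B): crypto map order that causes the "Skipping dynamic map" message ----
! Sequence 10 is the static L2L entry with FW(A)'s outside address as peer.
! Sequence 65535 is the dynamic entry used by remote-access IPsec clients.
! A client whose source address equals the peer of sequence 10 is matched
! there first; on 8.4.6+ it is not allowed to continue to sequence 65535.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 match address L2L_TO_FWA
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! ---- FW(A): Mike's NAT workaround in 8.4 twice-NAT syntax (assumed values) ----
object network HQ_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.0.0
object network FWB_OUTSIDE
 host 198.51.100.1
object network CLIENT_PAT_IP
 host 203.0.113.20
! Rule 1: identity NAT for LAN-to-LAN traffic so it keeps using the static tunnel.
! Twice-NAT rules are evaluated in order, so this must sit above rule 2.
nat (inside,outside) 1 source static HQ_LAN HQ_LAN destination static REMOTE_LAN REMOTE_LAN
! Rule 2: only traffic addressed to FW(B)'s outside address (the IPsec client
! session itself, IKE UDP/500 and NAT-T UDP/4500) is PATed to the spare public
! address. FW(B) then sees peer 203.0.113.20, which matches no static crypto map
! entry, so the session is handled by the dynamic map as intended.
nat (inside,outside) 2 source dynamic HQ_LAN CLIENT_PAT_IP destination static FWB_OUTSIDE FWB_OUTSIDE
```

Check the result on FW(A) with `show nat detail` (rule 2 should show hits only when a client connects) and on FW(B) with `show crypto ikev1 sa`, where the client session should appear with the spare address as its peer while the L2L SA keeps FW(A)'s primary outside address. Rule 2 costs one public address, which is the trade-off Luis points out in the next reply.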

Hello Mike,

Thanks for the information!

That would be a good workaround, but it will depend on how many public IP addresses you have available, and also on whether you really want to spend one of those IP addresses for that access. Based on your requirements, I was thinking that you could use AnyConnect instead of the IPsec VPN client. I do not know how many users need to connect from your HQ to the remote site, but the ASA has 2 available SSL licenses that you could use. Since AnyConnect uses the SSL protocol, it will not cause any problems in your environment.

Below some information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

Hope this helps,

Luis.