cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1070
Views
5
Helpful
2
Replies

Static vs. Dynamic Crypto Map

J.W.S.
Level 1
Level 1

Hello Guys and Ladys, 

 

i have a simple question.....i think its simple for the professionals of this board.

So in my company we have like 220 VPN router, we´ve connected to a Cisco ASA 5525. 

We use IKEv2 and the peers are connected via LTE. 

 

So my question...s it better to use static oder dynamic crypto maps? 

Every peer has a different PSK, Network but they all have the same route. 

So we have some problems, that some routers cant rekey the SA and we have to reboot them. 

The ASA logs says, there is an Error with our dynamic Crypto-Map. 

Actually, we use dynamic crypto maps. 


So is there a chance to solve the problem or maybe get a better positon for the problem, if we use static crypto maps? 

What is the recommended method for our scenario? 

 

So thank you guys an wave a nice week. 

 

Stay healthy

2 Replies 2

@J.W.S. have you got DPD keepalives enabled to clear stale SAs?

 

Assuming your hub is the ASA, a dynamic crypto is the easiest /best solution on the ASA with a static crypto map on each of the routers. Bear in mind on newer 17.x code dynamic/static crypto maps have been depreciated.

 

Ideally the best solution is a route based VPN, use a router instead of the ASA as the hub, you could then run DMVPN or FlexVPN.

 

 

If you use dynamic then it ok and still you can use ipsec profile for each group of peer,

Some peer will enable pfs and other not run pfs and hence your issue is solve with one dymanic crypto and different many ipsec profiles.