04-12-2022 12:58 PM
Hello guys and ladies,
I have a simple question... I think it's simple for the professionals of this board.
So in my company we have about 220 VPN routers, which we've connected to a Cisco ASA 5525.
We use IKEv2 and the peers are connected via LTE.
So my question: is it better to use static or dynamic crypto maps?
Every peer has a different PSK and network, but they all have the same route.
We have some problems where some routers can't rekey the SA and we have to reboot them.
The ASA logs say there is an error with our dynamic crypto map.
Currently, we use dynamic crypto maps.
So is there a chance to solve the problem, or at least get into a better position with the problem, if we use static crypto maps?
What is the recommended method for our scenario?
So thank you guys, and have a nice week.
Stay healthy
04-12-2022 01:12 PM
@J.W.S. have you got DPD keepalives enabled to clear stale SAs?
Assuming your hub is the ASA, a dynamic crypto map is the easiest/best solution on the ASA, with a static crypto map on each of the routers. Bear in mind that on newer 17.x code dynamic/static crypto maps have been deprecated.
Ideally the best solution is a route-based VPN: use a router instead of the ASA as the hub, then you could run DMVPN or FlexVPN.
04-12-2022 01:16 PM
If you use a dynamic map then it is OK, and you can still use an IPsec profile for each group of peers.
Some peers will enable PFS and others will not run PFS, and hence your issue is solved with one dynamic crypto map and many different IPsec profiles.