!!warning:no traffic is selected in dynamic crypto map

manuscript1
Level 1

Hi I have an asa 55xx v9 or so ....

I also have a remote easy VPN - tunnel is up, operational, and my users are rampant in the joy of network connectivity.

However......I have the error !!warning:no traffic is selected in dynamic crypto map on my ASDM crypto map page.

Thought this would be easy by adding a traffic filter of source destination in the traffic selection, but doing so with the right networks

eg "local network remote network" in the filter, the easy VPN dies a horrible death. This is also true if I reverse my networks in the traffic filter.

Also someone else in my team tried any any in this dynamic filter and the firewall went into total meltdown, so won't do that in a hurry.

Anyone know if this is a "real" error - am I exposing my moth eaten underpants? Or is this "normal" when using easyvpn (ikev1) at the remote end ....

It's doing my head in!

any help will be like manna from the gods of networking ...........

Accepted Solutions

Rahul Govindan
VIP Alumni

Let me see if I can help :) So dynamic crypto maps were primarily meant to be for RA VPN solutions like the old Cisco IPsec VPN clients. But of course, as you have it configured and working, it can also be used for dynamic ezvpn spokes and takes some of the same characteristics as a remote client (mode config etc). The ASDM is unfortunately not so smart to understand this and is probably coded in such a way that anything under the Site to Site VPN section should have a crypto ACL to match traffic. This of course is not true, so you can safely ignore this message. Dynamic maps do not need to have a crypto ACL to match traffic because as a part of the dynamic nature of it, it should receive the proxies from the peer.

That being said, what is your ASDM version? There were a few bugs in the 7.5 and 7.6 releases that caused any any proxies to be added.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy60531

You might want to run 7.6(2) or later to avoid this.
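A way to check a saved ASA configuration for the situation discussed in this answer, written as an added example that is not part of the original post or Cisco's tooling. The sample configuration, the ACL and map names, and the status labels are constructed for illustration.

```python
import re

# Constructed sample of ASA running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
access-list EZVPN_ANY extended permit ip any any
access-list BRANCH_NETS extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.255.0
crypto dynamic-map DYN_EZVPN 10 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map DYN_EZVPN 20 match address EZVPN_ANY
crypto dynamic-map DYN_EZVPN 20 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map DYN_EZVPN 30 match address BRANCH_NETS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_EZVPN
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map\s+(\S+)\s+(\d+)\s+(.*)$")
MATCH_RE = re.compile(r"^match address\s+(\S+)")
ANY = {"any", "any4", "any6"}

def audit_dynamic_maps(config):
    """Return (map, seq, acl, status) for every dynamic crypto map entry."""
    any_any_acls = set()
    entries = {}  # (map name, sequence) -> crypto ACL name, or None
    for raw in config.splitlines():
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace:
            tokens = ace.group(2).split()
            # Source and destination are both wildcards: an any-any proxy.
            if len(tokens) >= 2 and tokens[0] in ANY and tokens[1] in ANY:
                any_any_acls.add(ace.group(1))
            continue
        dyn = DYN_RE.match(line)
        if dyn:
            key = (dyn.group(1), int(dyn.group(2)))
            entries.setdefault(key, None)
            matched = MATCH_RE.match(dyn.group(3))
            if matched:
                entries[key] = matched.group(1)
    report = []
    for (name, seq), acl in sorted(entries.items()):
        if acl is None:
            status = "no-acl"        # proxies come from the peer
        elif acl in any_any_acls:
            status = "any-any"       # the case that caused outages in this thread
        else:
            status = "specific-acl"  # review: static selector on a dynamic map
        report.append((name, seq, acl, status))
    return report

if __name__ == "__main__":
    for row in audit_dynamic_maps(SAMPLE_CONFIG):
        print(row)
```

Entries reported as `no-acl` are the ones that trigger the ASDM warning and need no change.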


4 Replies

Thank You Rahul

That's a relief, I have tied myself in knots with this. We are on ASDM 7.6.1

Many, many thanks sir!

I had this issue after I upgraded from 8.6 to 9.8 (asa5505 to asa5506x).

Saw the warning and decided to add the any-any ACL, ouch, big mistake.

Thanks a lot!

Just a note, I am still seeing this warning message in ASDM 7.16(1). Thank you for posting the solution to safely ignore this.