Comment
Author: Admin | 2025-04-27
Is done upon configuration and is considered static, remaining in place until the configuration changes or is removed. Furthermore, whenever an RRI route is configured with same destination for which a static route already exist, the existing static route is discarded and the RRI route is installed. The ASA automatically adds static routes to the routing table and announces these routes to its private network or border routers using OSPF. Do not enable RRI if you specify any source/destination (0.0.0.0/0.0.0.0) as the protected network, because this will impact traffic that uses your default route. If dynamic is specified, routes are created upon the successful establishment of IPsec security associations (SA's) and deleted after the IPsec SA's are deleted. You cannot configure a dynamic crypto map with the same name as a static crypto map and vice versa, even if one of the crypto maps is not actually in use. Note Dynamic RRI applies to IKEv2 based static crypto maps only. [no] crypto map name priority set validate-icmp-errors OR [no]crypto dynamic-map name priority set validate-icmp-errors Specifies whether incoming ICMP error messages are validated for the cryptography or dynamic cryptography map. [no] crypto map set df-bit [clear-df | copy-df | set-df} OR [no] crypto map dynamic-map set df-bit [clear-df | copy-df | set-df] Configures the existing do not fragment (DF) policy (at a security association level) for the cryptography or dynamic cryptography map. clear-df—Ignores the DF bit. copy-df—Maintains the DF bit. set-df—Sets and uses the DF bit. [no] crypto map set tfc-packets
Add Comment