ASA Dynamic Crypto map

Similar Messages

• Crypto map entry is incomplete

  Hi
  This is my config below. The error i am recieving is crypto map entry is incomplete. Can someone please take a look and let me know.  Thank you
  ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
  WARNING: The crypto map entry is incomplete!
  ASA(config)# show run
  : Saved
  ASA Version 8.4(4)1
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.2 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network net-local
  subnet 10.10.10.20 255.255.255.0
  object network net-remote
  subnet 10.10.3.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.
  10.3.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (any,any) source static net-local net-local destination static net-remote ne
  t-remote
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 96.145.68.82
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.10.10.22-10.10.10.231 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 81.141.29.69 type ipsec-l2l
  tunnel-group 81.141.29.69 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
  : end
  ASA(config)#

  Hi,
  You lack a "transform-set" configuration from the "crypto map" line.
  For example
  Create the IKEv1 Transform set
  crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
  and
  Use it in the VPN configuration
  crypto map outside_map 1 set ikev1 transform-set AES
  The values ofcourse depend on the your own preference
  Hope this helps
  - Jouni

• Site to Site VPN working without Crypto Map (ASA 8.2(1))

  Hi All,
  Found a strange situation on our ASA5540 firewall :
  We have couple Site to Site VPNs and also enable cleint VPN on the ASA, all are working fine. But found a Site to Site VPN is up and running without crypto map configuration. Is it possible ?
  I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
  I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
  How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
  Is it the bug ?
  Thanks in advance,

  It might be an easy vpn setup.
  Could you post a running config output remove any sensitive info.  This could help us answer your question more exactly.

• Crypto Map Dynamic IP Reconnection Issues

  Hello,
  We are connecting using at each remote site a Cisco 837 router with a ISDN modem as a passthrough to a PIX Firewall.
  Each time the ISDN connection drops the Cisco box either requires a reboot or the crypto map to be restarted before anyone can connect through to the PIX. Has anyone got any ideas please?
  Many Thanks
  Mark

  It'll be because the PIX doesn't recognise that the tunnel has gone down, and therefore still tries the old tunnel and nothing works, until you reboot the PIX or clear down the tunnels. All this does is make the PIX build new tunnels and everything works.
  You need to enable ISAKMP keepalives on both ends so that they'll determine that the other end has gone down and reset their own tunnels, allowing new ones to be built.
  Use:
  crypto isakmp keepalive 30
  on the router, and:
  isakmp keepalive 30
  on the PIX and they'll send keepalives every 30 seconds then and quickly know if the other end has died.

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• Cisco 5520: removed crypto map still in effect

  so i typoed a command: "crypto map Map1 7"... instead of "crypto map Map1 70".
  I cleared the Map1 7 entries, and added the correct entries in Map1 70.
  I cleared all of the vpn sessions:
  no crypto map Map1 int outside
  cl ips sa
  cl isa sa
  Now, however, whenever I try to ping the remote network from the inside interface, it seems to read the Map1 7 policy instead of Map1-70.
  Is there anyway to clear the Map1 7 entries from memory? I'm trying to avoid rebooting the firewall.
  Thanks,
  Jeff
  But when I try

  With ASA you need the "clear configure" command to remove a crypto map sequence number
  clear configure crypto map map-name seq-num
  (in configuration mode)

• WARNING: This crypto map is incomplete

                  Hi ,
    i have ASA with 4 l2l vpn configured. as now am trying to configure new VPN tunnel; while configuring of crypto map set match add its giving me
  error like ... WARNING: This crypto map is incomplete
    as i have read all the discussion from forms its not effecting ; request you to please help
  Thanks
  Gajendra

  Hi,
  This is a normal message and just tells you that you have not yet entered all the "crypto map" commands related to this new connection to make the configuration complete
  You will essentially have to make sure that you have ATLEAST the following lines configured
  crypto map match address
  crypto map set peer
  crypto map set ikev1 transform-set
  The "transform-set" part might NOT need the "ikev1" depending on your ASAs software level.
  - Jouni

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

  Hi!
  I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
  I'm in process of migrating some VPN tunnels with  from a Cisco router to an ASA, everything will keep the same but just the peering IP address. However, some of the tunnel was being torn down since it request for a proxy doesn't match the one configured on our side. And the remote peer said there is no such issue on the previous platform, but now they need to reset the tunnel from time to time.
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
  The remote peer said they did not change the proxy id on their side so it is possibly the old platform will just not setting up the SA without torn down the tunnel while the ASA on the new platform will torn down if there is any mismatch.
  Anyway I have requested the remote side to remove those unmatched entried to avoid the tunnel being torn down, but if there any configuration that is related to this issue? i.e. Just bring up the SA with matched addresses and ignore others, instead of torn down the tunnel.
  Thanks!!
  //Cody

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Troubles using VRF-aware IPsec w/ crypto maps

  I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
  So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
  What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
  https://supportforums.cisco.com/docs/DOC-13524
  Please see the attached config files and the setup drawing.
  This is the way I'm testing it:
  C2951#sh deb
  Cryptographic Subsystem:
    Crypto ISAKMP debugging is on
  C2951#
  C2951#ping vrf test 10.0.0.1 source lo 1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
  Packet sent with a source address of 40.0.0.1
  Success rate is 0 percent (0/5)
  C2951#
  Any hints for me, please?

  There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
  C2951#sh crypto ipsec sa
  interface: GigabitEthernet0/0
      Crypto map tag: OUR-MAP, local addr 30.0.0.2
     protected vrf: test
     local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
     current_peer 20.0.0.1 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
       current outbound spi: 0xEB02ACDA(3942821082)
       PFS (Y/N): Y, DH group: group5
       inbound esp sas:
        spi: 0x1A943A9F(445921951)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225929/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0xEB02ACDA(3942821082)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225928/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       outbound ah sas:
       outbound pcp sas:
  C2951#sh ip route 10.0.0.0
  % Network not in table
  C2951#sh ip route vrf test 10.0.0.0
  Routing Table: test
  Routing entry for 10.0.0.0/24, 1 known subnets
  S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

• VRF Aware Crypto Map

  Hi,
  I´ve a VPN Router with VRF´s for every customer and also for the Internet Connection.
  On the Router run many DMVPN´s and Static VTI.
  Now I must configure a new VPN based on a crypto map.
  I´ve read that it´s impossible to termnate a crypto map an a VTI on the same physical interface.
  So I´ve installed a new physical interface to terminate the crypto map.
  This are the configuration which insert to the running configuration:
  crypto keyring KEYRING-Customer vrf OUTSIDE_CM
  pre-shared-key address a.b.c.d key KEY
  crypto isakmp policy 100
  encr aes 256
  hash sha1
  group 14
  authentication pre-share
  ip access-list exten ACL-Customer
  10 permit ip 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
  crypto isakmp profile Customer
  keyring KEYRING-Customer
  match identity address a.b.c.d 255.255.255.255 OUTSIDE_CM
  local-address Gig0/0
  vrf Customer
  crypto map CMAP 10 ipsec-isakmp
  set peer a.b.c.d
  set transform-set AES256
  set isakmp-profile Customer
  match address ACL-Customer
  set pfs group14
  int gig0/0
  vrf forwarding Customer
  ip address 1.2.3.4 255.255.255.0
  crypto map CMAP
  But I see nothing on the router. Whit debug crypto isakmp i can´t see any traffic for this VPN.
  Where is my mistake ?
  The OUTSIDE_CM VRF ist the VRF for WWW traffic.
  The Customer VRF ist the Customer LAN.
  Many Thanks
  BR Martin

  Marcin,
  the reason why I don´t use VTI in this case is very simple. I transfer the old VPN from a PIX and im not shure
  if it possible to run this VPN with VTI, because the other side is not configured from us.
  An it´s not a cisco device. What do you think....  When I´ve try to use a VTI, how the other side is checking the Crypto map ? Because, normaly, when a ASA for Example builds a VPN the device´s check which crypto map is configured on the other side and if the crypto map isn´t idetical, the VPN doesn´t came up.....
  Thank´s for your help. It´s my first Router with VPN´s. Normally I use ASA´s. But I think with a router we are more flexible... QoS, OSPF etc....
  BR M

• Crypto map incomplete

  I have PIX 515 and trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110 than the crypto map mymap 20 ipsec-isakmp no problem. than the crypto map mymap 20 match address 101 I get error message Crypto map incomplete. Why am I getting this error and how do I get around it. Thanks.

  Yes I have an Incomplete.
  crypto ipsec transform-set tr-set esp-des esp-md5-hmac
  crypto dynamic-map dynmap 10 set transform-set tr-set
  crypto dynamic-map dynmap 15 set transform-set tr-set
  crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilo
  bytes 4608000
  crypto map mymap 10 ipsec-isakmp
  crypto map mymap 10 match address 101
  crypto map mymap 10 set peer 70.106.123.11
  crypto map mymap 10 set transform-set tr-set
  crypto map mymap 15 ipsec-isakmp
  crypto map mymap 15 match address 105
  crypto map mymap 15 set peer 67.100.146.217
  crypto map mymap 15 set transform-set tr-set
  crypto map mymap 20 ipsec-isakmp
  ! Incomplete
  crypto map mymap 6335 ipsec-isakmp dynamic dynmap
  crypto map mymap interface outside

• VPN BACKUP and CRYPTO MAP

  Currently I have a VPN site to site and the company acquired a new internet service. I would like to configure vpn so if the internet service had any fault will activate the tunnel through the new service. I searched the Internet and found to be added to the new peer crypto map.
  This is the configuration of the router:
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key cisco1234 address 1.1.1.1
  crypto isakmp key cisco1234 address 2.2.2.2
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to a sucursal
  set peer 1.1.1.1
  set peer 2.2.2.2
  set transform-set ESP-3DES-SHA
  set pfs group1
  match address 100
  When a test is done through the SDM gives me the message "The Following peer (s) do not have a pre shared key configured" 2.2.2.2.
  I think the solution is this line:
  crypto isakmp key address 2.2.2.2 cisco1234
  and not because he throws such error.

  Hello,
  This is possible only for LAN-to-LAN tunnels. If you are using remote VPN clients or any other VPN such as AnyConnect it is not possible.
  If this is a site to site tunnel you just need to add a route point traffic for the remote network through the outside-backup ISP.
  Example:
                      ISP1----------------------------
  PC --- ASA === Site to Site tunnel === ASA/Router ---- Remote VPN client  10.10.10.10
                      ISP2-----------------------------
  route outside 0.0.0.0 0.0.0.0 ISP1
  route backup 10.10.10.10.0 255.255.255.0 ISP2
  Regards,
  Juan Lombana
  Please rate helpful posts.

• Dynamic value mapping

  hi,
  can u plz explain about Dynamic value mapping and where it actually use this
  thanks
  guna

  Hi ,
  Dynamic value mapping.is nothing but
  It is FixValues and ValueMapping under Conversion Functions.
  Eg:
  You need such a requirement. Where the values in the source are mapped to someother value in the target as below.
  1--> Mr
  2--> MS
  3--> MRS
  FixValues is used when you know the entire set of Key value pair in the Design Time. You give the Key and the value in the FixValues and the mapping checks and maps the values to the target.
  In the case of Value mapping, you maintain this Key - Value pair in the Integration Directory and thereby make changes easily and also use them in the Mapping in IR
  Refer These blogs
  ValueMapping using the Graphical Mapping Tool -value mapping using grapic mapping tool
  Value Mapping replication - value mapping replication
  Accessing Value Mapping defined in Directory using Java functions - accesing value mapping
  Dynamic Date Conversion in Message Mapping - dynamic date conversion
  Dynamic Configuration of Some Communication Channel Parameters using Message Mapping - dynamic confighuration
  Dynamic file name(XSLT Mapping with Java Enhancement) using XI 3.0 SP12 Part -II - dynamic file name
  and also
  Refer this link
  http://help.sap.com/saphelp_nw2004s/helpdata/en/d7/e551cf896c3a49bb87bb4ce38c99c8/frameset.htm - external context mapping
  Regards,
  Suryanarayana

• Dynamic Tempo Mapping In Audition CC

  Hello Adobe,
  I've seen various forum postings about this in the past, but nothing very recently.  I just downloaded the latest version of Audition CC.  It looks great, a lot of cool new features, but I wanted to reiterate on past postings that dynamic tempo mapping functionality would be extremely useful.  It doesn't need to be anything too fancy.  Just need to be able to tell Audition that after 30 bars of 4/4 at 120 bpm, I'd like the metronome and bars/beats display to change to 3/4 at 130 bpm etc.
  Just want to bump this back onto your radar.  Thanks.
  -Brendan

  I've used the Ozone with Audition in the past (we're talking about the keyboard/audio combo device, right?) and it's been fine.  If you're seeing the playhead move and the level meters update when attempting to play through it, that means the communication should be there.
  Any chance you can show us screenshots of the "Audio Hardware" and "Audio Channel Mapping" panels in the preferences dialog?  That might help get started.