[ERR]crypto map WARNING: This crypto map is incomplete

Answered Question
May 29th, 2008

I have a PIX 501 ver 6.3(5). When I set up a VPN I get this error message:

WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.

although it seems fine in the sh conf command,

but the tunnel is not started.

When I review the log I find:

sa_request,ISAKMP Phase 1 exchange started

Jon Marshall Thu, 05/29/2008 - 17:58

[ERR]crypto map WARNING: This crypto map is incomplete

This is nothing to worry about if, when you do a "sh crypto map", you don't get the error. It is just an annoying configuration message: when you create a crypto map it prompts you to add a peer and an access-list, which you were going to do anyway :-).

If, however, this still shows when you run "sh crypto map", you have probably missed a part of the config.

Jon

waaelnady Sat, 05/31/2008 - 23:27

Thanks for your reply,

but there is no traffic between the hosts yet.

Any ideas what is causing problems with this tunnel?

When I check the log I see:

sa_request

ISAKMP Phase 1 exchange started

ISAKMP Phase 1 retransmission

Jon Marshall Sun, 06/01/2008 - 01:51

Can you try some debugging on the PIX, i.e.

debug crypto isa

debug crypto ipsec

and post the output.

Jon

utkarsh.vijay.sawant Sun, 06/01/2008 - 05:20

Kindly send the outputs of the following show commands for troubleshooting:

sh run isakmp

sh run crypto ipsec

sh run crypto map

waaelnady Mon, 06/02/2008 - 05:18

I could successfully establish a VPN with another Cisco 501 6.3 FW,

but I still can't fix my dilemma with the one that connects to a Huawei Eudemon 500.

sh isakmp

PIX Version 6.3(5)

interface ethernet0 10full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1

access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2

access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1

access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map outside_map 100 ipsec-isakmp

crypto map outside_map 100 match address outside_cryptomap_100

crypto map outside_map 100 set peer remote peer

crypto map outside_map 100 set transform-set ESP-3DES-SHA

crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

sh crypto map

Crypto Map: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 100 ipsec-isakmp

Peer = remote peer

access-list outside_cryptomap_100; 2 elements

access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)

access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)

Current peer: remote peer

Security association lifetime: 1843200 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ ESP-3DES-SHA, }

Crypto Map: "set" interfaces: { }

waaelnady Tue, 06/10/2008 - 00:11

Any ideas for this?

I thought that if I could start the tunnel manually it would help.

How do I use manual key negotiation, if it is supported by the PIX 501?

Farrukh Haroon Tue, 06/10/2008 - 05:28

I already posted on the other thread; manual IKE is not supported on the 501 AFAIK. Can you please post the output of:

debug crypto isakmp

debug crypto ipsec

debug crypto engine

Regards

Farrukh

waaelnady Thu, 06/12/2008 - 05:31

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 31

ISAKMP (0): Total payload length: 35

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1 (0)...

ISADB: reaper checking SA 0xb6a704, conn_id = 0

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

ISAKMP (0): retransmitting phase 1 (3)...

ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= MY FW IP, remote= Remote FW IP,

local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),

remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)

ISAKMP (0): deleting SA: src MY FW IP, dst Remote FW IP

ISADB: reaper checking SA 0xb6a704, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for Remote FW IP/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= MY FW IP, remote= Remote FW IP,

local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),

remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)

Correct Answer
Farrukh Haroon Thu, 06/12/2008 - 05:54

Put the following command on the PIX and try again:

isakmp identity address

Also please double check the pre-shared keys on both ends (make sure there are no spaces).

If it still does not work, please post log of

debug crypto isakmp 127

Regards

Farrukh
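As an added example (not code from the thread or from Cisco), the script below parses the kind of `debug crypto isakmp` output posted above and reports which Phase 1 milestone the negotiation stalled at, so the accepted answer's fix (`isakmp identity address` plus a PSK re-check) can be confirmed from a log instead of guessed; the sample lines, IP addresses and result labels are constructed.

```python
# Added example (not from the thread or Cisco): triage a PIX 6.x
# 'debug crypto isakmp' capture for a stalled IKE Phase 1 and name the
# next check. The sample is constructed to mirror the posted debug lines.
import re

SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): deleting SA: src 192.0.2.1, dst 198.51.100.1
"""
ID_TYPE_RE = re.compile(r"using id type (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 \(\d+\)")

def parse_phase1(debug_text):
    """Reduce the debug lines to the Phase 1 milestones they show."""
    st = {"proposal_ok": False, "id_type": None, "ke_nonce_seen": False,
          "retransmits": 0, "sa_deleted": False}
    for line in debug_text.splitlines():
        if (m := ID_TYPE_RE.search(line)):
            st["id_type"] = m.group(1)      # identity the PIX will present
        elif "atts are acceptable" in line:
            st["proposal_ok"] = True         # Phase 1 policy matched
        elif "processing NONCE payload" in line:
            st["ke_nonce_seen"] = True       # peer answered through KE/nonce
        elif RETRANS_RE.search(line):
            st["retransmits"] += 1           # our last message went unanswered
        elif "deleting SA" in line:
            st["sa_deleted"] = True          # PIX gave up on this negotiation
    return st

def diagnose(st):
    """Map the milestones to the check a troubleshooter should run next."""
    if st["retransmits"] == 0 and not st["sa_deleted"]:
        return "phase1-complete"       # nothing stalled here; look at Phase 2
    if not st["proposal_ok"]:
        return "no-proposal-accepted"  # reachability/UDP 500, or 'isakmp policy'
    if not st["ke_nonce_seen"]:
        return "stalled-before-ke"     # policy accepted, then the peer stopped replying
    # Policy matched and KE/nonce completed, then the peer went silent at the
    # identity/hash step. With pre-shared keys and an ID_FQDN identity this is
    # the thread's case: set 'isakmp identity address' and re-check the PSKs.
    return "identity-or-psk" if st["id_type"] == "ID_FQDN" else "psk"
```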

waaelnady Tue, 06/17/2008 - 06:16

Man, you are a genius, it worked.

I tried this command a few days ago from the SSH console but it did nothing; I don't know why. Later I read IKE troubleshooting and found the same command, tried it from the PIX interface, and it worked.

Only one last thing: how do I change between aggressive and main mode?

Farrukh Haroon Tue, 06/17/2008 - 06:59

Dear Wael, I'm glad you have it working now :)

I'm not aware of any such command on the PIX 6.x. On 7.x and above you can use this command:

crypto isakmp am-disable

Regards

Farrukh
