05-29-2008 03:01 AM - edited 03-09-2019 08:47 PM
I have a PIX 501 ver 6.3(5). When I set up the VPN I get this error message:
WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map.
Although it seems fine in the sh conf command output, the tunnel is not started.
When I review the log I find:
sa_request, ISAKMP Phase 1 exchange started
05-29-2008 05:58 PM
[ERR]crypto map WARNING: This crypto map is incomplete
This is nothing to worry about if, when you do a "sh crypto map", you don't get the error. It is just an annoying configuration message: when you create a crypto map it prompts you to add a peer and an access-list, which you were going to do anyway :-).
If, however, this still shows when you run "sh crypto map", you have probably missed a part of the config.
Jon
05-31-2008 11:27 PM
Thanks for your reply, but there is no traffic between the hosts yet.
Any ideas what is causing problems with this tunnel? When I check the log I see:
sa_request
ISAKMP Phase 1 exchange started
ISAKMP Phase 1 retransmission
06-01-2008 01:51 AM
Can you try some debugging on the PIX, i.e.
debug crypto isa
debug crypto ipsec
and post the output.
Jon
06-01-2008 05:20 AM
Kindly send the outputs of the following show commands for troubleshooting:
sh run isakmp
sh run crypto ipsec
sh run crypto map
06-02-2008 05:18 AM
I could successfully establish a VPN with another Cisco 501 6.3 firewall,
but I still can't fix my dilemma with the Huawei Eudemon 500 I connect to.
sh isakmp
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elements
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { }
06-10-2008 12:11 AM
Any ideas for this?
I thought that if I could start the tunnel manually it would help.
How do I use manual key negotiation, if it is supported by the PIX 501?
06-10-2008 05:28 AM
I already posted on the other thread. Manual IKE is not supported on the 501 AFAIK. Can you please post the output of:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Regards
Farrukh
06-12-2008 05:31 AM
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 31
ISAKMP (0): Total payload length: 35
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISADB: reaper checking SA 0xb6a704, conn_id = 0
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= MY FW IP, remote= Remote FW IP,
local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)
ISAKMP (0): deleting SA: src MY FW IP, dst Remote FW IP
ISADB: reaper checking SA 0xb6a704, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for Remote FW IP/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= MY FW IP, remote= Remote FW IP,
local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)
06-12-2008 05:54 AM
Put the following command on the PIX and try again:
isakmp identity address
Also please double check the pre-shared keys on both ends (make sure there are no spaces).
If it still does not work, please post log of
debug crypto isakmp 127
Regards
Farrukh
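The debug output posted above and the fix suggested in this reply go together: the PIX reports that it is authenticating "using id type ID_FQDN", the exchange then stalls after the KE/NONCE payloads and phase 1 is retransmitted until the SA is deleted, and switching the identity to the interface address resolves it. The following is an added example, not code from this thread or from Cisco: a small Python triage helper that reads `debug crypto isakmp` text of this shape and maps what it sees to the checks the replies recommend (policy match, identity type, pre-shared key). The sample debug text is constructed from the posted output with documentation addresses substituted for the real peers, and the numeric ID-type table is the one from RFC 2407; the line patterns it matches are only the ones visible on this page.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" output posted in
# the thread; 192.0.2.1 / 203.0.113.2 are documentation addresses, not the
# poster's real peers.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:203.0.113.2, dest:192.0.2.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 31
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
ISAKMP (0): deleting SA: src 192.0.2.1, dst 203.0.113.2
"""

# ISAKMP identification types, RFC 2407 section 4.6.2.1 (subset).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 11: "ID_KEY_ID"}

MODE_RE = re.compile(r"beginning (Main|Aggressive) Mode exchange")
AUTH_ID_RE = re.compile(r"using id type (ID_\w+)")
PAYLOAD_RE = re.compile(r"processing (\w+) payload")
ID_TYPE_NUM_RE = re.compile(r"^\s*type\s*:\s*(\d+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 \((\d+)\)")


def parse_isakmp_debug(text):
    """Pull the phase 1 facts that matter for triage out of the debug text."""
    f = {"mode": None, "auth_id_type": None, "atts_acceptable": False,
         "payloads": [], "id_payload_type": None, "retransmits": 0,
         "sa_deleted": False}
    in_id_payload = False
    for line in text.splitlines():
        if m := MODE_RE.search(line):
            f["mode"] = m.group(1)
        if m := AUTH_ID_RE.search(line):
            f["auth_id_type"] = m.group(1)
        if "atts are acceptable" in line:
            f["atts_acceptable"] = True
        if m := PAYLOAD_RE.search(line):
            f["payloads"].append(m.group(1))
        if "ID payload" in line:
            in_id_payload = True            # the "type : N" line follows
        elif in_id_payload and (m := ID_TYPE_NUM_RE.match(line)):
            f["id_payload_type"] = ID_TYPES.get(int(m.group(1)), "unknown")
            in_id_payload = False
        if m := RETRANS_RE.search(line):
            f["retransmits"] = int(m.group(1)) + 1   # counter starts at (0)
        if "deleting SA" in line:
            f["sa_deleted"] = True
    return f


def triage(f):
    """Map the parsed facts to the checks the thread's replies recommend."""
    notes = []
    if not f["atts_acceptable"]:
        notes.append("no acceptable proposal: compare 'isakmp policy' "
                     "(encryption/hash/group/auth/lifetime) on both peers")
        return notes
    got_ke = "KE" in f["payloads"] and "NONCE" in f["payloads"]
    stalled = f["retransmits"] >= 3 and f["sa_deleted"]
    if got_ke and stalled:
        notes.append("phase 1 stalled after KE/NONCE: the peer is not accepting "
                     "the identity/authentication message")
        if f["auth_id_type"] != "ID_IPV4_ADDR":
            notes.append(f"local identity is {f['auth_id_type']}; if the peer "
                         "keys on the address, set 'isakmp identity address'")
        notes.append("re-enter the pre-shared key on both ends (no stray spaces)")
    elif stalled:
        notes.append("no reply to the first message: check reachability and "
                     "UDP/500 filtering between the peers")
    return notes


if __name__ == "__main__":
    for note in triage(parse_isakmp_debug(SAMPLE_DEBUG)):
        print("-", note)
```

Feed it the saved output of `debug crypto isakmp` (or `debug crypto isakmp 127` as asked for above) instead of `SAMPLE_DEBUG`; the point of the split between "no acceptable proposal" and "stalled after KE/NONCE" is that the first is a policy mismatch visible before any keying happens, while the second, the case in this thread, only shows up at the identity/authentication step and so points at the identity type or the pre-shared key rather than at the transform set.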
06-17-2008 06:16 AM
Man, you are a genius, it worked!
I had tried this command a few days ago from the SSH console but it did nothing; I don't know why. Later I read the IKE troubleshooting guide and found the same command; I tried it from the PIX interface and it worked.
Only one last thing: how do I change between aggressive and main mode?
06-17-2008 06:59 AM
Dear Wael, I'm glad you have it working now :)
I'm not aware of any such command on the PIX 6.x. On 7.x and above you can use this command:
crypto isakmp am-disable
Regards
Farrukh