Incomplete cryptomap - What is that mean

Unanswered Question

Having problem with site to site vpn, ISAKMP is thru but IPSEC can't work.

Debug shown incomplete cryptomap, what is that mean ??


Nov 3 20:00:15.794: ISAKMP (0:1): Node 1586382279, Input = IKE_MESG_INTERNAL, IKE_INIT_QM


Nov 3 20:00:15.794: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1


Nov 3 20:00:16.078: ISAKMP (0:1): received packet from 204.187.87.190 dport 500 sport 500 blackberry.net (I) QM_IDLE


Nov 3 20:00:16.082: ISAKMP: set new node -946320085 to QM_IDLE


Nov 3 20:00:16.082: ISAKMP (0:1): processing HASH payload. message ID = -946320085


Nov 3 20:00:16.082: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3


spi 825141234, message ID = -946320085, sa = 63A84278


Nov 3 20:00:16.082: ISAKMP (0:1): deleting spi 825141234 message ID = 1586382279


Nov 3 20:00:16.082: ISAKMP (0:1): deleting node 1586382279 error TRUE reason "delete_larval"


Nov 3 20:00:16.082: ISAKMP (0:1): deleting node -946320085 error FALSE reason "informational (in) state 1"


Nov 3 20:00:16.082: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY


Nov 3 20:00:16.082: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE



Nov 3 20:00:36.997: ISAKMP (0:1): purging node -570089380


Nov 3 20:00:36.997: ISAKMP (0:1): purging node -1975034219


Nov 3 20:00:38.137: %OSPF-5-ADJCHG: Process 1, Nbr 172.18.49.4 on FastEthernet0/1.1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions


Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap


Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap


Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Mon, 11/03/2008 - 07:30
User Badges:
  • Green, 3000 points or more

It means you're probably missing something in your config. Could you post it for us?

des.mckee Mon, 11/03/2008 - 08:31
User Badges:

Usually i think this is the acl missing from the crypto map - double check you have the match address command typed correctly.


Thanks


francisco_1 Mon, 11/03/2008 - 08:36
User Badges:
  • Gold, 750 points or more

you are getting Too many retransmissions for ospf. suggest mtu problem. i would change and make sure mtu match.


Franco

ajagadee Mon, 11/03/2008 - 10:13
User Badges:
  • Cisco Employee,

Hi,


Problem - WARNING: crypto map entry will be incomplete


When you enter this command, you can get the error message as shown in the output.


ciscoasa(config)#crypto map mymap 20 ipsec-isakmp

WARNING: crypto map entry will be incomplete


Solution:


This is a usual warning when you define a new crypto map, a reminder that parameters such as access-list (match address), transform set and peer address must be configured before it can work. It is also normal that the first line you type in order to define the crypto map does not show in the configuration.


Please refer the below URL for additional information.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml


Regards,

Arul


*Pls rate if it helps*

Actions

This Discussion