11-03-2008 07:05 AM
Having problem with site to site vpn, ISAKMP is thru but IPSEC can't work.
Debug shown incomplete cryptomap, what is that mean ??
Nov 3 20:00:15.794: ISAKMP (0:1): Node 1586382279, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 3 20:00:15.794: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 3 20:00:16.078: ISAKMP (0:1): received packet from 204.187.87.190 dport 500 sport 500 blackberry.net (I) QM_IDLE
Nov 3 20:00:16.082: ISAKMP: set new node -946320085 to QM_IDLE
Nov 3 20:00:16.082: ISAKMP (0:1): processing HASH payload. message ID = -946320085
Nov 3 20:00:16.082: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 825141234, message ID = -946320085, sa = 63A84278
Nov 3 20:00:16.082: ISAKMP (0:1): deleting spi 825141234 message ID = 1586382279
Nov 3 20:00:16.082: ISAKMP (0:1): deleting node 1586382279 error TRUE reason "delete_larval"
Nov 3 20:00:16.082: ISAKMP (0:1): deleting node -946320085 error FALSE reason "informational (in) state 1"
Nov 3 20:00:16.082: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 3 20:00:16.082: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 3 20:00:36.997: ISAKMP (0:1): purging node -570089380
Nov 3 20:00:36.997: ISAKMP (0:1): purging node -1975034219
Nov 3 20:00:38.137: %OSPF-5-ADJCHG: Process 1, Nbr 172.18.49.4 on FastEthernet0/1.1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap
Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap
Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap
11-03-2008 07:30 AM
It means you're probably missing something in your config. Could you post it for us?
11-03-2008 08:31 AM
Usually i think this is the acl missing from the crypto map - double check you have the match address command typed correctly.
Thanks
11-03-2008 08:36 AM
you are getting Too many retransmissions for ospf. suggest mtu problem. i would change and make sure mtu match.
Franco
11-03-2008 10:13 AM
Hi,
Problem - WARNING: crypto map entry will be incomplete
When you enter this command, you can get the error message as shown in the output.
ciscoasa(config)#crypto map mymap 20 ipsec-isakmp
WARNING: crypto map entry will be incomplete
Solution:
This is a usual warning when you define a new crypto map, a reminder that parameters such as access-list (match address), transform set and peer address must be configured before it can work. It is also normal that the first line you type in order to define the crypto map does not show in the configuration.
Please refer the below URL for additional information.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Regards,
Arul
*Pls rate if it helps*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide