Crypto Map Incomplete

Unanswered Question
Oct 30th, 2009

Hi, I created one site-to-site tunnel, but one of the already created tunnels has broken.

before creating the tunnel

crypto map VPN 95 ipsec-isakmp

! Incomplete

after creating the tunnel

crypto map VPN 60 ipsec-isakmp

! Incomplete

crypto map VPN 95 ipsec-isakmp

! Incomplete

I don't know the reason why it happened, or whether the above 2 lines are responsible or not.

Please suggest.

I found this one in Cisco:

Every static crypto map must define an access list and an IPsec peer. If either is missing, the crypto map is incomplete and the security appliance drops any traffic that it has not already matched to an earlier, complete crypto map. Use the show conf command to ensure that every crypto map is complete. To fix an incomplete crypto map, remove the crypto map, add the missing entries, and reapply it.

We discourage the use of the any keyword to specify source or destination addresses in crypto access lists because they cause problems. We strongly discourage the permit any any command statement because it does the following:

• Protects all outbound traffic, including all protected traffic sent to the peer specified in the corresponding crypto map.

• Requires protection for all inbound traffic.

I created this access list too:

access-list incoming permit ip host any

What may be the reason that the other tunnel went off?

Please tell me the troubleshooting steps too (without using debug commands).


Patrick0711 Fri, 10/30/2009 - 12:16

Each static crypto map entry should have a peer IP Address as well as an access-list that defines interesting traffic.

Removing an access-list that was referenced in a crypto map will cause an incomplete crypto map.
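The completeness rule discussed in this thread (every static crypto map entry needs a peer and an access list that still exists) can be checked offline against saved `show conf` output. The script below is an added example, not part of the original posts or of any Cisco tool; it assumes the flat one-line-per-setting syntax (`crypto map <name> <seq> match address <acl>` and `set peer <ip>`), and the sample configuration is constructed.

```python
import re
# Constructed sample (documentation-range addresses), not taken from the thread.
SAMPLE_CONFIG = """\
access-list vpn-siteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map VPN 40 match address vpn-siteA
crypto map VPN 40 set peer 192.0.2.10
crypto map VPN 60 match address vpn-siteB
crypto map VPN 60 set peer 192.0.2.20
crypto map VPN 95 ipsec-isakmp
crypto map VPN 95 set peer 192.0.2.30
crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def audit_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for incomplete static entries."""
    acls, entries = set(), {}
    for line in config.splitlines():
        words = line.split()
        if len(words) > 1 and words[0] == "access-list":
            acls.add(words[1])              # every ACL name that is defined
        m = ENTRY.match(line.strip())
        if not m:
            continue                        # e.g. "crypto map VPN interface outside"
        entry = entries.setdefault((m.group(1), int(m.group(2))),
                                   {"acl": None, "peer": False, "dynamic": False})
        rest = m.group(3).split()
        if rest[:2] == ["match", "address"] and len(rest) > 2:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"] and len(rest) > 2:
            entry["peer"] = True
        elif "dynamic" in rest:
            entry["dynamic"] = True         # dynamic entries are not static maps
    findings = {}
    for key, entry in sorted(entries.items()):
        problems = []
        if entry["acl"] is None:
            problems.append("no match address")
        elif entry["acl"] not in acls:
            problems.append("access-list %s is not defined" % entry["acl"])
        if not entry["peer"]:
            problems.append("no set peer")
        if problems and not entry["dynamic"]:
            findings[key] = problems
    return findings

if __name__ == "__main__":
    print(audit_crypto_maps(SAMPLE_CONFIG))
```

In the sample, entry 60 references an access list that is no longer defined and entry 95 has no `match address` line, so both are reported while entry 40 and the dynamic entry are not.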

