New Member

Remove Crypto Map remnants

I have an ASA5510 7.2

I have an old crypto map coming up in debug that I am trying to get rid of.

I used the "no cry map x" to remove and I am getting this:

"IPSEC(crypto_map_check): crypto map Map 7 incomplete. No peer ,access-list or transform-set specified."

when I do a "sh run all crypto" I can see remnants of this config:

crypto map 7 set connection-type bi-directional

crypto map 7 set security-association lifetime seconds 28800

crypto map 7 set security-association lifetime kilobytes 4608000

crypto map 7 set inheritance rule

crypto map 7 set phase1-mode main

I have read I can do a "clear config cry map Map 7"

But I do not have the option of "config" when I do "clear"

How can I remove this ghost crypto map?

This does not work:

no crypto map 7 set connection-type bi-directional

no crypto map 7 set security-association lifetime seconds 28800

no crypto map 7 set security-association lifetime kilobytes 4608000

no crypto map 7 set inheritance rule

no crypto map 7 set phase1-mode main

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Remove Crypto Map remnants

Richard

You should be able to do

asa(config)# clear configure crypto map Map 7

Does this not work?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c2_72.html#wp2158588

Jon
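
An added example, not part of the original thread: a Python check that scans saved "sh run all crypto" output for static crypto map entries that lack the peer, access-list or transform-set named in the crypto_map_check message, and prints the clear command from the answer above for each one. It assumes entry lines have the form "crypto map <name> <seq> ..."; the function names, ACL name, transform-set name and sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Settings that crypto_map_check names in its "incomplete" message.
REQUIRED = {"set peer": "peer", "match address": "access-list",
            "set transform-set": "transform-set"}
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def incomplete_entries(config_text):
    """Return {(map_name, seq): [missing settings]} for static entries."""
    seen = defaultdict(set)
    dynamic = set()
    for line in config_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # e.g. "crypto map Map interface outside", non-crypto lines
        key, rest = (m.group(1), int(m.group(2))), m.group(3)
        seen[key]  # register the entry even if only default lines remain
        if rest.startswith("ipsec-isakmp dynamic"):
            dynamic.add(key)  # dynamic entries get their settings elsewhere
        for prefix, label in REQUIRED.items():
            if rest.startswith(prefix + " "):
                seen[key].add(label)
    return {k: [l for l in REQUIRED.values() if l not in have]
            for k, have in sorted(seen.items())
            if k not in dynamic and len(have) < len(REQUIRED)}

def cleanup_commands(config_text):
    """Build the clear command from the answer for each incomplete entry."""
    return [f"clear configure crypto map {name} {seq}"
            for (name, seq) in incomplete_entries(config_text)]

# Constructed sample in the style of "sh run all crypto" output.
SAMPLE = """\
crypto map Map 5 match address vpn_acl
crypto map Map 5 set peer 192.0.2.10
crypto map Map 5 set transform-set ESP-AES-SHA
crypto map Map 7 set connection-type bi-directional
crypto map Map 7 set security-association lifetime seconds 28800
crypto map Map 7 set security-association lifetime kilobytes 4608000
crypto map Map 7 set inheritance rule
crypto map Map 7 set phase1-mode main
crypto map Map 65535 ipsec-isakmp dynamic dyn1
crypto map Map interface outside
"""

if __name__ == "__main__":
    print(incomplete_entries(SAMPLE))
    print("\n".join(cleanup_commands(SAMPLE)))
```

Review the printed commands against the running config before entering any of them on the device.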

5 REPLIES
New Member

Re: Remove Crypto Map remnants

Jon,

That worked. I tried that earlier, but don't know what I did wrong.

Thanks once again for the help.

Do you usually go straight to the command reference for issues like this?

I guess that is what I need to be doing.

I have a post about the IPS and Firewall as separate levels of access if you are up for it.

Hall of Fame Super Blue

Re: Remove Crypto Map remnants

Richard

IPS not something I have much experience with to be honest so not sure how much help I can be.

"Do you usually go straight to the command reference for issues like this?"

I often refer to the configuration guides/command references if I either can't remember something or need to confirm something. It's often the quickest way. You may already know this, but just in case, the easiest way (for me anyway) to get to these docs is from the Cisco home page: select "Products and Services" from the bar along the top.

You get a drop down box and you can select your category - in this instance "Security".

You are then presented with a page with all the security products. Select the product you are interested in, e.g.

"Cisco ASA 5500 Series Adaptive Security Appliances"

and then on the next page as you scroll down there is a box headed "Support". In this box are links to command references/configuration docs etc. for the product.

You can do this with all major products.

Apologies if I am telling you something you already know, it's just that sometimes Cisco info can be a bit hard to find.

Jon

New Member

Re: Remove Crypto Map remnants

No need to apologize Jon,

You have always been a great help with a pleasant demeanor.

I appreciate greatly your willingness to assist guys like me.

I usually go to the support docs, but they almost never are a help because they are so generic for the most part.

New Member

Re: Remove Crypto Map remnants

Hi Wilson

Begin with the removal of the crypto map from the interface. Use the no form of the crypto map command.

ASA(config)#no crypto map mymap interface outside

Continue to use the no form to remove the other crypto map commands.

ASA(config)#no crypto map 7 set connection-type bi-directional

ASA(config)#no crypto map 7 set security-association lifetime seconds 28800

ASA(config)#no crypto map 7 set security-association lifetime kilobytes 4608000

ASA(config)#no crypto map 7 set inheritance rule

ASA(config)#no crypto map 7 set phase1-mode main

If you remove a crypto map from an interface, it definitely brings down any IPsec tunnels associated with that crypto map, you will then need to apply the crypto map back to the interface.

HTH

Regards MJ
