
[ASA 5515] Not able to configure crypto map

Bastien BZH
Level 1

I'm currently trying to configure VPN on my ASA 5515 but the command "crypto map" is not available on the CLI.

The ios version is 8.6(1)2.

Here is an export of all the enabled features:

Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

As you can see, the required "VPN-3DES-AES" is enabled. Still I'm not able to use the "crypto map" command. Only "ca" and "key" options are available.



I've got a Security Plus license on the ASA.

Any idea of what I am missing there?

 

Thanks for your help


Bogdan Nita
VIP Alumni

Did you check if you are running a no payload encryption image?

You might have nailed it, Bogdan. The OS we are running is asa861-2-smp-k8.bin but I can't figure out if it supports VPN or not.

Based on the image name it is not npe.

You could also try to upgrade the ASA to a newer version.

All ASAs support site-site VPN.

 

Are you in single or multiple context mode? "show mode"

 

Does your user have level 15 privilege? "show curpriv"

Hello Marvin,

 

Here is the result of your commands :

ciscoasa/mycontext(config)# show mode
Security context mode: multiple
ciscoasa/mycontext(config)# show cur
ciscoasa/mycontext(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF

So it shows you have sufficient privilege but you are in multiple context mode.

 

When you have a multiple context ASA (and version 8.6) VPN is not supported at all.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_contexts.html#wp1035807

 

Site-site VPN support with multiple context was added in release 9.0(1) and remote access SSL VPN in ASA 9.5(2).

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/ha-contexts.html#ID-2171-000009a8
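
The checks from the replies above (image type, context mode, privilege level, and the multiple-context release thresholds cited in the answer), collected into one pre-check as an added example that is not part of the original thread. The function names and result keys are hypothetical, the sample outputs are constructed from the CLI text pasted in this thread, and treating "npe" in the file name as the marker of a no payload encryption image is an assumption.

```python
import re

# Multiple-context minimums quoted in the thread (not taken from a Cisco API).
S2S_MULTI_MIN = (9, 0, 1)      # site-to-site VPN
RA_SSL_MULTI_MIN = (9, 5, 2)   # remote access SSL VPN

# Constructed samples, copied from the CLI output pasted in this thread.
SHOW_MODE = "Security context mode: multiple"
SHOW_CURPRIV = """Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF"""


def parse_asa_version(text):
    """Turn '8.6(1)2' or '9.4(4)' into a comparable tuple, e.g. (8, 6, 1, 2)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)(\d*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def vpn_precheck(version, show_mode, show_curpriv, image_name):
    """Hypothetical helper: run the checks the replies walk through."""
    release = parse_asa_version(version)[:3]  # interim build is ignored here
    mode = re.search(r"Security context mode:\s*(\w+)", show_mode)
    priv = re.search(r"Current privilege level\s*:\s*(\d+)", show_curpriv)
    if not mode or not priv:
        raise ValueError("could not parse 'show mode' / 'show curpriv' output")
    multiple = mode.group(1).lower() == "multiple"
    return {
        "privilege_15": int(priv.group(1)) == 15,
        # Assumption: NPE images carry an "npe" token in the file name.
        "npe_image": "npe" in re.split(r"[-_.]", image_name.lower()),
        "multiple_context": multiple,
        "s2s_blocked_by_context_mode": multiple and release < S2S_MULTI_MIN,
        "ra_ssl_blocked_by_context_mode": multiple and release < RA_SSL_MULTI_MIN,
    }


if __name__ == "__main__":
    # Values from the original post: ASA 8.6(1)2 running asa861-2-smp-k8.bin.
    result = vpn_precheck("8.6(1)2", SHOW_MODE, SHOW_CURPRIV, "asa861-2-smp-k8.bin")
    for check, value in result.items():
        print(f"{check:32} {value}")
```
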

Thanks a lot Marvin, I missed that part.

I'm gonna find a way to merge my contexts into one so I can use site-to-site VPN.

You're welcome.

 

You should really upgrade to a more current release for features, security and code stability.

 

The recommended version for an ASA 5515-X is currently one of the recent interim builds of 9.4(4), 9.6(4) or 9.8(2).

 

https://software.cisco.com/download/release.html?mdfid=284143128&flowid=31442&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

Thanks to you Marvin, I successfully installed the last stable build 9.4(4) and built up VPN on my ASA.

Regards,
Bastien