New Member

[ERR]crypto map WARNING: This crypto map is incomplete

I have a PIX 501 ver 6.3(5). When I set up the VPN I get this error message:

WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.

Although it seems fine in the sh conf command,

the tunnel is not started.

When I review the log I find:

sa_request,ISAKMP Phase 1 exchange started

1 ACCEPTED SOLUTION

Accepted Solutions

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Put the following command on the PIX and try again:

isakmp identity address

Also please double check the pre-shared keys on both ends (make sure there are no spaces).

If it still does not work, please post log of

debug crypto isakmp 127

Regards

Farrukh

11 REPLIES
Hall of Fame Super Blue

Re: [ERR]crypto map WARNING: This crypto map is incomplete

[ERR]crypto map WARNING: This crypto map is incomplete

This is nothing to worry about if, when you do a "sh crypto map", you don't get the error. It is just an annoying configuration message: when you create a crypto map it prompts you to add a peer and an access-list, which you were going to do anyway :-).

If however this still shows when you run "sh crypto map" you have probably missed a part of the config.

Jon

New Member

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Thanks for your reply,

but there is no traffic between the hosts yet.

Any ideas what is causing problems with this tunnel?

When I check the log I see:

sa_request

ISAKMP Phase 1 exchange started

ISAKMP Phase 1 retransmission

Hall of Fame Super Blue

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Can you try some debugging on the pix ie.

debug crypto isa

debug crypto ipsec

and post the output.

Jon

Re: [ERR]crypto map WARNING: This crypto map is incomplete

kindly send outputs of following show commands for troubleshooting:

sh run isakmp

sh run crypto ipsec

sh run crypto map

New Member

Re: [ERR]crypto map WARNING: This crypto map is incomplete

I could successfully establish a VPN with another FW, a Cisco 501 6.3,

but I still can't fix my dilemma, which is the connection to a Huawei Eudemon 500.

sh isakmp

PIX Version 6.3(5)

interface ethernet0 10full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1

access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2

access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1

access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map outside_map 100 ipsec-isakmp

crypto map outside_map 100 match address outside_cryptomap_100

crypto map outside_map 100 set peer remote peer

crypto map outside_map 100 set transform-set ESP-3DES-SHA

crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

sh crypto map

Crypto Map: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 100 ipsec-isakmp

Peer = remote peer

access-list outside_cryptomap_100; 2 elements

access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)

access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)

Current peer: remote peer

Security association lifetime: 1843200 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ ESP-3DES-SHA, }

Crypto Map: "set" interfaces: { }

New Member

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Any ideas for this?

I thought that if I could start the tunnel manually it would help.

How do I use manual key negotiation, if it is supported by the PIX 501?

Re: [ERR]crypto map WARNING: This crypto map is incomplete

I already posted on the other thread: Manual IKE is not supported on the 501, AFAIK. Can you please post the output of:

debug crypto isakmp

debug crypto ipsec

debug crypto engine

Regards

Farrukh

New Member

Re: [ERR]crypto map WARNING: This crypto map is incomplete

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 31

ISAKMP (0): Total payload length: 35

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1 (0)...

ISADB: reaper checking SA 0xb6a704, conn_id = 0

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

ISAKMP (0): retransmitting phase 1 (3)...

ISAKMP (0): retransmitting phase 1 (4)...

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= MY FW IP, remote= Remote FW IP,

local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),

remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)

ISAKMP (0): deleting SA: src MY FW IP, dst Remote FW IP

ISADB: reaper checking SA 0xb6a704, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for Remote FW IP/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= MY FW IP, remote= Remote FW IP,

local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),

remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Put the following command on the PIX and try again:

isakmp identity address

Also please double check the pre-shared keys on both ends (make sure there are no spaces).

If it still does not work, please post log of

debug crypto isakmp 127

Regards

Farrukh
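The debug output posted above shows the ISAKMP policy being accepted and the KE/NONCE payloads processed, then only retransmissions once the PIX has sent an ID payload of type 2 (ID_FQDN). The script below is an added example, not part of the original thread, that applies the same reading to `debug crypto isakmp` text; the function name `triage` and the embedded sample are constructed here, and the matched strings are the ones that appear in the posted PIX 6.3 output.

```python
import re

# Identification types from the IPsec DOI (RFC 2407).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

# Constructed sample, shortened from the debug output posted in this thread.
SAMPLE = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        type : 2
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src MY FW IP, dst Remote FW IP
"""

def triage(log: str) -> dict:
    """Summarise how far a Main Mode exchange got and where it stalled."""
    r = {
        "policy_accepted": "atts are acceptable" in log,
        "ke_exchanged": "processing KE payload" in log,
        "id_sent": bool(re.search(r"ISAKMP \(\d+\): ID payload", log)),
        "retransmits": len(re.findall(r"retransmitting phase 1", log)),
        "sa_deleted": "deleting SA" in log,
        "id_type": "unknown",
    }
    m = re.search(r"^\s*type\s*:\s*(\d+)", log, re.M)  # field of the ID payload dump
    if m:
        n = int(m.group(1))
        r["id_type"] = ID_TYPES.get(n, f"unknown({n})")
    stalled = r["id_sent"] and r["retransmits"] > 0
    if not r["policy_accepted"]:
        r["finding"] = "no accepted ISAKMP policy seen: compare encryption/hash/group/auth"
    elif stalled and r["id_type"] != "ID_IPV4_ADDR":
        r["finding"] = (f"peer stopped answering after our {r['id_type']} identity: "
                        "try 'isakmp identity address', then recheck the pre-shared key")
    elif stalled:
        r["finding"] = "peer stopped answering after our identity: recheck the pre-shared key"
    else:
        r["finding"] = "no phase 1 stall seen in this log"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```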

New Member

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Man, you are a genius, it worked.

I tried this command a few days ago from the SSH console but it did nothing, I don't know why. Later I read IKE troubleshooting and found the same command; I tried it from the PIX interface and it worked.

Only one last thing: how do I change between aggressive and main mode?

Re: [ERR]crypto map WARNING: This crypto map is incomplete

Dear Wael, I'm glad you have it working now :)

I'm not aware of any such command on the PIX 6.x. On 7.x and above you can use this command:

crypto isakmp am-disable

Regards

Farrukh
