Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

pix 515 warning

I get this warning when setting up site to site vpn using pdm 3.0 on pix 515 ver 6.3(4)

[OK] isakmp key @############## address netmask no-xauth no-config-mode

[OK] pdm location outside

[OK] pdm location outside

[OK] access-list 100 line 3 permit ip

[OK] access-list 100 line 4 permit ip

[OK] nat (inside) 0 access-list 100

[OK] access-list outside_cryptomap_31 permit ip

[OK] access-list outside_cryptomap_31 permit ip

[ERR]crypto map newmap 31 set peer

WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map.

[OK] crypto map newmap 31 match address outside_cryptomap_31

[OK] crypto map newmap 31 set transform-set basis

[OK] crypto map newmap 31 set security-association lifetime seconds 28800 kilobytes 4608000

[OK] crypto map newmap interface outside

[OK] sysopt connection permit-ipsec

everything looks ok when i go through the steps.

Cisco Employee

Re: pix 515 warning


With every peer we need to add a crypto access list which tells the pix what all traffic needs to be send through that tunnel for that peer.

This warning comes if you define a peer and match list is not defined.

I can see that you have defined the match address after defining the peer so that is why you got that warning.

crypto map newmap 31 match address outside_cryptomap_31

You dont need to worry,it looks fine.check the config and you should see both the set peer and match address in the crypto config.

hope this helps.


New Member

Re: pix 515 warning

So I dont need to go back and add another peer and access list ?

Then why does my tunel not come up

Result of firewall command: "sh crypto isakmp sa"

Total : 0

Embryonic : 0

dst src state pending created

CreatePlease login to create content