Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Incomplete cryptomap - What is that mean

Having problem with site to site vpn, ISAKMP is thru but IPSEC can't work.

Debug shown incomplete cryptomap, what is that mean ??

Nov 3 20:00:15.794: ISAKMP (0:1): Node 1586382279, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Nov 3 20:00:15.794: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Nov 3 20:00:16.078: ISAKMP (0:1): received packet from 204.187.87.190 dport 500 sport 500 blackberry.net (I) QM_IDLE

Nov 3 20:00:16.082: ISAKMP: set new node -946320085 to QM_IDLE

Nov 3 20:00:16.082: ISAKMP (0:1): processing HASH payload. message ID = -946320085

Nov 3 20:00:16.082: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 825141234, message ID = -946320085, sa = 63A84278

Nov 3 20:00:16.082: ISAKMP (0:1): deleting spi 825141234 message ID = 1586382279

Nov 3 20:00:16.082: ISAKMP (0:1): deleting node 1586382279 error TRUE reason "delete_larval"

Nov 3 20:00:16.082: ISAKMP (0:1): deleting node -946320085 error FALSE reason "informational (in) state 1"

Nov 3 20:00:16.082: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Nov 3 20:00:16.082: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Nov 3 20:00:36.997: ISAKMP (0:1): purging node -570089380

Nov 3 20:00:36.997: ISAKMP (0:1): purging node -1975034219

Nov 3 20:00:38.137: %OSPF-5-ADJCHG: Process 1, Nbr 172.18.49.4 on FastEthernet0/1.1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions

Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap

Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap

Nov 3 20:00:39.693: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because of an incomplete cryptomap

4 REPLIES
Green

Re: Incomplete cryptomap - What is that mean

It means you're probably missing something in your config. Could you post it for us?

New Member

Re: Incomplete cryptomap - What is that mean

Usually i think this is the acl missing from the crypto map - double check you have the match address command typed correctly.

Thanks

Re: Incomplete cryptomap - What is that mean

you are getting Too many retransmissions for ospf. suggest mtu problem. i would change and make sure mtu match.

Franco

Cisco Employee

Re: Incomplete cryptomap - What is that mean

Hi,

Problem - WARNING: crypto map entry will be incomplete

When you enter this command, you can get the error message as shown in the output.

ciscoasa(config)#crypto map mymap 20 ipsec-isakmp

WARNING: crypto map entry will be incomplete

Solution:

This is a usual warning when you define a new crypto map, a reminder that parameters such as access-list (match address), transform set and peer address must be configured before it can work. It is also normal that the first line you type in order to define the crypto map does not show in the configuration.

Please refer the below URL for additional information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Regards,

Arul

*Pls rate if it helps*

785
Views
5
Helpful
4
Replies
CreatePlease login to create content