https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013340#M917982 <HTML><HEAD></HEAD><BODY><P>Hi Wilson </P><P></P><P>Begin with the removal of the crypto map from the interface. Use the no form of the crypto map command.</P><P></P><P>ASA(config)#no crypto map mymap interface outside</P><P></P><P>Continue to use the no form to remove the other crypto map commands.</P><P></P><P>ASA(config)#no crypto map 7 set connection-type bi-directional</P><P>ASA(config)#no crypto map 7 set security-association lifetime seconds 28800 </P><P>ASA(config)#no crypto map 7 set security-association lifetime kilobytes 4608000</P><P>ASA(config)#no crypto map 7 set inheritance rule</P><P>ASA(config)#no crypto map 7 set phase1-mode main </P><P></P><P>If you remove a crypto map from an interface, it definitely brings down any IPsec tunnels </P><P>associated with that crypto map, you will then need to apply the crypto map back to the interface.</P><P></P><P>HTH </P><P></P><P>Regards MJ</P></BODY></HTML> Sun, 22 Jun 2008 19:57:59 GMT mj11 2008-06-22T19:57:59Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013338#M917954 <P>I have an ASA5510 7.2</P><P></P><P>I have an old crypto map coming up in debug that I am trying to get rid of.</P><P></P><P>I used the "no cry map x" to remove and I am getting this:</P><P></P><P>"IPSEC(crypto_map_check): crypto map Map 7 incomplete. No peer ,access-list or</P><P>transform-set specified."</P><P></P><P>when I do a "sh run all crypto" I can see remnants of this config:</P><P></P><P>crypto map 7 set connection-type bi-directional</P><P>crypto map 7 set security-association lifetime seconds 28800</P><P>crypto map 7 set security-association lifetime kilobytes 4608000</P><P>crypto map 7 set inheritance rule</P><P>crypto map 7 set phase1-mode main</P><P></P><P>I have read I can do a "clear config cry map Map 7"</P><P></P><P>But I do not have the option of "config" when I do "clear"</P><P></P><P>How can I remove this ghost crypto map?</P><P></P><P>This does not work:</P><P> </P><P>no crypto map 7 set connection-type bi-directional</P><P>no crypto map 7 set security-association lifetime seconds 28800</P><P>no crypto map 7 set security-association lifetime kilobytes 4608000</P><P>no crypto map 7 set inheritance rule</P><P>no crypto map 7 set phase1-mode main</P><P></P> Mon, 11 Mar 2019 13:02:37 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013338#M917954 wilson_1234_2 2019-03-11T13:02:37Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013339#M917966 <HTML><HEAD></HEAD><BODY><P>Richard</P><P></P><P>You should be able to do </P><P></P><P>asa(config)# clear configure crypto map Map 7</P><P></P><P>Does this not work ?</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c2_72.html#wp2158588" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c2_72.html#wp2158588</A></P><P></P><P>Jon</P></BODY></HTML> Sun, 22 Jun 2008 19:53:35 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013339#M917966 Jon Marshall 2008-06-22T19:53:35Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013340#M917982 <HTML><HEAD></HEAD><BODY><P>Hi Wilson </P><P></P><P>Begin with the removal of the crypto map from the interface. Use the no form of the crypto map command.</P><P></P><P>ASA(config)#no crypto map mymap interface outside</P><P></P><P>Continue to use the no form to remove the other crypto map commands.</P><P></P><P>ASA(config)#no crypto map 7 set connection-type bi-directional</P><P>ASA(config)#no crypto map 7 set security-association lifetime seconds 28800 </P><P>ASA(config)#no crypto map 7 set security-association lifetime kilobytes 4608000</P><P>ASA(config)#no crypto map 7 set inheritance rule</P><P>ASA(config)#no crypto map 7 set phase1-mode main </P><P></P><P>If you remove a crypto map from an interface, it definitely brings down any IPsec tunnels </P><P>associated with that crypto map, you will then need to apply the crypto map back to the interface.</P><P></P><P>HTH </P><P></P><P>Regards MJ</P></BODY></HTML> Sun, 22 Jun 2008 19:57:59 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013340#M917982 mj11 2008-06-22T19:57:59Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013341#M917992 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P></P><P>That worked. I tried that earlier, but don't know what I did wrong.</P><P></P><P>Thanks once again for the help.</P><P></P><P>Do you usually go straight to the command reference for issues like this?</P><P></P><P>I guess that is what I need to be doing.</P><P></P><P></P><P>I have a post about the IPS and Firewall as seperate levels of access if you are up for it.</P></BODY></HTML> Mon, 23 Jun 2008 00:12:11 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013341#M917992 wilson_1234_2 2008-06-23T00:12:11Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013342#M918000 <HTML><HEAD></HEAD><BODY><P>Richard</P><P></P><P>IPS not something i have much experience with to be honest so not sure how much help i can be. </P><P></P><P>"Do you usually go straight to the command reference for issues like this?"</P><P></P><P>I often refer to the configuration guides/command references if i either can't remember something or need to confirm something. It's often the quickest way. You may already know this but just in case </P><P></P><P>easiest way (for me anyway) to get to these docs is from the Cisco home page select "Products and Services" from bar along the top. </P><P></P><P>You get a drop down box and you can select your category - in this instance "Security". </P><P></P><P>You are then presented with a page with all the security products. Select the product you are interested in eg. </P><P></P><P>"Cisco ASA 5500 Series Adaptive Security Appliances"</P><P></P><P>and then on the next page as you scroll down there is a box headed "Support". In this box are links to command references/configuration docs etc. for the product. </P><P></P><P>You can do this with all major products.</P><P></P><P>Apologies if i am telling you something you already know, it's just that sometimes Cisco info can be a bit hard to find.</P><P></P><P>Jon</P><P></P></BODY></HTML> Mon, 23 Jun 2008 10:17:26 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013342#M918000 Jon Marshall 2008-06-23T10:17:26Z https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013343#M918006 <HTML><HEAD></HEAD><BODY><P>No need to apologize jon,</P><P></P><P>You have always been a great help with a pleasant demeanor.</P><P></P><P>I appreciate greatly your willingness to assist guys like me.</P><P></P><P>I ususally go to the support docs, but they almost never are a help because they are so generic for the most part.</P></BODY></HTML> Mon, 23 Jun 2008 16:42:04 GMT https://community.cisco.com/t5/network-security/remove-crypto-map-remnants/m-p/1013343#M918006 wilson_1234_2 2008-06-23T16:42:04Z