Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
0
Helpful
2
Replies

Can't add crypto map to physical interface

john000011111
Level 1
Level 1

‎12-09-2015 02:46 PM

Hello all,

I am setting up a 6504 router to replace our current 6506, as we do not need the extra slots. We are also upgrading from SUP2s to SUP720s in the process.

Here is a show mod on the new chassis, using software s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXJ7, RELEASE SOFTWARE (fc5)

:

Mod Ports Card Type                              Model            

--- ----- -------------------------------------- ------------------ 

  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B      

  2    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B      

  3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX   

  4    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC   

And on the old one, using software

IOS (tm) c6sup2_rp Software (c6sup2_rp-JK9SV-M), Version 12.2(18)SXD7, RELEASE SOFTWARE (fc1)

:

Here is the issue I'm running into:

On the 6548 switch module, we need to put a crypto map on some of the interfaces. There is no issue placing a crypto map on the interfaces with our 6506. However with the new one, we receive this:

ERROR: Crypto Map configuration is not supported on the given interface

I am however able to add a crypto map to Vlans. 

My apologies if I have not given enough information to assist me. Just let me know what might be needed and I'll post it right away. Thanks for any help, it is much appreciated! 

Labels:
0 Helpful
2 Replies 2

Richard Bradfield
Level 6
Level 6

‎12-09-2015 10:33 PM

just to clarify, you had the same type of module(6548) on the 6506 and the configuration worked.

can you post the relevant  config for the working 6506

So it looks like an OS problem

0 Helpful

john000011111
Level 1
Level 1
In response to Richard Bradfield

‎12-10-2015 09:10 AM

Thanks for your reply, Richard

I did neglect to include the show mod from the working one. 

Mod Ports Card Type                              Model       

--- ----- -------------------------------------- ------------------ -----------

  1    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   

  2    2  Catalyst 6000 supervisor 2 (Hot)       WS-X6K-S2U-MSFC2   

  3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-45AF   

  5    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     

The only difference in modules here is 45AF vs TX.

On the router where we are able to add crypto maps to interfaces (I have changed some IP addresses):

crypto ipsec security-association lifetime seconds 86400

crypto ipsec transform-set ipcom esp-3des esp-md5-hmac

crypto map carrier local-address Vlan150

crypto map carrier 1 ipsec-isakmp
description carrier 1
set peer 10.0.0.1
set transform-set ipcom
set pfs group2
match address 120
reverse-route

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

access-list 120 permit ip 192.168.0.56 0.0.0.7 10.0.0.1 0.0.0.31

interface GigabitEthernet3/13
description Edge1-g0/2
ip address 192.168.0.2 255.255.255.252
ip route-cache flow
crypto map carrier

interface Vlan150
description carrierHA-VPN
ip address 192.168.0.57 255.255.255.248

With the other router, we're able to add all of the relevant crypto related config, and have generated RSA keys. It simply does not allow us to add the crypto map command to the interface. 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card