02-10-2016 03:07 PM - edited 03-12-2019 12:16 AM
When I attempt to apply crypto map MAP-VPN interface OUTSIDE, I receive WARNING: crypto map has incomplete entries. Any recommendations? Here is the config:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.22.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 80
ip address 22.22.22.22 255.255.255.0
!
!
route outside 172.16.22.0 255.255.255.0 11.11.11.1 1
!
access-list ACL-BLUE-VPN extended permit icmp 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit icmp 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit icmp 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
!
!
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map MAP-VPN 10 match address ACL-BLUE-VPN
crypto map MAP-VPN 10 set peer 11.11.11.11
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 15
encr aes
authentication pre-share
group 2
!
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
ikev1 pre-shared-key sekretk3y
!
02-10-2016 04:18 PM
It looks ok to me. Maybe try adding:
group-policy GroupPolicy_11.11.11.11 internal
group-policy GroupPolicy_11.11.11.11 attributes
vpn-tunnel-protocol ikev1
tunnel-group 11.11.11.11 general-attributes
default-group-policy GroupPolicy_11.11.11.11
02-11-2016 06:27 AM
Hey Philip, no go, still receiving incomplete entries.
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.22.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 80
ip address 22.22.22.22 255.255.255.0
!
!
route outside 172.16.22.0 255.255.255.0 11.11.11.1 1
!
access-list ACL-BLUE-VPN extended permit icmp 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit icmp 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit icmp 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
!
!
!
!
!
group-policy GroupPolicy_11.11.11.11 internal
group-policy GroupPolicy_11.11.11.11 attributes
vpn-tunnel-protocol ssl-clientless
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map MAP-VPN 10 match address ACL-BLUE-VPN
crypto map MAP-VPN 10 set peer 11.11.11.11
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 15
encr aes
authentication pre-share
group 2
!
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 general-attributes
default-group-policy GroupPolicy_11.11.11.11
tunnel-group 11.11.11.11 ipsec-attributes
ikev1 pre-shared-key sekretk3y
02-10-2016 07:39 PM
Hi sandin.barucic1,
Tried the same config and it works in my setup.
Can you try removing "crypto map MAP-VPN interface outside" and re-adding this command and let me know how it fares?
Regards,
Dinesh Moudgil
P.S. Please rate the helpful posts.
02-11-2016 06:20 AM
Hey Dinesh,
Thank you for responding. I tried removing and reapplying the crypto map MAP-VPN interface outside and it is still giving me the warning
crypto map has incomplete entries
02-10-2016 10:56 PM
Is phase 1 getting stuck at any stage? Issue show crypto isa sa and see. Could be a misconfiguration at the other end.
Do a debug to get some more info:
debug cry condition peer 11.11.11.11
debug cry ikev1 127
debug cry ipsec 127
Post the output here please, preferably in an attached file.
--
Please remember to select a correct answer and rate helpful posts
02-11-2016 06:23 AM
Morning Marius,
I tried to apply all of the commands above but I am unable to run the debug command on that ASA5505
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
02-11-2016 10:56 AM
Are you able to upgrade to 8.4(7)?
02-11-2016 11:15 AM
I wish. I am using Cisco Packet Tracer to replicate a possible deployment before I deploy. I tried everything I know.
ciscoasa#sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ciscoasa#sh crypto ip
ciscoasa#sh crypto ipsec sa
There are no ipsec sas
02-11-2016 11:19 AM
Oh, you didn't say you were using an emulator. It is probably an issue with your emulator. I think the config is fine.
02-11-2016 11:24 AM
That is what I am starting to assume as well. I tried everything and nothing seems to be working. Well, thank you for your help.
02-12-2016 02:27 PM
Yes it could be an issue with the emulator. Have you tried building the setup again from scratch?
The debug commands for 8.4 are debug crypto isakmp 127 and debug crypto ipsec 127
Or it might be debug crypto isa sa 127 and debug crypto ipsec sa 127
--
Please remember to select a correct answer and rate helpful posts
02-10-2016 11:03 PM
Just noticed you are missing the command:
crypto ikev1 enable outside
--
Please remember to select a correct answer and rate helpful posts
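An added example, not part of any post in this thread and not Cisco tooling: an offline check that reads an ASA running-config and reports crypto map entries that lack a match address, peer or IKEv1 transform set, or that reference an undefined access-list or transform set. It assumes those three elements are what makes an entry complete; the tunnel-group and `crypto ikev1 enable` cross-checks, and the function name `lint_crypto_maps`, are choices made for this example.

```python
import re

# Constructed sample: the crypto-related lines of the configuration posted in the thread.
SAMPLE = """\
access-list ACL-BLUE-VPN extended permit icmp 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address ACL-BLUE-VPN
crypto map MAP-VPN 10 set peer 11.11.11.11
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface outside
crypto ikev1 enable outside
tunnel-group 11.11.11.11 type ipsec-l2l
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)")
PARTS = {"match address": "acl", "set peer": "peer", "set ikev1 transform-set": "tset"}

def lint_crypto_maps(config):
    """Return a list of findings; an empty list means no incomplete entry was found."""
    acls, tsets, l2l, ike_ifs = set(), set(), set(), set()
    bound, entries = {}, {}  # map name -> interface; (map name, seq) -> parts seen
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) ", line):
            tsets.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l.add(m[1])
        elif m := re.match(r"crypto ikev1 enable (\S+)$", line):
            ike_ifs.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[1]] = m[2]
        elif m := ENTRY.match(line):
            entries.setdefault((m[1], int(m[2])), {})[PARTS[m[3]]] = m[4]
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        findings += [f"{tag}: missing '{cmd}'" for cmd, key in PARTS.items() if key not in e]
        if e.get("acl") and e["acl"] not in acls:
            findings.append(f"{tag}: access-list {e['acl']} is not defined")
        if e.get("tset") and e["tset"] not in tsets:
            findings.append(f"{tag}: transform-set {e['tset']} is not defined")
        if e.get("peer") and e["peer"] not in l2l:
            findings.append(f"{tag}: no ipsec-l2l tunnel-group for peer {e['peer']}")
    for name, ifname in sorted(bound.items()):
        if ifname not in ike_ifs:
            findings.append(f"{name}: bound to {ifname} but 'crypto ikev1 enable {ifname}' is absent")
    return findings

if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE) or ["no incomplete entries found"]:
        print(finding)
```

Run against the lines taken from the posted configuration, it returns no findings.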