vpn crypto L2L limitation concern

Hi, I have been trying to understand if I missed something or if there is a limit for the crypto maps when creating a VPN.

 

There was already a VPN tunnel up and running:

crypto map OUTSIDE_map1 9 match address OUTSIDE_cryptomap_9
crypto map OUTSIDE_map1 10 set peer X.X.X.X
crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

So I tried to create a new VPN under the sequence of 10:

 

crypto map OUTSIDE_map1 11 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map1 11 set peer X.X.X.X
crypto map OUTSIDE_map1 11 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

 

and I got the error:

 

ERROR: Exceeded maximum of 9 ipsec-proposals for crypto map.

 

and overwrote the cryptos that I have and merged them

 

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: vpn crypto L2L limitation concern

How did "crypto map OUTSIDE_map1 10 set peer 37.120.33.66" change to "crypto map OUTSIDE_map1 10 set peer 37.120.33.66 38.122.33.68"? 

 

Looks like there is/was a typo in the input commands that you are sending to the ASA. You might have mistakenly changed another crypto map entry (sequence 10) instead of Sequence 11.

 

The error message "ERROR: Exceeded maximum of 9 ipsec-proposals for crypto map." comes in if you already have IPsec proposals on a sequence number and try to add more than 9 to the same sequence number. 
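
Added example (not part of the answer above and not Cisco code): a pre-flight check that compares a crypto map script against the saved "show run crypto" output before it is pasted, and flags lines that land on a sequence number already in use. The function names and the PASTE_TYPO and PASTE_OK samples are constructed; the model assumes that pasted proposal names are added to the ones already on that sequence and counts every name.

```python
import re
from collections import defaultdict

MAX_PROPOSALS = 9  # limit quoted in the ASA error message in this thread
PROPOSAL = "set ikev2 ipsec-proposal"
LINE = re.compile(r"^\s*crypto map (\S+) (\d+) "
                  r"(match address|set peer|set ikev2 ipsec-proposal)\s+(.+?)\s*$")

def parse(config):
    """Return {(map_name, seq): {keyword: [values]}} for crypto map lines."""
    entries = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            name, seq, keyword, values = m.groups()
            entries[(name, int(seq))][keyword].extend(values.split())
    return entries

def preflight(running, pasted):
    """Warn about pasted lines that land on a sequence already in use."""
    current, new = parse(running), parse(pasted)
    warnings = []
    for name, seq in sorted(new):
        if (name, seq) not in current:
            continue  # unused sequence number: nothing to collide with
        for keyword, values in new[(name, seq)].items():
            existing = current[(name, seq)].get(keyword, [])
            total = len(existing) + len(values)
            if keyword == PROPOSAL and total > MAX_PROPOSALS:  # assumed additive
                warnings.append(f"{name} {seq}: {total} ipsec-proposals exceeds {MAX_PROPOSALS}")
            elif keyword != PROPOSAL and values != existing:
                warnings.append(f"{name} {seq}: '{keyword}' already {existing}, paste has {values}")
    return warnings

# Running config as posted in the thread (addresses are the poster's fake ones).
RUNNING = """crypto map OUTSIDE_map1 10 match address OUTSIDE_cryptomap_9
crypto map OUTSIDE_map1 10 set peer 37.120.33.66
crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES"""
# Constructed paste with a sequence-number typo (10 instead of 11) on two lines.
PASTE_TYPO = """crypto map OUTSIDE_map1 11 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map1 10 set peer 38.122.33.68
crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES"""
# Constructed paste where every line uses the unused sequence 11.
PASTE_OK = PASTE_TYPO.replace("OUTSIDE_map1 10 ", "OUTSIDE_map1 11 ")

if __name__ == "__main__":
    for warning in preflight(RUNNING, PASTE_TYPO):
        print("WARNING:", warning)
```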

4 REPLIES 4
VIP Advocate

Re: vpn crypto L2L limitation concern

Strange. Can you attach the sanitized output of "show run crypto" here? It looks like you are only adding 5. Unless there is already something configured under sequence 11. 

Re: vpn crypto L2L limitation concern

Yes, not sure and not quite familiar with the CLI.

I modified it so the IPs are fake; the rest is what I currently have.

 

not sure how to revert it back


BEFORE THE CHANGE



crypto map OUTSIDE_map1 10 match address OUTSIDE_cryptomap_9
crypto map OUTSIDE_map1 10 set peer 37.120.33.66
crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

 

BELOW AFTER THE CHANGE


crypto map OUTSIDE_map1 10 match address OUTSIDE_cryptomap_9
crypto map OUTSIDE_map1 10 set peer 37.120.33.66 38.122.33.68
crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map1 11 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map1 11 set peer 38.122.33.68
crypto map OUTSIDE_map1 11 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

INFO: You must configure ikev2 remote-authentication pre-shared-key
and/or certificate to complete authentication.

ERROR: Exceeded maximum of 9 ipsec-proposals for crypto map.
CISCO_ASAFW/pri/act(config)#


Re: vpn crypto L2L limitation concern

you were right, after correcting the right peers and crypt acl matched the correct interesting traffic, somehow when I had the script and be ready for copy and paste, that made me fail, so I did it step by step, and no errors, tunnels are up and running, thanks for the catch up