2034 Views | 0 Helpful | 5 Replies

WARNING: crypto map has incomplete entries

ehayric1320 (Level 1)

So I have a simple lab set up in Packet Tracer and I have never worked with an ASA before. I am trying to configure a basic S2S VPN using IPSec but cannot ping from one inside network to the other inside network. I noticed a strange error when applying the crypto map to the outside interface which I feel could be causing the issue but I have looked through the Cisco guides and it seems I have defined everything I need so I am not sure if this is a bug in PT?

The pings from the host are just timing out and not telling me dest host unreachable, so I don't believe it's a route issue but believe it is getting hung up on ASA1. When I start the ping, the isakmp sa output goes from blank to actually having some info, but has a state of MM_No_State. I have attached a screenshot of the lab for reference.

ciscoasa1(config)#crypto map outside_map interface outside

WARNING: crypto map has incomplete entries

ciscoasa1#sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1
1 IKE Peer: 192.168.0.12
Type : L2L Role : Initiator
Rekey : no State : MM_NO_STATE

There are no IKEv2 SAs

ASA1 Config:
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 19.168.0.11 255.255.255.0
!
object network net-local
subnet 192.168.101.0 255.255.255.0
description LAN
object network net-remote
subnet 192.168.102.0 255.255.255.0
description Remote
!
route outside 192.168.102.0 255.255.255.0 192.168.0.12 1
!
access-list outside_1_cryptomap extended permit icmp object net-local object net-remote
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
ikev1 pre-shared-key cisco1
!

ASA2 Config:
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.12 255.255.255.0
!
object network net-local
subnet 192.168.102.0 255.255.255.0
description LAN
object network net-remote
subnet 192.168.101.0 255.255.255.0
description Remote
!
route outside 192.168.101.0 255.255.255.0 192.168.0.11 1
!
access-list outside_1_cryptomap extended permit icmp object net-local object net-remote
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
ikev1 pre-shared-key cisco1

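Added here as an example (not part of the thread, and not a Cisco tool): a small consistency checker for a pair of ASA IKEv1 site-to-site configurations. It reads the fragments of both running-configs that the tunnel depends on and cross-checks them: every crypto map entry carries the three items it needs (match address, set peer, transform set), ikev1 is enabled on the interface the map is bound to, each side's peer equals the other side's outside address, a tunnel-group named after that peer holds a pre-shared key, the transform sets propose the same algorithms, the crypto ACLs are mirror images and the keys match. The two inputs are the configurations posted above reduced to those lines, with every value kept as posted. Run as-is it reports exactly one inconsistency: ASA2's `set peer 192.168.0.11` does not match the outside address ASA1's config shows, `19.168.0.11`, whether that missing digit is a typo in the post or in the lab. All function and dictionary key names are the example's own.

```python
from ipaddress import ip_network

# Constructed input: the configs posted in the thread, trimmed to the lines the
# checker reads. Only the addresses differ between the two ASAs, so one template
# is filled twice. ASA1's outside address is kept exactly as posted (19.168.0.11).
TEMPLATE = """\
interface Vlan2
 nameif outside
 ip address {me} 255.255.255.0
object network net-local
 subnet {local} 255.255.255.0
object network net-remote
 subnet {remote} 255.255.255.0
access-list outside_1_cryptomap extended permit icmp object net-local object net-remote
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer {peer}
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key cisco1
"""
ASA1_CONFIG = TEMPLATE.format(me="19.168.0.11", peer="192.168.0.12",
                              local="192.168.101.0", remote="192.168.102.0")
ASA2_CONFIG = TEMPLATE.format(me="192.168.0.12", peer="192.168.0.11",
                              local="192.168.102.0", remote="192.168.101.0")


def parse_asa(text):
    """Pull the parts of an ASA running-config that an IKEv1 L2L tunnel depends on."""
    cfg = {"ifaces": {}, "objects": {}, "acls": {}, "tsets": {}, "maps": {},
           "map_iface": {}, "ikev1_ifaces": set(), "tgroups": {}}
    ctx = ("", "")  # (section type, name) of the indented block we are inside
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            ctx = ("iface", w[1]); cfg["ifaces"][w[1]] = {}
        elif w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif w[0] == "tunnel-group":
            ctx = ("tgroup", w[1]); cfg["tgroups"].setdefault(w[1], {})
        elif w[0] == "nameif" and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["nameif"] = w[1]
        elif w[:2] == ["ip", "address"] and ctx[0] == "iface":
            cfg["ifaces"][ctx[1]]["ip"] = w[2]
        elif w[0] == "subnet" and ctx[0] == "object":
            cfg["objects"][ctx[1]] = ip_network(f"{w[1]}/{w[2]}")
        elif w[:2] == ["ikev1", "pre-shared-key"] and ctx[0] == "tgroup":
            cfg["tgroups"][ctx[1]]["psk"] = w[2]
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(w)
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["tsets"][w[4]] = tuple(sorted(w[5:]))  # algorithms, order-insensitive
        elif w[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_ifaces"].add(w[3])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_iface"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            e = cfg["maps"].setdefault((w[2], int(w[3])), {})
            if w[4:6] == ["match", "address"]: e["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]: e["peer"] = w[6]
            elif w[4:7] == ["set", "ikev1", "transform-set"]: e["tset"] = w[7]
    return cfg


def crypto_iface_ip(cfg):
    """Address of the interface the crypto map is bound to, looked up via nameif."""
    bound = set(cfg["map_iface"].values())
    return next((i.get("ip") for i in cfg["ifaces"].values() if i.get("nameif") in bound), None)


def acl_pairs(cfg, acl):
    """(source, destination) network pairs of a crypto ACL, with object names resolved."""
    pairs = set()
    for w in cfg["acls"].get(acl, []):
        objs = [cfg["objects"][w[i + 1]] for i, t in enumerate(w) if t == "object"]
        if len(objs) == 2:
            pairs.add((objs[0], objs[1]))
    return pairs


def check_l2l_pair(text_a, text_b, name_a="ASA1", name_b="ASA2"):
    """Cross-check the two peers' configs; returns a list of findings (empty = consistent)."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    out = []
    for me, cfg, other, oname in ((name_a, a, b, name_b), (name_b, b, a, name_a)):
        for (mname, seq), e in cfg["maps"].items():
            missing = [k for k in ("acl", "peer", "tset") if k not in e]
            if missing:  # an entry is only complete with ACL, peer and transform set
                out.append(f"{me}: crypto map {mname} {seq} is missing {missing}")
                continue
            iface = cfg["map_iface"].get(mname)
            if iface not in cfg["ikev1_ifaces"]:
                out.append(f"{me}: crypto map {mname} bound to {iface} but ikev1 is not enabled there")
            if e["peer"] != crypto_iface_ip(other):
                out.append(f"{me}: set peer {e['peer']} != {oname} outside address {crypto_iface_ip(other)}")
            if "psk" not in cfg["tgroups"].get(e["peer"], {}):
                out.append(f"{me}: no tunnel-group {e['peer']} with an ikev1 pre-shared-key")
            if cfg["tsets"].get(e["tset"]) not in other["tsets"].values():
                out.append(f"{me}: transform set {e['tset']} has no matching proposal on {oname}")
            mirrored = {(d, s) for s, d in acl_pairs(cfg, e["acl"])}
            theirs = set().union(*(acl_pairs(other, oe["acl"]) for oe in other["maps"].values() if "acl" in oe))
            if mirrored != theirs:
                out.append(f"{me}: crypto ACL {e['acl']} is not the mirror image of {oname}'s")
    psks = {tg.get("psk") for cfg in (a, b) for tg in cfg["tgroups"].values()}
    if len(psks) > 1:  # the pre-shared key must be identical on both ends
        out.append("pre-shared keys differ between the two peers")
    return out


if __name__ == "__main__":
    for line in check_l2l_pair(ASA1_CONFIG, ASA2_CONFIG) or ["no inconsistencies found"]:
        print(line)
```

The checker only sees what is in the text it is given; settings that `show run` omits because they are defaults (the `hash sha` point raised later in the thread is one) are invisible to it, which is a reason to feed it `show run all crypto` output rather than the abbreviated running-config.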

5 Replies

Your configuration looks correct. As for the error you are getting when applying it to the outside interface, it would seem that this is a Packet Tracer / virtualization problem and nothing to do with your configuration. Have you tried this in GNS3?

--

Please remember to select a correct answer and rate helpful posts


"Have you tried this in GNS3?"

Unfortunately, since upgrading to the newest version of GNS3, Cisco is being a drag and won't let me download the ASAv software, which from my understanding is the only way to get it to work. The old version of GNS3 would always give me issues using ASA 8.4: for some reason the ASA would boot fine, but after saving my lab and closing GNS3 it would no longer work and kept getting stuck at "Restarting System".

Any idea how I can get the ASAv software? My CCO account lets me download pretty much all software but not ASAv; I am guessing because of the sensitivity of the cryptographic software.

You would probably need to contact Cisco directly and ask them for it, or contact your local Cisco partner and have them download it for you. You may have to pay for the software, though of this I am uncertain.

--

Please remember to select a correct answer and rate helpful posts


jomar050485 (Level 1)

It looks like you don't have a valid isakmp policy which is why you have a MM_NO_STATE.

Try adding:

crypto ikev1 policy 20
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

to both ASAs

The isakmp policy is fine. Hash sha is missing from the show run as it is the default. It can be seen if you issue the show run all crypto or show crypto isakmp policy (or possibly show crypto ikev1 policy).

--

Please remember to select a correct answer and rate helpful posts
