Showing results for 
Search instead for 
Did you mean: 

Editing a crypto map with multiple entries

There's a crypto map that already existed and I edited one of the entries to change the diffie-hillman group and the lifetime. The SA table doesn't show the change. Do I need to delete that entry in the crypto map and then recreate it?


Here's the crypto map right now:


Crypto Map IPv4 "ToVendor" 18 ipsec-isakmp
Description: To_Monitor
Peer = x.x.x.x
Extended IP access list 123
access-list 123 permit ip host
access-list 123 permit ip host
access-list 123 permit ip host
access-list 123 permit ip host
access-list 123 permit ip host
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Mixed-mode : Disabled
Transform sets={
ESP-AES-256-SHA256: { esp-256-aes esp-sha256-hmac } ,
Interfaces using crypto map ToVendor:



Here's the shortened output for the crytpo ipsec sa:



protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


Thanks for any help

Rob Ingram
VIP Mentor

Hi @germaine.hudson 

That IPSec SA isn't formed properly, there are no inbound|outbound esp sas.

You shouldn't need to delete the crypto map enter, clear the crypto isakmp|ipsec sas and then generate some traffic in order to establish the tunnel.


So the diffie-hillman not showing in the IPSEC sa output isnt an issue?

Rob Ingram
VIP Mentor

If the IPSec SA wasn't established correctly before, then no possibly not.

Has the VPN worked before?


Double check the crypto map ACL that defines interesting traffic and isakmp/ipsec policies.

Run the debugs isakmp|ipsec and provide the output for review.

No the tunnel has never been up before. There's an extended access-list on the port. I'm assuming the issue might be there. If I add a sequence to permit esp from their host and udp-eq isakmp I'm hoping that it will come up. 

Rob Ingram
VIP Mentor


An ACL on the outside interface inbound? Then yes, you'll need to ensure ESP, UDP/500 and if nat in the path UDP/4500

Content for Community-Ad