cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
834
Views
0
Helpful
5
Replies
Beginner

WARNING: crypto map has incomplete entries

So I have a simple lab set up in Packet Tracer and I have never worked with an ASA before. I am trying to configure a basic S2S VPN using IPSec but cannot ping from one inside network to the other inside network. I noticed a strange error when applying the crypto map to the outside interface which I feel could be causing the issue but I have looked through the Cisco guides and it seems I have defined everything I need so I am not sure if this is a bug in PT?

The pings from the host are just timing out and not telling me dest host unreachable so I don't believe it's a route issue but believe it is getting hung up on ASA1. When I start the ping the isakmp sa output goes from blank to actually having some info but has a state of MM_No_State. I have attached a screenshot of the lab for reference.

ciscoasa1(config)#crypto map outside_map interface outside

WARNING: crypto map has incomplete entries

ciscoasa1#sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1
1 IKE Peer: 192.168.0.12
Type : L2L Role : Initiator
Rekey : no State : MM_NO_STATE

There are no IKEv2 SAs

ASA1 Config:
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 19.168.0.11 255.255.255.0
!
object network net-local
subnet 192.168.101.0 255.255.255.0
description LAN
object network net-remote
subnet 192.168.102.0 255.255.255.0
description Remote
!
route outside 192.168.102.0 255.255.255.0 192.168.0.12 1
!
access-list outside_1_cryptomap extended permit icmp object net-local object net-remote
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
ikev1 pre-shared-key cisco1
!

ASA2 Config:
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.12 255.255.255.0
!
object network net-local
subnet 192.168.102.0 255.255.255.0
description LAN
object network net-remote
subnet 192.168.101.0 255.255.255.0
description Remote
!
route outside 192.168.101.0 255.255.255.0 192.168.0.11 1
!
access-list outside_1_cryptomap extended permit icmp object net-local object net-remote
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
ikev1 pre-shared-key cisco1


Everyone's tags (3)
5 REPLIES 5
Highlighted
VIP Advocate

Your configuration looks

Your configuration looks correct.  As for the error you are getting when applying it to the outside interface, it would seem that this is a packet tracer / virtualization problem and nothing to do with your configuration.  Have you tried this in GNS3?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

"Have you tried this in GNS3?

"Have you tried this in GNS3?"


Unfortunately since upgrading to the newest version of GNS3, Cisco is being a drag and won't let me download the ASAv software which from my understanding is the only way to get it to work. The old version of GNS3 would always give me issues using ASA 8.4 for some reason the ASA would boot fine but after saving my lab and closing GNS3 and it would no longer work after that and keep getting stuck at "Restarting System".

Any idea how I can get the ASAv software? MY CCO account let's me download pretty much all software but not ASAv, I am guessing because of the sensitivity of the cryptographic software.

Highlighted
VIP Advocate

You would probably need to

You would probably need to contact Cisco directly and ask them for it, or contact your local Cisco partner and have them download it for you, you may have to pay for the software though of this I am uncertain.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

It looks like you don't have

It looks like you don't have a valid isakmp policy which is why you have a MM_NO_STATE.

Try adding:

crypto ikev1 policy 20
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

to both ASAs

Highlighted
VIP Advocate

The isakmp policy is fine.

The isakmp policy is fine.  Hash sha is missing from the show run as it is the default.  It can be seen if you issue the show run all crypto or show crypto isakmp policy (or possible show crypto ikev1 policy).

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts