Cisco Bug: CSCvt13822 - ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

99.10(1.22)

Description (partial)

Symptom:
An ASA configured with a VTI tunnel shows the tunnel interface in a down/down state. This is related to the ASA rejecting the IPSec tunnel due to no matching crypto map entry:

Feb 07 2020 12:37:10: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Feb 07 2020 12:37:10: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Feb 07 2020 12:37:10: %ASA-3-713061: Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

Feb 07 2020 12:38:10: %ASA-7-713221: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, checking map = outside_map, seq = 123...
Feb 07 2020 12:38:10: %ASA-7-713224: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map Check by-passed: Crypto map entry incomplete!

- From "debug crypto ikev1 255":
Feb 07 12:56:17 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: crypto map policy not found

Feb 07 12:56:17 [IKEv1]IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Conditions:
ASA with IPsec VTI tunnel configuration using IKEv1
The nameif is removed and re-applied under the tunnel interface, or simply modified.
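
The following is an added example, not part of the Cisco bug record: a Python check that scans ASA syslog text for the symptom signature above, a %ASA-3-713061 rejection whose remote and local proxies are both 0.0.0.0/0.0.0.0/0/0, and notes whether the same group also logged %ASA-7-713224. The sample lines are constructed (documentation addresses replace x.x.x.x), and treating any/any proxies as the marker of a VTI peer is an assumption drawn from the log shown here.

```python
import re

# Constructed sample lines in the format of the Symptom section; peer
# addresses are RFC 5737 documentation addresses, not values from the bug.
SAMPLE_LOG = """\
Feb 07 2020 12:37:10: %ASA-7-713906: IP = 192.0.2.10, Connection landed on tunnel_group 192.0.2.10
Feb 07 2020 12:37:10: %ASA-3-713061: Group = 192.0.2.10, IP = 192.0.2.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Feb 07 2020 12:38:10: %ASA-7-713224: Group = 192.0.2.10, IP = 192.0.2.10, Static Crypto Map Check by-passed: Crypto map entry incomplete!
Feb 07 2020 12:40:02: %ASA-3-713061: Group = 198.51.100.7, IP = 198.51.100.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.0.0/255.255.0.0/0/0 local proxy 10.2.0.0/255.255.0.0/0/0 on interface outside
"""

ANY = "0.0.0.0/0.0.0.0/0/0"  # proxy identity seen in the bug's 713061 message
REJECT = re.compile(
    r"%ASA-3-713061: Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<remote>\S+) local proxy (?P<local>\S+) "
    r"on interface (?P<ifc>\S+)")
INCOMPLETE = re.compile(
    r"%ASA-7-713224: Group = (?P<group>[^,]+),.*Crypto map entry incomplete")

def find_vti_rejections(log_text):
    """Map each peer group to its any/any 713061 rejections.

    Rejections with specific proxy networks (policy-based crypto map
    mismatches) are ignored; 713224 is correlated regardless of line order.
    """
    rejects, incomplete = {}, set()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            if m["remote"] == ANY and m["local"] == ANY:
                entry = rejects.setdefault(
                    m["group"], {"count": 0, "interface": m["ifc"]})
                entry["count"] += 1
            continue
        m = INCOMPLETE.search(line)
        if m:
            incomplete.add(m["group"])
    return {g: {**e, "incomplete_map": g in incomplete}
            for g, e in rejects.items()}

if __name__ == "__main__":
    for group, info in find_vti_rejections(SAMPLE_LOG).items():
        print(group, info)
```

A hit only indicates that the log matches this symptom; the Conditions (IKEv1 VTI with a recently changed nameif) still have to be confirmed on the device.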