Cisco PIX 501 crypto map error "WARNING: This crypto map is incomplete"

Posted on 2008-11-06
Last Modified: 2012-08-13
I wish to add a second VPN tunnel, however when I issue the second crypto map settings the PIX returns the following error:
"WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map".
Note I have separate ACL lists for crypto maps and no-nat as I am aware of the issue regarding viewing and editing in the PDM software while using one access-list.
I have also tried issuing the following command to suspend the current tunnels while configuring: "no crypto map transam interface outside", however to no avail.

Please can someone advise the correct way to issue multiple crypto maps?
Question by:The-Chief
    LVL 43

    Accepted Solution

    Add an additional sequence number to the existing crypto map.  You can only assign one crypto map to an interface.  You will always get that message when you are adding a crypto map based on the nature of applying the commands.

    For example:

    crypto map transam 100 match address 100
    crypto map transam 100 set peer x.x.x.x
    crypto map transam 100 set transform-set esp-3des-sha

    crypto map transam 200 match address 200
    crypto map transam 200 set peer y.y.y.y
    crypto map transam 200 set transform-set esp-3des-sha

    Author Comment

    Have tried that already, and everything looks ok after "show run" command.

    However whenever I add a new crypto map and view the settings in the PDM gui under IPsec Rules, it reads (Null Rule) after the ip address.

    Is this a bug with the PDM software?

    Also as previously stated by JFrederick29: can the initial CLI warning message be ignored when adding additional crypto maps?
    LVL 43

    Expert Comment

    Can you post the crypto map running-configuration?  Not to my knowledge that it can be ignored.
    LVL 6

    Assisted Solution

    Looks like you have not mentioned the peer internet address in the config:
    crypto map transam 100 set peer (x.x.x.x ) --> double check this
    For the ACL issue, you can try this command:
    sysopt connection permit-ipsec   (to bypass acl for all ipsec traffic)
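
An offline completeness check for the points raised in the two answers above (one crypto map with several sequence numbers, each needing its own peer and access-list), as an added example that is not part of the original thread. It assumes PIX 6.x-style configuration lines; the sample config, its addresses and the function name `audit_crypto_maps` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): entry 200 has no peer and
# points at access-list 200, which is never defined.
SAMPLE_CONFIG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map transam 100 ipsec-isakmp
crypto map transam 100 match address 100
crypto map transam 100 set peer 192.0.2.10
crypto map transam 100 set transform-set esp-3des-sha
crypto map transam 200 ipsec-isakmp
crypto map transam 200 match address 200
crypto map transam 200 set transform-set esp-3des-sha
crypto map transam interface outside
"""

REQUIRED = ("match address", "set peer", "set transform-set")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL = re.compile(r"^access-list (\S+) ")
TSET = re.compile(r"^crypto ipsec transform-set (\S+) ")

def audit_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for incomplete entries."""
    entries, acls, tsets = defaultdict(dict), set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := ENTRY.match(line):
            # Any line with a sequence number registers the entry.
            settings = entries[(m.group(1), int(m.group(2)))]
            for key in REQUIRED:
                if m.group(3).startswith(key + " "):
                    settings.setdefault(key, []).extend(m.group(3)[len(key):].split())
        elif m := ACL.match(line):
            acls.add(m.group(1))
        elif m := TSET.match(line):
            tsets.add(m.group(1))
    report = {}
    for entry, settings in sorted(entries.items()):
        problems = [f"missing '{k}'" for k in REQUIRED if k not in settings]
        problems += [f"access-list {a} not defined"
                     for a in settings.get("match address", []) if a not in acls]
        problems += [f"transform-set {t} not defined"
                     for t in settings.get("set transform-set", []) if t not in tsets]
        if problems:
            report[entry] = problems
    return report

if __name__ == "__main__":
    for (name, seq), problems in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: " + "; ".join(problems))
```

Run it against a saved copy of the running configuration; an empty result means every sequence number has a peer, a defined access-list and a defined transform-set.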

    Author Comment

    Looks like there is an underlying problem with the settings for the second tunnel.
    I can't connect over the second tunnel on its own.
    I'll have to sort this out first before attempting to connect 2 tunnels at once.

    Author Closing Comment

    Thanks guys.
    However I have a problem with the second tunnel settings so will have to sort that out first before attempting multiple ones.
