Crypto map entry is incomplete

Similar Messages

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

  Hi!
  I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
  I'm in process of migrating some VPN tunnels with  from a Cisco router to an ASA, everything will keep the same but just the peering IP address. However, some of the tunnel was being torn down since it request for a proxy doesn't match the one configured on our side. And the remote peer said there is no such issue on the previous platform, but now they need to reset the tunnel from time to time.
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
  Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
  The remote peer said they did not change the proxy id on their side so it is possibly the old platform will just not setting up the SA without torn down the tunnel while the ASA on the new platform will torn down if there is any mismatch.
  Anyway I have requested the remote side to remove those unmatched entried to avoid the tunnel being torn down, but if there any configuration that is related to this issue? i.e. Just bring up the SA with matched addresses and ignore others, instead of torn down the tunnel.
  Thanks!!
  //Cody

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• Crypto map has incomplete entries message

  I'm working on building a configuration on a 5540 running 9.1.2 for L2L VPN.  When I reload the device, I get this message:
  .WARNING: crypto map has incomplete entries
  *** Output from config line 10665, "crypto map L2LVPN interf..."
  I seems it's giving me the error on the line where the crypto map is assigned to the outside interface.  Unfortunately this message really is not very helpful.  I do not have this in production yet. Is there any way I can find out where my problem may be?
  Thanks.
  Jason

  Hi,
  This usually indicates that one L2L VPN connection Crypto Map configuration is missing some essential parameter to make it complete.
  So issue the command
  show run crypto map
  Then make sure that the following lines exists
  crypto map match address
  crypto map set peer
  crypto map set ikev1 transform-set
  If any of the 3 things mentioned above are missing then the crypto map configuration is deemed incomplete and doesnt have the information needed for that L2L VPN to function.
  Atleast this is what it seems to me.
  Hope it helps
  - Jouni

• [ERR]crypto map WARNING: This crypto map is incomplete

  i have PIX 501 ver6.3(5) when i setup VPN i get this error message
  WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
  although it seems fine in sh conf command
  but tunnel is not started
  when i review log i found
  sa_request,ISAKMP Phase 1 exchange started

  i could successfully establish VPN with another FW cisco 501 6.3
  but still can't fix my dilemma which i connect to Huawei Eudemon 500‎
  sh isakmp
  PIX Version 6.3(5)‎
  interface ethernet0 10full
  interface ethernet1 100full
  nameif ethernet0 outside security0‎
  nameif ethernet1 inside security100 ‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2 ‎
  global (outside) 1 interface‎
  nat (inside) 0 access-list inside_outbound_nat0_acl
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ‎
  crypto ipsec security-association lifetime seconds 3600‎
  crypto map outside_map 100 ipsec-isakmp
  crypto map outside_map 100 match address outside_cryptomap_100‎
  crypto map outside_map 100 set peer remote peer
  crypto map outside_map 100 set transform-set ESP-3DES-SHA
  crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200‎
  crypto map outside_map interface outside
  isakmp enable outside
  ‎ ‎
  isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode ‎
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash sha‎
  isakmp policy 20 group 2‎
  isakmp policy 20 lifetime 86400‎
  sh crypto map
  Crypto Map: "outside_map" interfaces: { outside }‎
  Crypto Map "outside_map" 100 ipsec-isakmp
  Peer = remote peer
  access-list outside_cryptomap_100; 2 elements‎
  access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 ‎‎(hitcnt=14) ‎
  access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 ‎‎(hitcnt=6) ‎
  Current peer: remote peer
  Security association lifetime: 1843200 kilobytes/3600 seconds‎
  PFS (Y/N): N
  Transform sets={ ESP-3DES-SHA, }‎
  Crypto Map: "set" interfaces: { }‎

• WARNING: This crypto map is incomplete

                  Hi ,
    i have ASA with 4 l2l vpn configured. as now am trying to configure new VPN tunnel; while configuring of crypto map set match add its giving me
  error like ... WARNING: This crypto map is incomplete
    as i have read all the discussion from forms its not effecting ; request you to please help
  Thanks
  Gajendra

  Hi,
  This is a normal message and just tells you that you have not yet entered all the "crypto map" commands related to this new connection to make the configuration complete
  You will essentially have to make sure that you have ATLEAST the following lines configured
  crypto map match address
  crypto map set peer
  crypto map set ikev1 transform-set
  The "transform-set" part might NOT need the "ikev1" depending on your ASAs software level.
  - Jouni

• Crypto map incomplete

  I have PIX 515 and trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110 than the crypto map mymap 20 ipsec-isakmp no problem. than the crypto map mymap 20 match address 101 I get error message Crypto map incomplete. Why am I getting this error and how do I get around it. Thanks.

  Yes I have an Incomplete.
  crypto ipsec transform-set tr-set esp-des esp-md5-hmac
  crypto dynamic-map dynmap 10 set transform-set tr-set
  crypto dynamic-map dynmap 15 set transform-set tr-set
  crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilo
  bytes 4608000
  crypto map mymap 10 ipsec-isakmp
  crypto map mymap 10 match address 101
  crypto map mymap 10 set peer 70.106.123.11
  crypto map mymap 10 set transform-set tr-set
  crypto map mymap 15 ipsec-isakmp
  crypto map mymap 15 match address 105
  crypto map mymap 15 set peer 67.100.146.217
  crypto map mymap 15 set transform-set tr-set
  crypto map mymap 20 ipsec-isakmp
  ! Incomplete
  crypto map mymap 6335 ipsec-isakmp dynamic dynmap
  crypto map mymap interface outside

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• Cisco 5520: removed crypto map still in effect

  so i typoed a command: "crypto map Map1 7"... instead of "crypto map Map1 70".
  I cleared the Map1 7 entries, and added the correct entries in Map1 70.
  I cleared all of the vpn sessions:
  no crypto map Map1 int outside
  cl ips sa
  cl isa sa
  Now, however, whenever I try to ping the remote network from the inside interface, it seems to read the Map1 7 policy instead of Map1-70.
  Is there anyway to clear the Map1 7 entries from memory? I'm trying to avoid rebooting the firewall.
  Thanks,
  Jeff
  But when I try

  With ASA you need the "clear configure" command to remove a crypto map sequence number
  clear configure crypto map map-name seq-num
  (in configuration mode)

• Converting crypto map to unnumbered VTI

  I'm trying to convert a crypto map VPN to a ip unnumbered VTI. The crypto map has been working for months. The VTI... no so much. Here are the applicable config entries.
  ### original config
  crypto isakmp policy 30
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key xxxxxxxx address 10.1.1.10
  crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
  crypto map CRYPTO 50 ipsec-isakmp
  set peer 10.1.1.10
  set transform-set 3DES-SHA
  set pfs group2
  match address VPN1
  ip access-list extended VPN1
  permit ip host 172.16.16.10 host 10.5.5.1
  permit ip host 172.16.16.10 host 10.5.5.4
  I only removed the crypto map and added the following.
  ### New Config
  crypto ipsec profile V1
  set security-association lifetime seconds 28800
  set transform-set 3DES-SHA
  set pfs group2
  interface Tunnel0
  ip unnumbered FastEthernet0/0
  ip nat outside
  ip virtual-reassembly
  tunnel source 172.16.8.1
  tunnel destination 10.1.1.10
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile V1
  I keep getting this ISAKMP error now.
  ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)
  Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.
  Thank you!

  Access-lists, FW (ZBF, CBAC) and all other features work on SVTI same way they would work on a physical or other logical interfaces (with very few exceptions). 

• Crypto map question

  Hi
  If I have 2 crypto maps defined on my pix 506E. Traffic of my first crypto map goes for tunnel 1 & traffic of my second interface goes for tunnel2.
  I can't apply the command crypto map CCS interface outside & crypto map PLC interface outside.
  I am able to apply only one.
  How can I do to use both crypto maps?
  crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto map PLC 30 ipsec-isakmp
  crypto map PLC 30 match address PLC
  crypto map PLC 30 set peer 10.10.10.1
  crypto map PLC 30 set transform-set my_PLC
  crypto map PLC interface outside
  isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto map CCS 20 ipsec-isakmp
  crypto map CCS 20 match address CCS
  crypto map CCS 20 set peer 20.20.20.1
  crypto map CCS 20 set transform-set my_ccs
  crypto map CCS interface outside
  isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400

  Hi
  You can only have one crypto map per interface but you can have separate entries within the same crypto map eg.
  crypto map CCS 20 ipsec-isakmp
  crypto map CCS 20 match address CCS
  crypto map CCS 20 set peer 20.20.20.1
  crypto map CCS 20 set transform-set my_ccs
  crypto map CCS 30 ipsec-isakmp
  crypto map CCS 30 match address PLC
  crypto map CCS 30 set peer 10.10.10.1
  crypto map CCS 30 set transform-set my_PLC
  crypto map CCS interface outside
  HTH
  Jon

• One crypto map, different tunnel source addresses (secondary)

  Hi,
  I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

  Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:
  crypto map to-peer_a 10 ipsec-isakmp
  set peer 10.1.3.1
  set local-address loopback1 <-- new command
  match address 100
  crypto map to-peer_a 20 ipsec-isakmp
  set peer 10.1.3.2
  set local-address loopback2 <-- new command
  match address 101
  Current code allows to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.

• Troubles using VRF-aware IPsec w/ crypto maps

  I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
  So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
  What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
  https://supportforums.cisco.com/docs/DOC-13524
  Please see the attached config files and the setup drawing.
  This is the way I'm testing it:
  C2951#sh deb
  Cryptographic Subsystem:
    Crypto ISAKMP debugging is on
  C2951#
  C2951#ping vrf test 10.0.0.1 source lo 1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
  Packet sent with a source address of 40.0.0.1
  Success rate is 0 percent (0/5)
  C2951#
  Any hints for me, please?

  There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
  C2951#sh crypto ipsec sa
  interface: GigabitEthernet0/0
      Crypto map tag: OUR-MAP, local addr 30.0.0.2
     protected vrf: test
     local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
     current_peer 20.0.0.1 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
       current outbound spi: 0xEB02ACDA(3942821082)
       PFS (Y/N): Y, DH group: group5
       inbound esp sas:
        spi: 0x1A943A9F(445921951)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225929/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0xEB02ACDA(3942821082)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
          sa timing: remaining key lifetime (k/sec): (4225928/3571)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE(ACTIVE)
       outbound ah sas:
       outbound pcp sas:
  C2951#sh ip route 10.0.0.0
  % Network not in table
  C2951#sh ip route vrf test 10.0.0.0
  Routing Table: test
  Routing entry for 10.0.0.0/24, 1 known subnets
  S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

• IPSec VRF Aware (Crypto Map)

  Hello!
  I have some problem with configuring vrf aware Ipsec (Crypto Map).
  Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
  Configuration below:
  ip vrf outside
   rd 1:1
  ip vrf inside
   rd 2:2
  track 10 ip sla 10 reachability
  ip sla schedule 10 life forever start-time now
  crypto keyring outside vrf outside 
    pre-shared-key address 10.10.10.100 key XXXXXX
  crypto isakmp policy 20
   encr aes 256
   authentication pre-share
   group 2
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto isakmp profile AS_outside
     vrf inside
     keyring outside
     match identity address 10.10.10.100 255.255.255.255 outside
     isakmp authorization list default
  crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
   mode tunnel
  crypto ipsec df-bit clear
  crypto map outside 10 ipsec-isakmp 
   set peer 10.10.10.100
   set security-association idle-time 3600
   set transform-set ESP-AES 
   set pfs group2
   set isakmp-profile AS_outside
   match address inside_access
  ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
  ip access-list extended inside_access
   permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
  icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
   vrf outside
  interface GigabitEthernet0/0.806
  ip vrf forwarding outside
  ip address 10.10.10.101 255.255.255.0
  crypto-map outside
  interface GigabitEthernet0/1.737
  ip vrf forwarding inside
  ip address 10.6.6.252 255.255.255.248

  Hello Frank!
  >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
  I tried it before. Nothing changes.
  >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
  It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
  show command below:
  ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
   10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
  ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
  10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
    sources: RIB 
    feature space:
     NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
    ifnums:
     GigabitEthernet0/0.806(24): 10.10.10.100
    path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
    nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

• Crypto map gone wrong

  We've noticed a very strange issue on our Cisco 3800 router.
  The router is hosting multiple Site to Site VPN connections. All of the VPNs are working fine.
  While doing some routine diagnostigs we've noticed that one of the VPN's crypto maps is not displayed correctrly as you can see in the image below.
  I checked the associated ACL and the last entry is displayed correctly.
  I also tried to recreate the acl to see if that will fix this.
  Only this crypto map is displayed like this. All of the other are displaing just fine.
  I noticed that if I remove the last statement from the ACL then the crypto map will be displayed correctly.
  What could be the reason for this phenomenon?
  Can this cause any connectivity issues in the future?

  Access-lists, FW (ZBF, CBAC) and all other features work on SVTI same way they would work on a physical or other logical interfaces (with very few exceptions).