Symptom

ASA configured with VTI tunnel experiencing issues for the VTI tunnel in down down state, this related to rejecting IPSec tunnel due to no matching crypto map entry: Feb 07 2020 12:37:10: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x Feb 07 2020 12:37:10: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x Feb 07 2020 12:37:10: %ASA-3-713061: Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside Feb 07 2020 12:38:10: %ASA-7-713221: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, checking map = outside_map, seq = 123... Feb 07 2020 12:38:10: %ASA-7-713224: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map Check by-passed: Crypto map entry incomplete! - From "debug crypto ikev1 255": Feb 07 12:56:17 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: crypto map policy not found Feb 07 12:56:17 [IKEv1]IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Conditions

ASA with IPsec VTI tunnel configuration using IKEv1 Remove nameif and re-apply it under tunnel interface or simply modifying it.

Workaround

Remove the VTI interface tunnel and the tunnel-group configuration, then re-apply it.

Further Problem Description