How do I resolve VPN crypto map entry errors in Amazon VPC?

Last updated: 2018-10-15

I'm using a Cisco ASA device as my customer gateway in Amazon VPC. When I try to establish a virtual private network (VPN) connection to my VPC, I receive the error Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy on my customer gateway. How do I resolve this error?

Short description

In established VPN connections, the standby tunnel can trigger this error in some Cisco ASA configurations. For more information, see Troubleshooting Cisco ASA Customer Gateway Connectivity.

Note: This specific error message pertains to Cisco ASA devices. However, the resolution applies to any customer gateway that uses a policy-based VPN or route-based VPN with a non-default proxy ID.


Be sure that your network traffic is initiated from your local network on the customer gateway to your VPC.

Configure route-based VPN connections with default proxy IDs if your device supports it.

Your customer gateway

Example: Cisco ASA device (customer gateway configuration example)

Did this article help?

Do you need billing or technical support?