Hi
Can you verify if your ip-sec certificates on the cucm nodes have expired or there is mismatched certificates on the sub nodes? If yes, you can use the following work-around:
1. For expired:
Regenerate the IP-Sec ceritifcate
2. For mismatch
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-71/111796-cucm-drf.html
IF these are fine, then try to restart the master agent service on pub and then local agent on the subs.
Regards
Aditya