
BGP down

peter.zhu
Level 1

We had one C1111 router at a site, connected to the internet. It has an IPsec tunnel with SSNG and runs BGP over it.

Currently, the IPsec tunnel is up, but BGP is down. Previously, BGP came up after clearing the IPsec tunnel, but that doesn't work today. Can anyone shed some light on what the root cause could be?

aa-makit-pon72-spl-am#sh cry ses br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = LAN
Peer I/F Username Group/Phase1_id Uptime Status
63.250.144.1 Tu1 63.250.144.1 00:31:59 UA

aa-makit-pon72-spl-am#
aa-makit-pon72-spl-am#
aa-makit-pon72-spl-am#sh ip bgp all sum
For address family: VPNv4 Unicast
BGP router identifier 38.57.132.42, local AS number 65519
BGP table version is 3, main routing table version 3
2 network entries using 512 bytes of memory
2 path entries using 272 bytes of memory
1/1 BGP path/bestpath attribute entries using 312 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1096 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
2 networks peaked at 06:12:23 Sep 3 2025 UTC (00:45:11.629 ago)

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
62.6.89.201 4 12641 0 0 1 0 0 never Active

10 Replies

balaji.bandi
Hall of Fame

Check whether the IPsec phases are up by initiating traffic. Check whether you are able to ping the other BGP peer IP address from both sides.

How about the other side's BGP, any changes?

Check common BGP troubleshooting:

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/22166-bgp-trouble-main.html

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi balaji, phase II is up and encaps/decaps packets, but we can't ping the BGP peer, which is a big concern for me. I have no clue what the problem is. I compared with another site, and the settings remain the same. The BGP peer is also reflected in the routing table. I guess the established tunnel might not be valid.

aa-makit-pon72-spl-am#sh cry ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 38.57.132.42

protected vrf: LAN
local ident (addr/mask/prot/port): (38.57.132.42/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (63.250.144.1/255.255.255.255/47/0)
current_peer 63.250.144.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 108, #pkts encrypt: 108, #pkts digest: 108
#pkts decaps: 155, #pkts decrypt: 155, #pkts verify: 155
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 38.57.132.42, remote crypto endpt.: 63.250.144.1
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x40A9072(67801202)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x38A2D30C(950194956)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 2009, flow_id: ESG:9, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0, initiator : False
sa timing: remaining key lifetime (k/sec): (4607981/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x40A9072(67801202)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 2010, flow_id: ESG:10, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0, initiator : False
sa timing: remaining key lifetime (k/sec): (4607990/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

aa-makit-pon72-spl-am#sh ip route vrf LAN 62.6.89.201

Routing Table: LAN
Routing entry for 62.6.89.201/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Tunnel1
Route metric is 0, traffic share count is 1

#pkts encaps: 108, #pkts encrypt: 108, #pkts digest: 108
#pkts decaps: 155, #pkts decrypt: 155, #pkts verify: 155

This seems to be OK. Are you able to reach any other endpoint via the VPN? If you have a VPN available, are you able to reach the router on the other side and check?

Maybe it is worth enabling debug to see why BGP is failing? (Any changes to the config on either side?)

BB


show crypto session detail

show tcp brief

MHM

Now, BGP comes up after resetting the IPsec session. The difference is that ESP packets were not being sent out from the CE router, only received. After the reset, we can see ESP packets back and forth. I am wondering what could cause the router not to send out ESP packets. Currently, the C1111 router runs 17.09.04a; not sure if there is any bug.

 @@@@@@@@@@@@@@@@@@@@@

before reset

----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 162 0.000000 63.250.144.1 -> 38.57.132.42 0 BE ESP
1 162 0.000000 63.250.144.1 -> 38.57.132.42 0 BE ESP
2 162 5.054990 63.250.144.1 -> 38.57.132.42 0 BE ESP
3 162 5.100992 63.250.144.1 -> 38.57.132.42 0 BE ESP
4 162 10.055997 63.250.144.1 -> 38.57.132.42 0 BE ESP

@@@@@@@@@@@@@@@@@@@@@@@@

after reset

----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 178 0.000000 63.250.144.1 -> 38.57.132.42 0 BE ESP
1 114 0.000000 38.57.132.42 -> 63.250.144.1 48 CS6 ESP
2 178 0.000992 38.57.132.42 -> 63.250.144.1 48 CS6 ESP
3 134 0.022994 63.250.144.1 -> 38.57.132.42 0 BE ESP
4 114 0.032988 63.250.144.1 -> 38.57.132.42 0 BE ESP
5 178 0.041990 63.250.144.1 -> 38.57.132.42 0 BE ESP
6 178 0.045988 38.57.132.42 -> 63.250.144.1 48 CS6 ESP
7 178 0.066983 63.250.144.1 -> 38.57.132.42 0 BE ESP

aa-makit-pon72-spl-am#show crypto session de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: HVPN1
Uptime: 00:25:59
Session status: UP-ACTIVE
Peer: 63.250.144.1 port 500 fvrf: (none) ivrf: LAN
Phase1_id: 63.250.144.1
Desc: (none)
Session ID: 1
IKEv2 SA: local 38.57.132.42/500 remote 63.250.144.1/500 Active
Capabilities:DU connid:1 lifetime:23:34:01
IPSEC FLOW: permit 47 host 38.57.132.42 host 63.250.144.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1683 drop 0 life (KB/Sec) 4607606/2040
Outbound: #pkts enc'ed 2533 drop 0 life (KB/Sec) 4607148/2040

aa-makit-pon72-spl-am#show tcp bri
TCB Local Address Foreign Address (state)
FFFF598C0120 62.5.54.19.54546 194.102.8.177.49 LASTACK
FFFF595390C0 62.5.54.19.22 194.102.8.165.59520 ESTAB
FFFF594F0E38 62.5.54.19.179 62.6.89.201.30712 ESTAB
FFFF54CC2F08 38.57.132.42.22 195.182.112.204.55240 ESTAB
FFFF598F91D0 62.5.54.19.22 193.113.244.141.58624 ESTAB
aa-makit-pon72-spl-am#

Inbound: #pkts dec'ed 1683 drop 0 life (KB/Sec) 4607606/2040

Outbound: #pkts enc'ed 2533 drop 0 life (KB/Sec) 4607148/2040

This is what I am looking for: whether IPsec receives any inbound traffic and sends outbound.
Note: you need to run this command multiple times to check this.

To solve this issue and not need to run a reset anymore, use dpd under the IKEv2 profile.

MHM
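The check above (run `show crypto session detail` more than once and compare the inbound and outbound packet counters) can be scripted so the one-way condition is spotted without eyeballing numbers. The following is an added example, not code from the thread or from Cisco: it parses two constructed snapshots of the counter lines in the format MHM quoted, computes per-peer deltas, and classifies the session. The sample values and the one-minute interval are assumptions; the only real-world assumption is that the `Peer:`, `Inbound:` and `Outbound:` lines keep the shape shown in this thread.

```python
import re

# Constructed sample: two "show crypto session detail" snapshots taken a minute
# apart. Inbound keeps growing but outbound does not move, which is the same
# pattern the packet capture in this thread showed before the reset.
SNAPSHOT_T0 = """\
Crypto session current status

Interface: Tunnel1
Profile: HVPN1
Session status: UP-ACTIVE
Peer: 63.250.144.1 port 500 fvrf: (none) ivrf: LAN
  IPSEC FLOW: permit 47 host 38.57.132.42 host 63.250.144.1
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 1683 drop 0 life (KB/Sec) 4607606/2040
        Outbound: #pkts enc'ed 2533 drop 0 life (KB/Sec) 4607148/2040
"""

SNAPSHOT_T1 = """\
Crypto session current status

Interface: Tunnel1
Profile: HVPN1
Session status: UP-ACTIVE
Peer: 63.250.144.1 port 500 fvrf: (none) ivrf: LAN
  IPSEC FLOW: permit 47 host 38.57.132.42 host 63.250.144.1
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 1745 drop 0 life (KB/Sec) 4607590/1980
        Outbound: #pkts enc'ed 2533 drop 0 life (KB/Sec) 4607148/1980
"""

# Matches the per-direction counter lines exactly as quoted in the thread.
COUNTER_RE = re.compile(
    r"(?P<dir>Inbound|Outbound):\s+#pkts\s+(?:dec|enc)'ed\s+(?P<pkts>\d+)\s+drop\s+(?P<drop>\d+)"
)
PEER_RE = re.compile(r"^Peer:\s+(?P<peer>\S+)", re.M)


def parse_sessions(text):
    """Return {peer_ip: {"Inbound": (pkts, drops), "Outbound": (pkts, drops)}}.

    The output is split on "Interface:" so a router with several tunnels
    yields one entry per peer; the header before the first block is skipped.
    """
    sessions = {}
    for block in re.split(r"(?m)^Interface:", text):
        peer = PEER_RE.search(block)
        if peer is None:
            continue
        counters = {}
        for c in COUNTER_RE.finditer(block):
            counters[c.group("dir")] = (int(c.group("pkts")), int(c.group("drop")))
        sessions[peer.group("peer")] = counters
    return sessions


def diff_sessions(before, after):
    """Per-peer packet deltas between two snapshots (peers missing from one side are skipped)."""
    deltas = {}
    for peer, a in after.items():
        b = before.get(peer)
        if b is None:
            continue
        deltas[peer] = {
            d: a[d][0] - b[d][0] for d in ("Inbound", "Outbound") if d in a and d in b
        }
    return deltas


def classify(delta):
    """Label a delta. "outbound-stalled" is the case from this thread: traffic is
    decrypted from the peer but nothing is being encrypted towards it."""
    inb, outb = delta.get("Inbound", 0), delta.get("Outbound", 0)
    if inb > 0 and outb > 0:
        return "bidirectional"
    if inb > 0 and outb == 0:
        return "outbound-stalled"
    if outb > 0 and inb == 0:
        return "inbound-stalled"
    return "idle"


if __name__ == "__main__":
    deltas = diff_sessions(parse_sessions(SNAPSHOT_T0), parse_sessions(SNAPSHOT_T1))
    for peer, delta in deltas.items():
        print(f"{peer}: +{delta['Inbound']} in, +{delta['Outbound']} out -> {classify(delta)}")
```

A stalled direction is only meaningful when the router should have had something to send; with a BGP session configured over the tunnel, keepalives (or the TCP retries of a session stuck in Active) normally produce outbound ESP, so a zero outbound delta across several samples while inbound grows is a strong indicator and a good trigger for an alert rather than a manual reset.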

I checked the setting, the dpd was there 

@@@@@@@@@@@@@@@@@@

crypto ikev2 profile HVPN1
match identity remote address 63.250.144.1 255.255.255.255
identity local email aa-makit-pon72-spl-am@hvpnv4.bt.com
authentication remote pre-share
authentication local pre-share
keyring local HVPN
dpd 30 30 periodic

@@@@@@@@@@@@@@@@@@@

dpd 10 2 periodic/on-demand

dpd 30 30, i.e. 30 tries and 30 timeout, is so long.

MHM

peter.zhu
Level 1

I will try next time. Thanks mate.

You are so welcome 

MHM