I have a frustrating issue with a dynamic VPN head end running IOS 15.2 on 2900's. I have existing keyrings, and isakmp profiles (both main and agressive) running. When I add in a new peer, by adding in a keyring prechared statement and a match identity in the isakmp profile, phase 1 biulds but phase 2 only gets right to the end and the Cisco side resets the connection because it did not get back a response to it's Phase 2 proposal.
I have tried a number of soft clear commands to remedy this (I do have 16 other production tunnels I do not want to take down) and no avail. This is very consistent. We had this happen last week in the same manner, and the TAC finally said I must reboot the system. So I removed the cmap from the interface, and reapplied it (using notepad to do it all at once). All the tunnels dropped, and after a few manual restarts on the far end for thos etunnels that are tempermental, all tunnels came back up, including my new add.
I have a pair of 3900's running 15.1 code in the US that terminate the same tunnels, and I can add and remove PEERS all day long without resetting anything. Has anyone one encountered this before? Could there be a more polite way of resetting what ever it is that removing the CMAP does to allow my new peer to get the full treatment here?
(I am not asking for VPN peer config help, as I know this tunnel template I am using works, but if you want to see it)