03-23-2016 11:20 AM - edited 02-21-2020 08:44 PM
Hi,
I have configured a DMVPN between 13 sites and I use IPsec VPN for mobile clients. Today it simply stopped working and it is saying that phase 2 SA policy not acceptable. That's the error:
Mar 23 18:15:27.188: ISAKMP:(6986):Checking IPSec proposal 1
Mar 23 18:15:27.188: ISAKMP: transform 1, ESP_AES
Mar 23 18:15:27.188: ISAKMP: attributes in transform:
Mar 23 18:15:27.188: ISAKMP: encaps is 2 (Transport)
Mar 23 18:15:27.188: ISAKMP: SA life type in seconds
Mar 23 18:15:27.188: ISAKMP: SA life duration (basic) of 3600
Mar 23 18:15:27.188: ISAKMP: SA life type in kilobytes
Mar 23 18:15:27.188: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 23 18:15:27.188: ISAKMP: authenticator is HMAC-SHA
Mar 23 18:15:27.188: ISAKMP: key length is 128
Mar 23 18:15:27.188: ISAKMP:(6986):atts are acceptable.
Mar 23 18:15:27.188: ISAKMP:(6986): IPSec policy invalidated proposal with error 4
Mar 23 18:15:27.188: ISAKMP:(6986): phase 2 SA policy not acceptable! (local XXX.XXX.XXX remote XXX.XXX.XXX)
Another weird thing is that "show crypto session" is not showing anything.
Mobile VPN clients can't connect either.
Could it be an IOS bug?
Thanks for support.
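An added example, not part of any post in this thread: a small Python parser for the ISAKMP debug output quoted above, which groups the lines of each phase 2 proposal and separates the transform attribute check from the later IPsec policy decision. The function name `parse_phase2` and the field names are assumptions made for this illustration.

```python
import re
# Sample input: the debug lines quoted in the post (addresses redacted there).
SAMPLE = """\
Mar 23 18:15:27.188: ISAKMP:(6986):Checking IPSec proposal 1
Mar 23 18:15:27.188: ISAKMP: transform 1, ESP_AES
Mar 23 18:15:27.188: ISAKMP: attributes in transform:
Mar 23 18:15:27.188: ISAKMP: encaps is 2 (Transport)
Mar 23 18:15:27.188: ISAKMP: SA life type in seconds
Mar 23 18:15:27.188: ISAKMP: SA life duration (basic) of 3600
Mar 23 18:15:27.188: ISAKMP: SA life type in kilobytes
Mar 23 18:15:27.188: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 23 18:15:27.188: ISAKMP: authenticator is HMAC-SHA
Mar 23 18:15:27.188: ISAKMP: key length is 128
Mar 23 18:15:27.188: ISAKMP:(6986):atts are acceptable.
Mar 23 18:15:27.188: ISAKMP:(6986): IPSec policy invalidated proposal with error 4
Mar 23 18:15:27.188: ISAKMP:(6986): phase 2 SA policy not acceptable! (local XXX.XXX.XXX remote XXX.XXX.XXX)
"""
PREFIX = re.compile(r"ISAKMP:\s*(?:\((\d+)\):\s*)?(.*)$")

def parse_phase2(log):  # returns one dict per 'Checking IPSec proposal' block
    proposals, cur, life_type = [], None, None
    for line in log.splitlines():
        m = PREFIX.search(line)
        conn, msg = (m.group(1), m.group(2).strip()) if m else (None, "")
        if msg.startswith("Checking IPSec proposal"):
            cur = {"conn": conn, "proposal": int(msg.split()[-1]),
                   "atts_ok": False, "policy_error": None, "rejected": False}
            proposals.append(cur)
        elif cur is None:
            continue  # not inside a phase 2 proposal yet
        elif msg.startswith("transform"):
            cur["transform"] = msg.split(",")[1].strip()
        elif msg.startswith("SA life type in"):
            life_type = msg.split()[-1]
        elif msg.startswith("SA life duration"):
            raw = msg.split(" of ")[1].split()
            # (VPI) values are printed as big-endian octets, (basic) as decimal
            cur[f"life_{life_type}"] = (int.from_bytes(bytes(int(b, 16) for b in raw), "big")
                                        if "(VPI)" in msg else int(raw[0]))
        elif msg.startswith(("encaps is", "authenticator is", "key length is")):
            cur[msg.split(" is ")[0]] = msg.split(" is ", 1)[1]
        elif msg.startswith("atts are acceptable"):
            cur["atts_ok"] = True
        elif "invalidated proposal with error" in msg:
            cur["policy_error"] = int(msg.split()[-1])
        elif "phase 2 SA policy not acceptable" in msg:
            cur["rejected"] = True
    return proposals
```

For the lines in the post, `parse_phase2(SAMPLE)` yields one proposal on connection 6986 with lifetimes of 3600 seconds and 4608000 kilobytes, `atts_ok` true, and the rejection recorded separately as policy error 4.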
03-23-2016 12:25 PM
Are you by chance using certificates?
If not, try giving the head end and perhaps one remote site a reboot.
What platform is your head end and what software version are you running on it?
03-23-2016 01:34 PM
I am not using certificates.
The router is a Cisco 2911 with IOS 15.2(4)M4.
It came back after rebooting the hub router.
Thank you Philip.
03-23-2016 01:36 PM
Yep, I have had issues with 15.2 myself. I would upgrade to 15.4(3)Mx.