cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
476
Views
0
Helpful
3
Replies

DMVPN stop working without any change

pierresantana
Level 1
Level 1

Hi,


I have configured a DMVPN between 13 sites and I use ipsec vpn to mobile clients. Today it simple stop working and it is saying that phase 2 SA policy not acceptable. That's the error:


Mar 23 18:15:27.188: ISAKMP:(6986):Checking IPSec proposal 1
Mar 23 18:15:27.188: ISAKMP: transform 1, ESP_AES
Mar 23 18:15:27.188: ISAKMP:   attributes in transform:
Mar 23 18:15:27.188: ISAKMP:      encaps is 2 (Transport)
Mar 23 18:15:27.188: ISAKMP:      SA life type in seconds
Mar 23 18:15:27.188: ISAKMP:      SA life duration (basic) of 3600
Mar 23 18:15:27.188: ISAKMP:      SA life type in kilobytes
Mar 23 18:15:27.188: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Mar 23 18:15:27.188: ISAKMP:      authenticator is HMAC-SHA
Mar 23 18:15:27.188: ISAKMP:      key length is 128
Mar 23 18:15:27.188: ISAKMP:(6986):atts are acceptable.
Mar 23 18:15:27.188: ISAKMP:(6986): IPSec policy invalidated proposal with error 4
Mar 23 18:15:27.188: ISAKMP:(6986): phase 2 SA policy not acceptable! (local XXX.XXX.XXX remote XXX.XXX.XXX)


Another wierd thing is that "show crypto session" is not showing nothing.


Mobile VPN clients can't connect to.


It could be a IOS bug?

Thanks for support.

3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

Are you buy chance using certificates?

If not, try giving the head end and perhaps one remote site a reboot.

What platform is your head end and what software version are you running on it?

I am not using certificates.

The router is a Cisco 2911 with IOS 15.2(4)M4.

It came back after reboot hub router.

Thank you Philip.

Yep, I have had issues with 15.2 myself.  I would upgrade to 15.4(3)Mx.