Site-to-Site VPN

ThaMaster · ‎05-15-2009

I customer of us have a lot of branch offices that all connect though VPN Tunnel with on both side a Cisco router. Except voor 2 branch offices the have a fortigate firewall the connection have worked before but the last 3 weeks the connection won't get up. And get following message when I use the debug command: debug crypto isakmp error and debug crypot ipsec

168981: May 15 09:53:13.113 CETDST: ISAKMP:(2289):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer <IP OTHER SIDE)

168982: May 15 09:53:13.113 CETDST: ISAKMP (0:2289): FSM action returned error: 2

Can anyone tell me what the error message mean and how I can fix it.

JORGE RODRIGUEZ · ‎05-16-2009

Martijn,

I looked this up , it sounds as a symptom that is documented in bugID# CSCsh20354

If you have smarnet open a TAC case to confirm.

Look at your IOS version code and compare it with 1st Found-In and Known Affected Versions in bellow link.

CSCsh20354 Bug Details

client does not receive mode config data

Symptom 1: A third-party vendor VPN client may not be able to establish a VPN tunnel to a Cisco router. When you enable the debug crypto isakmp command on the Cisco router, the output shows the following:

ISAKMP:(0:4:HW:2):No IP address pool defined for ISAKMP!

ISAKMP:(0:4:HW:2):deleting SA reason "Fail to allocate ip address" state (R)

CONF_ADDR (peer x.x.x.x)

Symptom 2: Although a third-party vendor VPN client can establish a VPN

tunnel to a Cisco router, the client receives only an IP address but no DNS

configuration, split-tunnel information, or other data during the mode

configuration phase. In this situation, the debug output does not show any

errors.

Conditions: Both of these symptoms are observed only when a third-party

vendor VPN client connects to a Cisco router that functions as a VPN server.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh20354

Regards

Jorge Rodriguez