Site-to-Site VPN

Unanswered Question
May 15th, 2009

A customer of ours has a lot of branch offices that all connect through a VPN tunnel with a Cisco router on both sides, except for 2 branch offices that have a FortiGate firewall. The connection has worked before, but for the last 3 weeks the connection won't come up. I get the following message when I use the debug commands debug crypto isakmp error and debug crypto ipsec:

168981: May 15 09:53:13.113 CETDST: ISAKMP:(2289):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer <IP OTHER SIDE)

168982: May 15 09:53:13.113 CETDST: ISAKMP (0:2289): FSM action returned error: 2

Can anyone tell me what the error message means and how I can fix it?

JORGE RODRIGUEZ Sat, 05/16/2009 - 09:18


I looked this up; it sounds like a symptom that is documented in bug ID CSCsh20354.

If you have SMARTnet, open a TAC case to confirm.

Look at your IOS version code and compare it with the 1st Found-In and Known Affected Versions in the link below.

CSCsh20354 Bug Details

client does not receive mode config data

Symptom 1: A third-party vendor VPN client may not be able to establish a VPN tunnel to a Cisco router. When you enable the debug crypto isakmp command on the Cisco router, the output shows the following:

ISAKMP:(0:4:HW:2):No IP address pool defined for ISAKMP!

ISAKMP:(0:4:HW:2):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer x.x.x.x)

Symptom 2: Although a third-party vendor VPN client can establish a VPN tunnel to a Cisco router, the client receives only an IP address but no DNS configuration, split-tunnel information, or other data during the mode configuration phase. In this situation, the debug output does not show any

Conditions: Both of these symptoms are observed only when a third-party vendor VPN client connects to a Cisco router that functions as a VPN server.
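
An added example, not part of the original thread or of Cisco's bug note: a small Python triage script that scans saved debug crypto isakmp output for the Symptom 1 signature (SA deleted with reason "Fail to allocate ip address" in state CONF_ADDR) and groups the hits by peer, together with related messages for the same SA. The sample log is constructed from the message shapes quoted above with documentation addresses in place of the redacted peers, and reading the connection id as the second field of a multi-part SA tag is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: message shapes quoted in this thread, with RFC 5737
# documentation addresses standing in for the redacted peer addresses.
SAMPLE_LOG = '''\
168981: May 15 09:53:13.113 CETDST: ISAKMP:(2289):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 192.0.2.10)
168982: May 15 09:53:13.113 CETDST: ISAKMP (0:2289): FSM action returned error: 2
ISAKMP:(0:4:HW:2):No IP address pool defined for ISAKMP!
ISAKMP:(0:4:HW:2):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 198.51.100.7)
168990: May 15 09:54:01.002 CETDST: ISAKMP:(2290):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 192.0.2.10)
'''

# Matches "ISAKMP:(2289):msg", "ISAKMP (0:2289): msg" and "ISAKMP:(0:4:HW:2):msg".
MSG = re.compile(r'ISAKMP\s*:?\s*\(([\d:A-Z]+)\)\s*:\s*(.*)$')
DELETE = re.compile(r'deleting SA reason "([^"]*)" state \(\w\)\s+(\S+)\s+\(peer ([^)\s]+)\)')

def conn_id(sa_tag):
    """Normalise an SA tag to its connection id (assumption: 2nd field if multi-part)."""
    parts = sa_tag.split(":")
    return parts[0] if len(parts) == 1 else parts[1]

def triage(log_text):
    """Return {peer: [finding, ...]} for SAs deleted with the Symptom 1 signature."""
    notes = defaultdict(set)   # conn id -> related messages seen for that SA
    deletions = []             # (conn id, reason, state, peer)
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        cid, text = conn_id(m.group(1)), m.group(2)
        d = DELETE.search(text)
        if d:
            deletions.append((cid, d.group(1), d.group(2), d.group(3)))
        elif "No IP address pool defined" in text:
            notes[cid].add("no_pool_defined")
        elif "FSM action returned error" in text:
            notes[cid].add("fsm_error")
    findings = defaultdict(list)
    for cid, reason, state, peer in deletions:
        # Only the reason/state pair discussed in this thread counts as a hit.
        if reason == "Fail to allocate ip address" and state == "CONF_ADDR":
            findings[peer].append({"conn_id": cid, "related": sorted(notes[cid])})
    return dict(findings)

if __name__ == "__main__":
    for peer, hits in triage(SAMPLE_LOG).items():
        print(peer, hits)
```
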


