We have a Cisco 1841 Router acting as a group member in a GETVPN network. When this router reloads, the ISAKMP process always stays OFF (%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF) and only starts when we force it through a clear crypto gdoi command or by manually disabling/enabling the crypto map on the interface; otherwise Phase 1 never starts and the GM never registers to the KS. Other group members in the network do not have this problem and have the same ISAKMP policy and GDOI configuration.
All routers in the network have the same IOS (C1841-ADVIPSERVICESK9-M, Version 12.4(15)T8, RELEASE SOFTWARE (fc3)), but this problem is only present on one router.
A debug crypto isakmp was issued on the odd router, but it didn't show any information because ISAKMP is stuck. After we issued the clear crypto gdoi command, ISAKMP begins negotiation and authentication and the SA is finally established.
This is the router log after issuing a reload command:
*Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 01-Dec-08 13:52 by prod_rel_team
*Jan 27 10:51:44.699: %SNMP-5-COLDSTART: SNMP agent on host XXXXXXXX is undergoing a cold start
*Jan 27 10:51:44.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload = 130 seconds
This is the crypto configuration:
crypto isakmp policy 10
crypto gdoi group GETVPN
 identity number 10
 server address ipv4 a.b.c.d
 server address ipv4 x.y.z.x
crypto map GETVPN-MAP local-address FastEthernet0/1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
Thanks in advance.
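The log above shows the useful detection signal: after %SYS-5-RESTART the affected router logs "GDOI is ON" but never logs "ISAKMP is ON", so the GM cannot start Phase 1 or register with the KS. The following is an added example (not from the original thread, not Cisco code) that scans collector-side IOS syslog for group members in exactly that state. It assumes a host-prefixed line format ("<host> *Mon DD HH:MM:SS.mmm: %FAC-SEV-MNEMONIC: text"); the hostnames gm-bad, gm-good and gm-idle and all sample lines are constructed, and the %SYS-5-CONFIG_I lines are only there to advance the clock past the grace window.

```python
"""Added example (not from the original thread): flag GETVPN group members whose
ISAKMP process never came back up after a reload.

Only the mnemonics visible in the question are used for state tracking:
%SYS-5-RESTART, %CRYPTO-6-ISAKMP_ON_OFF and %CRYPTO-6-GDOI_ON_OFF.
"""
import re
from datetime import datetime

# Constructed sample: one GM stuck as in the question, one healthy GM, one idle router.
# The line-format (host prefix) and hostnames are assumptions, not from the thread.
SAMPLE_LOG = """\
gm-bad *Jan 27 10:51:44.695: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
gm-bad *Jan 27 10:51:44.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
gm-bad *Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
gm-bad *Jan 27 10:51:44.919: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
gm-bad *Jan 27 10:51:45.999: %SYS-6-BOOTTIME: Time taken to reboot after reload = 130 seconds
gm-bad *Jan 27 10:58:02.103: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
gm-good *Jan 27 10:52:10.001: %SYS-5-RESTART: System restarted --
gm-good *Jan 27 10:52:10.210: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
gm-good *Jan 27 10:52:10.210: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
gm-good *Jan 27 10:52:10.210: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
gm-good *Jan 27 10:52:11.500: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
gm-idle *Jan 27 10:40:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# "<host> *Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: free text"
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_ts(ts):
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def detect_stuck_gms(lines, grace_seconds=60):
    """Return {host: status} where status is one of
    'ok', 'stuck', 'pending', 'crypto-off' or 'no-restart'."""
    state = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner/continuation lines (e.g. "Cisco IOS Software, ...") are skipped
        host, ts = m["host"], parse_ts(m["ts"])
        st = state.setdefault(
            host, {"restart": None, "isakmp_on": None, "gdoi_on": None, "last": ts}
        )
        st["last"] = max(st["last"], ts)  # any parsed line advances the host's clock
        mnemonic, text = m["mnemonic"], m["text"]
        if mnemonic == "SYS-5-RESTART":
            # A reload resets the crypto state we are tracking.
            st.update(restart=ts, isakmp_on=None, gdoi_on=None)
        elif mnemonic == "CRYPTO-6-ISAKMP_ON_OFF":
            st["isakmp_on"] = text.split()[-1] == "ON"
        elif mnemonic == "CRYPTO-6-GDOI_ON_OFF":
            st["gdoi_on"] = text.split()[-1] == "ON"

    results = {}
    for host, st in state.items():
        if st["restart"] is None:
            results[host] = "no-restart"
        elif st["isakmp_on"]:
            results[host] = "ok"
        elif (st["last"] - st["restart"]).total_seconds() < grace_seconds:
            results[host] = "pending"  # still inside normal boot-up time; don't alert yet
        elif st["gdoi_on"]:
            results[host] = "stuck"  # GDOI enabled but ISAKMP never came up: GM cannot register
        else:
            results[host] = "crypto-off"
    return results


if __name__ == "__main__":
    for host, status in sorted(detect_stuck_gms(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {status}")
```

The check deliberately treats "GDOI is ON" as insufficient: in the question's log it appears on the broken router too, and only the absence of a later "ISAKMP is ON" distinguishes it from a healthy group member. The grace window keeps a router that is simply still booting from being reported as stuck.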
There is a known issue with GETVPN that's fixed in 12.4(15)T10:
This causes the router to not register with the KS after a reload. However, it's specific to a GETVPN configuration, which 12.4 mainline code does not support. I would suggest you open a TAC case to have it investigated.