A customer of ours has a lot of branch offices that all connect through a VPN tunnel with a Cisco router on both sides, except for 2 branch offices that have a FortiGate firewall. The connection has worked before, but for the last 3 weeks the connection won't come up. I get the following message when I use the debug commands debug crypto isakmp error and debug crypto ipsec:
168981: May 15 09:53:13.113 CETDST: ISAKMP:(2289):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer <IP OTHER SIDE)
168982: May 15 09:53:13.113 CETDST: ISAKMP (0:2289): FSM action returned error: 2
Can anyone tell me what the error message means and how I can fix it?
I looked this up; it sounds like a symptom that is documented in bug ID CSCsh20354.
If you have SMARTnet, open a TAC case to confirm.
Look at your IOS version and compare it with the 1st Found-In and Known Affected Versions in the link below.
CSCsh20354 Bug Details
client does not receive mode config data
Symptom 1: A third-party vendor VPN client may not be able to establish a VPN tunnel to a Cisco router. When you enable the debug crypto isakmp command on the Cisco router, the output shows the following:
ISAKMP:(0:4:HW:2):No IP address pool defined for ISAKMP!
ISAKMP:(0:4:HW:2):deleting SA reason "Fail to allocate ip address" state (R)
CONF_ADDR (peer x.x.x.x)
Symptom 2: Although a third-party vendor VPN client can establish a VPN
tunnel to a Cisco router, the client receives only an IP address but no DNS
configuration, split-tunnel information, or other data during the mode
configuration phase. In this situation, the debug output does not show any
Conditions: Both of these symptoms are observed only when a third-party
vendor VPN client connects to a Cisco router that functions as a VPN server.