Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-to-Site VPN

I customer of us have a lot of branch offices that all connect though VPN Tunnel with on both side a Cisco router. Except voor 2 branch offices the have a fortigate firewall the connection have worked before but the last 3 weeks the connection won't get up. And get following message when I use the debug command: debug crypto isakmp error and debug crypot ipsec

168981: May 15 09:53:13.113 CETDST: ISAKMP:(2289):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer <IP OTHER SIDE)

168982: May 15 09:53:13.113 CETDST: ISAKMP (0:2289): FSM action returned error: 2

Can anyone tell me what the error message mean and how I can fix it.


Re: Site-to-Site VPN


I looked this up , it sounds as a symptom that is documented in bugID# CSCsh20354

If you have smarnet open a TAC case to confirm.

Look at your IOS version code and compare it with 1st Found-In and Known Affected Versions in bellow link.

CSCsh20354 Bug Details

client does not receive mode config data

Symptom 1: A third-party vendor VPN client may not be able to establish a VPN tunnel to a Cisco router. When you enable the debug crypto isakmp command on the Cisco router, the output shows the following:

ISAKMP:(0:4:HW:2):No IP address pool defined for ISAKMP!

ISAKMP:(0:4:HW:2):deleting SA reason "Fail to allocate ip address" state (R)

CONF_ADDR (peer x.x.x.x)

Symptom 2: Although a third-party vendor VPN client can establish a VPN

tunnel to a Cisco router, the client receives only an IP address but no DNS

configuration, split-tunnel information, or other data during the mode

configuration phase. In this situation, the debug output does not show any


Conditions: Both of these symptoms are observed only when a third-party

vendor VPN client connects to a Cisco router that functions as a VPN server.


CreatePlease login to create content