Cisco Bug: CSCuw28957 - DMVPN Hub has no Crypto Sockets in Listen state

Last Modified

Sep 27, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

15.2(4)M5.6 15.3(1)T1.1

Description (partial)

Symptom:
ISAKMP and IPsec debugs show:

ISAKMP (16354): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE      
ISAKMP: set new node -683631684 to QM_IDLE      
ISAKMP:(16354): processing HASH payload. message ID = 3611335612
ISAKMP:(16354): processing SA payload. message ID = 3611335612
ISAKMP:(16354):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 2 (Transport)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:(16354):atts are acceptable.
IPSEC(ipsec_process_proposal): proxy identities not supported
ISAKMP:(16354): IPSec policy invalidated proposal with error 32
ISAKMP:(16354): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)

ISAKMP: set new node 3763954 to QM_IDLE      
ISAKMP:(16354):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
	spi 591260944, message ID = 3763954
ISAKMP:(16354): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE      
ISAKMP:(16354):Sending an IKE IPv4 Packet.
ISAKMP:(16354):purging node 3763954
ISAKMP:(16354):deleting node -683631684 error TRUE reason "QM rejected"

The output of show crypto sockets shows no listening sockets:

Crypto Sockets in Listen state:

and established sockets will show empty IPsec Profiles:

IPSec Profile: ""

Conditions:
This issue has been observed on DMVPN Hubs with tunnel protection
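
A health check for the symptom above, added here as an example and not taken from Cisco: it scans captured "show crypto sockets" output and ISAKMP/IPsec debugs for the three signs quoted in this bug. The sample captures are constructed; only the listen header, the IPSec Profile line and the debug lines come from the bug text, and the remaining output layout, addresses and profile name are assumptions.

```python
import re

LISTEN_HDR = "Crypto Sockets in Listen state:"

# Constructed samples. Only the listen header and the IPSec Profile line come
# from the bug text; the other lines are assumed layout for illustration.
SOCKETS_AFFECTED = """\
   Tu0 Peers (local/remote): 192.0.2.1/198.51.100.7
       IPSec Profile: ""

Crypto Sockets in Listen state:
"""
SOCKETS_HEALTHY = """\
   Tu0 Peers (local/remote): 192.0.2.1/198.51.100.7
       IPSec Profile: "EXAMPLE-PROF"

Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "EXAMPLE-PROF" Map-name: "Tunnel0-head-0"
"""
DEBUG_SAMPLE = """\
ISAKMP:(16354):atts are acceptable.
IPSEC(ipsec_process_proposal): proxy identities not supported
ISAKMP:(16354): IPSec policy invalidated proposal with error 32
ISAKMP:(16354):deleting node -683631684 error TRUE reason "QM rejected"
"""

def check_sockets(text):
    """Return findings for captured 'show crypto sockets' output."""
    findings = []
    head, sep, listen = text.partition(LISTEN_HDR)
    # Flag only when the header is present; a truncated capture proves nothing.
    if sep and not listen.strip():
        findings.append("no crypto sockets in listen state")
    empty = len(re.findall(r'IPSec Profile:\s*""', head))
    if empty:
        findings.append(f"{empty} established socket(s) with empty IPsec profile")
    return findings

def count_qm_rejects(debug_text):
    """Count Quick Mode proposals rejected with the signature from the debugs."""
    return len(re.findall(r"proxy identities not supported", debug_text))

def matches_symptom(sockets_text, debug_text):
    """True when the socket state and the debug signature are both present."""
    return bool(check_sockets(sockets_text)) and count_qm_rejects(debug_text) > 0

if __name__ == "__main__":
    print(check_sockets(SOCKETS_AFFECTED), count_qm_rejects(DEBUG_SAMPLE))
```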