Symptom
DH key computation fails while a DMVPN hub is processing IKE_SA_INIT.
The output of "sh crypto ikev2 diagnose error count" shows the "DH public key computation failed" counter increasing:
#sh crypto ikev2 diagnose error count
IKEv2 error counters:
A supplied parameter is incorrect : 101
Failed to find a matching policy : 3
Failed to locate an item in the database : 3
Failed to validate the certificate : 7
Detected an invalid IKE SPI : 76
Packet is a retransmission : 3189
Negotiation context locked currently in use : 17169
Error encountered while navigating State Machine : 403
Could not find neg context : 20
Failed to receive the AUTH msg before the timer expired : 21
Maximum number of retransmissions reached : 4750
Initial exchange failed : 91838
Auth exchange failed : 28
Negotiating limit reached, deny SA request : 5
DH public key computation failed : 91836 <====== Keeps increasing; the debugs also show that DH computation is failing.
Creation/Installation of IPsec SA into IPsec DB failed : 3
Conditions
May occur after the hub router experiences an mcplo-ucode crash, once the ESP has recovered from the crash.
Further Problem Description
The DH failures may also occur without an associated crash. SSH and RSA operations may fail for the same reason.
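One way to confirm the "keeps increasing" symptom is to compare two captures of the counter output. The following is an added example, not Cisco code: the function names are hypothetical, the earlier snapshot's values are constructed, and the later snapshot uses values from the output above.

```python
import re

DH_COUNTER = "DH public key computation failed"

# Earlier snapshot: constructed values for illustration.
SNAPSHOT_T0 = """\
IKEv2 error counters:
Initial exchange failed : 90210
Auth exchange failed : 28
DH public key computation failed : 90208
"""

# Later snapshot: counter values as shown in the output above.
SNAPSHOT_T1 = """\
IKEv2 error counters:
Initial exchange failed : 91838
Auth exchange failed : 28
DH public key computation failed : 91836
"""

def parse_counters(text):
    """Return {counter name: value}; prompt and header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\b", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def counter_deltas(before, after):
    """Growth per counter between two snapshots; unchanged counters omitted."""
    deltas = {}
    for name, now in after.items():
        prev = before.get(name, 0)
        # Assumption: a lower value means the counters were cleared or reset.
        grown = now - prev if now >= prev else now
        if grown:
            deltas[name] = grown
    return deltas

def dh_failures_growing(before_text, after_text):
    """True when the DH failure counter rose between the two snapshots."""
    deltas = counter_deltas(parse_counters(before_text), parse_counters(after_text))
    return deltas.get(DH_COUNTER, 0) > 0

if __name__ == "__main__":
    d = counter_deltas(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    for name, grown in sorted(d.items(), key=lambda kv: -kv[1]):
        print(f"{grown:>8}  {name}")
```

With these two snapshots, "Initial exchange failed" and "DH public key computation failed" grow by the same amount, which matches the near-identical totals in the output above.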