Symptom
The IKEv2 tunnel does not establish. One side of the exchange shows continual retransmissions in the debugs, while the other side times out waiting for a message from the peer.
The output of "show crypto ikev2 diagnose error" might contain the error "Failed to compute a hash value":
Router# sh cry ikev2 diagnose err
Error(2): Failed to compute a hash value
-Traceback= 1#504a05817403fc8af50b1518ca6b4f0b :7FDE28F13000+116BD203 :7FDE28F13000+1163EB5D :7FDE28F13000+1162BFAA :7FDE28F13000+1162BC18 :7FDE28F13000+115FAE54 :7FDE28F13000+11604881 :7FDE28F13000+1160C9D1 :7FDE28F13000+1160C648 :7FDE28F13000+1162876B :7FDE28F13000+11627E32 :7FDE28F13000+11621558 :7FDE28F13000+1169B248
Conditions
1) IKEv2 fragmentation configured - "crypto ikev2 fragmentation mtu x"
2) aes-gcm is used for encryption in the IKEv2 proposal, for example:
crypto ikev2 proposal aes-gcm-proposal
encryption [aes-gcm-256 | aes-gcm-128]
prf
group
3) IKEv2 fragmentation is actually invoked, i.e. an IKEv2 message exceeds the size configured with "crypto ikev2 fragmentation mtu x"
Workaround
1) Use an encryption and integrity combination in the ikev2 profile that does not use aes-gcm
2) Avoid having IKEv2 fragmentation invoked, for example by changing to pre-share authentication rather than rsa-sig authentication (certificate payloads make the IKE_AUTH message considerably larger)
3) Disable IKEv2 fragmentation and let IP fragment the message as needed
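To find devices whose configuration matches conditions 1 and 2 above (fragmentation configured together with an aes-gcm proposal), the following added example, which is not Cisco's code and not part of this bug report, parses a running-config excerpt and reports the proposals that would need workaround 1 or 3. The config text is constructed for illustration; condition 3 (a message actually exceeding the MTU) can only be confirmed from debugs, not from static configuration.

```python
import re

# Constructed sample running-config excerpt (not taken from the page or a real device).
SAMPLE_CONFIG = """\
crypto ikev2 proposal aes-gcm-proposal
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 proposal aes-cbc-proposal
 encryption aes-cbc-256
 integrity sha256
 prf sha256
 group 19
crypto ikev2 policy default-policy
 proposal aes-gcm-proposal
 proposal aes-cbc-proposal
crypto ikev2 fragmentation mtu 576
"""

def parse_ikev2_proposals(config):
    """Return {proposal_name: [encryption transforms]} from 'crypto ikev2 proposal' blocks."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev2 proposal (\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = []
        elif current is not None and line.startswith(" "):
            # Sub-mode line of the current proposal; 'encryption' may list several transforms.
            m = re.match(r"^\s+encryption\s+(.+)$", line)
            if m:
                proposals[current].extend(m.group(1).split())
        else:
            current = None  # any other top-level command ends the proposal block
    return proposals

def fragmentation_setting(config):
    """Return the configured IKEv2 fragmentation MTU, "default" if the command was
    entered without an explicit mtu, or None when fragmentation is not configured."""
    m = re.search(r"^crypto ikev2 fragmentation(?:\s+mtu\s+(\d+))?\s*$", config, re.MULTILINE)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else "default"

def check_gcm_fragmentation(config):
    """Flag the config as exposed when fragmentation is configured AND at least one
    proposal offers an aes-gcm encryption transform (conditions 1 and 2 of the bug)."""
    frag = fragmentation_setting(config)
    gcm = sorted(name for name, encs in parse_ikev2_proposals(config).items()
                 if any(e.startswith("aes-gcm") for e in encs))
    return {"fragmentation": frag, "gcm_proposals": gcm,
            "exposed": frag is not None and bool(gcm)}
```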
Further Problem Description