IPSEC tunnel t-shoot for Phase II

The IPsec tunnel is not up: Phase 1 completes, but checking the ISAKMP status gives the following result:

ISR#sh crypto isakmp sa | i x.x.x.x
x.x.x.x x.x.x.x MM_NO_STATE 32112 ACTIVE (deleted)

ISR#debug crypto isakmp

.....
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):ID payload
Oct 17 10:35:02.045 GMT: ISAKMP: (32115): address : x.x.x.x
Oct 17 10:35:02.045 GMT: ISAKMP: (32115): protocol : 17
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Total payload length: 12
Oct 17 10:35:02.045 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 17 10:35:02.109 GMT: ISAKMP-PAK: (32115):received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 17 10:35:02.109 GMT: ISAKMP: (32115):processing ID payload. message ID = 0
Oct 17 10:35:02.109 GMT: ISAKMP: (32115):ID payload
Oct 17 10:35:02.109 GMT: ISAKMP: (32115): address : x.x.x.x
Oct 17 10:35:02.109 GMT: ISAKMP: (32115): protocol : 17
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing HASH payload. message ID = 0
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):received payload type 17
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing vendor id payload
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):vendor ID is DPD
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):SA authentication status:
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):SA has been authenticated with 217.168.2.25
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):IKE_DPD is enabled, initializing timers
Oct 17 10:35:02.112 GMT: ISAKMP: (32115):beginning Quick Mode exchange, M-ID of 4059749610
Oct 17 10:35:02.113 GMT: ISAKMP: (32115):QM Initiator gets spi
Oct 17 10:35:02.114 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Node 4059749610, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 17 10:35:02.186 GMT: ISAKMP-PAK: (32115):received packet from x.x.x.x dport 500 sport 500 Global (I) QM_IDLE
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):set new node 3638484499 to QM_IDLE
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):processing HASH payload. message ID = 3638484499
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):processing NOTIFY INVALID_ID_INFO protocol 1
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):peer does not do paranoid keepalives.
Oct 17 10:35:02.187 GMT: ISAKMP-ERROR: (32115):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x5)
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):deleting node 3638484499 error FALSE reason "Informational (in) state 1"
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 17 10:35:02.187 GMT: ISAKMP (32115): IPSec has no more SA's with this peer. Won't keepalive phase 1.
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):set new node 633615013 to QM_IDLE
Oct 17 10:35:02.188 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):purging node 633615013
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

The error highlighted above (the peer answers the Quick Mode proposal with NOTIFY INVALID_ID_INFO and the SA is deleted with "Recevied fatal informational") normally means that the Phase 1 negotiation completed but there is a mismatch in the Phase 2 parameters or in the VPN ACL. Typical causes of this error are:

1. PFS configured differently on the two sides.
2. SA lifetime configured differently on the two sides.
3. Incompatible ACL configuration on the two sides: a host or subnet permitted on one side is not permitted on the peer side.
4. etc.

“show crypto ipsec sa peer” shows the tunnel is up, but we get traffic errors as below:

host#sh crypto ipsec sa peer x.x.x.x

interface: GigabitEthernet0/0/0.100
Crypto map tag: xxx, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (10.32.34.23/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (23.33.42.11/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0

“send errors” can indicate a mismatched encryption domain, i.e. the crypto access-lists on both sides must match (each side's entries being the mirror image of the peer's).
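As an added example (not code from the original post), the script below scans constructed `debug crypto isakmp` lines for the INVALID_ID_INFO signature shown above and then compares both peers' Phase 2 settings for the three mismatches listed (PFS, SA lifetime, non-mirrored crypto ACL); all addresses and settings are constructed for the demonstration.

```python
# Constructed sample of the relevant debug lines from the post.
DEBUG_LINES = """\
ISAKMP: (32115):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP: (32115):beginning Quick Mode exchange, M-ID of 4059749610
ISAKMP: (32115):processing NOTIFY INVALID_ID_INFO protocol 1
ISAKMP-ERROR: (32115):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE
""".splitlines()

# Constructed Phase 2 settings for each side: PFS group, SA lifetime (seconds) and the
# crypto ACL as (source, destination) network pairs.
LOCAL = {"pfs": "group2", "lifetime": 3600,
         "acl": [("10.32.34.23/32", "23.33.42.11/32")]}
REMOTE = {"pfs": None, "lifetime": 3600,           # PFS off, ACL covers a /24 instead of the host
          "acl": [("23.33.42.11/32", "10.32.34.0/24")]}
REMOTE_OK = {"pfs": "group2", "lifetime": 3600,
             "acl": [("23.33.42.11/32", "10.32.34.23/32")]}


def phase2_failed(lines):
    """True when Phase 1 completed and the peer then answered the Quick Mode
    proposal with NOTIFY INVALID_ID_INFO: the signature of a Phase 2 / ACL mismatch."""
    p1_done = False
    for line in lines:
        if "New State = IKE_P1_COMPLETE" in line:
            p1_done = True
        elif p1_done and "NOTIFY INVALID_ID_INFO" in line:
            return True
    return False


def check_phase2(local, remote):
    """Compare the Phase 2 parameters of both peers and return the list of
    mismatches (empty when the two sides are compatible)."""
    problems = []
    if local["pfs"] != remote["pfs"]:
        problems.append(f"PFS mismatch: {local['pfs']} vs {remote['pfs']}")
    if local["lifetime"] != remote["lifetime"]:
        problems.append(f"SA lifetime mismatch: {local['lifetime']} vs {remote['lifetime']}")
    # The peer's crypto ACL must be the exact mirror image of the local one:
    # every local (src, dst) pair must appear as (dst, src) on the peer, and vice versa.
    mirrored = {(dst, src) for src, dst in remote["acl"]}
    for src, dst in local["acl"]:
        if (src, dst) not in mirrored:
            problems.append(f"local ACL entry {src} -> {dst} has no mirror on the peer")
    for src, dst in mirrored - set(local["acl"]):
        problems.append(f"peer ACL entry {dst} -> {src} has no match locally")
    return problems
```

Run `check_phase2(LOCAL, REMOTE)` to see the three findings that would explain the INVALID_ID_INFO above; against `REMOTE_OK` it returns an empty list.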
