02-07-2024 06:26 AM
Hi to all,
I am trying to implement a site-to-site IPsec VPN between an FTD-HA pair and a Cisco 2821.
Till now I haven't succeeded in doing so, but before starting to dig deeper I would like to ask you if any special licenses are needed for this.
Currently we have the licenses you can see in the picture attached.
Thanks,
Ditter
02-12-2024 11:36 AM
There is nothing between the VPN router and the FTD because, as you can see during the negotiation, the ISAKMP packet reaches the FTD
ISAKMP: Created a peer struct for 192.168.64.17, peer port 500 <----- FTD
and then
insert sa successfully sa = 4A7F35C4
Feb 12 18:49:54.195: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 12 18:49:54.195: ISAKMP:(0):found peer pre-shared key matching 192.168.64.17 <-- FTD
That all shows that traffic reaches the FTD side.
The retransmission was due to the fact that there was an ongoing ping and the ISAKMP was trying to restore itself after the first ICMP timeout.
The environment is a lab; there is no NAT anywhere, I am just trying to set it up in order to deploy it later in the real world.
>>NAT-T is disabled on the FTD and needs to be enabled.
What exactly do you mean?
02-12-2024 12:32 PM
@Ditter ok, that's fine, I was just seeking clarification as to your setup. As it's a lab and traffic to the private IP address is routable, then NAT-T does not apply.
Those messages in your last debugs were the initial MM1 messages from the initiator sent to the FTD, which did not receive a response and were retransmitted. Packet capture on the FTD would confirm if the IKE packet was even received.
02-12-2024 12:47 PM
I think that the problem is somewhere in the following output of the FTD, where no decrypted packets leave the FDM to go to the client 192.168.90.60.
@MHM Cisco World please check it also yourself
> show crypto ipsec sa
interface: vlan_26
Crypto map tag: CSM_vlan_26_map, seq num: 1, local addr: 192.168.64.17
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.90.32 255.255.255.224 192.168.105.176 255.255.255.240
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (192.168.90.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.105.176/255.255.255.240/0/0)
current_peer: 192.168.64.53
#pkts encaps: 161, #pkts encrypt: 161, #pkts digest: 161
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <--------????????????
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 161, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
02-12-2024 12:58 PM - edited 02-12-2024 01:02 PM
@Ditter as before, this output would be from when the FTD established the tunnel, but the router has send errors? So therefore nothing would be decrypted on the FTD. One reason this can happen is if ESP is blocked in one direction: the SAs can be established but counters do not increase (in one direction). Traffic from the router is the likely problem, or an issue with the router itself. Do you have another device that is newer than the ISR G1 router you can try?
02-12-2024 01:13 PM
I will try to find another router (not sure if I have newer routers in my ...arsenal).
I will make a try and come back with updates.
Thanks for your time and effort !!
02-12-2024 10:57 AM
Can I see the No-NAT and ACL you use in FTD
MHM
02-12-2024 11:29 AM
Hi, I send you a | inc from the CLI; the FTD has no NAT rule.
> show running-config | include NAT
>
I do not know if you mean something different. I also sent in my previous thread some screenshots of the FMC where I manage the FTD. Please take a look at them.
AT
02-12-2024 11:38 AM
On this new FTD there is no NAT at all?
What I mean about the ACL in the FTD is: you mentioned that you allow traffic between the local and remote LAN; can I see the ACL you use?
MHM
02-12-2024 12:37 PM
CISCO ROUTER SIDE
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key <omitted> address 192.168.64.17
crypto isakmp keepalive 30
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 192.168.64.17
set transform-set TS
match address VPN-TRAFFIC
and
ip access-list extended VPN-TRAFFIC
permit ip 192.168.105.176 0.0.0.15 192.168.90.32 0.0.0.31
At the FTD side I have configured the following:
crypto map CSM_vlan_26_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_vlan_26_map 1 set peer 192.168.64.53
crypto map CSM_vlan_26_map 1 set ikev1 transform-set CSM_TS_1
crypto map CSM_vlan_26_map 1 set security-association lifetime seconds 86400
crypto map CSM_vlan_26_map 1 set reverse-route
crypto map CSM_vlan_26_map interface vlan_26
and
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.90.32 255.255.255.224 192.168.105.176 255.255.255.240
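Two checks that follow from this configuration and from the `show crypto ipsec sa` output posted earlier in the thread, as an added Python example that is not part of the thread and not Cisco's code: it verifies that the router's wildcard-mask crypto ACL is an exact mirror of the FTD's netmask ACL, and it classifies the FTD's encaps/decaps counters so that the "encrypt increases, decrypt stays at 0" pattern is flagged as one-way traffic. The function names are this example's own; the ACE strings and the counter excerpt are copied from the thread and embedded as constructed input.

```python
"""Added example (not from the thread): two sanity checks for the IKEv1
site-to-site setup above.

1. Does the router's wildcard-mask crypto ACL mirror the FTD's netmask ACL?
2. Do the `show crypto ipsec sa` counters show one-way traffic (packets
   encrypted locally but nothing decrypted), which is the symptom reported?
Function names and the sample text are this example's own.
"""
import ipaddress
import re

# Crypto ACEs as posted in the thread. IOS uses wildcard (inverted) masks,
# the FTD (ASA syntax) uses ordinary netmasks.
ROUTER_ACE = "permit ip 192.168.105.176 0.0.0.15 192.168.90.32 0.0.0.31"
FTD_ACE = ("access-list CSM_IPSEC_ACL_1 extended permit ip "
           "192.168.90.32 255.255.255.224 192.168.105.176 255.255.255.240")

# Constructed excerpt of the FTD's `show crypto ipsec sa` counters
# (numbers copied from the thread's output).
FTD_SA_OUTPUT = """\
    #pkts encaps: 161, #pkts encrypt: 161, #pkts digest: 161
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""

ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def ios_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network; the wildcard is the inverted netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def asa_network(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """ASA/FTD 'address netmask' -> network."""
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_ios_ace(line: str):
    src, smask, dst, dmask = ACE_RE.search(line).groups()
    return ios_network(src, smask), ios_network(dst, dmask)


def parse_asa_ace(line: str):
    src, smask, dst, dmask = ACE_RE.search(line).groups()
    return asa_network(src, smask), asa_network(dst, dmask)


def acls_mirror(router_ace: str, ftd_ace: str) -> bool:
    """True when the router's (src, dst) equals the FTD's (dst, src) exactly.

    A crypto ACL that is not an exact mirror gives proxy-ID mismatches in
    Phase 2, or traffic that is encrypted on one side and dropped on the other.
    """
    r_src, r_dst = parse_ios_ace(router_ace)
    f_src, f_dst = parse_asa_ace(ftd_ace)
    return (r_src, r_dst) == (f_dst, f_src)


def parse_ipsec_counters(text: str) -> dict:
    """Pull the encaps/decaps and error counters out of `show crypto ipsec sa`."""
    counters = {}
    for key in ("encaps", "decaps"):
        m = re.search(rf"#pkts {key}: (\d+)", text)
        counters[key] = int(m.group(1)) if m else 0
    for key in ("send", "recv"):
        m = re.search(rf"#{key} errors: (\d+)", text)
        counters[f"{key}_errors"] = int(m.group(1)) if m else 0
    return counters


def diagnose(counters: dict) -> str:
    """Classify the SA's traffic pattern from the counters."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "idle"              # SA up but no interesting traffic matched
    if enc > 0 and dec == 0:
        return "one-way-outbound"  # we send ESP, the peer's ESP never decrypts here
    if dec > 0 and enc == 0:
        return "one-way-inbound"
    return "bidirectional"


if __name__ == "__main__":
    print("crypto ACLs mirror:", acls_mirror(ROUTER_ACE, FTD_ACE))
    c = parse_ipsec_counters(FTD_SA_OUTPUT)
    print(c, "->", diagnose(c))
```

Run against the thread's own values the ACL check passes (the two ACEs are exact mirrors, so the crypto ACL is not the cause), and the counters classify as one-way outbound, which is consistent with the reply that ESP from the router is not being received or decrypted on the FTD; the next step in that case is a packet capture for ESP on the FTD's vlan_26 interface rather than more IKE debugging.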
02-11-2024 08:47 AM
@Ditter why have you got the route below? Traffic should be routed to the next hop 192.168.64.54 and it should route onward.
ip route 192.168.90.32 255.255.255.224 192.168.64.17
Remove it.
02-11-2024 09:06 AM
I had this route in order to send the interesting traffic via 192.168.64.17, which is the FTD VPN side.
But as per your advice I removed it, and now the tunnel tries to come up but it does not come up:
Router#ping 192.168.90.60 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.90.60, timeout is 2 seconds:
Packet sent with a source address of 192.168.105.177
.....
Success rate is 0 percent (0/5)
Router#
Router#
Router#
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.64.17 192.168.64.53 MM_NO_STATE 0 ACTIVE
Router#
Feb 11 17:02:16.640: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.64.53, remote 192.168.64.17)
Feb 11 17:02:16.640: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 11 17:02:16.640: ISAKMP: Error while processing KMI message 0, error 2.
02-11-2024 07:57 AM
Just did one more retry from the Cisco side to the FTD:
The debug output is the following:
ping 192.168.90.60 source fastEthernet 0/1
where on fastethernet 0/1 exists the vpn policy.
Feb 11 15:53:34.030: ISAKMP:(0): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
Feb 11 15:53:34.030: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.168.64.17)
Feb 11 15:53:34.030: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_negotiating since it's already 0.
Feb 11 15:53:34.030: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.168.64.17)
02-13-2024 01:53 AM
This is a lab, so let me summarize again:
- DH group is not an issue here
- you use static IPs, not IPs assigned via DHCP
- there is no NAT at all in the FTD (new FTD)
- you already clicked bypass ACP for VPN, that's great, so there is no need for an ACL from OUT to IN
- keepalive in the screenshot is not enabled, enable it please
Last thing: maybe we are looking in a different direction.
Can you disconnect the FTD HA and make the VPN between the active FTD and the router?
It can be that the router sends to the standby, not to the active, but let's check this also.
thanks
MHM
02-13-2024 02:30 AM
Thanks,
1. DH is 14 on both sides
2. Static IPs on both sides - no firewall between them
3. FTD is running version 7.2.5 - configured via FMC (FTDs are 2140s)
4. Please refer to the screenshot to see how I enable the bypass ACP for VPN; I suppose that is what you mean
5. Not sure what keepalive you mean, it is in enabled state (please refer to screenshot vpn-7.png); is it something else I should enable?
As far as the HA is concerned, I am sure that the VPN hits FTD-1 and not the standby FTD-2, as I saw it from some troubleshooting info from within the FMC.
In order to recap:
The tunnel does not come up when pinging from the router side (it tries, but the ISAKMP SA does not come to idle state).
The tunnel only comes up when I initiate from the FTD side (although configured as bidirectional), and while the ping is running I see the following:
IPsec encrypt/decrypt counters increase on the router side BUT only IPsec encrypt counters increase on the FTD side. The decrypt counters do not increase on the FTD side.
If it is an IOS/old router problem I have to find a newer one and check again with the same settings as discussed with @Rob Ingram