Hi, I have previously tested OSPF with VTI (tunnel mode ipsec ipv4) and it does work. Can you confirm what doesn't work, do you mean the IKEv2 and IPSec SA are not formed or the OSPF adjacency isn't established? I noticed you have different MTU on your tunnel interfaces, make them the same value - this could stop OSPF adjacency forming. HTH ... View more

Hi, To access your local home network whilst connected to a VPN you would need to modify your split-tunnel configuration.   You need to modify AnyConnect XML file and change <LocalLanAccess UserControllable=”true”>true</LocalLanAccess> Create an ACL permitting from host to 0.0.0.0 and reference in your GP. access-list SPLIT-TUNNEL permit host 0.0.0.0   group-policy GP-1 attributes  split-tunnel-policy excludespecified  split-tunnel-network-list value SPLIT-TUNNEL   Here is another example HTH ... View more

Hi, As you are pinging through the ASA the icmp reply is pinging dropped. Use the command "fixup protocol icmp" to inspect icmp or alternatively you could create an ACL inbound on the outside interface permitting icmp echo-reply. HTH ... View more

Hi, I use unnumbered loopback on Hub and Spoke routers, never had an issue. This documentation says it is always required on a DVTI, but not necessary on a SVTI. You also have the option to configure the SVTI on the spoke as "ip address negotiated" which will receive an tunnel ip address from the hub once authorized.   HTH     ... View more

  Hi, Is the configuration you uploaded the latest and accurate?   In your IKEv2 Profile configuration, you have defined vanphong as the authorization profile, which does not exist. The name of your authorization policy is ikev2-auth-policy, you should change this IKEv2 Profile then you should receive the DNS configuration, the remote route etc as defined.   crypto ikev2 profile vanphong  aaa authorization group anyconnect-eap list a-eap-author-grp vanphong   crypto ikev2 authorization policy ikev2-auth-policy pool quantri dns 192.168.254.1 netmask 255.255.255.224 aaa attribute list AAA-attr route set remote ipv4 192.168.253.0 255.255.255.0 HTH ... View more

Hi, The example below will not nat traffic from your local network 192.168.203.x to the remote network FRD 192.168.208.x. This is similar to the nat configuration you already have in place for the destination network VPN. nat (inside,outside) source static LocalSubnet LocalSubnet destination static FRD FRD no-proxy-arp route-lookup HTH ... View more

Hi, Please provide your full configuration of the router for review Also please provide the output of the following command:- - show crypto ikev2 sa detail ... View more

Hi, You've not attached the configuration of the routers. Please also include the output from the commands below from the Hub and a Spoke routers - show ip route - show crypto ikev2 sa detailed ... View more

Hi, Have you confirmed with the other firewall that the crypto ACL to match the interesting traffic matches the exact networks you have configured on your ASA? They need to be the same   Also check the Phase 2 encryption/hash algorithms parameters are exactly the same on the PA firewall. ... View more

Hi, Your crypto ACL Outside2_cryptomap_1 is configured as "any4" for source, is the 3rd party VPN expecting that? .....I doubt it.   Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0 Remote host: 10.13.127.76 Protocol 0 Port 0   You should modify the source network in the ACL to only your local network - NETWORK_OBJ_10.9.0.0_16.   You should only need the 2nd NAT rule   nat (inside,Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup   ...it's probably hitting the rule #39 above the rule you are expecting it to hit.   After you've made those modifications, if it still does not work please provide more debugs. Your current debugs do provide enough information, try debug crypto ipsec aswell   HTH ... View more

Hi, Looks like on Palo Alto Firewalls IKEv2 DPD = Liveness check. This link here shows how to configure   Configure this on the PA, reboot the router and confirm whether this helps. If not please provide the full debugs from the router for analysis.   You may want to check on the PA whether there are still active IKEv2 SA's when the router is down ... View more