
Cisco ASA automatic tunnel establishment

ichernyshkov

Hello.

Is there an option to turn on automatic IPSec tunnel establishment on the ASA? How can we generate interesting traffic from the ASA itself?

Ping from the inside interface works all right, but if I try to enable IP SLA Tracking for the same traffic it fails.

A packet with dst 172.16.120.1 and src of the inside interface address is interesting for the IPSec policy.

ASA-1# sh sla mon configuration
SA Agent, Infrastructure Engine-II
Entry number: 10
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.16.120.1
Interface: inside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 4
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 18
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): 120
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ASA-1# sh sla mon operational-state
Entry number: 10
Modification time: 12:59:12.448 UTC Mon Jan 13 2020
Number of Octets Used by this Entry: 2056
Number of operations attempted: 2
Number of operations skipped: 0
Current seconds left in Life: 98
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 12:59:30.453 UTC Mon Jan 13 2020
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

ASA-1# ping inside 172.16.120.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.120.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Accepted Solutions

Hi,

You can use an EEM script, example here.

HTH


That will do. Thank you.