Hello Rob, thanks for responding.

So I just changed my configuration to have a static default route to ISP 1 (Primary) and a default route to ISP2 (back up) with an ad of 2 with crypto map applied to both interfaces.

I shut down the main ISP1 interface and the back up default route was installed to ISP2 but the tunnel just does not want to come up. I end up seeing no ikev2 SAs for the new/backup tunnel (goes from IN-NEG to being deleted) but I do have IPSec SA with incrementing errors on the back up ISP, and the old IPSEC sa associated with primary interface just stays up not doing anything.

If I could, I too would also turn this into a route-based VPN but it is not possible at the moment.

---

@Joebananas wrote:

but I do have IPSec SA with incrementing errors on the back up ISP, and the old IPSEC sa associated with primary interface just stays up not doing anything.

---

If you still have the old IPSec SA then Dead Peer Detection keepalives is not configured on the router, this will clear down the old SAs. Dead Peer Detection (DPD) is disabled by default. 

DPD can be configured under the IKEV2 profile or globally

crypto ikev2 profile profile-name
 dpd interval retry-interval {on-demand | periodic }

or

crypto ikev2 dpd interval retry-interval {on-demand | periodic }

Hello Rob,

I just was testing to see why that IPSEC SA was there still. It seems that even if the interface is shut down, as long as the crypto map is applied to the interface, that IPSEC SA populates with no ikev2 SA. Not sure if this is expected behavior or oddities due to being virtualized hardware.

Hello MHM,

What do you mean by LO?

I do have multiple peers configured on the ASA crypto map. The one that is second in the peer line never wants to work. If I flip the order as mentioned above, it comes up just fine.
crypto map set peer PEER1 PEER2

Peer1 is ISP1 which is the main VPN interface on the router. Once that interface is shut down, and the crypto map is applied to the PEER2 interface it never comes up. If I switch the ASA crypto map to crypto map set peer PEER2 PEER1 then it comes up but I cannot fail back over to primary interface because the same issue occurs here.

Yes I see I already run lab from Yesterday and hope figure out why it not work. 
I will update you soon 

Thank you for taking the time. Driving me crazy! Please do update me if you find a solution

Hello mhm!

how is that possible?

in my lab phase 1 and 2 settings are identical. I don’t have to change anything except the order of the peers on the ASA. The fact that it comes up when I do that, would imply that Dh group, phase 2, etc should be fine no?

Oh, you meaning that it work when the you change the Peer order ?
if Yes can you share the show ip route in router ?

ping from Router to ASA using the interface IP that is not work.

The route that the router takes is a default route. I’ve got one default route to isp1 (main vpn interface) being tracked by a track that pings the isp1 peer, and another to isp2 with an ad of 2. The second kicks in once I simulate a failover by shutting down the primary interface. The Asa is just using one default route out to the router connected to it and that router learns the peer ips through bgp. When peer 1 goes down, it is not pingable by Asa (which tears down the tunnel due to dpd) but peer 2 is pingable but the tunnel never comes up. I actually tested this on production equipment (asa ver 9.14) and it was the same behavior. The only difference between my lab and production is we tested the production environment with peer ips on two different devices but the behavior was the same regardless

in router we can not change the default route 
BUT 
we can config static route for ASA LAN toward ISP1 using track, track here is direct to ASA IP 
and config static route for ASA LAN toward ISP2 using high metric 

here if track to asa is UP then router will use ISP1 toward ASA, if down then it will use ISP2

try this if the track not work I will check EEM in router detect ISAKMP keepalive and shift traffic toward ISP2