I do not have an ASA to test with, so I have to ask folks in this forum. It would be helpful if folks have done this before or can test this to give me a definitive answer.
I have a Cisco ASR 1002, code XE 3.4.1, doing site-2-site VPN with an ASA managed by another company that I have no control over, running 8.3 (I think).
The site-2-site VPN is very easy and straightforward, as follows:
ip access-list extended companyX
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 ! pre-shared-key authentication is required for the isakmp key below to be used
 ! (assumed; the original post shows only the encryption line of the policy)
 authentication pre-share
!
crypto isakmp key cciesec address 220.127.116.11 no-xauth
! only main mode is accepted; aggressive-mode proposals are rejected
crypto isakmp aggressive-mode disable
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 match address companyX
 set peer 18.104.22.168
 set pfs group5
 set transform-set tset
 set security-association lifetime seconds 3600
!
! applied under the outside interface (interface name not shown in the post):
 crypto map vpn
So I disabled VPN aggressive mode on the ASR router; only main mode is allowed. I have no idea how the ASA is configured. The site-2-site VPN is working fine "most of the time". Sometimes, application folks reported that network 192.168.1.0/24 cannot communicate with network 10.0.1.0/24.
When the VPN tunnel is not working I am seeing this in the ASR log:
000927: Jan 8 02:47:20.535 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000928: Jan 8 05:33:24.726 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000929: Jan 8 10:04:25.026 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000930: Jan 8 11:12:55.819 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
I know Aggressive Mode on the ASA can be turned off with "crypto isakmp am-disable", but I do not control the ASA.
Does this mean that the ASA, by default, enables Aggressive Mode? Without turning it off, will it cause issues with my site-2-site VPN because the ASR does not allow aggressive mode?
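One way to find out whether the reported outages line up with the %CRYPTO-5-IKMP_AG_MODE_DISABLED messages is to parse the ASR's "show logging" output and check each outage report against the nearest rejection. The script below is an added example, not part of the original post: it parses IOS/IOS-XE syslog lines into structured records, filters the aggressive-mode rejections, and matches constructed outage-report times against them within a configurable window. The log sample embeds the four lines from the post plus one unrelated %SYS-5-CONFIG_I line (constructed) so the filter has something to ignore; the year (2012) is an assumption, because IOS timestamps carry no year.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Cisco IOS/IOS-XE syslog line as shown by "show logging":
#   <seq>: <Mon dd hh:mm:ss.mmm> <tz>: %FACILITY-SEVERITY-MNEMONIC: text
IOS_SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)\s+"
    r"(?P<tz>\w+):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

# Mnemonic the ASR logs when a peer proposes aggressive mode while it is disabled.
AGGRESSIVE_MODE_MNEMONIC = "IKMP_AG_MODE_DISABLED"

# Constructed sample: the four lines quoted in the post plus one unrelated message.
SAMPLE_LOG = """\
000927: Jan 8 02:47:20.535 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000928: Jan 8 05:33:24.726 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000929: Jan 8 10:04:25.026 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000930: Jan 8 11:12:55.819 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000931: Jan 8 11:30:02.104 gmt: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Assumed year: IOS timestamps do not carry one, so the caller must supply it.
ASSUMED_YEAR = 2012


def parse_ios_syslog(line: str, year: int) -> Optional[Dict]:
    """Parse one IOS syslog line; return None for lines that do not match."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts_text = m.group("ts")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts_text else "%b %d %H:%M:%S"
    ts = datetime.strptime(ts_text, fmt).replace(year=year)
    return {
        "seq": int(m.group("seq")),
        "timestamp": ts,
        "tz": m.group("tz"),
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def aggressive_mode_rejections(lines: Iterable[str], year: int) -> List[datetime]:
    """Timestamps of every aggressive-mode rejection in the log, in order."""
    events = []
    for line in lines:
        rec = parse_ios_syslog(line, year)
        if rec and rec["mnemonic"] == AGGRESSIVE_MODE_MNEMONIC:
            events.append(rec["timestamp"])
    return events


def correlate_outages(events: List[datetime], reports: List[datetime],
                      window_minutes: int = 15) -> Dict[datetime, Optional[datetime]]:
    """For each reported outage, the nearest rejection within the window, or None."""
    window = timedelta(minutes=window_minutes)
    result: Dict[datetime, Optional[datetime]] = {}
    for report in reports:
        nearest = min(events, key=lambda e: abs(e - report), default=None)
        result[report] = nearest if nearest and abs(nearest - report) <= window else None
    return result


if __name__ == "__main__":
    rejections = aggressive_mode_rejections(SAMPLE_LOG.splitlines(), ASSUMED_YEAR)
    # Constructed outage reports from the application team (not from the post).
    reports = [datetime(ASSUMED_YEAR, 1, 8, 2, 50),
               datetime(ASSUMED_YEAR, 1, 8, 8, 0),
               datetime(ASSUMED_YEAR, 1, 8, 11, 20)]
    for report, hit in correlate_outages(rejections, reports).items():
        status = f"rejection at {hit.time()}" if hit else "no rejection nearby"
        print(f"outage reported {report.time()} -> {status}")
```

If every outage report lands within a few minutes of a rejection, the aggressive-mode proposals from the peer are the thing to raise with the ASA's operators; reports with no nearby rejection point at a different cause (SA lifetime expiry, routing, or the peer-address mismatch) and are worth checking separately.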