
crypto ipsec profile command missing for IKEv2 VTI VPN


I have a 5506 with 9.8 (device 1). If I issue crypto ipsec ?, profile is not an option. This command appears to be needed for IKEv2 VTI to Azure route-based VPN. Device 2 does show the option with the same command. I cannot tell what feature set device 1 is missing. Any hints appreciated.
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec profile “some name”
device 1
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Device 2
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 300            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual


In ASA you don't use ipsec profile for IKEv2. This is used in IOS IKEv2.

According to this Cisco article, you do: "Configure ASA IPsec VTI Connection to Azure"


One device has the command and the other does not. I am assuming it is some license feature that explains the difference.






I bumped into the same problem and the answer is: you don't have crypto ipsec profile on a context.


A careful read at: has 2 tiny lines:

Context Mode

Supported in single mode only.


Hope it helps.