FTD VPN: one node in mesh showing "IKE not enabled on <if name> interface"
I am running FTD 188.8.131.52 on several ASA devices (5506W-X, 5508-X, 5515-X) and have them controlled by FMC, also at 184.108.40.206. I need a site-to-site VPN between two specific devices (a 5506W and a 5508) to allow cross-location services between the two sites. While I was setting it up I went ahead and opted into a full VPN mesh so that each location could more readily communicate with the others. The problem described below appears on a simple site-to-site VPN as well as the full mesh VPN design; I only mention the mesh so that I may also point out that the VPN config on each of the devices is built from the same FMC object, and the error only shows on one device (a 5508).
I have set up the VPN object in FMC with an outside interface on each device. The VPN is currently set to allow both IKEv1 and IKEv2, but this happens regardless of the IKE version. The NAT policies on each device are configured to prevent address translation when transiting to a VPN-ed remote network, and the access policies allow these networks to talk to one another. Each device also has routes to the VPN-ed networks that point to the outside interface on the remote ASA/FTD unit. To me an important point is that I am only seeing this issue on one device (a 5508) while others (one of which is also a 5508) are setting up the tunnel as expected.
When I do a debug crypto <all the usual suspects> then attach to the diag console on the failing device, and issue a ping from within its local network to a VPN-ed network (the one link I care most about right now) I see the following message.
Feb 22 14:48:31 [IKE COMMON DEBUG]Tunnel Manager failed to dispatch a KEY_ACQUIRE message. IKE not enabled on att_fiber interface
Where att_fiber is my overly non-creative name for the outside interface that is connected via AT&T Fiber. The att_fiber interface is the one that is used in the VPN configuration, and is the outside interface that handles the route to the remote network.
From this I think the crypto mapping is correct (elsewise the tunnel manager wouldn't even attempt to set up a key negotiation). But, for the life of me, I can't figure out 1) how IKE would not be enabled, or 2) how to fix the issue. I also can't find any mention of "IKE not enabled on" anywhere online...
Does anyone have any clues about where to start to get this squared away?