
FTD VPN: one node in mesh showing "IKE not enabled on <if name> interface"

I am running FTD 6.2.2.1 on several ASA devices (5506W-X, 5508-X, 5515-X) and have them controlled by FMC, also at 6.2.2.1.  I need a site-to-site VPN between two specific devices (a 5506W and a 5508) to allow cross-location services between the two sites.  While I was setting it up I went ahead and opted into a full VPN mesh so that each location could more readily communicate with the others.  The problem described below appears on a simple site-to-site VPN as well as the full mesh VPN design; I only mention the mesh so that I may also point out that the VPN config on each of the devices is built from the same FMC object, and the error only shows on one device (a 5508).
I have set up the VPN object in FMC with an outside interface on each device.  The VPN is currently set to allow both IKEv1 and IKEv2, but this happens regardless of the IKE version.  The NAT policies on each device are configured to prevent address translation when transiting to a VPN-ed remote network, and the access policies allow these networks to talk to one another.  Each device also has routes to the VPN-ed networks that point to the outside interface on the remote ASA/FTD unit.  To me an important point is that I am only seeing this issue on one device (a 5508) while the others (one of which is also a 5508) are setting up the tunnel as expected.
When I do a `debug crypto <all the usual suspects>`, then attach to the diag console on the failing device and issue a ping from within its local network to a VPN-ed network (the one link I care most about right now), I see the following message.

Feb 22 14:48:31 [IKE COMMON DEBUG]Tunnel Manager failed to dispatch a KEY_ACQUIRE message. IKE not enabled on att_fiber interface

Where att_fiber is my overly non-creative name for the outside interface that is connected via AT&T Fiber.  The att_fiber interface is the one that is used in the VPN configuration, and is the outside interface that handles the route to the remote network.
From this I think the crypto mapping is correct (elsewise the tunnel manager wouldn't even attempt to set up a key negotiation).  But, for the life of me, I can't figure out 1) how IKE would be not enabled, or 2) how to fix the issue.  I also can't find any mention of "IKE not enabled on" anywhere online...
Does anyone have any clues about where to start to get this squared away?
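The debug line in the post says the crypto map on `att_fiber` is present but IKE is not enabled on that interface. In ASA-style configuration (which FTD exposes through `show running-config` on the diag CLI) those are two separate statements: `crypto map <name> interface <nameif>` binds the map, and `crypto ikev1 enable <nameif>` / `crypto ikev2 enable <nameif>` turn the IKE listeners on for that interface. The following script is an added example, not code from the original post or from Cisco; it audits a set of running-config excerpts for exactly that mismatch so that the odd node in a mesh can be spotted by comparison rather than by reading each config by hand. The device names, interface names, peer addresses and the config text itself are constructed sample data; the assumption that FMC pushes these same ASA-style lines to each FTD node is mine, and the check is only as good as the config text you feed it.

```python
import re

# Constructed sample running-config excerpts for two hypothetical mesh nodes.
# "site-a" has the crypto map bound to "outside" and both IKE versions enabled there.
# "site-b" has the crypto map bound to "att_fiber" but IKE only enabled on "inside",
# which is the shape of configuration that would produce the "IKE not enabled" debug.
SAMPLE_CONFIGS = {
    "site-a": """
interface GigabitEthernet1/1
 nameif outside
crypto map s2s_map 1 match address s2s_acl
crypto map s2s_map 1 set peer 203.0.113.20
crypto map s2s_map interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
""",
    "site-b": """
interface GigabitEthernet1/1
 nameif att_fiber
crypto map s2s_map 1 match address s2s_acl
crypto map s2s_map 1 set peer 203.0.113.10
crypto map s2s_map interface att_fiber
crypto ikev1 enable inside
""",
}

# Standard ASA syntax for binding a crypto map and enabling IKE on a named interface.
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
IKE_EN_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")


def audit_ike_bindings(config_text, expected=("ikev1", "ikev2")):
    """Return findings for every interface that carries a crypto map but is missing
    one or more of the expected IKE versions. An empty list means the node is consistent."""
    mapped = {}  # nameif -> crypto map name bound to it
    ike = {}     # nameif -> set of IKE versions enabled on it
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MAP_IF_RE.match(line)
        if m:
            mapped[m.group(2)] = m.group(1)
            continue
        m = IKE_EN_RE.match(line)
        if m:
            ike.setdefault(m.group(2), set()).add(m.group(1))

    findings = []
    for nameif, map_name in sorted(mapped.items()):
        enabled = ike.get(nameif, set())
        if not enabled:
            findings.append(f"{nameif}: crypto map {map_name} bound but no IKE version enabled")
            continue
        missing = sorted(set(expected) - enabled)
        if missing:
            findings.append(
                f"{nameif}: crypto map {map_name} bound but {', '.join(missing)} not enabled"
            )
    return findings


def audit_fleet(configs, expected=("ikev1", "ikev2")):
    """Run the audit over every node and return {node_name: [findings]}, so the one
    inconsistent node in a mesh stands out next to its peers."""
    return {name: audit_ike_bindings(text, expected) for name, text in configs.items()}


if __name__ == "__main__":
    for node, findings in audit_fleet(SAMPLE_CONFIGS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{node}: {status}")
```

Because every node in the mesh is built from the same FMC object, a difference in the `crypto ikev1 enable` / `crypto ikev2 enable` lines between the working 5508 and the failing one is the kind of thing this comparison is meant to surface; the `expected` tuple should match whatever the VPN topology is actually set to allow.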