FTD VPN: one node in mesh showing "IKE not enabled on <if name> interface"
I am running FTD 184.108.40.206 on several ASA devices (5506W-X, 5508-X, 5515-X) and have them controlled by FMC also at 220.127.116.11. I need a site-to-site VPN between two specific devices (a 5506W and a 5508) to allow cross-location services between the two sites. While I was setting it up I went ahead and opted into a full VPN mesh so that each location could more readily communicate with the others. The problem described below appears on a simple site-to-site VPN as well as the full mesh VPN design; I only mention the mesh so that I may also point out that the VPN config on each of the devices is built from the same FMC object, and the error only shows on one device (a 5508).
I have set up the VPN object in FMC with an outside interface on each device. The VPN is currently set to allow both IKEv1 and IKEv2, but this happens regardless of the IKE version. The NAT policies on each device are configured to prevent address translation when transiting to a VPN-ed remote network, and the access policies allow these networks to talk one to another. Each device also has routes to the VPN-ed networks that point to the outside interface on the remote ASA/FTD unit. To me an important point is that I am only seeing this issue on one device (a 5508) while others (one of which is also a 5508) are setting up the tunnel as expected.
When I do a debug crypto <all the usual suspects> then attach to the diag console on the failing device, and issue a ping from within its local network to a VPN-ed network (the one link I care most about right now) I see the following message.
Feb 22 14:48:31 [IKE COMMON DEBUG]Tunnel Manager failed to dispatch a KEY_ACQUIRE message. IKE not enabled on att_fiber interface
Where att_fiber is my overly non-creative name for the outside interface that is connected via AT&T Fiber. The att_fiber interface is the one that is used in the VPN configuration, and is the outside interface that handles the route to the remote network.
From this I think the crypto mapping is correct (elsewise the tunnel manager wouldn't even attempt to set up a key negotiation). But, for the life of me, I can't figure out 1) how IKE would be not enabled, or 2) how to fix the issue. I also can't find any mention of "IKE not enabled on" anywhere online...
Does anyone have any clues about where to start to get this squared away?
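One way to narrow this down is to check, on the failing unit's `show running-config` output, whether the interface the crypto map is bound to actually has an IKEv1/IKEv2 `enable` line. The script below is an added example, not code from the original post or from Cisco; it parses ASA-style config text and reports any crypto-map interface with no IKE version enabled, using a constructed sample config (interface and map names are hypothetical). On FTD the config is pushed by FMC, so this is a read-only diagnostic, and any mismatch it finds would be corrected in the FMC VPN topology rather than at the CLI.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of an ASA/FTD-style running config (not from the post).
# The crypto map is bound to att_fiber, but IKE is only enabled on "inside":
# the kind of mismatch the "IKE not enabled on <if>" debug line points at.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif att_fiber
 security-level 0
crypto map att_fiber_map 1 match address vpn_acl
crypto map att_fiber_map 1 set peer 203.0.113.10
crypto map att_fiber_map interface att_fiber
crypto ikev2 enable inside
crypto ikev1 enable inside
"""

# "crypto map <name> interface <if>" binds a map to an interface.
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# "crypto ikev1|ikev2 enable <if>" turns IKE on for that interface.
IKE_EN_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (crypto map -> interface, IKE version -> enabled interfaces)."""
    map_ifaces: Dict[str, str] = {}
    ike_enabled: Dict[str, Set[str]] = {"ikev1": set(), "ikev2": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = MAP_IF_RE.match(line)
        if m:
            map_ifaces[m.group(1)] = m.group(2)
            continue
        m = IKE_EN_RE.match(line)
        if m:
            ike_enabled[m.group(1)].add(m.group(2))
    return map_ifaces, ike_enabled


def find_ike_gaps(text: str) -> List[str]:
    """List interfaces that carry a crypto map but have no IKE version enabled."""
    map_ifaces, ike_enabled = parse_config(text)
    gaps: List[str] = []
    for cmap, iface in sorted(map_ifaces.items()):
        versions = [v for v, ifs in ike_enabled.items() if iface in ifs]
        if not versions:
            gaps.append(f"{iface} (crypto map {cmap}): no IKEv1/IKEv2 enabled")
    return gaps


if __name__ == "__main__":
    for gap in find_ike_gaps(SAMPLE_CONFIG):
        print(gap)
```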