FTD VPN: one node in mesh showing "IKE not enabled on <if name> interface"
I am running FTD 184.108.40.206 on several ASA devices (5506W-X, 5508-X, 5515-X) and have them controlled by FMC also at 220.127.116.11. I need a site-to-site VPN between two specific devices (a 5506W and a 5508) to allow cross-location services between the two sites. While I was setting it up I went ahead and opted into a full VPN mesh so that each location could more readily communicate with the others. The problem described below appears on a simple site-to-site VPN as well as the full mesh VPN design; I only mention the mesh so that I may also point out that the VPN config on each of the devices is built from the same FMC object, and the error only shows on one device (a 5508).
I have set up the VPN object in FMC with an outside interface on each device. The VPN is currently set to allow both IKEv1 and IKEv2, but this happens regardless of the IKE version. The NAT policies on each device are configured to prevent address translation when transiting to a VPN-ed remote network, and the access policies allow these networks to talk to one another. Each device also has routes to the VPN-ed networks that point to the outside interface on the remote ASA/FTD unit. To me an important point is that I am only seeing this issue on one device (a 5508) while others (one of which is also a 5508) are setting up the tunnel as expected.
When I do a debug crypto <all the usual suspects>, then attach to the diag console on the failing device and issue a ping from within its local network to a VPN-ed network (the one link I care most about right now), I see the following message.
Feb 22 14:48:31 [IKE COMMON DEBUG]Tunnel Manager failed to dispatch a KEY_ACQUIRE message. IKE not enabled on att_fiber interface
Where att_fiber is my overly non-creative name for the outside interface that is connected via AT&T Fiber. The att_fiber interface is the one that is used in the VPN configuration, and is the outside interface that handles the route to the remote network.
From this I think the crypto mapping is correct (elsewise the tunnel manager wouldn't even attempt to set up a key negotiation). But, for the life of me, I can't figure out 1) how IKE would be not enabled, or 2) how to fix the issue. I also can't find any mention of "IKE not enabled on" anywhere online...
Does anyone have any clues about where to start to get this squared away?