
IKEv2 Policy Mismatch when both Remote Access and Site to Site VPN

mustafa.chapal
Level 1

Hi,

I have two Cisco ISR 897VA routers with advanced IP services IOS on each site. Both routers have one WAN/Outside interface with only one IP address assigned. Both routers are connected through an IKEv2 Site to Site VPN tunnel, and one of these routers has IKEv2 Remote Access VPN configured on it.

Site to Site and Remote Access VPN both work fine when configured/enabled individually but stop working when both are configured/enabled simultaneously. Meaning, when I remove the ikev2 policy for Remote Access, Site to Site VPN starts working fine, and vice versa. I even tried merging both ikev2 policies into one, but the issue persists.

I would appreciate it if you could let me know a workaround so both VPNs can work simultaneously.

Attached are the config and debug for crypto ikev2.

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network FlexVPN local

crypto pki server FlexVPN-CA
 no database archive
 grant auto
 eku server-auth client-auth 
 shutdown
!
crypto pki trustpoint FlexVPN-CA
 revocation-check crl
 rsakeypair FlexVPN-CA
!
crypto pki trustpoint FlexVPN
 enrollment url http://96.65.7.4:80
 subject-name cn=example.net
 revocation-check none
 rsakeypair FlexVPN
!
!
!
crypto pki certificate map FlexVPN 10
 issuer-name co cn = flexvpn-ca

crypto ikev2 authorization policy FlexVPN 
 pool FlexVPN
 dns 8.8.8.8 8.8.4.4
 netmask 255.255.255.0
 def-domain example.net
!
crypto ikev2 proposal FlexVPN 
 encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
 integrity sha256
 group 19
no crypto ikev2 proposal default
crypto ikev2 proposal ikev2proposal 
 encryption aes-gcm-128
 prf sha256
 group 19
!
crypto ikev2 policy FlexVPN 
 proposal FlexVPN
no crypto ikev2 policy default
crypto ikev2 policy ikev2policy 
 proposal ikev2proposal
!
crypto ikev2 keyring ikev2keyring
 peer TEST
  address 203.130.1.2
  pre-shared-key local Testing123
  pre-shared-key remote Testing123

crypto ikev2 profile FlexVPN
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FlexVPN
 aaa authentication anyconnect-eap default
 aaa authorization group anyconnect-eap list FlexVPN FlexVPN
 aaa authorization user anyconnect-eap cached
 virtual-template 10
!
crypto ikev2 profile ikev2profile
 match identity remote fqdn 2.example.net
 identity local fqdn 1.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2keyring
!
no crypto ikev2 http-url cert

crypto ipsec transform-set ESP-GCM esp-gcm 
 mode tunnel
crypto ipsec transform-set FlexVPN esp-aes 256 esp-sha256-hmac 
 mode tunnel
!
crypto ipsec profile FlexVPN
 set transform-set FlexVPN 
 set ikev2-profile FlexVPN
!
no crypto ipsec profile default
!
crypto ipsec profile ipsecprofile
 set transform-set ESP-GCM 
 set ikev2-profile ikev2profile

interface Tunnel0
 bandwidth 10000000
 ip unnumbered Vlan10
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 203.130.1.2
 tunnel path-mtu-discovery
 tunnel bandwidth transmit 10000000
 tunnel bandwidth receive 10000000
 tunnel protection ipsec profile ipsecprofile

interface Virtual-Template10 type tunnel
 ip unnumbered Vlan10
 ip nat inside
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile FlexVPN


376476: Dec 14 00:18:13.871 Chicago: IKEv2:Received Packet [From 203.130.1.2:500/To 96.65.7.4:500/VRF i0:f0] 
Initiator SPI : DC838A76CB5993D2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

376477: Dec 14 00:18:13.872 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Verify SA init message
376478: Dec 14 00:18:13.873 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Insert SA
376479: Dec 14 00:18:13.873 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
376480: Dec 14 00:18:13.873 Chicago: IKEv2:Found Policy 'FlexVPN'
376481: Dec 14 00:18:13.873 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Processing IKE_SA_INIT message
376482: Dec 14 00:18:13.876 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1:  AES-GCM-128 SHA256 DH_GROUP_256_ECP/Group 19
376483: Dec 14 00:18:13.876 Chicago: 
376484: Dec 14 00:18:13.876 Chicago: 
376485: Dec 14 00:18:13.876 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1:  AES-CBC-128 AES-CBC-256 SHA256 SHA256 DH_GROUP_256_ECP/Group 19
376486: Dec 14 00:18:13.877 Chicago: 
376487: Dec 14 00:18:13.877 Chicago: 
376488: Dec 14 00:18:13.877 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):: Failed to find a matching policy
376489: Dec 14 00:18:13.877 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Sending no proposal chosen notify 

376490: Dec 14 00:18:13.877 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Sending Packet [To 203.130.1.2:500/From 96.65.7.4:500/VRF i0:f0] 
Initiator SPI : DC838A76CB5993D2 - Responder SPI : 50E9ECBF1C0D0DD6 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 NOTIFY(NO_PROPOSAL_CHOSEN) 

376491: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Failed SA init exchange
376492: Dec 14 00:18:13.878 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Initial exchange failed: Initial exchange failed
376493: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Abort exchange
376494: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Deleting SA


Since the beginning, either one works depending on which ikev2 policy I configure. When the L2L tunnel is up, AnyConnect FlexVPN gives an error after entering credentials that the connection was terminated due to an authentication failure or timeout, and the last debug I sent was for this scenario.

Is there another way to check accessibility or reach AAA/CA when the tunnel is up?

This is interesting. What if you change the order of proposals in the policy like this? L2L should still work after the change, and for AnyConnect client, which can negotiate both AES-GCM and AES-CBC, AES-CBC should now take priority.

crypto ikev2 policy ikev2policy 
proposal FlexVPN
proposal ikev2proposal

There is a bug which matches this behavior, although I'm not completely sure:

CSCvg84964 IOS-XE : Enhancement request to support GCM using Software Crypto engine

Symptom: AnyConnect over Ikev2 connection fails [after entering username/password] when AES-GCM-256 or AES-GCM-128 proposals are selected in IKE_SA_INIT exchange. The session establishes when any other encryption proposal [aes-cbc-256, aes-cbc-192, aes-cbc-128, 3des or des] is selected. The IKev2 and EAP debug output displays below message - IKEv2:(SESSION ID = XXX,SA ID = X):Verification of peer's authentication data FAILED IKEv2:(SESSION ID = XXX,SA ID = X):Sending authentication failure notify IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED

Conditions: The AnyConnect over Ikev2 connection will fail when AES-GCM-256 or AES-GCM-128 algorithm selected in IKE_SA_INIT exchange.

Workaround: Use a different encryption and integrity combination in the ikev2 profile that does not use aes-gcm [AES-GCM-256 or AES-GCM-128]. The algorithms that can be used are aes-cbc-256, aes-cbc-192, aes-cbc-128, 3des or des

The priority is already like the one you mentioned in which FlexVPN is listed first. I am not sure if the bug affects our router IOS that is 15.7(3)M4a.

I cannot change the L2L algorithm to CBC, but I can change AnyConnect to GCM. Does AnyConnect support GCM? If yes, will I have to make any other changes?

This is an enhancement request and it wasn't implemented in any IOS version. Although AnyConnect supports AES-GCM, SHA2 and DH group 19 for IKEv2, it seems you cannot use AES-GCM on the router for AnyConnect. It seems IKEv2 protection is performed by software crypto engine and AES-GCM is simply not implemented there, so IKEv2 negotiation fails, although this router is equipped with hardware crypto engine...

I noticed that you also use 256-bit elliptic curve DH (ECDH) group 19. Try to change it to group 14 (2048bit) as shown below. After that AnyConnect should be able to negotiate this proposal. If not, collect debug ikev2 again.


crypto ikev2 proposal FlexVPN 
 encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
 integrity sha256
 group 14


Changed the group to 14 and it is still not connecting. Following is the debug:

790304: Dec 21 17:25:51.499 Chicago: IKEv2:Received Packet [From 119.160.2.5:34148/To 96.65.7.4:500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

790305: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verify SA init message
790306: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Insert SA
790307: Dec 21 17:25:51.503 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
790308: Dec 21 17:25:51.503 Chicago: IKEv2:Found Policy 'FlexVPN'
790309: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing IKE_SA_INIT message
790310: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received valid config mode data
790311: Dec 21 17:25:51.503 Chicago: IKEv2:Config data recieved:
790312: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Config-type: Config-request 
790313: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Attrib type: unknown, length: 2, data: 0x2 0x40
790314: Dec 21 17:25:51.503 Chicago: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
790315: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Set received config mode data
790316: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
790317: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'FlexVPN'   'FlexVPN-CA'   'TP-self-signed-653483565'   
790318: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
790319: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
790320: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Start PKI Session
790321: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Starting of PKI Session PASSED
790322: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
790323: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
790324: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Request queued for computation of DH key
790325: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
790326: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
790327: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Request queued for computation of DH secret
790328: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
790329: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
790330: Dec 21 17:25:51.527 Chicago: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
790331: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating IKE_SA_INIT message
790332: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 3
   AES-GCM   SHA256   DH_GROUP_256_ECP/Group 19
790333: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
790334: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'FlexVPN'   'FlexVPN-CA'   'TP-self-signed-653483565'   
790335: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
790336: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

790337: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34148/From 96.65.7.4:500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

790338: Dec 21 17:25:51.531 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Completed SA init exchange
790339: Dec 21 17:25:51.531 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (30 sec) to wait for auth message 

790340: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

790341: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790342: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Checking NAT discovery
790343: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):NAT OUTSIDE found
790344: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):NAT detected float to init port 34149, resp port 4500
790345: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
790346: Dec 21 17:25:51.819 Chicago: IKEv2:found matching IKEv2 profile 'FlexVPN'
790347: Dec 21 17:25:51.819 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
790348: Dec 21 17:25:51.819 Chicago: IKEv2:Found Policy 'FlexVPN'
790349: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):not a VPN-SIP session
790350: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verify peer's policy
790351: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Peer's policy verified
790352: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
790353: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
790354: Dec 21 17:25:51.819 Chicago: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

790355: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting cert chain for the trustpoint FlexVPN
790356: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
790357: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Check for EAP exchange
790358: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Check for EAP exchange
790359: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generate my authentication data
790360: Dec 21 17:25:51.819 Chicago: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
790361: Dec 21 17:25:51.823 Chicago: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
790362: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Get my authentication method
790363: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):My authentication method is 'RSA'
790364: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sign authentication data
790365: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting private key
790366: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of private key PASSED
790367: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Sign authentication data
790368: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
790369: Dec 21 17:25:51.843 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Authentication material has been sucessfully signed
790370: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP request
790371: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'hello' request
790372: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Constructing IDr payload: '96.65.7.4' of type 'IPv4 address'
790373: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.  
Payload contents: 
 VID IDr CERT CERT AUTH EAP 

790374: Dec 21 17:25:51.851 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

790375: Dec 21 17:25:51.851 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message 

790376: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

790377: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790378: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP response
790379: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Checking for Dual Auth
790380: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP AUTH request
790381: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'auth-request'
790382: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.  
Payload contents: 
 EAP 

790383: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

790384: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message 

790385: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

790386: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790387: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP response
790388: Dec 21 17:25:58.635 Chicago: IKEv2:Using authentication method list default

790389: Dec 21 17:25:58.635 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> AAA] Authentication request sent
790390: Dec 21 17:25:58.639 Chicago: IKEv2-ERROR:AnyConnect EAP - failed to get author list
790391: Dec 21 17:25:58.639 Chicago: IKEv2:Received response from aaa for AnyConnect EAP
790392: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP VERIFY request
790393: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'VERIFY' request
790394: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.  
Payload contents: 
 EAP 

790395: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

790396: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message 

790397: Dec 21 17:25:58.983 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

790398: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790399: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP ack response
790400: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP success request
790401: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP success status message
790402: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.  
Payload contents: 
 EAP 

790403: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

790404: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message 

790405: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 AUTH 

790406: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790407: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Send AUTH, to verify peer after EAP exchange
790408: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verification of peer's authentication data FAILED
790409: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending authentication failure notify
790410: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

790411: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0] 
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

790412: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Auth exchange failed
790413: Dec 21 17:25:59.275 Chicago: IKEv2-ERROR:(SESSION ID = 4116,SA ID = 4):: Auth exchange failed
790414: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Abort exchange
790415: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Deleting SA
790416: Dec 21 17:25:59.275 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Close PKI Session
790417: Dec 21 17:25:59.275 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Closing of PKI Session PASSED


Not sure why it still displays "IKEv2:Found Policy 'FlexVPN'". This policy should have been removed with "no crypto ikev2 policy FlexVPN" and only one left:

crypto ikev2 policy ikev2policy
proposal FlexVPN
proposal ikev2proposal


@tvotna apologies for the confusion. I basically did it the other way round and removed ikev2policy, so the following is the current config:

crypto ikev2 policy FlexVPN
proposal FlexVPN
proposal ikev2proposal

mustafa.chapal
Level 1

Changing the group on both proposals to unique groups (19 and 20) resolved the conflict and mismatch issue.

crypto ikev2 proposal FlexVPN 
 encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
 integrity sha256
 group 19
crypto ikev2 proposal ikev2proposal 
 encryption aes-gcm-128
 prf sha256
 group 20
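To make the proposal-selection logic discussed in this thread concrete, here is an added Python model (not code from the thread or from Cisco) of how a responder with a single IKEv2 policy matches an initiator's proposals against its configured ones. The AnyConnect offer below is constructed and assumed (GCM first, CBC second, both group 19), and the site-to-site peer is assumed to have been moved to group 20 together with the hub.

```python
"""Model of IKEv2 IKE_SA_INIT proposal selection for the policies in this thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    name: str
    encr: tuple            # alternatives within one transform type, in preference order
    group: tuple
    prf: tuple = ("SHA256",)
    integ: tuple = ()      # empty for AEAD (AES-GCM) proposals: no separate INTEG transform

    def types(self):
        t = {"ENCR", "PRF", "DH"}
        if self.integ:
            t.add("INTEG")
        return t


def negotiate(offered, configured):
    """Return (initiator proposal, responder proposal, chosen transforms) or None.
    Initiator proposals are tried in their order of preference; each is compared with
    every proposal in the responder's policy. A proposal matches only when both sides
    carry the same transform types and every type has at least one algorithm in common."""
    for offer in offered:
        for conf in configured:
            if offer.types() != conf.types():
                continue
            chosen = {}
            for t in ("encr", "integ", "prf", "group"):
                common = [x for x in getattr(offer, t) if x in getattr(conf, t)]
                if getattr(offer, t) and not common:
                    break              # this transform type has no overlap
                if common:
                    chosen[t] = common[0]
            else:
                return offer.name, conf.name, chosen
    return None


# Responder proposals as configured on the hub in the thread.
FLEXVPN = Proposal("FlexVPN", ("AES-CBC-128", "AES-CBC-256", "AES-CBC-192"), (19,),
                   integ=("SHA256",))
IKEV2PROPOSAL_G19 = Proposal("ikev2proposal", ("AES-GCM-128",), (19,))
IKEV2PROPOSAL_G20 = Proposal("ikev2proposal", ("AES-GCM-128",), (20,))

# Constructed initiator offers. The L2L offer mirrors the first debug; the AnyConnect
# list is an assumption about the client's preference order.
L2L_PEER_G19 = [Proposal("site-to-site", ("AES-GCM-128",), (19,))]
L2L_PEER_G20 = [Proposal("site-to-site", ("AES-GCM-128",), (20,))]
ANYCONNECT = [
    Proposal("ac-gcm", ("AES-GCM-128",), (19,)),
    Proposal("ac-cbc", ("AES-CBC-256", "AES-CBC-128"), (19,), integ=("SHA256",)),
]


def scenario_original():
    """Only policy 'FlexVPN' is found for local address 96.65.7.4, so the L2L peer's
    GCM proposal has nothing to match: NO_PROPOSAL_CHOSEN, as in the first debug."""
    return negotiate(L2L_PEER_G19, [FLEXVPN])


def scenario_merged_same_group():
    """Both proposals in one policy, both group 19: AnyConnect's GCM offer is selected,
    the combination the thread reports failing later at IKE_AUTH."""
    return negotiate(ANYCONNECT, [FLEXVPN, IKEV2PROPOSAL_G19])


def scenario_unique_groups():
    """The poster's fix: group 19 for CBC, group 20 for GCM, so each peer can only
    land on the proposal intended for it."""
    return (negotiate(ANYCONNECT, [FLEXVPN, IKEV2PROPOSAL_G20]),
            negotiate(L2L_PEER_G20, [FLEXVPN, IKEV2PROPOSAL_G20]))
```

With unique DH groups the GCM proposal can only be reached by a peer that offers group 20, which is why the AnyConnect client falls through to the CBC proposal.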
