IKEv2 Remote Access VPN Failure to Connect

lridium
Level 1

Good evening,

I previously had an IKEv2 Remote Access VPN tunnel working properly on an ASA 5515-X but apparently made some changes that have broken this functionality, so I appreciate any assistance that can be offered in restoring functionality. I have seen failures in both Android and Windows-based devices (the entirety of connection platforms) connecting via Secure Client. Nothing to me is apparently different comparing running-config with saved/archived configurations that were working. The main trustpoint was updated, however I restored the prior working trustpoint and experienced the same issues.

Authentication appears to succeed (visible in sessiondb), the tunnel is built, and then is terminated after just over a minute with the client device never able to pass traffic. All other functionality appears unaffected. I've attached both a log of a connection attempt from ASDM by an Android device and the running configuration of the ASA.  Please let me know if you need any other information and I'll do my best to provide it promptly.

Thanks for your time reading this and your assistance working through whatever I have broken!

Edit: Corrected attached CSV encoding per discussions on Page 2.

38 Replies

Show ikev2 sa detail 

Share this please 

MHM

Thanks for checking in on this!  Here's status with an Android client in limbo (post username authentication):

#sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:20, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
255117379 <outside IP>/4500 <remote host>/3863 READY RESPONDER
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/46 sec
Session-id: 20
Status Description: Negotiation done
Local spi: 3DADFDE3FB7ABFAF Remote spi: 0BFCB880111BF54A
Local id: cn=*.contoso.net (matches primary trustpoint cn)
Remote id: *$AnyConnectClient$*
Local req mess id: 1 Remote req mess id: 6
Local next mess id: 1 Remote next mess id: 6
Local req queued: 1 Remote req queued: 6
Local window: 1 Remote window: 1
DPD configured for 30 seconds, retry 2
NAT-T is detected outside
Assigned host addr: 10.10.0.20
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.10.0.20/0 - 10.10.0.20/65535
ESP spi in/out: 0xf3c3ac7d/0x221a3ad5
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 256, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE

<remote host>/3863 <<- the issue is in your remote peer; it does not use static NAT for port 4500.

That's why IPsec failed.

MHM

I wouldn't think that's an issue since this is a Remote Access VPN, not Site-to-Site; the Android client connects to 4500 on the ASA, which is configured for static NAT.  I, too, am quite suspicious of the NAT configuration (though I don't believe that's changed) since I'm passing no traffic after the tunnel establishment.

If one of the peers is behind NAT,

IPsec starts using port 4500; here your ASA uses port 4500 but the remote peer does not use it, so traffic is dropped.

MHM

Thanks much for all your help so far.

I've reviewed the last few years of working configurations and they all match the current running config, including NAT and route rules (as seen in the attached running-config).  Is there anything else that might be contributing to this?  I wouldn't expect the same version of software and same config to start having problems unprompted.

You can have a remote peer behind a dynamic PAT/NAT, the remote port does not need to be 4500.

@lridium what changes were made?

From the ASA enable IKEv2 debugs

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116158-trouble-asa-ikev2-00.html

From client side, run DART to collect troubleshooting data, check the output and find the corresponding errors. https://www.cisco.com/c/en/us/support/docs/security/secure-client/221919-collect-dart-bundle-for-secure-client.html


Thanks for saving my sanity confirming the remote port, I couldn't find it anywhere to be certain!

Regarding changes, I updated the trustpoint (routine certificate renewal), tested, all worked fine.  I went back to delete the old trustpoint and I don't believe I changed anything else in the VPN config (it's possible I did as part of an audit, but that's what I'm unclear on).  Minus the trustpoint changes the running configuration is identical (line-by-line review).  I've gone back and restored the old trustpoint and rolled back to much older Secure Client versions (just to rule both out) and seen the same behavior.  Current testing is with all the latest and greatest (certs and Secure Client).

Regarding further data you suggested, absolutely will do but I'll probably be a day or two before I get that fleshed out and packaged up.  I took an initial look at both (the debug and a DART log) a few days ago before I posted but I will rerun and report back from there.  Thank you for the response!

Tunnel-id Local Remote Status Role
255117379 <outside IP>/4500 <remote host>/3863 READY RESPONDER
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: RSA, Auth verify: EAP

The authc is successful and hence IKEv2 phase 1 is OK.

show crypto ipsec sa <<- ping and check if you see any drops.

Do a packet capture on outside, specifically UDP port 4500, and see if traffic comes from the client; if it comes and the ASA drops it, then as I mentioned before it is an issue of the remote peer UDP port (not 4500).

MHM

I'll pull the IPSEC SA for you as soon as I get back local to the network.  After the status you quoted above, ping checks failed when I last tested.

Yes, ping failed, but where did it fail, in the ASA or the remote peer?

Capture traffic and do show crypto ipsec sa.

You will know exactly where the ping is dropped or fails.

Good luck

MHM

Ping failed from ASA to remote peer's assigned VPN dhcp pool address.  Will report back.

I checked; RAVPN can accept any UDP port, not only 4500.

MHM

lridium
Level 1

For @MHM Cisco World and @Rob Ingram , attached are the ipsec and ikev2 sa and the ikev2 debug logs.  Suggested ping test shows in "pkts encaps", "encrypt", "digest" and "not compressed" incrementing with no other changes to statistics.  I'm still working on putting together a DART to dig into.  Thanks for your continued feedback and suggestions.
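A small triage helper, added here as an example and not part of any post in this thread, that parses the "show crypto ikev2 sa detail" output posted above (abridged) and diffs two "show crypto ipsec sa" counter snapshots, so the points argued in the thread come out as explicit findings: a remote source port other than 4500 with NAT-T detected is normal for a client behind PAT, and "pkts encaps/encrypt/digest" incrementing while "pkts decaps/decrypt/verify" stay flat means the ASA is sending ESP but nothing comes back. The counter values are constructed to mirror the symptom reported in the last post (the attachments are not on the page); the finding codes are names of my own choosing, not ASA output.

```python
import re

# Verbatim (redacted, abridged) 'show crypto ikev2 sa detail' output from the thread.
IKEV2_SA_DETAIL = """\
Session-id:20, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
255117379 <outside IP>/4500 <remote host>/3863 READY RESPONDER
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/46 sec
Status Description: Negotiation done
DPD configured for 30 seconds, retry 2
NAT-T is detected outside
Assigned host addr: 10.10.0.20
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 10.10.0.20/0 - 10.10.0.20/65535
"""

# Constructed 'show crypto ipsec sa' counter lines (ASA format), snapshotted
# before and after pinging the client's assigned address from the ASA. The
# numbers are made up to reproduce the reported symptom: only the outbound
# counters (encaps, encrypt, digest, not compressed) move.
IPSEC_BEFORE = """\
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
"""
IPSEC_AFTER = """\
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0
"""


def parse_ikev2_sa(text):
    """Extract the fields the thread argues about from the IKEv2 SA output."""
    sa = {}
    m = re.search(r"Status:([\w-]+),.*CHILD count:(\d+)", text)
    sa["status"] = m.group(1) if m else None
    sa["child_count"] = int(m.group(2)) if m else 0
    # Tunnel line: "<id> <local>/<port> <remote>/<port> <status> <role>";
    # the address fields may contain spaces because the poster redacted them.
    m = re.search(r"^(\d+)\s+(.+?)/(\d+)\s+(.+?)/(\d+)\s+(\S+)\s+(\S+)\s*$", text, re.M)
    if m:
        sa["tunnel_id"] = int(m.group(1))
        sa["local_port"] = int(m.group(3))
        sa["remote_port"] = int(m.group(5))
        sa["role"] = m.group(7)
    m = re.search(r"NAT-T is detected (\w+)", text)
    sa["nat_t"] = m.group(1) if m else None
    m = re.search(r"Assigned host addr: (\S+)", text)
    sa["assigned_addr"] = m.group(1) if m else None
    m = re.search(r"Effective MTU: (\d+) bytes", text)
    sa["effective_mtu"] = int(m.group(1)) if m else None
    return sa


def parse_ipsec_counters(text):
    """Map each '#pkts <name>: <n>' counter to its integer value."""
    return {name: int(n) for name, n in re.findall(r"#pkts ([a-z ]+?): (\d+)", text)}


def counter_delta(before, after):
    """Per-counter change between two snapshots (missing counters count as 0)."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in after}


def diagnose(sa, delta):
    """Return (code, explanation) findings; the codes are this script's own names."""
    findings = []
    if sa.get("status") != "UP-ACTIVE" or sa.get("child_count", 0) < 1:
        findings.append(("SA_NOT_UP", "IKEv2 or child SA is not established; work the IKE exchange first"))
        return findings
    findings.append(("SA_UP", f"IKEv2 SA READY as {sa.get('role')}, child SA present, "
                              f"client assigned {sa.get('assigned_addr')}"))
    if sa.get("nat_t") and sa.get("remote_port") != 4500:
        findings.append(("PAT_SOURCE_PORT", f"remote source port {sa['remote_port']} with NAT-T detected "
                                            "is normal for a client behind PAT; only the ASA side needs 4500"))
    enc, dec = delta.get("encaps", 0), delta.get("decaps", 0)
    if enc > 0 and dec == 0:
        findings.append(("ONE_WAY_OUTBOUND", f"ASA encapsulated {enc} packets and decapsulated none: ESP leaves "
                                             "the ASA but nothing returns; capture outside UDP/4500 to see "
                                             "whether the client's replies arrive at all"))
    elif enc == 0 and dec > 0:
        findings.append(("ONE_WAY_INBOUND", f"{dec} packets decapsulated but none sent: replies are not "
                                            "reaching the crypto path (routing or NAT exemption toward the pool)"))
    elif enc == 0 and dec == 0:
        findings.append(("NO_CRYPTO_TRAFFIC", "no packets touched the SA; confirm traffic to the pool is "
                                              "routed to the tunnel before blaming the tunnel itself"))
    else:
        findings.append(("BIDIRECTIONAL", "both directions move; look beyond IPsec (ACLs, inner routing)"))
    return findings


if __name__ == "__main__":
    sa = parse_ikev2_sa(IKEV2_SA_DETAIL)
    delta = counter_delta(parse_ipsec_counters(IPSEC_BEFORE), parse_ipsec_counters(IPSEC_AFTER))
    for code, text in diagnose(sa, delta):
        print(f"{code:18} {text}")
```

Run against the thread's data, the script reports SA_UP, PAT_SOURCE_PORT and ONE_WAY_OUTBOUND, which is exactly the combination the last post describes: the tunnel is fine, the odd remote port is not the fault, and the next evidence to gather is a capture on the outside interface for UDP/4500 to see whether the client's ESP-in-UDP replies ever reach the ASA.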