IPSec AWS Site-to-Site VPN w/ dynamic source interface (WAN failover)

judu
Level 1

I have a Tunnel interface establishing an IPSec VPN to AWS. The VPN uses certificate authentication so it is not bound to an IP address. In the event of WAN failover, I would like the tunnel to come back up using a secondary WAN interface (such as cellular). How can I achieve this since I have to specify "tunnel source {interface}" in the tunnel interface configuration? 

 

interface Tunnel1
 ip address 169.254.X.X 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 18.218.X.X
 tunnel protection ipsec profile ipsec-vpn-X-0
 ip virtual-reassembly

 


13 Replies

@judu if using FlexVPN you can define tunnel source dynamic and use the FlexVPN client configuration. Example:

interface Tunnel10
 ip address negotiated
 tunnel source dynamic

crypto ikev2 client flexvpn FLEX
 source 1 Ethernet0/0 track 1
 source 2 Ethernet0/1 track 2

Do you have more information on how I can make this work? I tried what you have listed above, but the tunnels do not come up even when the SLA is OK. 

IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
All Stats are in milliseconds. Stats with u are in microseconds

ID Type Destination Stats Return Last
Code Run
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=75 OK 0 seconds ago

@judu review the Configuring the Flexvpn Client section - https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-flex-clnt.html

and if you still cannot get it working provide the relevant configuration for review.

Hello @Rob Ingram . Thank you for this information. I have tried several different variations of this using the example you provided and the documentation. When I remove Gi0/0/0 interface from the tunnel source-interface (changing it to dynamic), I see "Jun 26 13:36:10.545: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF". This does not turn back on no matter what combination of flexvpn client settings I use. 

I have done this only for the primary interface for now. I figured it would be simpler to get that working before adding the alternate. The track shows Up and OK.

Updated configuration with FlexVPN client and SLA/Track is attached.

Thank you again for taking the time to assist. It is greatly appreciated. 

----

C12345R1#show track
Track 1
IP SLA 1 reachability
Reachability is Up
1 change, last change 00:00:29
Latest operation return code: OK
Latest RTT (millisecs) 20
Tracked by:
FlexVPN 0

@judu it looks like you must define "tunnel destination dynamic" if you use a dynamic source under the tunnel interface. You've already defined the peer (destination IP) in the flexvpn client AWS-VPN-CLIENT configuration, so the destination is known.

interface Tunnel10
 tunnel source dynamic
 tunnel destination dynamic

In your configuration change the "connect track 1" to "connect auto", which is default and doesn't show up in the configuration, and track each interface (with a unique track). Example:

crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 2.2.2.1
 peer reactivate
 connect auto
 source 1 GigabitEthernet0/0 track 1
 source 2 GigabitEthernet0/1 track 2
 client connect Tunnel0

If source 1 goes down, the tunnel will automatically establish via source 2. Source 1 is preferred, so when the track for source 1 is up again, the VPN will automatically fail back.
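Pulling the accepted answer together into one complete build-out, as an added example that is not the thread's own attached configuration: the cellular interface name (Cellular0/2/0), the second probe target (1.1.1.1) and the primary WAN gateway (192.168.1.1) are assumed values, while the Tunnel1 addressing, peer and IPsec profile name are the ones from the original post.

```cisco
! Added example, not the poster's or Cisco's configuration.
! Assumed: Cellular0/2/0 is the backup WAN, 192.168.1.1 is the primary WAN
! gateway, 1.1.1.1 is the second probe target. Tunnel1 values are from the post.
!
! One IP SLA probe per WAN. A probe only proves that WAN if it really leaves
! through it, so each probe target is pinned to its interface with a host route.
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0/0 192.168.1.1
ip route 1.1.1.1 255.255.255.255 Cellular0/2/0
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 1.1.1.1 source-interface Cellular0/2/0
 frequency 10
ip sla schedule 2 life forever start-time now
!
! A unique track per WAN, as the accepted answer requires.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! "connect auto" is the default and is not shown. Source 1 is preferred: when
! track 1 fails the client rebuilds the IKEv2 SA from source 2, and it fails
! back once track 1 returns. The destination is taken from "peer 1", which is
! what allows "tunnel destination dynamic" on the tunnel interface.
crypto ikev2 client flexvpn AWS-VPN-CLIENT
 peer 1 18.218.X.X
 peer reactivate
 source 1 GigabitEthernet0/0/0 track 1
 source 2 Cellular0/2/0 track 2
 client connect Tunnel1
!
! Both source and destination must be dynamic; with only the source dynamic
! the thread shows ISAKMP going OFF and the tunnel never coming up.
interface Tunnel1
 ip address 169.254.X.X 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source dynamic
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile ipsec-vpn-X-0
!
! Verification after a failover test (pull the primary cable as the poster did):
! show crypto ikev2 client flexvpn AWS-VPN-CLIENT
! show track
! show crypto ikev2 sa
```

The IKEv2 profile and certificate trustpoint referenced by ipsec-vpn-X-0 are unchanged from the working configuration; only the tunnel source/destination and the FlexVPN client block are new here.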

OMG OMG OMG OMG !!! @Rob Ingram You are amazing! THANK YOU! I have been banging my head against the wall!

Jun 26 18:38:22.670: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jun 26 18:38:23.074: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: (NOT ERROR BUT WARNING ONLY)ID of cn=vpn-A.endpoint-0 (type 9) and certificate DN with cn=vpn-A.endpoint-0
Jun 26 18:38:23.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
C12345R1#
Jun 26 18:38:23.109: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.1.155 Server_public_addr = 18.218.X.X
C12345R1#
Jun 26 18:38:24.073: %SYS-5-CONFIG_I: Configured from console by console
C12345R1#
Jun 26 18:38:28.820: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Up
C12345R1#

!!!!! UNPLUG CABLE

Jun 26 18:39:05.828: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
C12345R1#
Jun 26 18:39:09.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
C12345R1#
Jun 26 18:39:09.414: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.1.155 Server_public_addr = 18.218.X.X
Jun 26 18:39:09.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Jun 26 18:39:09.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jun 26 18:39:10.417: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to down
C12345R1#
Jun 26 18:39:10.419: %BGP-5-NBR_RESET: Neighbor 169.254.221.169 reset (Interface flap)
Jun 26 18:39:10.421: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Down Interface flap
Jun 26 18:39:10.421: %BGP_SESSION-5-ADJCHANGE: neighbor 169.254.221.169 IPv4 Unicast topology base removed from session Interface flap
C12345R1#
Jun 26 18:39:20.133: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Jun 26 18:40:06.607: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: (NOT ERROR BUT WARNING ONLY)ID of cn=vpn-X.endpoint-0 (type 9) and certificate DN with cn=vpn-X.endpoint-0
Jun 26 18:40:06.636: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
C12345R1#
Jun 26 18:40:06.641: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.4.148 Server_public_addr = 18.218.X.X
C12345R1#
Jun 26 18:40:15.416: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Up
C12345R1#ping 172.25.0.242
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.0.242, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/33/44 ms

If you can, use LO as the source of the tunnel.

Do you have more information on how I can make this work? 

What platform is this: ASA, FPR or router?

ISR 1100 Series

Friend, instead of using an interface connected to either ISP as the tunnel source,

use LO as the tunnel source.

This makes the tunnel always UP, and when the path via ISP 1 goes down the router will use the other path via ISP 2.

Hi @MHM Cisco World . I have added a loopback interface, 10.10.10.1/32 and changed the tunnel source-interface to the new loopback interface. The tunnels do not come up (they are UP prior to this change). 

Looking at the log, I see packets being sent to the peer from the loopback IP. No response is received (I would assume because there is no route back to this IP on the network). Do I need to do some form of NAT?

Updated configuration with loopback interface is attached.

Thank you again for taking the time to assist. It is greatly appreciated. 

----

Jun 26 13:12:27.381: IKEv2-INTERNAL:(SESSION ID = 3,SA ID = 1):SM Trace-> SA: I_SPI=DB53A124A0D57541 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_RE_XMT
Jun 26 13:12:27.381: IKEv2:(SESSION ID = 3,SA ID = 1):Retransmitting packet

Jun 26 13:12:27.381: IKEv2:(SESSION ID = 3,SA ID = 1):Sending Packet [To 18.218.X.X:500/From 10.10.10.1:500/VRF i0:f0]
Initiator SPI : DB53A124A0D57541 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jun 26 13:12:27.381: IKEv2-PAK:(SESSION ID = 3,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 414
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 40
last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
KE Next payload: N, reserved: 0x0, length: 140
DH group: 21, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: VID, reserved: 0x0, length: 19
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: NONE, reserved: 0x0, length: 20

As far as I know there is no preemption mechanism on the ASA. Please take a look at this post of mine and see if it helps, essentially you can inject a fake next hop that would end up bringing down the established tunnel and reestablish it with the previous one:

https://bluenetsec.com/cisco-asa-ipsec-site-to-site-vpn-preemption/