IPsec IKEv2 RV160 to ASA

JA Molins
Level 1

I'm facing a problem connecting a site-to-site VPN between an ASA and a Cisco RV160 router.

8 Replies

@JA Molins 

Is the RV160 configured to answer/respond only? Therefore it can never establish a tunnel, rather just be the responder if initiated by another device (your ASA).

 

Is PFS configured on both devices? If yes, are they the same DH group value?

Hello,

 

Yes, PFS is configured on both sides and the DH group value is the same on both sides.


@JA Molins wrote:

Hello,

 

Yes, PFS is configured on both sides and the DH group value is the same on both sides.


Here's the log of the RV160:

 

 

Hello,

 

Please find the RV160 log below:

JA Molins
Level 1

Hello,

 

Checking the logs of the RV160:

nagrajk1969
Spotlight

Hi

 

1. Have you configured multiple subnets (using IP groups on the RV160) for this IKEv2 tunnel to the ASA?

2. If yes, then assuming that the ASA is running some older image/firmware, there is a bug in the ASA specifically for "IPsec tunnel with multiple tunnels using IKEv2". So it will not be able to support multiple subnets with an IKEv2-based IPsec site-to-site tunnel, because the IKEv2 implementation on the ASA does not support child-SA payloads with more than 1 pair of traffic selectors (subnet pair).

 

3. So I believe, and I don't have any confirmation about it, but I have read/heard somewhere that Cisco has fixed this issue with IKEv2 and multiple subnets as of April 2021, and the fixes have been applied to ALL images/firmware for Cisco ASA, Cisco ISR/IOS routers, etc.

- So find out if there is a "new" latest image dated in, say, June 2021 or July 2021, find out if the fix is present in it, and update your Cisco ASA. It should then solve your present issue with the RV160.

 

4. Else the only alternate solution is to use IKEv1 for the IPsec tunnel using multiple subnets. There are no issues with IKEv1 on Cisco ASA or other Cisco ISR routers.

 

5. If no, i.e. there are NO multiple subnets and only 1 pair of traffic selectors configured for the IKEv2 tunnel between the RV160 and the Cisco ASA, then please post the configs applied on the RV160 (and maybe also the config on the ASA too). We will need to check if there are any issues due to the configs applied.

 

Hello,

 

Thanks for your comment; we will check the firmware upgrade for the Cisco ASA.

Do you think any other Cisco small business router would have the same issue with the Cisco ASA?

nagrajk1969
Spotlight

>>>Do you think any other Cisco small business router would have the same issue with the Cisco ASA?

It's actually the other way round.

 

1. The IKEv2 implementation on Cisco ASA and Cisco ISR/IOS routers has the bug. When multiple subnets are configured for "IKEv2-based" tunnels, the ASA/ISR/IOS routers don't support multiple traffic selectors being received from the remote IKEv2 peer (in this case the RV340/345 and RV160/260 Cisco SBR routers) in the Child-SA payload during the IKEv2 protocol negotiation for establishing the tunnel. They support ONLY 1 pair of traffic selectors at a time in the child-SA payload.

 

2. This is the same case with Fortinet VPN gateways too, and some other VPN gateways that have not implemented the complete IKEv2 features as per the RFC standards.

 

3. The Cisco SBR RV340/345/340W/345P routers are running the strongSwan open-source application for the IPsec VPN features, so they all support the complete RFC standards for IPsec/IKEv2 (and IKEv1 also).

 

a) So whenever you are configuring specifically IKEv2 S2S tunnels with multiple subnets (using IP groups) on these SBR routers AND the peer gateway is any of the Cisco ASA/ISR/IOS routers (running older firmware before April 2020, I guess) OR a Fortinet gateway, then you will need to enable one additional option on the SBR routers in the Advanced settings of the S2S tunnel config: the "Non-RFC" option.

- It's as shown in the attached screenshot.

 

b) As for the same IKEv2 S2S tunnel configs using multiple subnets with a Fortinet gateway and other such VPN peers that have problems establishing IKEv2 tunnels with multiple subnets, you will need to:

- check by enabling the "Non-RFC" option and see whether it solves the problem;

 

- else, additionally on the said remote peer gateways, you will need to ensure that when configuring the S2S tunnel, the multiple subnets are not grouped together into single groups. Instead, on a Fortinet gateway (and ESX Edge gateway, etc.) you will need to configure the traffic selectors as separate pairs under ONE IKEv2/IKEv1 tunnel profile.

 

https://serverfault.com/questions/471977/fortigate-ipsec-vpn-configuring-multiple-phase-2-connections-multiple-subnets

 

 

thanks
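The two replies above turn on how a multi-subnet IP group is carried in the IKEv2 CHILD_SA exchange: every subnet becomes one Traffic Selector inside the TSi/TSr payloads, and a peer that only accepts a single selector pair per CHILD_SA has to be given one CHILD_SA per (local, remote) pair instead. The following is an added example, not code from the thread, from Cisco, or from strongSwan. It encodes and decodes the IKEv2 Traffic Selector payload as laid out in RFC 7296 section 3.13 (IPv4 ranges only), reports whether a proposal fits a "one pair per CHILD_SA" peer as the thread describes it, and expands a grouped definition into separate single-pair children. The subnets are constructed sample values; the "single pair" limitation is taken from the thread's description, not verified against any specific ASA release.

```python
"""
Added example (not from the thread, Cisco, or strongSwan): build and parse
IKEv2 Traffic Selector payloads (RFC 7296, section 3.13) to show what a
multi-subnet IP group looks like on the wire, and how to restructure it for
a peer that accepts only one selector pair per CHILD_SA.
"""
import ipaddress
import struct
from itertools import product

TS_IPV4_ADDR_RANGE = 7   # TS Type value for an IPv4 address range (RFC 7296)
SELECTOR_LEN_IPV4 = 16   # fixed size of one IPv4 selector in bytes
NO_NEXT_PAYLOAD = 0      # Next Payload value meaning "last payload"


def subnet_to_selector(cidr: str, proto: int = 0, ports=(0, 65535)) -> bytes:
    """Encode one CIDR subnet as a TS_IPV4_ADDR_RANGE selector.

    Layout: TS Type(1) | IP Protocol ID(1) | Selector Length(2) |
            Start Port(2) | End Port(2) | Starting Address(4) | Ending Address(4)
    proto=0 with ports 0-65535 means "any protocol, any port".
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return struct.pack("!BBHHHII", TS_IPV4_ADDR_RANGE, proto, SELECTOR_LEN_IPV4,
                       ports[0], ports[1],
                       int(net.network_address), int(net.broadcast_address))


def build_ts_payload(subnets, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """Encode a TSi or TSr payload carrying one selector per subnet.

    Generic payload header: Next Payload(1) | C+RESERVED(1) | Payload Length(2),
    then Number of TSs(1) | RESERVED(3), then the selectors themselves.
    """
    selectors = b"".join(subnet_to_selector(s) for s in subnets)
    length = 4 + 4 + len(selectors)
    return (struct.pack("!BBH", next_payload, 0, length)
            + struct.pack("!B3x", len(subnets))
            + selectors)


def parse_ts_payload(data: bytes):
    """Decode a TS payload.

    Returns (next_payload, [(start_ip, end_ip, proto, start_port, end_port), ...])
    and rejects truncated or oversized payloads instead of reading past them.
    """
    if len(data) < 8:
        raise ValueError("truncated TS payload header")
    next_payload, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"payload length {length} != {len(data)} bytes supplied")
    count = data[4]
    offset, selectors = 8, []
    for _ in range(count):
        chunk = data[offset:offset + SELECTOR_LEN_IPV4]
        if len(chunk) < SELECTOR_LEN_IPV4:
            raise ValueError("truncated traffic selector")
        ts_type, proto, sel_len, sp, ep, start, end = struct.unpack("!BBHHHII", chunk)
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != SELECTOR_LEN_IPV4:
            raise ValueError(f"unsupported selector type {ts_type} / length {sel_len}")
        selectors.append((str(ipaddress.IPv4Address(start)),
                          str(ipaddress.IPv4Address(end)), proto, sp, ep))
        offset += sel_len
    if offset != len(data):
        raise ValueError("trailing bytes after last selector")
    return next_payload, selectors


def fits_single_pair_peer(tsi: bytes, tsr: bytes) -> bool:
    """True if TSi and TSr each carry exactly one selector: one pair per CHILD_SA."""
    return len(parse_ts_payload(tsi)[1]) == 1 and len(parse_ts_payload(tsr)[1]) == 1


def split_into_single_pair_children(local_subnets, remote_subnets):
    """Expand a grouped multi-subnet definition into one (local, remote) pair per
    CHILD_SA, the layout the thread recommends for peers that reject grouped
    selectors. Returns a list of (tsi_bytes, tsr_bytes) tuples."""
    return [(build_ts_payload([l]), build_ts_payload([r]))
            for l, r in product(local_subnets, remote_subnets)]


if __name__ == "__main__":
    # Constructed sample: two subnets on the RV160 side, one on the ASA side.
    local = ["10.1.0.0/24", "10.2.0.0/24"]
    remote = ["192.168.50.0/24"]
    tsi, tsr = build_ts_payload(local), build_ts_payload(remote)
    print("grouped proposal fits a single-pair peer:", fits_single_pair_peer(tsi, tsr))
    for i, (ci, cr) in enumerate(split_into_single_pair_children(local, remote), 1):
        print(f"CHILD_SA {i}: {parse_ts_payload(ci)[1][0][:2]} <-> {parse_ts_payload(cr)[1][0][:2]}")
```

Run stand-alone, the grouped proposal (two TSi selectors) is reported as not fitting a single-pair peer, and the same subnets are re-emitted as two CHILD_SAs of one pair each. Note that the RFC does allow a responder to narrow a multi-selector proposal rather than reject it; this example only makes the selector count visible so the two configuration layouts discussed in the thread can be compared.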