
IPSEC VPN

fmugambi
Spotlight

Hello Team,

I have a network as below,

[image: fmugambi_0-1721294430756.png]

ASA peers with the ISP using BGP.

There's OSPF for downstream and upstream routing.

There is NAT on the ASA public interface to the FTD 40.18 interface, with 4500,500 services.

Is it possible to use this FTD's 40.18 interface to peer with a remote site to form a site-to-site VPN?

Your support will be appreciated.

Thank you.


3 Accepted Solutions

The routes are static from the FTD perspective, correct?

So on its process ID I redistribute static? And should I extend to subnets for classless scope?

Thank you

show ip ospf database external <<- in FTD

Do that after you add 

redistribute connected subnet

MHM

FTD refused to add a different p2p network to ASA on the same area <<- I don't get this point, can you elaborate more?

show ospf
Check if both OSPF processes use the same router-id or not?

I ran a lab and used RRI and redistributed the static subnet into OSPF and it works, so it is not an IPsec RRI issue; I think it is an OSPF dual-process issue.

MHM

36 Replies

ccieexpert
Spotlight

Yes, this should work as long as the peers support NAT-T.

The 40.18 should be able to ping the ASA public IP?

[image: fmugambi_0-1721400535144.png]

Thanks, so it's possible; the VPN came up.

But I am not sure why vFTD does not redistribute remote networks. When I go to the core switch and do show ip route "remote_network" I get subnet not in table. Why would this be, yet there is OSPF between the 2?

Yes, that can be done, but what is the other peer, is it FTD or an IOS XE router, and what is the version of IKE?

MHM

The remotes are different vendors: Check Point, FTD, Cisco ASA, Fortigate, Sophos, IOS routers; others are on cloud.

[image: fmugambi_1-1721400661838.png]

You want the remote LAN advertised via OSPF over IPsec S2S VPN?

This does not work; you need route-based VPN for that.
Configure a tunnel and run OSPF over the tunnel, and you can learn the remote LAN prefix via the tunnel.

MHM

What's the implication of changing the tunnels from policy-based?

Will I have to involve clients to change on their end?

Do you have a guide to do this conversion? I am using FMC for configurations.

Thank you.

Reverse Route Injection is enabled by default in Firepower Management Center.

Subnet/IP Address (Network) remains the default selection.

When you have selected Protected Networks as Any and observe default route traffic being dropped, disable the Reverse Route Injection under VPN > Site to Site > edit a VPN > IPsec > Enable Reverse Route Injection. Deploy the configuration changes; this will remove set reverse-route (Reverse Route Injection) from the crypto map configuration and remove the VPN-advertised reverse route that causes the reverse tunnel traffic to be dropped.

Make sure reverse route injection is enabled (it is by default), and also check if you are seeing the routes on FTD and if static is redistributed into OSPF.

You don't have to do route-based as such, but route-based VPN will allow you to exchange routes via the tunnel with a routing protocol... If these are clients that you have no control of, then routing / a dynamic protocol may be a bit more challenging.
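As an added illustration (not code from the thread, Cisco or FMC), a small Python checker that runs the accepted-solution checks offline: it reads FTD "show route" and "show ospf database external" output, lists the RRI static routes that leave via the VPN interface, flags any that never became a Type-5 LSA (separating classless prefixes, which need the subnets keyword on redistribute static), and reports whether two OSPF processes share a router ID. The sample outputs, interface name and addresses below are constructed.

```python
import ipaddress
import re

# Constructed sample of FTD "show route" output (not from the thread): two
# RRI-injected statics towards the VPN peer via "outside", one static via "inside".
SHOW_ROUTE = """\
S    10.0.0.0 255.0.0.0 [1/0] via 203.0.113.1, outside
S    172.16.5.0 255.255.255.0 [1/0] via 203.0.113.1, outside
S    192.168.100.0 255.255.255.0 [1/0] via 10.1.1.2, inside
"""

# Constructed "show ospf database external" sample: two OSPF processes sharing one
# router ID, and only the classful RRI prefix present as a Type-5 LSA.
SHOW_OSPF_EXT = """\
            OSPF Router with ID (10.1.1.1) (Process ID 1)
                Type-5 AS External Link States
  LS Type: AS External Link
  Link State ID: 10.0.0.0 (External Network Number )
  Advertising Router: 10.1.1.1
  Network Mask: /8
            OSPF Router with ID (10.1.1.1) (Process ID 2)
"""

ROUTE_RE = re.compile(r"^S\s+(\S+)\s+(\S+)\s+\[\S+\]\s+via\s+(\S+),\s+(\S+)", re.M)
LSA_RE = re.compile(r"Link State ID:\s+(\S+).*?Network Mask:\s+/(\d+)", re.S)
RID_RE = re.compile(r"OSPF Router with ID \((\S+)\) \(Process ID (\d+)\)")

def rri_routes(show_route, vpn_interface="outside"):
    """Static routes leaving via the VPN-facing interface: what RRI installs."""
    return [ipaddress.ip_network(f"{net}/{mask}")
            for net, mask, _nh, intf in ROUTE_RE.findall(show_route)
            if intf == vpn_interface]

def external_lsas(show_ospf_ext):
    """Prefixes that exist as Type-5 (external) LSAs in the OSPF database."""
    return {ipaddress.ip_network(f"{lsid}/{plen}")
            for lsid, plen in LSA_RE.findall(show_ospf_ext)}

def duplicate_router_id(show_ospf_ext):
    """True if two OSPF processes on the box advertise the same router ID."""
    rids = [rid for rid, _pid in RID_RE.findall(show_ospf_ext)]
    return len(rids) != len(set(rids))

def classful_prefixlen(net):
    first = int(net.network_address) >> 24  # first octet decides the class
    return 8 if first < 128 else 16 if first < 192 else 24

def missing_redistribution(show_route, show_ospf_ext):
    """RRI prefixes with no Type-5 LSA, mapped to the likely cause to check."""
    lsas = external_lsas(show_ospf_ext)
    return {str(net): ("classless prefix: 'redistribute static' needs the subnets keyword"
                       if net.prefixlen != classful_prefixlen(net)
                       else "absent from OSPF database: check redistribution config")
            for net in rri_routes(show_route) if net not in lsas}
```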

I am seeing the routes on FTD as static and redistributing into the OSPF process, but the downstream OSPF neighbor does not know about the routes.

What could be happening?

I have redistributed type 2.

On policy-based VPN there is also the option for "enable reverse route injection".

What does that do when checked?

Thanks.

It inserts the routes in the routing table for the remote subnets and allows them to be redistributed to other routing protocols...

Please check the OSPF database on FTD and other devices:

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/12151-trouble-main.html


OSPF works okay for other networks, as well as redistribution.

But for the IPsecs, redistribution is not working as expected.

Why would this be?

OSPF DB: the devices are in the OSPF DB and the OSPF neighborship.

It's confusing.

[image: fmugambi_0-1721636849183.png]

If it's redistributing, why is the core (downstream) switch not learning the IPsec routes?