LAN TO LAN TRAFFIC NOT PASSING THROUGH THE IPSEC TUNNEL ON CISCO ASA

I have been stuck on this issue: our LAN-to-LAN traffic is not passing through the IPsec tunnel, which is established on both phases between a Cisco ASA 5520 and a Cisco 2921 router.

 

I tried the debugs on the Cisco ASA 5520 side after initiating the interesting traffic and only got the output below.

 

GUL-ASA# IPSEC: New embryonic SA created @ 0x724B79D0,
SCB: 0x71517F20,
Direction: inbound
SPI : 0x6679D44C
Session ID: 0x00EB8000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds

GUL-ASA#


GUL-ASA# show logging | i 172.17.
Nov 13 2021 07:13:08: %ASA-7-609001: Built local-host outside:172.17.0.25
Nov 13 2021 07:13:08: %ASA-7-609002: Teardown local-host outside:172.17.0.25 duration 0:00:00
GUL-ASA#


GUL-ASA# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp ABC
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp management

GUL-ASA# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 110.93.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
GULSHAN-ASA#
Router#show crypto isakmp sa

110.93.X.X 101.53.X.X QM_IDLE 19380 ACTIVE

 

Router#show crypto ipsec sa peer

interface: Vlan101
Crypto map tag: VPN_FOR_ICE, local addr 110.93.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer 101.53.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0


GUL-ASA# packet-tracer input inside icmp 192.168.17.103 8 0 172.17.0.175

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.0.0 255.255.255.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.17.0 255.255.255.0 outside 172.17.0.0 255.255.255.0
NAT exempt
translate_hits = 2279, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list NAT1
match ip inside host 192.168.17.103 outside any
dynamic translation to pool 1 (101.53.X.X [Interface PAT])
translate_hits = 14412, untranslate_hits = 969
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list NAT1

dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

GUL-ASA#

Rekey : no State : MM_ACTIVE

ASA side initiated the VPN connection.

 

On the router side, I do not see any encrypts or decrypts.

 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Can you post both sides' config? Make sure the tunnel IPs are reachable from each other.

 

The example below will help you:

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CISCO ASA SIDE CONFIGURATION :-

 

interface GigabitEthernet0/2
nameif outside
security-level 0
pppoe client vpdn group TO_HO
ip address 101.53.X.X 255.255.255.255 pppoe setroute


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_None esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 110.93.X.X
crypto map outside_map 1 set transform-set TUNNEL_ESP_3DES_None
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 110.93.X.X type ipsec-l2l
tunnel-group 110.93.X.X ipsec-attributes
pre-shared-key *

access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 172.17.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 object-group REMOTE


access-list OUTSIDE_IN_ICE extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ICE extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_ICE extended permit ip any any
access-list OUTSIDE_IN_ICE extended permit tcp any any
access-list OUTSIDE_IN_ICE extended permit icmp any any echo
access-list OUTSIDE_IN_ICE remark OUTSIDE-ASA RULE FOR IPSEC
access-list OUTSIDE_IN_ICE extended permit esp any any
access-list OUTSIDE_IN_ICE remark ISAKMP PORT FOR DP
access-list OUTSIDE_IN_ICE extended permit udp any any eq isakmp
access-list OUTSIDE_IN_ICE extended permit udp any any
access-list OUTSIDE_IN_ICE extended permit ip 172.17.0.0 255.255.255.0 192.168.17.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list NAT1
nat (inside) 1 192.168.17.0 255.255.255.0
access-group OUTSIDE_IN_ICE in interface outside
route outside 110.93.X.X 255.255.255.248 202.163.X.X 1
route outside 172.17.0.0 255.255.255.0 110.93.X.X 1

 


Router End Configuration:-

 

crypto isakmp policy 35
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key w***** address 101.53.X.X

crypto ipsec transform-set ICE-TEST esp-aes esp-sha-hmac
mode tunnel

crypto map VPN_FOR_ICE 105 ipsec-isakmp
description ***** VPN Tunnel from KHI-DP to GUL Office *****
set peer 101.53.x.x
set transform-set ICE-TEST
match address GULSHAN

ip access-list extended GULSHAN
permit ip 172.17.0.0 0.0.0.255 192.168.17.0 0.0.0.255

ip route 101.53.x.x 255.255.255.255 110.93.x.x
ip route 192.168.17.0 255.255.255.0 101.53.x.x

And VPN_FOR_ICE is applied on the ISP interface.
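Before reading the replies that follow, it helps to put the two configs side by side mechanically. The script below is an added example (it is not from the thread, from Cisco, or from any Cisco tool); it parses the crypto-relevant lines of both excerpts above and checks the three things a Phase 2 negotiation needs: the transform-set the crypto map actually references, the ISAKMP policy, and that the crypto ACLs are mirror images. Two assumptions are written into the sample input: the ASA's `object-group REMOTE` is taken to resolve to 172.17.0.0/24, and only ISAKMP policy 10 is included; the masked peer addresses (`110.93.X.X`, `101.53.X.X`) are kept as the thread shows them.

```python
import ipaddress

# Constructed config excerpts taken from the thread. Assumptions: the ASA's
# object-group REMOTE is written out as 172.17.0.0/24, and only ISAKMP policy 10
# is included (the thread's policy 65535 is omitted).
ASA_CFG = """
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_None esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 110.93.X.X
crypto map outside_map 1 set transform-set TUNNEL_ESP_3DES_None
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 172.17.0.0 255.255.255.0
"""

IOS_CFG = """
crypto isakmp policy 35
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto ipsec transform-set ICE-TEST esp-aes esp-sha-hmac
crypto map VPN_FOR_ICE 105 ipsec-isakmp
set peer 101.53.X.X
set transform-set ICE-TEST
match address GULSHAN
ip access-list extended GULSHAN
permit ip 172.17.0.0 0.0.0.255 192.168.17.0 0.0.0.255
"""

# The change the thread later applies on the ASA: reference the AES transform-set.
ASA_FIXED = ASA_CFG.replace("set transform-set TUNNEL_ESP_3DES_None",
                            "set transform-set ESP-AES-128-SHA")

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def _net(addr, mask, wildcard):
    """IPv4Network from addr + subnet mask (ASA) or addr + wildcard mask (IOS)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _after(tokens, keyword):
    """Tokens following `keyword`, or None if it is absent or the last token."""
    if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
        return tokens[tokens.index(keyword) + 1:]
    return None


def parse_crypto(cfg, platform):
    """Extract transform-sets, crypto map settings, ISAKMP policy and crypto ACL ACEs."""
    wildcard = platform == "ios"
    tsets, policy, acls, cmap, cur_acl = {}, {}, {}, {}, None
    for raw in cfg.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        s, m = _after(t, "set"), _after(t, "match")
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = frozenset(t[4:])
        elif t[:3] == ["ip", "access-list", "extended"]:      # IOS named ACL header
            cur_acl = t[3]
        elif s and s[0] in ("peer", "transform-set", "pfs"):   # ASA and IOS 'set' forms
            cmap[s[0]] = " ".join(s[1:])
        elif m and m[0] == "address":
            cmap["acl"] = m[-1]
        elif t[0] in POLICY_KEYS or t[0] == "encr":
            policy["encryption" if t[0] == "encr" else t[0]] = t[1]
        elif t[0] == "access-list" and "permit" in t:            # ASA extended ACE
            p = t.index("permit")
            if t[p + 1] == "ip":
                acls.setdefault(t[1], []).append(
                    (_net(t[p + 2], t[p + 3], False), _net(t[p + 4], t[p + 5], False)))
        elif t[0] == "permit" and cur_acl and t[1] == "ip":      # IOS ACE, wildcard masks
            acls.setdefault(cur_acl, []).append((_net(t[2], t[3], wildcard), _net(t[4], t[5], wildcard)))
    if platform == "ios":
        policy.setdefault("hash", "sha")   # IOS default when no 'hash' line is configured
    return {"tsets": tsets, "policy": policy, "acls": acls, "cmap": cmap}


def compare(asa, ios):
    """Checks both peers must pass before Phase 2 can come up for the mapped traffic."""
    a_ts = asa["tsets"].get(asa["cmap"].get("transform-set"), frozenset())
    i_ts = ios["tsets"].get(ios["cmap"].get("transform-set"), frozenset())
    a_acl = asa["acls"].get(asa["cmap"].get("acl"), [])
    i_acl = ios["acls"].get(ios["cmap"].get("acl"), [])
    # Selectors must mirror: ASA (local, remote) == IOS (remote, local).
    mirrored = {(l, r) for l, r in a_acl} == {(r, l) for l, r in i_acl}
    policy_diff = [k for k in POLICY_KEYS if asa["policy"].get(k) != ios["policy"].get(k)]
    notes = []
    if a_ts != i_ts:
        notes.append(f"transform-set mismatch: ASA {sorted(a_ts)} vs IOS {sorted(i_ts)}")
    if not mirrored:
        notes.append("crypto ACLs are not mirror images of each other")
    if policy_diff:
        notes.append(f"ISAKMP policy differs on: {policy_diff}")
    if ("pfs" in asa["cmap"]) != ("pfs" in ios["cmap"]):
        notes.append("PFS is configured on one side only; verify both peers agree on it")
    return {"transform_match": a_ts == i_ts, "acl_mirrored": mirrored,
            "isakmp_match": not policy_diff, "notes": notes}


def check_pair(asa_cfg, ios_cfg):
    return compare(parse_crypto(asa_cfg, "asa"), parse_crypto(ios_cfg, "ios"))


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CFG), ("after transform-set fix", ASA_FIXED)):
        print(label, check_pair(cfg, IOS_CFG))
```

Run as posted, the checker flags only the transform-set (3DES on the ASA's crypto map entry versus AES on the router) and the one-sided PFS setting; the ISAKMP policies and the crypto ACLs already agree. With the crypto map pointed at `ESP-AES-128-SHA` the transform-set finding disappears, which is the change the thread ends up making.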

 

At a high level, your config is not matching on both sides:

1. Lifetime

2. hash sha - configured on the ASA, I do not see it on the router

3. transform-set - what you are using on both sides is not correct.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

So how can I correct this configuration? In my other ticket the IPsec tunnel was stuck in MM_WAIT2 MSG.

I configured this via ASDM and this got our Phase 2 of the tunnel up at both sides.

 

 

Router#show crypto isakmp sa

110.93.X.X 101.53.X.X QM_IDLE 19380 ACTIVE

You may be correct here; I see the tunnel active (somehow your config confused me).

 

You do not have any decrypts or encrypts:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

Can you post the full output of the following:

ASA
# show crypto ipsec sa peer x.x.x.x (Router peer IP)
Router
# show crypto ipsec sa peer y.y.y.y (ASA peer IP)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA

110.93.X.X 101.53.X.X QM_IDLE 9810 ACTIVE
110.93.X.X 101.53X.X MM_NO_STATE 9809 ACTIVE (deleted)

 

 

Router#SHOW crypto ipsec sa peer 101.53.X.X

interface: Vlan101
Crypto map tag: VPN_FOR_ICE, local addr 110.93.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer 101.53.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 110.93.X.X remote crypto endpt.: 101.53.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan101
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
Router#

 

GUL-ASA# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 110.93.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

 

GUL-ASA# show crypto ipsec sa peer 110.93.x.x detail

There are no ipsec sas for peer 110.93.x.x

 

There is no output for phase 2 on the ASA end. So what needs to be done on the ASA end to match the configuration at both ends?

 

I am new to Cisco ASA and really struggled initially with the IPsec configuration.

Not sure at this stage; since you mentioned Phase 2 is up on both sides, I wanted to look at the output. For Phase 2 to come up you need to initiate the traffic from a device in the ACL to communicate with the other side.

If the ASA side ISAKMP is up

 

# show crypto isakmp sa

 

then initiate the traffic from these IP ranges and post the output again.

Local ident (addr/mask/prot/port): (172.17.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)

 

Note: I will review the full config soon and get back to you with any issues.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

GUL-ASA# show crypto ipsec sa peer 110.93.X.X detail | i encap|decap
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

 

After adjusting the transform set on the Cisco ASA end, as I shared in the above configuration, I found some hits on the 2nd phase at the Cisco ASA end, but pings are still not successful.

 

no crypto map outside_map 1 set transform-set TUNNEL_ESP_3DES_None

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

 

GUL-ASA# show crypto ipsec sa peer 110.93.X.X | i encap|decap
#pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
GUL-ASA#

 

 

This is the new packet capture between my system behind the router and the remote system, but pings are not working even though the local firewall on the PC is off as well. Also the traces showed timeouts when tracing my system from the remote PC.

 

GUL-ASA# packet-tracer input inside icmp 192.168.17.150 8 0 172.17.0.175

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.0.0 255.255.255.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.17.0 255.255.255.0 outside 172.17.0.0 255.255.255.0
NAT exempt
translate_hits = 7356, untranslate_hits = 5
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list NAT1
match ip inside host 192.168.17.150 outside any
dynamic translation to pool 1 (101.53.x.x [Interface PAT])
translate_hits = 28273, untranslate_hits = 882
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list NAT1
match ip inside host 192.168.17.150 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1966976, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

GUL-ASA#
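The two packet-tracer runs in this thread differ in exactly one phase, and a reader has to scan ~60 lines to find it. The script below is an added example (not from the thread or from Cisco) that parses packet-tracer output into phases, reports the first phase that returns DROP together with the final drop reason, and notes whether NAT-EXEMPT matched before the VPN phase. The two inputs are constructed, abbreviated reproductions of the traces posted above (only the deciding phases are kept). One caveat the thread illustrates: the final `Drop-reason: (acl-drop)` does not point at an interface ACL here; the phase that failed is `VPN / encrypt`, which is why the fix was on the IPsec side.

```python
import re

# Constructed, abbreviated reproductions of the two packet-tracer runs in the thread.
DROP_TRACE = """
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.17.0 255.255.255.0 outside 172.17.0.0 255.255.255.0
NAT exempt
translate_hits = 2279, untranslate_hits = 0
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ALLOW_TRACE = """
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.17.0 255.255.255.0 outside 172.17.0.0 255.255.255.0
NAT exempt
translate_hits = 7356, untranslate_hits = 5
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1966976, packet dispatched to next module

Result:
input-interface: inside
output-interface: outside
Action: allow
"""


def parse_trace(trace):
    """Split packet-tracer text into a list of phase dicts and the final summary dict."""
    phases, summary, cur, section = [], {}, None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if not line or ":" not in line:          # blank lines, prompts, bare config text
            if cur is not None and section and line:
                cur[section].append(line)
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # bare 'Result:' opens the final summary
            cur, section = None, None
        elif cur is not None:
            if line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section:
                cur[section].append(line)
            else:
                key, _, value = line.partition(":")
                cur[key.strip().lower()] = value.strip()
        else:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def triage(trace):
    """Return the verdict, the first dropping phase and a defender-oriented hint."""
    phases, summary = parse_trace(trace)
    dropped = next((p for p in phases if p.get("result") == "DROP"), None)
    nat_exempt = any(p.get("type") == "NAT-EXEMPT" and p.get("result") == "ALLOW" for p in phases)
    encrypt = next((p for p in phases if p.get("type") == "VPN" and p.get("subtype") == "encrypt"), None)
    if dropped is None:
        hint = "packet is allowed and encrypted; if replies are missing, check the peer's return path"
    elif dropped.get("type") == "VPN" and nat_exempt:
        hint = ("NAT exemption matched but VPN encrypt failed: check Phase 2 "
                "(IPsec SA present, transform-set and crypto ACL agree), not interface ACLs")
    elif not nat_exempt:
        hint = "traffic was not exempted from NAT, so it will not match the crypto ACL"
    else:
        hint = f"dropped at {dropped.get('type')}/{dropped.get('subtype')}"
    return {
        "action": summary.get("action"),
        "drop_reason": summary.get("drop-reason"),
        "drop_phase": (dropped["type"], dropped["subtype"]) if dropped else None,
        "nat_exempt_matched": nat_exempt,
        "vpn_encrypt_result": encrypt.get("result") if encrypt else None,
        "hint": hint,
    }


if __name__ == "__main__":
    for name, trace in (("before fix", DROP_TRACE), ("after fix", ALLOW_TRACE)):
        print(name, triage(trace))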

Alhamdulillah.

 

I have resolved the issue. Our scenario is like this: MYPC-ACCESSSWITCH-CORESWITCH-CISCO ASA5520-CISCOROUTER2921----->Internet<-------------Gulshan-CISCOASA5520----ATTENDENCEMACHINE.

 

The NAT command for the reverse traffic of 192.168.17.0 was missing on Saturday, so today when I configured that statement my LAN-to-LAN communication started working.

 

access-list NAT140 extended permit ip 172.17.0.0 255.255.255.0 GULSHAN-POOL 255.255.255.0

 

as the packets from the head office were not encapsulated on the IPsec tunnel towards the Gulshan ASA firewall on Saturday.
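The `#pkts encaps` / `#pkts decaps` counters quoted throughout this thread tell the story in retrospect: first no SA at all on the ASA, then 13 encaps and 0 decaps, then 200 encaps and only 5 decaps, until the reverse-path NAT exemption was added on the head-office side. The script below is an added example (not from the thread or from Cisco) that reads those counter lines from `show crypto ipsec sa` output and maps each pattern to the place to look next. The four inputs are constructed from the counter lines posted above; the 10:1 ratio used to call a tunnel "mostly one-way" is a heuristic of this example, not a Cisco threshold.

```python
import re

# Matches only the two counters that matter; "#pkts encrypt" and
# "#pkts encaps failed (send)" deliberately do not match this pattern.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed samples reproducing the counter lines posted in the thread.
ASA_NO_SA = "There are no ipsec sas for peer 110.93.x.x"
ROUTER_IDLE = """#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""
ASA_FIRST_HITS = """#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0"""
ASA_LATER = """#pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5"""

NEXT_STEP = {
    "NO_PHASE2_SA": "Phase 2 never negotiated: compare transform-set, PFS and crypto ACL on "
                    "both peers, then send traffic from a host inside the crypto ACL range.",
    "NO_INTERESTING_TRAFFIC": "SA exists but nothing matched the crypto ACL: send traffic from "
                              "the local ident range and confirm it is exempted from NAT first.",
    "ONE_WAY_OUTBOUND_ONLY": "we encrypt but nothing comes back through the tunnel: check the "
                             "peer's return path, i.e. its crypto ACL and NAT exemption for the "
                             "reverse flow (the missing NAT statement in this thread).",
    "ONE_WAY_INBOUND_ONLY": "the peer sends but we never encrypt replies: check our own crypto "
                            "ACL and NAT exemption for the return flow.",
    "MOSTLY_ONE_WAY": "the tunnel carries traffic but most replies are missing: look at the far "
                      "LAN (host firewall, routing) and at the peer's NAT order.",
    "BIDIRECTIONAL": "counters grow in both directions; the tunnel itself is healthy.",
}


def parse_counters(output):
    """Return {'encaps': n, 'decaps': n}, or None when the device reports no IPsec SA.
    With several SAs in one output the last SA's counters win; split per SA if needed."""
    if "no ipsec sas" in output.lower():
        return None
    found = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    if "encaps" not in found or "decaps" not in found:
        raise ValueError("no '#pkts encaps/decaps' counters found in output")
    return found


def diagnose(output):
    """Classify the counter pattern and say where to look next."""
    counters = parse_counters(output)
    if counters is None:
        verdict = "NO_PHASE2_SA"
    else:
        e, d = counters["encaps"], counters["decaps"]
        if e == 0 and d == 0:
            verdict = "NO_INTERESTING_TRAFFIC"
        elif d == 0:
            verdict = "ONE_WAY_OUTBOUND_ONLY"
        elif e == 0:
            verdict = "ONE_WAY_INBOUND_ONLY"
        elif d * 10 < e:            # heuristic: fewer than 1 in 10 packets answered
            verdict = "MOSTLY_ONE_WAY"
        else:
            verdict = "BIDIRECTIONAL"
    return {"counters": counters, "verdict": verdict, "next_step": NEXT_STEP[verdict]}


if __name__ == "__main__":
    for name, text in (("ASA, first attempt", ASA_NO_SA), ("router", ROUTER_IDLE),
                       ("ASA after transform-set fix", ASA_FIRST_HITS), ("ASA later", ASA_LATER)):
        print(name, "->", diagnose(text)["verdict"])
```

Reading the thread's counters through this lens: the router's 0/0 and the ASA's "no ipsec sas" are the Phase 2 mismatch; 13/0 after the transform-set fix is the classic one-way signature, which points at the peer's return path rather than at the local box; and the final 200/5 is what a partially working reverse path looks like just before the missing NAT statement was added.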
Phase 2 come up you need to initiate the traffic from the device in the ACL to communicate other side.

Good to know you were able to resolve it, and thanks for sharing the solution with the community... that helps you and other members here.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
