Thank you for your help throughout as well Hitesh, the problem was a missing match fvrf statement

No worries.. Glad that its sorted which matters :)

Cheers

Hitesh

Here is some more debug:

*May 16 06:22:46.192: IKEv2:% Getting preshared key from profile keyring KEY-AZURE
*May 16 06:22:46.192: IKEv2:% Matched peer block '13.80.x.x'
*May 16 06:22:46.192: IKEv2:Searching Policy with fvrf 8, local address 85.13.x.x
*May 16 06:22:46.192: IKEv2:Found Policy 'XX-POLICY-AZURE'
*May 16 06:22:46.192: IKEv2:(SESSION ID = 15868,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*May 16 06:22:46.192: IKEv2:(SESSION ID = 15868,SA ID = 1):Request queued for computation of DH key
*May 16 06:22:46.194: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 16 06:22:46.194: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 16 06:22:46.194: IKEv2:(SESSION ID = 15868,SA ID = 1):Generating IKE_SA_INIT message
*May 16 06:22:46.194: IKEv2:(SESSION ID = 15868,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 6
AES-CBC AES-CBC 3DES SHA1 SHA96 DH_GROUP_1024_MODP/Group 2

*May 16 06:22:46.194: IKEv2:(SESSION ID = 15868,SA ID = 1):Sending Packet [To 13.80.x.x:500/From 85.13.x.x:500/VRF i21:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 16 06:22:46.194: IKEv2:(SESSION ID = 15868,SA ID = 1):Insert SA

*May 16 06:22:46.206: IKEv2:(SESSION ID = 15868,SA ID = 1):Received Packet [From 13.80.x.x:500/To 85.13.x.x:500/VRF i21:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID

*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):Processing IKE_SA_INIT message
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):Verify SA init message
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):Processing IKE_SA_INIT message
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):Checking NAT discovery
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):NAT not found
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*May 16 06:22:46.207: IKEv2:(SESSION ID = 15868,SA ID = 1):Request queued for computation of DH secret
*May 16 06:22:46.208: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 16 06:22:46.208: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 16 06:22:46.208: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 16 06:22:46.208: IKEv2:(SESSION ID = 15868,SA ID = 1):Completed SA init exchange
*May 16 06:22:46.208: IKEv2:Config data to send:
*May 16 06:22:46.208: Config-type: Config-request
*May 16 06:22:46.208: Attrib type: ipv4-dns, length: 0
*May 16 06:22:46.208: Attrib type: ipv4-dns, length: 0
*May 16 06:22:46.208: Attrib type: ipv4-nbns, length: 0
*May 16 06:22:46.208: Attrib type: ipv4-nbns, length: 0
*May 16 06:22:46.208: Attrib type: ipv4-subnet, length: 0
*May 16 06:22:46.208: Attrib type: ipv6-dns, length: 0
*May 16 06:22:46.208: Attrib type: ipv6-subnet, length: 0
*May 16 06:22:46.208: Attrib type: app-version, length: 251, data: Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S0a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 13-May-14 18:36 by mcpre
*May 16 06:22:46.208: Attrib type: split-dns, length: 0
*May 16 06:22:46.208: Attrib type: banner, length: 0
*May 16 06:22:46.208: Attrib type: config-url, length: 0
*May 16 06:22:46.208: Attrib type: backup-gateway, length: 0
*May 16 06:22:46.208: Attrib type: def-domain, length: 0
*May 16 06:22:46.208: IKEv2:(SESSION ID = 15868,SA ID = 1):Have config mode data to send
*May 16 06:22:46.208: IKEv2:(SESSION ID = 15868,SA ID = 1):Check for EAP exchange
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Generate my authentication data
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Use preshared key for id 85.13.x.x, key len 58
*May 16 06:22:46.209: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 16 06:22:46.209: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Get my authentication method
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):My authentication method is 'PSK'
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Check for EAP exchange
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Generating IKE_AUTH message
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Constructing IDi payload: '85.13.x.x' of type 'IPv4 address'
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH CFG SA
ASR# TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 16 06:22:46.209: IKEv2:(SESSION ID = 15868,SA ID = 1):Sending Packet [To 13.80.x.x:500/From 85.13.x.x:500/VRF i21:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*May 16 06:22:46.465: IKEv2:(SESSION ID = 15868,SA ID = 1):Received Packet [From 13.80.x.x:500/To 85.13.x.x:500/VRF i21:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
IDr AUTH SA TSi TSr

*May 16 06:22:46.465: IKEv2:(SESSION ID = 15868,SA ID = 1):Process auth response notify
*May 16 06:22:46.467: IKEv2:(SESSION ID = 15868,SA ID = 1):Searching policy based on peer's identity '13.80.x.x' of type 'IPv4 address'
*May 16 06:22:46.469: IKEv2:(SESSION ID = 15868,SA ID = 1):: Failed to locate an item in the database
*May 16 06:22:46.469: IKEv2:(SESSION ID = 15868,SA ID = 1):Verification of peer's authentication data FAILED
*May 16 06:22:46.469: IKEv2:(SESSION ID = 15868,SA ID = 1):Auth exchange failed
*May 16 06:22:46.469: IKEv2:(SESSION ID = 15868,SA ID = 1):: Auth exchange failed
*May 16 06:22:46.469: IKEv2:(SESSION ID = 15868,SA ID = 1):Abort exchange
ASR#
*May 16 06:22:46.471: IKEv2:(SESSION ID = 15868,SA ID = 1):Deleting SA
ASR#
*May 16 06:22:48.463: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

*May 16 06:22:48.463: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 13.80.x.x:500/To 85.13.x.x:500/VRF i0:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
*May 16 06:22:48.463: IKEv2:: A supplied parameter is incorrect
*May 16 06:22:49.463: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

*May 16 06:22:49.463: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 13.80.x.x:500/To 85.13.x.x:500/VRF i0:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
*May 16 06:22:49.463: IKEv2:: A supplied parameter is incorrect
ASR#
*May 16 06:22:50.471: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

*May 16 06:22:50.471: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 13.80.x.x:500/To 85.13.x.x:500/VRF i0:f8]
Initiator SPI : 0E63B64C35F81431 - Responder SPI : E41A0D8555EF70C1 Message id: 0

interface Tunnel11
ip vrf forwarding CUST
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0/0.422
tunnel mode ipsec ipv4
tunnel destination 13.80.x.x
tunnel protection ipsec profile PROF-PH2-AZURE ikev2-profile
tunnel vrf INTERNET

Thanks

Hitesh

Legend! I had the match fvrf command in the ikev2 policy, but in the profile. Have added that and now it is working, thank you so much.

ASR#ping vrf CUST 192.168.x.5 source Gi0/0/1.606
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.x.5, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.254
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/11 ms

Interface: Tunnel11
Profile: PROF-PH1-AZURE
Uptime: 00:06:15
Session status: UP-ACTIVE
Peer: 13.80.x.x port 500 fvrf: INTERNET ivrf: CUST
Phase1_id: 13.80.x.x
Desc: (none)
Session ID: 18532
IKEv2 SA: local 85.13.x.x/500 remote 13.80.x.x/500 Active
Capabilities:(none) connid:1 lifetime:23:53:45
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 33 drop 0 life (KB/Sec) 4607997/7 hours, 53 mins
Outbound: #pkts enc'ed 22 drop 0 life (KB/Sec) 4607997/7 hours, 53 mins

Great. Remember always to rate useful posts. :)