02-16-2024 01:37 AM
I started managing an FMC, and in it, I have an ASA 9.14 on board.
My Outside interface is public, and the Inside interface is directly connected to my client's management network.
Routing communication is via BGP, and I accept some prefixes to connect.
What I don't have:
The remote and local authentication key:
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
What I have:
1 - Various policies:
crypto ikev2 policy 1
encryption
integrity sha256
group 14 2
prf sha
lifetime seconds 86400
2 - Configuration of 3 proposal names (sha-256, sha-1 md5 and des)
But I don't know what information would be relevant for me to share for the configuration of the other peer.
Can you help me?
I don't have the authentication PSK keys, but would just matching the proposal and the policy settings (DH, hash, encr) work?
Help me please.
02-20-2024 12:48 AM
Oops, back to commenting that I managed to find the key, but it was with the support of TAC:
more flash:/admin.cfg or more flash:/vpn.cfg
Thanks!
02-16-2024 01:43 AM
No, friend, you need the keys the peer uses; otherwise the tunnel will be down.
MHM
02-16-2024 02:56 AM
I understand, and if I don't have the keys, can I delete it and create another one normally, or does this cause a problem?
02-16-2024 02:59 AM
IPsec is p2p.
So the remote and local keys must match on both sides (peers), and sure, you can change it, but you need to make the change on both peers.
This IPsec VPN is between your ASA and what? Is it the same ASA managed by the same FMC? Or is the other peer not managed by you?
MHM
02-16-2024 03:15 AM - edited 02-16-2024 03:16 AM
Hello @MHM Cisco World
No, I don't manage the other peer.
This is a laboratory environment, and the other side is a Huawei ATN 910.
The tunnel did not close, and the client said that its configuration was done, but in addition to not seeing the peer's IP and the proposal that is not in the configurations of my ASA (tran1), some configurations it made are not clear, and even without the keys I would like to know if the tunnel would only work with them.
Huawei:
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 256
ESP protocol: authentication SHA2-HMAC-256, encryption 256-AES
transform: esp-new
02-16-2024 01:45 AM
@joandwifi what are you actually trying to achieve?
You can run "show vpn-sessiondb ratio encryption" to determine what encryption ciphers and "show vpn-sessiondb ratio protocol" to determine what IKE versions are in use by current VPNs.
You can also run "show crypto isakmp sa" and "show crypto ipsec sa" to determine the same for specific VPN peers.
You can run "more system:running-config" to find out the current PSK in use.
02-16-2024 03:08 AM
Hello @Rob Ingram The person responsible for the area changed jobs, and I'm not a security expert.
I executed the command, but the only fields that return me with the encrypted keys do not seem to be those responsible for establishing the tunnel.
ASA# more system:running-config
: Saved
:
:SerialNumber:
enable password $sha512$
admin password $sha512
Cryptochecksum:54d0099
I need to ensure that I am passing the correct settings to the other side/peer to connect with my equipment.
I did a laboratory, and the local and remote IKE keys on the ASA need to be identical on both sides, right? If so, I don't have that key.
ASA/vpn# show vpn-sessiondb ratio encryption
Filter Group: All
Encryption Tunnels Percent
none 0 0%
DES 0 0%
3DES 0 0%
RC4 0 0%
AES128 0 0%
AES192 0 0%
AES256 0 0%
AES-GCM-128 0 0%
AES-GCM-192 0 0%
AES-GCM-256 0 0%
AES-GMAC-128 0 0%
AES-GMAC-192 0 0%
AES-GMAC-256 0 0%
ASA/vpn# show vpn-sessiondb ratio proto
ASA/vpn# show vpn-sessiondb ratio protocol
Filter Group: All
Total Active Tunnels: 0
Cumulative Tunnels: 0
Protocol Tunnels Percent
IKEv1 0 0%
IKEv2 0 0%
IPsec 0 0%
IPsecLAN2LAN 0 0%
IPsecLAN2LANOverNatT 0 0%
IPsecOverNatT 0 0%
IPsecOverTCP 0 0%
IPsecOverUDP 0 0%
L2TPOverIPsec 0 0%
L2TPOverIPsecOverNatT 0 0%
Clientless 0 0%
Port-Forwarding 0 0%
IMAP4S 0 0%
POP3S 0 0%
SMTPS 0 0%
AnyConnect-Parent 0 0%
SSL-Tunnel 0 0%
DTLS-Tunnel 0 0%
ASA/vpn# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA/vpn# show crypto ipsec sa
There are no ipsec sas
ASA/vpn#
Is there any summary I can share with the client on the other side/peer so we can close the tunnel? The other side is a Huawei, but I don't know what information to share, and I also don't have the local and remote IPsec keys.
Encr:
Keysize:
Hash:
DH Grp:
Auth sign PSK:
Peer = Outside: x.x.x.x
Can you help me with what I should share?
02-16-2024 03:16 AM
@joandwifi example:-
ASA# more system:running-config | begin tunnel-group
tunnel-group RAVPN type remote-access
tunnel-group RAVPN webvpn-attributes
authentication aaa certificate
group-url https://vpn.integrate.uk.com enable
tunnel-group VPN type ipsec-l2l
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key Cisco1234
ikev2 remote-authentication pre-shared-key Cisco1234
ikev2 local-authentication pre-shared-key Cisco1234
Your output confirms no active tunnels. Is any VPN configured?
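Added example, not code from the thread or from Cisco: a small Python helper that pulls the IKEv2 policy, IPsec proposal and tunnel-group authentication method out of an ASA running-config and builds the peer checklist asked for above (encryption, integrity, DH group, PRF, lifetime, ESP algorithms), while keeping the pre-shared key value itself out of the summary. The config excerpt, the proposal name and the peer address 198.51.100.10 are constructed.

```python
import re

# Constructed ASA config excerpt (not the thread's real config); PSK is a placeholder.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14 2
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK
"""

def blocks(config):
    """Return (parent command, [indented sub-commands]) pairs from the config text."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def peer_summary(config):
    """Collect the parameters a peer must match; the PSK value is never copied."""
    summary = {"ikev2_policies": [], "ipsec_proposals": [], "tunnel_groups": []}
    for header, body in blocks(config):
        if header.startswith("crypto ikev2 policy"):
            pol = {"policy": header.split()[-1]}
            pol.update(item.split(" ", 1) for item in body)  # encryption, group, ...
            summary["ikev2_policies"].append(pol)
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            prop = {"proposal": header.split()[-1]}
            for m in (re.match(r"protocol esp (\S+) (.+)", i) for i in body):
                if m:
                    prop["esp_" + m.group(1)] = m.group(2)
            summary["ipsec_proposals"].append(prop)
        elif header.startswith("tunnel-group") and header.endswith("ipsec-attributes"):
            psk = any("pre-shared-key" in i for i in body)
            summary["tunnel_groups"].append(
                {"peer": header.split()[1], "auth": "PSK (redacted)" if psk else "other"})
    return summary
```

The PSK itself still has to be exchanged with the peer out of band; the summary only records that PSK authentication is in use.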
02-16-2024 03:26 AM
Hello @MHM Cisco World
Did not work.
This command didn't bring me anything on the production equipment, which currently has 101 active tunnels.
PROD01-ASA# more system:running-config | begin tunnel-group
PROD01-ASA# changeto context vpn
PROD01-ASA/vpn# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection: DefaultL2LGroup
Index: 7065 IP Addr: x.x.x.x
Protocol: IKEv2 IPsec
Encryption: IKEv2: (1)AES256 IPsec: (2)AES256
Hashing: IKEv2: (1)SHA256 IPsec: (2)SHA256
Tx Bytes: 450671072071 Rx Bytes: 50792103274
Login Time: 16:08:53 EDT Mon Jan 22 2024
Duration: 24d 16h:13m:09s
PROD-ASA/vpn# show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                           Active : Cumulative : Peak Concur : Inactive
                         ----------------------------------------------
Site-to-Site VPN       :    101 :     144214 :         102
  IKEv2 IPsec          :    101 :     144214 :         102
---------------------------------------------------------------------------
Total Active and Inactive:    101             Total Cumulative:     144214
---------------------------------------------------------------------------
02-16-2024 03:35 AM
@joandwifi if you are using multi-context mode you need to run "more system:running-config | begin tunnel-group" under the correct context, hence why you would not see the tunnel-groups.
02-16-2024 03:49 AM
Hi @Rob Ingram Unfortunately it doesn't work within the context, only in system.
ASA# changeto context vpn
ASA/vpn# more system:running-config | begin tunnel-group
^
ERROR: % Invalid input detected at '^' marker.
ASA/vpn# more system:running-config
^
ERROR: % Invalid input detected at '^' marker.
ASA/vpn# changeto context system
ASA# more system:running-config
: Saved
As it is a laboratory, can I delete this configuration and configure another key?
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
If so, in addition to the new keys, can you please summarize what settings I need to share to match my ASA?
I really don't know if the proposal is relevant to the establishment of the tunnel.
02-16-2024 03:38 AM
more system:running-config
Don't specify any word, just the above command.
The key will appear as clear text, not encrypted.
MHM
02-16-2024 03:54 AM
Hi @MHM Cisco World Thank you for your support, I explained to @Rob Ingram what didn't work.
I saw that you mentioned the possibility, and now I'm thinking about changing the ikev2 keys:
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Also, could you help me by summarizing what else I should give the customer to configure? I'm thinking he made the wrong configuration, but as I said, the person responsible for the area has already left, and I don't know what he shared.
I would like to send the new keys and the correct information for establishing the tunnel.
02-20-2024 12:50 AM
Oops, back to commenting that I managed to find the key, but it was with the support of TAC:
more flash:/admin.cfg or more flash:/vpn.cfg
Thanks!