03-12-2019 04:38 AM - edited 03-12-2019 04:45 AM
Hi all,
Bit of a strange one. Hoping someone may be able to advise.
I'm configuring a new IKEv2 site-to-site VPN on a Cisco 2921 to a customer/3rd-party Cisco ASA; we're running both IKEv1 and IKEv2 VPNs on here at the moment. It seems like the newly configured VPN isn't using the configured IKEv2 policy/proposal and looks like it's defaulting to the 'Smart Default' settings, as per the debug output below:
IKEv2 IKE_SA_INIT Exchange REQUEST
Mar 12 10:51:06.637: IKEv2-PAK:(SESSION ID = 476817,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_
Payload contents:
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Mar 12 10:51:06.637: IKEv2-INTERNAL:(SESSION ID = 476817,SA ID = 1):SM Trace-> SA: I_SPI=A7B3A162BD1F8B21 R_SPI=0000
Mar 12 10:51:06.637: IKEv2:(SESSION ID = 476817,SA ID = 1):Insert SA
Mar 12 10:51:06.637: IKEv2-INTERNAL:(SESSION ID = 476817,SA ID = 1):SM Trace-> SA: I_SPI=A7B3A162BD1F8B21 R_SPI=0000
Mar 12 10:51:06.645: IKEv2:(SESSION ID = 476817,SA ID = 1):Received Packet [From <peer>:500/To <me>
Initiator SPI : A7B3A162BD1F8B21 - Responder SPI : A5C59A29D3E3BB9A Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Mar 12 10:51:06.645: IKEv2-PAK:(SESSION ID = 476817,SA ID = 1):Next payload: NOTIFY, version: 2.0 Exchange type: IKE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN
The 'no proposal chosen' error is the one that's causing me a bit of a headache.
My config is as follows:
crypto ikev2 proposal 1
encryption aes-cbc-256
integrity sha256
group 19
crypto ikev2 policy 1
proposal 1
crypto ipsec transform-set <TS-Name> esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ikev2 profile <3rd party>-Profile
match address local <xyz>
match identity remote address <peer ip> 255.255.255.255
identity local address <xyz>
authentication local pre-share
authentication remote pre-share
keyring local <3rd party>-PSK
crypto map vpn 59 ipsec-isakmp
description <3rd party crypto map>
set peer <peer ip>
set security-association lifetime seconds 86400
set transform-set <3rd party TS>
set pfs group19
set ikev2-profile <3rd party>-Profile
match address <3rd party>-ACL
Is there anything missing? I feel like I'm chasing shadows with this one at the moment. The customer has sent me their config and it looks like it matches mine. Seems like the router is just ignoring the proposal/policy?
Cheers,
Josh
03-12-2019 04:49 AM
03-12-2019 05:01 AM
Hi,
Thanks for the quick response.
ASA Config:
crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal 5
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto map outside_map 10 set pfs group19
crypto map outside_map 10 set peer <Router peer ip>
crypto map outside_map 10 set ikev2 ipsec-proposal 5
crypto map outside_map 10 match address Enc_Domain
I'm happy the encryption domain/crypto ACLs are OK, but I can share them if you like.
Full debug output:
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: IDLE Event: EV_INIT_SA
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_SET_POLICY
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):Setting configured policies
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
Mar 12 11:59:14.007: IKEv2:(SESSION ID = 476829,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
Mar 12 11:59:14.007: IKEv2:(SESSION ID = 476829,SA ID = 1):Request queued for computation of DH key
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_NO_EVENT
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):Action: Action_Null
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
Mar 12 11:59:14.007: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_BLD_MSG
Mar 12 11:59:14.007: IKEv2:(SESSION ID = 476829,SA ID = 1):Generating IKE_SA_INIT message
Mar 12 11:59:14.007: IKEv2:(SESSION ID = 476829,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
Mar 12 11:59:14.007: IKEv2:(SESSION ID = 476829,SA ID = 1):Sending Packet [To <ASA>:500/From <Router>:500/VRF i0:f0]
Initiator SPI : 69F88680A54D9AD0 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Mar 12 11:59:14.007: IKEv2-PAK:(SESSION ID = 476829,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 348
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 136
DH group: 2, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Mar 12 11:59:14.011: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_INSERT_SA
Mar 12 11:59:14.011: IKEv2:(SESSION ID = 476829,SA ID = 1):Insert SA
Mar 12 11:59:14.011: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_NO_EVENT
Mar 12 11:59:14.015: IKEv2:(SESSION ID = 476829,SA ID = 1):Received Packet [From <ASA>:500/To <Router>:500/VRF i0:f0]
Initiator SPI : 69F88680A54D9AD0 - Responder SPI : 00F0A8B3EB4ABE56 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Mar 12 11:59:14.015: IKEv2-PAK:(SESSION ID = 476829,SA ID = 1):Next payload: NOTIFY, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 36
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_RECV_INIT
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):Processing IKE_SA_INIT message
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
Mar 12 11:59:14.019: IKEv2:(SESSION ID = 476829,SA ID = 1):Processing IKE_SA_INIT message
Mar 12 11:59:14.019: IKEv2-ERROR:(SESSION ID = 476829,SA ID = 1):: Received no proposal chosen notify
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: INIT_DONE Event: EV_FAIL
Mar 12 11:59:14.019: IKEv2:(SESSION ID = 476829,SA ID = 1):Failed SA init exchange
Mar 12 11:59:14.019: IKEv2-ERROR:(SESSION ID = 476829,SA ID = 1):Initial exchange failed: Initial exchange failed
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: EXIT Event: EV_ABORT
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: EXIT Event: EV_CHK_PENDING_ABORT
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: EXIT Event: EV_CHK_GKM
MAN-MCIR02-MC1#
Mar 12 11:59:14.019: IKEv2-INTERNAL:(SESSION ID = 476829,SA ID = 1):SM Trace-> SA: I_SPI=69F88680A54D9AD0 R_SPI=00F0A8B3EB4ABE56 (I) MsgID = 0 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Mar 12 11:59:14.019: IKEv2:(SESSION ID = 476829,SA ID = 1):Abort exchange
Mar 12 11:59:14.019: IKEv2:(SESSION ID = 476829,SA ID = 1):Deleting SA
Regards,
Josh
03-12-2019 05:46 AM
Hi,
You have PRF configured on the ASA but not on the router.
ROUTER
crypto ikev2 proposal 1
encryption aes-cbc-256
integrity sha256
group 19
ASA
crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
Add it to the router configuration and try again
HTH
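The debug line `AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2` is easy to misread: the four tokens are in IKEv2 transform-type order (ENCR, PRF, INTEG, D-H per RFC 7296), so `SHA1` is the PRF and `SHA96` is HMAC-SHA1-96 integrity. The router is therefore offering AES-CBC / PRF-HMAC-SHA1 / HMAC-SHA1-96 / group 2, while the ASA policy only accepts AES-256 / SHA256 / group 19 / PRF SHA256, and NO_PROPOSAL_CHOSEN is the correct answer to that offer. The script below is an added example, not from the thread or from any Cisco tool: it parses the two posted config blocks and the debug summary line, normalises the different keyword spellings into names of my own choosing, and reports per transform type where the on-wire offer and the configured proposal each overlap with the peer. It assumes the IOS behaviour that an omitted `prf` means the integrity algorithm is used as PRF (which is why the configured router proposal would in fact match the ASA policy), and the sample inputs are copied from the posts above.

```python
"""Added example: explain an IKEv2 NO_PROPOSAL_CHOSEN by comparing the proposal
the router actually sent (from `debug crypto ikev2`), the proposal it is
configured to send, and the policy the ASA accepts."""
import re

# Constructed sample input, copied from the thread.
IOS_PROPOSAL = """\
crypto ikev2 proposal 1
 encryption aes-cbc-256
 integrity sha256
 group 19
"""
ASA_POLICY = """\
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
"""
# Summary line the router logged while generating IKE_SA_INIT.
DEBUG_LINE = "AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2"

# CLI keywords (IOS and ASA spell them differently) and debug names, mapped to
# one canonical name per algorithm (names are this script's own convention).
# Only the algorithms seen in the thread plus a few common ones are listed;
# unknown keywords pass through upper-cased.
ENCR = {"aes-cbc-256": "AES-CBC-256", "aes-256": "AES-CBC-256",
        "aes-cbc-192": "AES-CBC-192", "aes-192": "AES-CBC-192",
        "aes-cbc-128": "AES-CBC-128", "aes-128": "AES-CBC-128", "3des": "3DES"}
INTEG = {"sha256": "HMAC-SHA256-128", "sha384": "HMAC-SHA384-192",
         "sha512": "HMAC-SHA512-256", "sha1": "HMAC-SHA1-96",
         "sha96": "HMAC-SHA1-96", "md5": "HMAC-MD5-96"}
PRF = {"sha256": "PRF-HMAC-SHA256", "sha384": "PRF-HMAC-SHA384",
       "sha512": "PRF-HMAC-SHA512", "sha1": "PRF-HMAC-SHA1", "md5": "PRF-HMAC-MD5"}
TYPES = ("encr", "prf", "integ", "dh")   # RFC 7296 transform types 1..4


def parse_cisco_ikev2(text):
    """Parse an IOS `crypto ikev2 proposal` or ASA `crypto ikev2 policy`
    block; both use encryption/integrity/group/prf lines."""
    raw = {"encryption": [], "integrity": [], "group": [], "prf": []}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in raw:
            raw[tok[0]].extend(tok[1:])
    # Assumed IOS behaviour: when `prf` is omitted the integrity algorithm is
    # used as PRF. The ASA always lists prf, so model the default to compare.
    prf_kw = raw["prf"] or raw["integrity"]
    return {"encr": [ENCR.get(v, v.upper()) for v in raw["encryption"]],
            "prf": [PRF.get(v, v.upper()) for v in prf_kw],
            "integ": [INTEG.get(v, v.upper()) for v in raw["integrity"]],
            "dh": [int(v) for v in raw["group"]]}


DEBUG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+DH_GROUP_\S+/Group\s+(\d+)$")


def parse_debug_proposal(line):
    """Parse the `IKE Proposal:` summary from `debug crypto ikev2`. The four
    tokens are in transform-type order ENCR, PRF, INTEG, D-H, so `SHA1` is
    the PRF and `SHA96` is HMAC-SHA1-96 integrity."""
    m = DEBUG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised proposal line: {line!r}")
    encr, prf, integ, dh = m.groups()
    return {"encr": [encr.upper()],          # key length is not printed here
            "prf": [PRF.get(prf.lower(), prf.upper())],
            "integ": [INTEG.get(integ.lower(), integ.upper())],
            "dh": [int(dh)]}


def common_transforms(offered, accepted):
    """Per transform type, the algorithms both sides share. An empty list in
    any one type is what makes a responder send NO_PROPOSAL_CHOSEN."""
    def same(o, a):  # "AES-CBC" from the debug matches any AES-CBC key length
        return o == a or (isinstance(a, str) and a.startswith(o + "-"))
    return {t: [a for a in accepted[t] if any(same(o, a) for o in offered[t])]
            for t in TYPES}


def diagnose(debug_line, ios_text, asa_text):
    wire = parse_debug_proposal(debug_line)
    cfg, peer = parse_cisco_ikev2(ios_text), parse_cisco_ikev2(asa_text)
    wire_vs_peer = common_transforms(wire, peer)
    cfg_vs_peer = common_transforms(cfg, peer)
    wire_fails = not all(wire_vs_peer.values())
    cfg_ok = all(cfg_vs_peer.values())
    return {"wire": wire, "configured": cfg, "wire_vs_peer": wire_vs_peer,
            "expect_no_proposal_chosen": wire_fails,
            "configured_would_match": cfg_ok,
            # wire offer fails but the configured proposal would succeed:
            # the initiator is not using the proposal you think it is
            "initiator_not_using_configured": wire_fails and cfg_ok}


if __name__ == "__main__":
    r = diagnose(DEBUG_LINE, IOS_PROPOSAL, ASA_POLICY)
    for t in TYPES:
        print(f"{t:5} sent={r['wire'][t]} configured={r['configured'][t]} "
              f"shared with peer={r['wire_vs_peer'][t]}")
    print("NO_PROPOSAL_CHOSEN expected:", r["expect_no_proposal_chosen"])
    print("router not sending configured proposal:",
          r["initiator_not_using_configured"])
```

On the thread's inputs the script reports that the on-wire offer shares nothing but the cipher family with the ASA, while the configured proposal would match in every transform type, so the question is which `crypto ikev2 policy` the router selected for this peer rather than which algorithms are in it. IOS picks a policy by its `match fvrf` and `match address local` statements, and with several IKEv2 VPNs on the box another policy (or the default one) can win for this local address; `show crypto ikev2 policy` and `show crypto ikev2 proposal` list what the router has, including the defaults, so the selected policy can be confirmed before re-running the debug.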
03-12-2019 06:08 AM
03-12-2019 06:17 AM
03-12-2019 07:47 AM
03-12-2019 08:45 AM
03-14-2019 05:13 AM