Symptom
A newly deployed site to site IKEv2 VPN tunnel that uses a dynamic crypto map does not come up.
Conditions
RA VPN using IPsec IKEv2 already deployed on FTD.
Deploy new site to site VPN tunnel using IKEv2 with different/non-default IKEv2 IPsec proposals.
Workaround
If not using IPsec/IKEv2 for RA VPN, disable IPsec from the "Access Interfaces" Tab under the Connection Profile.
If using IPsec/IKEv2 for RA VPN:
Workaround 1 (Preferred):
On the RA VPN crypto maps (Advanced tab of the Connection Profile), add the settings to be used for the site to site tunnel: the PFS settings, if any, and the IKEv2 IPsec proposal to be used for the site to site VPN tunnel.
Workaround 2 (Production impacting; works only sometimes):
Edit the connection profile and remove IPsec from the access interface. Deploy the change.
Re-enable IPsec and deploy.
The RA VPN dynamic crypto map should now be deployed to a higher sequence number than the site to site VPN dynamic crypto map.
Further Problem Description
The site to site VPN tunnel fails to come up because there is a pre-existing dynamic crypto map (due to the use of IPsec on RA VPN) which is preferred over the newly deployed dynamic crypto map for the site to site VPN tunnel.
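
The ordering problem described above can be checked offline against a saved copy of the crypto map section of the running configuration. The following is an added example, not Cisco code or output from an affected device: the map names, proposal names and sequence numbers in the sample are constructed placeholders, and the check assumes that entries of a crypto map are evaluated in ascending sequence order.

```python
import re

# Constructed sample in ASA/FTD running-config syntax. All names and
# sequence numbers are placeholders, not values generated by FMC.
SAMPLE_CONFIG = """\
crypto dynamic-map RA_DYN 30000 set ikev2 ipsec-proposal RA_PROPOSAL
crypto dynamic-map S2S_DYN 30000 set pfs group14
crypto dynamic-map S2S_DYN 30000 set ikev2 ipsec-proposal S2S_PROPOSAL
crypto map OUTSIDE_MAP 30000 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP 30001 ipsec-isakmp dynamic S2S_DYN
crypto map OUTSIDE_MAP interface outside
"""

DYN_SET = re.compile(r"^crypto dynamic-map (\S+) \d+ set ikev2 ipsec-proposal (.+)$")
MAP_DYN = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def parse(config):
    """Return ({dynamic map: proposals}, {crypto map: [(seq, dynamic map)]})."""
    proposals, entries = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = DYN_SET.match(line)
        if m:
            proposals.setdefault(m.group(1), set()).update(m.group(2).split())
            continue
        m = MAP_DYN.match(line)
        if m:
            entries.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    return proposals, entries


def shadowing_entries(config, s2s_proposal):
    """List (crypto map, seq, dynamic map) entries that sort ahead of the
    first dynamic entry offering s2s_proposal without offering it themselves.
    A crypto map with no entry offering the proposal yields no findings."""
    proposals, entries = parse(config)
    findings = []
    for cmap, items in entries.items():
        blockers = []
        for seq, dyn in sorted(items):
            if s2s_proposal in proposals.get(dyn, set()):
                findings.extend(blockers)
                break
            blockers.append((cmap, seq, dyn))
    return findings


if __name__ == "__main__":
    for cmap, seq, dyn in shadowing_entries(SAMPLE_CONFIG, "S2S_PROPOSAL"):
        print(f"{cmap} seq {seq}: dynamic map {dyn} is matched first and lacks the proposal")
```

An empty result after Workaround 1 (proposal added to the RA VPN map) or Workaround 2 (RA VPN map redeployed at a higher sequence number) indicates the site to site entry is no longer shadowed.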