ASA IPSec with Ikev2 and FQDN on Zscaler

Hi all,

I am trying to establish an IPSec tunnel with IKEv2 from a Cisco ASA with a dynamic IP address. I know that we have to use FQDN on Zscaler. The corresponding setting on the ASA is crypto isakmp identity key-id "FQDN used in Zscaler".

We use ASA code 9.6, all published config-examples by Zscaler are 9.2 or lower.

Here is our config:
crypto isakmp identity key-id "FQDN used in ZScaler Portal"

crypto ipsec ikev2 ipsec-proposal Zscaler-TransformV2
protocol esp encryption null
protocol esp integrity sha-1

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

access-list outside_cryptomap_1 line 1 extended permit ip object INTERNAL-LAN any
group-policy GroupPolicy_165.225.26.44 internal
group-policy GroupPolicy_165.225.26.44 attributes
vpn-tunnel-protocol ikev2
tunnel-group type ipsec-l2l
tunnel-group general-attributes
default-group-policy GroupPolicy_165.225.26.44
tunnel-group ipsec-attributes
ikev2 local-authentication pre-shared-key **********
ikev2 remote-authentication pre-shared-key **********
isakmp keepalive threshold 20 retry 5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer
crypto map outside_map 2 set ikev2 ipsec-proposal Zscaler-TransformV2

The error message we get is:
IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
IKEv2 was unsuccessful at setting up a tunnel
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel

I am very sure that the PSKs are matching and don't include any special characters like "?".
Does anybody have a working configuration for an IPSec tunnel with IKEv2 and a dynamic IP on the remote ASA?


Can you try to issue one more command in phase 2:

crypto map outside_map 2 set pfs group2 or
crypto map outside_map 2 set pfs group5

Ramesh M
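An added config lint, not from the thread or from Cisco/Zscaler, that checks the posted IKEv2 crypto-map entries for the points raised so far (a key-id identity for the dynamic-IP peer, an empty "set peer", no "set pfs", the proposal reference) and also notes that the proposal uses ESP null encryption, i.e. integrity only. The sample config is constructed from the post above with its placeholders kept.

```python
import re

# Constructed sample, modelled on the config posted in the thread (placeholders kept).
SAMPLE_CONFIG = """
crypto isakmp identity key-id "FQDN used in ZScaler Portal"
crypto ipsec ikev2 ipsec-proposal Zscaler-TransformV2
 protocol esp encryption null
 protocol esp integrity sha-1
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer
crypto map outside_map 2 set ikev2 ipsec-proposal Zscaler-TransformV2
"""

MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set pfs|set ikev2 ipsec-proposal)\s*(.*)")


def lint_asa_ikev2(config: str) -> list:
    """Return a list of findings (strings) for the IKEv2 L2L crypto map entries in an ASA config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # A peer with a dynamic address must identify itself by key-id (FQDN), not by IP.
    if not any(re.match(r"crypto isakmp identity key-id \S", l) for l in lines):
        findings.append("global: no 'crypto isakmp identity key-id' (needed for a dynamic-IP peer)")
    # Collect defined IKEv2 proposals and remember which ones use ESP null encryption.
    proposals, null_enc, current = set(), set(), None
    for l in lines:
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", l)
        if m:
            current = m.group(1)
            proposals.add(current)
        elif current and l == "protocol esp encryption null":
            null_enc.add(current)
    # Group the crypto map statements by (map name, sequence number).
    entries = {}
    for l in lines:
        m = MAP_RE.match(l)
        if m:
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    for (name, seq), fields in entries.items():
        tag = f"{name} {seq}"
        if "match address" not in fields:
            findings.append(f"{tag}: no 'match address' (no interesting traffic defined)")
        if not fields.get("set peer"):  # absent, or present with no address after it
            findings.append(f"{tag}: 'set peer' has no peer address")
        if "set pfs" not in fields:
            findings.append(f"{tag}: no 'set pfs' (the reply above suggests group2 or group5)")
        prop = fields.get("set ikev2 ipsec-proposal")
        if prop not in proposals:
            findings.append(f"{tag}: references undefined or missing ipsec-proposal {prop}")
        elif prop in null_enc:
            findings.append(f"{tag}: proposal {prop} uses ESP null encryption (integrity only, no confidentiality)")
    return findings
```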

Thanks for your reply.
I have tried both settings with no luck. I still get the same error messages.

I had the issue and resolved it after giving this command…

What code version did you use for the ASA?

I used ASA 9.9.2.

@bernd.zielhoff Can you confirm whether this issue is resolved? Can you share the configuration file and debug result with me so I can verify this?

This has not been resolved, but I have given up and am using IKEv1.

Thanks for your update.
Let me see if I can share the configuration from my setup with you.

Just to follow up here… IKEv2 and aggressive mode do not work, and aggressive mode is not really supported from a protocol perspective; therefore the isakmp identity must ip …