Version of the Cisco ASA images.

Hi all.

Anyone can check my perception on the differences between these images?

asa933-7-lfbff-k8. SPA

asa924-5-smp - K8.bin

asa924-5 - k8.bin

I guess that lfbff is for the X 5506 and 5508-X with firepower onboard services.

What are the supposed to a user of the image of SMP (Symmetric MultiProcessing)? The ASA 5506-X and 5508-X would be able to run the SMP image?

Witch platforms use the image without any abbreviation?

Any clarification would be greatly appreciated.

Concerning

Hello

Yes you are right.

asa933-7-lfbff-k8. SPA - this would be used on active firepower ASA for example 5506-X etc.

asa924-5-smp - K8.bin - this is used for devices using Multi hearts.

Anything with "smp" in the file name is only compatible with the X-5500 series. The "smp" means symmetric multiprocessor and requires a multicore processor.

asa924-5 - k8.bin - it is used for legacy of the ASA using single cores.

Kind regards

Aditya

Tags: Cisco Security

Similar Questions

  • Evaluation version for the cisco secure access control server

    Hello

    I can get the trial version for the cisco secure access control server. IF SO pls send me the link.

    Thank you

    Hi Thomas,

    You can download ACS for windows 4.1 or 4.2 from the link below:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-eval

    For ACS 5.x, please visit cisco.com

    Download software > Security > Cisco Secure Access Control System 5.x > Secure Access Control System Software

    HTH

    Kind regards

    Jousset

    Please evaluate the useful messages-

  • A possible bug related to the Cisco ASA "show access-list"?

    We had a strange problem in our configuration of ASA.

    In the "show running-config:

    Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

    Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

    Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

    access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

    access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

    access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

    access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

    access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

    inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

    inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

    Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

    inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

    inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

    Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

    inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

    Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

    Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

    Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

    access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

    inside_access_in list extended access permitted ip object windowsusageVM any newspaper

    inside_access_in list of allowed ip extended access any object testCSM

    inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

    inside_access_in list extended access permit ip host 172.31.254.2 any log

    Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

    inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

    In the "show access-list":

    access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

    access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

    Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

    line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

    line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

    line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

    line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

    allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

    allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

    allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

    allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

    allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

    allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

    access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

    allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

    allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

    allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

    access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

    permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

    access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

    permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

    allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

    access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

    25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

    allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

    permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

    access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

    allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

    allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

    permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

    access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

    allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

    access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

    There is a comment in the running configuration: (line 26)

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

    Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

    Thanks in advance.

    See the version:

    Cisco Adaptive Security Appliance Software Version 4,0000 1

    Version 7.1 Device Manager (3)

    Updated Friday, June 14, 12 and 11:20 by manufacturers

    System image file is "disk0: / asa844-1 - k8.bin.

    The configuration file to the startup was "startup-config '.

    fmciscoasa up to 1 hour 56 minutes

    Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

    Internal ATA Compact Flash, 128 MB

    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

    Start firmware: CN1000-MC-BOOT - 2.00

    SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

    Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

    Number of Accelerators: 1

    Could be linked to the following bug:

    CSCtq12090: ACL note line is missing when the object range is set to ACL

    The 8.4 fixed (6), so update to a newer version and observe again.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Back on the cisco ASA 5500 series and PIX 500 series

    Hello

    I fund a site www http://www.searchsecurity.de/themenkanaele/plattformsicherheit/schwachstellenmanagement/allgemein/articles/106752/ (only in German). I have read that it is possible to make a denial of service on cisco PIX 500 series and series 5500 ASA, when the TTL value is enabled.

    How can I check that? or solve the problem?

    I thank you,

    Mary

    What version of the code you run the Pix or ASA. Refer to the "Products affected" section for more information on versions and the products concerned. This should point you in the right direction.

    Also, listed in the URL is bypasses and fixed Versions that you may want to check.

    Kind regards

    Arul

  • Problem with the Cisco ASA 5525 X SFR and Firesight high school

    Hi team,

    We have two ASA 5525 X installed on them and Firesight in a Linux VM whose two SFRs are registered with SFR failover mode. We use the SAA secondary off the hook if the primary fails to turn on the secondary manually switch the wan cable. I turn on the ASA secondary every weekend to take the configuration of the primary for the ASA and the SFR and close by button walk / stop.

    Last week I turn on high school ASA and the Firesight couldn't see the secondary SFR and show the message below:

    Module device heartbeat: device > don't send heartbeats.

    (I should mention I can Pinger the IP ADDRESS)

    I tried to study the problem without success.

    I also deleted the sensor just Firesight devices management in case something is stuck, and I'm trying to re added without success.

    I'm new in firepower so... any ideas?

    Thank you

    Finally, this problem has been resolved by the redefinition of firepower:

    see detailed here procedure to perform this redefinition;

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service...

    Before that, it appeared that firepower was not very healthy:

    After a success "" configure Manager add xxxxx"command.

    the command of managers show show nothing;

    He should have shown this result:

    > Display managers
    Host: 193.193.2.75
    Registration key: AZERTY
    Inscription: pending
    State of the PRC:

    on the other hand, in expert mode, the following command shows several processes (and not in the normal state):

    sudo pmtool status | grep-i down

    Last point,

    After the recreation and reconfigure all this fire power, installed in the ASA secondary standby, was considered to be OK under Firesight health Monitor,.

    but after 10mins, it appeared in critical condition with the following message:

    "Interface"DataPlaneInterface0"receives not all packages.

    This is normal and due to the fact that Eve ASA receives no flow and the same goes for firepower inside this ASA;

    by performing a failover from the primary to the secondary ASA, this critical message disappeared for firepower inside the ASA Sec and appeared for firepower inside the ASA elementary school

  • disable the cisco ASA connection using only activate password via asdm

    Hi all

    How to disable the connection to my cisco asa 5520 using only activate password via asdm? I like to asdm connection using the user name and password. TIA!

    The command:

     aaa authentication http console LOCAL

    .. .will be force users accessing to ASDM (which uses transport http (s)) to be authenticated on the LOCAL database.

    You can also specify another list of defined authentication method, such as RADIUS, RADIUS or AD. (Although t wew love to leave a LOCAL method on the spot, in which case your external authentication server is not available.)

  • the Cisco asa vpn processing error payload: payload ID: 1

    Hello

    I set up vpn L2TP by using ASDM and now I am not able to connect my Cisco ASA 5505.

    It is showing the error message

    3 July 7, 2011 18:57:38 IP = *. *. *. *, payload processing error: ID payload: 1

    Please suggest me how to solve this problem (by using ASDM)

    Thank you

    Hi Nikhil,

    Your config seems incomplete, command 'IPSec l2tp ipsec vpn-tunnel-Protocol' is missing, what is needed to connect L2tp try to reconfigure your firewall using the link:-

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

    Hope this helps,

    Parminder Sian

  • AAA to circumvent the password to enable on the Cisco ASA

    Hi all. I'm having a problem where I get authenticated by the AAA server, but after authentication, that I am placed in user mode. AAA admin (I have no access to the AAA server) told me that he had all the users configured with priv level 15, which will lead them directly in the mode privilege on routers.

    My question is how can I configure my Cisco ASA to get around using a password to enable. See below the configuration of my

    AAA-server protocol Ganymede MYGROUP +.
    Max - a failed attempts 4
    AAA-server host 2.2.2.2 MYGROUP (inside)
    timeout 3
    key *.
    Console Telnet AAA authentication LOCAL MYGROUP
    Console to enable AAA authentication LOCAL MYGROUP
    privilege MYGROUP 15 AAA accounting command

    Looks like you want to directly access the exec privileges mode. This feature is not supported by the ASA. This is only possible on IOS devices.

    Rgds, jousset

    Note the useful questions.

  • Discover device directly connected to the cisco ASA

    How do I know which is directly connected to an ASA interface? I'm looking for some commands that can be executed on the SAA to find the directly connected Cisco device.

    Thank you

    Boudou

    Unfortunately it is not available on SAA for you tell what device is directly connected to it, there is no 'see the neighboring cdp' on SAA unfortunately.

    You can check the ARP table and see which is the next hop, but who would only give the layer 3 device, such that there could be a switch between the two institutions.

  • Completely disable the Cisco ASA threat detection

    Hi all

    On a Cisco ASA5510, Version 8.2 (1) with ADSM v. 6.2 (1) we have this threat detection because we like to allow all traffic through at this time:

    Wouldn't be fair to assume that this setting blocks any traffic that might normally be considered to be a threat? We assume that the setting 'Enable parsing' verified by himself just analyze traffic but takes no action.

    Yes you are right. Not all IP block until you have the keyword "flee".

    Thank you and best regards,

    Maryse Amrodia

  • Cisco UCS C240M4 Esxi installation version 5.0 cisco custom image do not start

    Hi all

    We are trying to install ESXi 5.0 on Cisco UCS C240M4 server and during loading of the VMware purple screen with the following error

    Bora/vmkernel/hardware/apic.c:1913 and bora/vmkernel/hardware/apic.c:1915 NOT_IMPLEMENTED NOT_IMPLEMENTED.

    Greetings.

    ESXi 5.1 U2 is the first supported by Cisco for the C240M4. See matrix interop

    I suspect that older versions 5.0 and earlier versions will have problems with the latest chipsets, as well as the lack of 12 GB storage controller drivers.

    You will want to check the interop matrix for which OS versions are supported as well as different levels of driver for the network cards, storage, etc.

    Thank you

    Kirk...

  • Problem with the Cisco ASA vpn redundancy?

    Hi all

    I have a series ASA 5500 firewall and need to set a different peer ip for the connection of site2sitevpn. In fact, my goal is, ASA tent first pair ip of the site2site tunnel, when ASA may not reach this ip, try to reach another ip I set before. I can configure this scenerio on Cisco router with this command;


    
    crypto map tohub 1 ipsec-isakmp 
     set peer 10.1.1.1 default 
     set peer 10.2.2.2

    but I wonder what can I do about ASA?

    Thank you.

    Best regards.

    Shane,

    You can configure multiple IP addresses, under the same entry of homologous set on ASA, but it works the same on IOS with preferred peer, it passes between defined peer.

    Marcin

  • Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

    Hello

    I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

    So the problem is that I'm trying to access a server on the cloud for remote VPN access (cisco asa 5510).

    The server on the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) NY Firewall (cisco asa 5510)

    I added some ACE for this in the ACL of VPN tunnel to divide.

    NY-standard host allowed fw # access - list vpn_remote-customer 54.54.54.54

    And I see the road added to my cliet machine after the VPN connection, but still it cannot connect to this server.

    The network INTERIOR, I can connect to the server.

    Thanks in advance.

    Hello

    This is most likely a problem with NAT hair/U-turn hairpin.

    Will need to see the configurations or you would need to check yourself

    I don't know what your version of the Software ASA is to be like who determines what is the format of NAT configuration.

    So far, you have confirmed that the ASA VPN configuration provides the VPN Client with the route to the remote server. Then in circulation should be tunnel to the ASA.

    Then, you will need to check the output of this command

    See the race same-security-traffic

    You should see the command in the output below

    permit same-security-traffic intra-interface

    If you do not, you will need to add it. This effect of controls is to allow traffic to enter an interface and exit through the same interface. In your case this applies to Internet VPN Client traffic to the remote server as it between ' outside ' and spell through the 'outside'.

    Then, should ensure that dynamic PAT is configured for the VPN Clients.

    8.2 software (and below)

    You most likely have a dynamic configuration PAT like that on the firewall, if levels of above running software version

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0

    In this situation if we wanted to add dynamic PAT for a pool of VPN, we would add

    NAT (outside) 1

    This would allow users to use the same public IP address as LAN users, when accessing the remote VPN server

    Software 8.3 (and above)

    Because the NAT configuration format is completely different in the latest software, you could probably just add a new configuration of NAT completely without adding a

    network of the VPN-PAT object

    subnet

    dynamic NAT interface (outdoors, outdoor)

    Of course, its possible that there could be some configuration NAT already on the device which could cause problems for this configuration. If this does not work then that we would have to look at the actual configurations on the ASA.

    Hope this helps

    Let me know how it goes

    -Jouni

  • Problem with the Cisco VPN and Vista client

    Hello

    I have an easy VPN server configured on a c2811 and users use the Cisco VPN client. Lately, I have users running Windows Vista 64 bit and I need to know what is the correct version of the vpn client, I have to use and the compatibility problems with the server, I configured.

    Thank you and best regards.

    Cisco VPN Client doesn't have any version that is compatible with Vista 64 bit OS. The only customer that Cisco has released that supports the 64 bit OS's AnyConnect, but it is only supported on the CISCO ASA Appliance

  • EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

    Hi friends,

    I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

    Please find below the exit of 881 router Cisco:

    YF2_Tbilisi_router #.
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
    * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
    * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
    * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
    * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
    * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
    * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
    * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:31:47.805 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
    * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
    * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
    * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
    * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
    * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
    * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
    * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
    * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:32:48.913 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

    There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

    The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?

Maybe you are looking for