Shark Attack
Can't get L2L tunnel up

Hello All,

Can anyone tell me why I can't get this tunnel up? I have full IP connectivity between the Loopbacks. I am able to ping from R2's Loopbacks to R4's Loopbacks and vice versa, but when I do show cry isakmp sa I get nothing. When I do packet-tracer in inside icmp 192.168.10.10 0 18.18.18.148 detail I get all allowed across. Seems like the VPN map is not even applied, although I have them on the interfaces and it seems like it's matching. I provided an image of my network map and configs of the devices. I have created this scenario in GNS3.

Thank you
Attachments: ASA.txt, Router.txt, MAP.jpg
Shark Attack (asker)

Also, when I do debug cry isakmp I don't get any output, which also tells me that this isn't even trying to work.
Jan Bacher
If you're doing a policy based VPN, you won't use loopbacks, you won't route the inside IPs of the other end and your crypto ACL should match at least for what you have on the ASA.

I haven't even taken a look at the router yet.
Thanks, I have corrected the errors. I have taken off the Loopbacks and have actual hosts on each end, and I have taken off the routes you mentioned. My ACL matches exactly. Now I can't ping each end, though. I am sure routing might be screwed up between the ASA and router, but I tried a few things and was unsuccessful. Can you look now? I have attached new configs and a map.
Attachments: Router.txt, ASA.txt, NewMap.jpg
Your crypto ACL has to permit ICMP at both ends.
I added the ICMP permit to the crypto maps. When I ping 192.168.10.10 from 19.19.19.19, for example, I get the below:


R11#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)


R11#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10

  1 19.19.19.1 16 msec 20 msec 20 msec
  2 5.5.5.1 36 msec 44 msec 44 msec
  3  *


On R1 I have 0.0.0.0 0.0.0.0 interface f0/0, same on the other end. The ASA is 0.0.0.0 0.0.0.0 outside int.
At least now I am getting debugs.

*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -1424824910
*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -297005755
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
*Mar  1 03:07:13.195: ISAKMP (0:4): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
*Mar  1 03:07:13.199: ISAKMP (0:4): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 03:07:23.163: ISAKMP: received ke message (3/1)
*Mar  1 03:07:23.163: ISAKMP (0:4): peer does not do paranoid keepalives.

*Mar  1 03:07:23.167: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.171: ISAKMP (0:3): peer does not do paranoid keepalives.

*Mar  1 03:07:23.175: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.175: ISAKMP (0:4): deleting node -1842580298 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): deleting node -917118891 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 03:07:23.183: ISAKMP (0:4): Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Mar  1 03:07:23.183: ISAKMP (0:3): purging SA., sa=82B1F78C, delme=82B1F78C
*Mar  1 03:07:23.207: ISAKMP: received ke message (1/1)
*Mar  1 03:07:23.207: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 03:07:23.207: ISAKMP: local port 500, remote port 500
*Mar  1 03:07:23.211: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 03:07:23.215: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82B1F78C
*Mar  1 03:07:23.215: ISAKMP (0:5): Can not start Aggressive mode, trying Main mode.
*Mar  1 03:07:23.215: ISAKMP: Looking for a matching key for 16.16.16.1 in default : success
*Mar  1 03:07:23.215: ISAKMP (0:5): found peer pre-shared key matching 16.16.16.1
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-07 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-03 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-02 ID
*Mar  1 03:07:23.223: ISAKMP (0:5): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 03:07:23.223: ISAKMP (0:5): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 03:07:23.227: ISAKMP (0:5): beginning Main Mode exchange
*Mar  1 03:07:23.227: ISAKMP (0:5): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Let's start with the ASA:

You have this crypto ACL:

   access-list LIST extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
   access-list LIST extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

There should be one entry from your inside subnet to their inside subnet.  You have it going both ways and that's wrong.

Also, I don't see where either 192.168.10.2/24 or 19.19.19.0/24 exist on the ASA.
And on the ASA debug:

Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:d6df9aa9 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry
OK, here is my ASA crypto ACL:
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Here is the router's:
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any (11 matches)

The 19.19.19.0 network is on the router's end and the 192.168.10.0 network is on the ASA's side.
The R4 has int 192.168.10.1 going to 192.168.10.10(host)
This is how I have this configured.
192.168.10.10 > 192.168.10.1 > 9.9.9.2 >9.9.9.1 >16.16.16.1 || 16.16.16.2 < 5.5.5.1 <5.5.5.2 < 19.19.19.1 <19.19.19.19
Also, my ISAKMP phase 1 on the router comes up momentarily, but not on the ASA:


Router1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.1      16.16.16.2      MM_NO_STATE          1    0 (deleted)
The problem that I'm having with all of this is that none of your subnets for the inside interfaces and the subnets in the crypto ACL match.

If your inside interface on the ASA is 9.9.9.0/24, then *that* subnet needs to be permitted in the ACL to the inside subnet at the other end of the tunnel.
9.9.9.0 is the inside. So it should be more like this?

ASA
access-list LIST line 1 extended permit icmp any any (hitcnt=0) 0x76474e5f
access-list LIST line 2 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0

ROUTER
Extended IP access list LIST
    30 permit icmp any any (38 matches)
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
And where do the 19.19.19.0/24 and 192.168.10.0/24 subnets come into play?
I added these, am I still missing something?

ASA
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 3 extended permit ip 5.5.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Router
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
On the ASA, I see two subnets:  
   16.16.16.0/24
   9.9.9.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 5.5.5.0/24 or 19.19.19.0/24 configured anywhere on the ASA.

On the router, I see two subnets:
   16.16.16.0/24
   5.5.5.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 192.168.10.0/24 or 9.9.9.0/24 configured anywhere on the router.

I would expect the ASA to look like this:
  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0

I would expect the ROUTER to look like this:
  ip access-list extended ROUTER
   10 permit icmp 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   20 permit ip 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255

You keep referring to subnets in your configurations that I do not see.
[Image: network map]
I only showed you the configs of the ASA and the router that has the tunnel on. Did you look at the network map I attached? I also inserted the above image of it. There are two networks on the inside of the ASA. One network connects the ASA to a router, and then there is another network connecting that router to another network. The F0/1 on R4 is 192.168.10.1; R2 on the other end is 18.18.18.1 going to 18.18.18.2.
ASKER CERTIFIED SOLUTION
Jan Bacher
This solution is only available to members.
Thanks, unfortunately I still can't get the tunnel up though.

Here is what I get on the router's ISAKMP SA table and debug:

R1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.2      9.9.9.1         MM_NO_STATE          3    0
16.16.16.2      9.9.9.1         MM_NO_STATE          2    0 (deleted)

*Mar  1 01:17:31.271: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 01:17:31.271: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 01:17:31.275: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 01:17:31.275: ISAKMP (0:1): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 01:17:41.219: ISAKMP: received ke message (3/1)
*Mar  1 01:17:41.219: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 01:17:41.223: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.227: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node -1746173240 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node 112806183 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
R1#
*Mar  1 01:17:41.235: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 01:17:41.235: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

ASA

DEBUG
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE MM Initiator FSM error history (struct &0xd89d4c50)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:81ed1904 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry

We can work on this on Monday, I have to leave the office. I am not sure what else it could be.
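The router retransmitting MM_NO_STATE with "attempt 5 of 5" and the ASA's FSM history ending in MM_WAIT_MSG2 / EV_TIMEOUT both say the same thing: each side sends main-mode message 1 and never hears back, and the thread's eventual fix was the missing "crypto isakmp enable OUTSIDE" on the ASA. Below is an added example, not code from the thread or from Cisco, that pulls those signals out of the debug text and states the verdict. The sample lines are constructed copies of the output posted above, and the crypto-map interface address it assumes for the router (16.16.16.2) is taken from the asker's description of the lab.

```python
"""Triage IKEv1 main-mode failures from IOS 'debug crypto isakmp' output, an
ASA IKEv1 debug line and a 'show crypto isakmp sa' table.

Added example, not code from the thread or from Cisco; the sample lines are
constructed copies of patterns posted in the thread."""
import re
from typing import Dict, List

# IOS initiator re-sending main-mode message 1 and exhausting its retries.
RETRANSMIT = re.compile(r"retransmitting phase 1 MM_NO_STATE")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
SENDING = re.compile(r"sending packet to (\S+) my_port 500 peer_port 500 \(I\) MM_NO_STATE")
# ASA initiator whose FSM history shows a timeout waiting for message 2.
ASA_MSG2_TIMEOUT = re.compile(r"IKE MM Initiator FSM error history.*MM_WAIT_MSG2, EV_TIMEOUT")
# Data rows of 'show crypto isakmp sa': dst, src, state, conn-id.
SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)\s+(\d+)")


def triage(lines: List[str], crypto_map_addr: str) -> Dict[str, object]:
    """Summarise what the lines say about IKE phase 1.

    crypto_map_addr is the address of the interface carrying the crypto map; it
    should appear in every 'show crypto isakmp sa' row as either dst or src."""
    peers, mismatches = set(), []
    retransmits, exhausted, asa_timeout = 0, False, False
    for line in lines:
        if RETRANSMIT.search(line):
            retransmits += 1
        m = ATTEMPT.search(line)
        if m and m.group(1) == m.group(2):
            exhausted = True
        m = SENDING.search(line)
        if m:
            peers.add(m.group(1))
        if ASA_MSG2_TIMEOUT.search(line):
            asa_timeout = True
        m = SA_ROW.match(line.strip())
        if m and crypto_map_addr not in (m.group(1), m.group(2)):
            mismatches.append((m.group(1), m.group(2)))

    verdicts = []
    if exhausted:
        verdicts.append(
            "Initiator sent main-mode message 1 to %s and got no reply after the last "
            "retransmit: the peer is not answering on UDP/500. Confirm ISAKMP is enabled on "
            "the peer's outside interface (on an ASA: 'crypto isakmp enable <outside>') and "
            "that UDP/500 is not filtered in between." % ", ".join(sorted(peers)))
    if asa_timeout:
        verdicts.append("ASA timed out in MM_WAIT_MSG2: the same 'no answer to message 1' "
                        "symptom seen from the ASA's side.")
    for dst, src in mismatches:
        verdicts.append(f"SA row dst={dst} src={src} does not contain the crypto-map interface "
                        f"address {crypto_map_addr}: ISAKMP is likely sourced from another "
                        "interface, so the peer's configured peer address will not match.")
    if not (retransmits or peers or asa_timeout or mismatches):
        verdicts.append("No IKE activity at all: interesting traffic is not matching the crypto "
                        "ACL, or ISAKMP is disabled locally, so the crypto map never fires.")
    return {"peers": sorted(peers), "retransmits": retransmits, "exhausted": exhausted,
            "asa_msg2_timeout": asa_timeout, "sa_src_mismatch": mismatches, "verdicts": verdicts}


# Constructed sample, modelled on the router and ASA output posted in the thread.
SAMPLE = """\
R1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.1      9.9.9.1         MM_NO_STATE          3    0
*Mar  1 01:17:31.271: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 01:17:31.271: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 01:17:31.275: ISAKMP (0:1): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE MM Initiator FSM error history (struct &0xd89d4c50)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_SND_MSG1, EV_SND_MSG
"""


def triage_sample() -> Dict[str, object]:
    """Run the triage on the constructed sample; 16.16.16.2 is the router's assumed outside address."""
    return triage(SAMPLE.splitlines(), "16.16.16.2")


if __name__ == "__main__":
    for verdict in triage_sample()["verdicts"]:
        print("-", verdict)
```

The SA-row check is what answers the "is 9.9.9.1 even right?" question mechanically: if neither column of the ISAKMP SA row is the address of the interface that holds the crypto map, the router is negotiating from the wrong side, and the peer's configured peer address will never match.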
The source on the output of show crypto isa sa is 9.9.9.1; is that even right?
Resolved.

Forgot the "crypto isakmp enable OUTSIDE".
I've requested that this question be closed as follows:

Accepted answer: 0 points for Zack Gil's comment #a40599608

for the following reason:

Resolved.

Forgot the "crypto isakmp enable OUTSIDE".
Also, the only ACL statements I needed were these:

ASA
ciscoasa(config)# show access-l LIST
access-list LIST; 2 elements
access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)
access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

Router

R1(config)#do show access-l LIST
Extended IP access list LIST
    70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)
    80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
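Jan Bacher's rules in this thread (one local-to-remote entry per device, mirrored exactly on the other end, the peer address kept out of the encryption domain, no "any") can be checked mechanically before touching the debug output. The following is an added example, not code from the thread or from Cisco: it parses ASA netmask-style and IOS wildcard-style crypto ACLs into a common form and reports every way the pair fails those rules. The ACL text is copied from the posts above; the peer addresses and the local inside networks passed to `audit` are assumptions taken from the asker's description of the lab.

```python
"""Check that a pair of IPsec crypto ACLs (ASA netmask form, IOS wildcard form)
are mirror images of each other and that the encryption domain is sane.

Added example, not code from the thread or from Cisco. The ACL text below is
copied from the thread; peer addresses and local networks are assumptions
taken from the asker's description of the lab."""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard (0.0.0.255) -> netmask (255.255.255.0)."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _endpoint(tokens: List[str], i: int, wildcard: bool):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = wildcard_to_netmask(tokens[i + 1]) if wildcard else tokens[i + 1]
    return ipaddress.IPv4Network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_acl(text: str, wildcard: bool) -> List[Entry]:
    """Parse 'show access-list' output; wildcard=True for IOS, False for ASA.
    Lines without a 'permit' keyword (headers, prompts) are skipped, and trailing
    hit counters after the destination are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        src, j = _endpoint(tokens, i + 2, wildcard)
        dst, _ = _endpoint(tokens, j, wildcard)
        entries.append((tokens[i + 1], src, dst))
    return entries


def check_pair(asa: List[Entry], ios: List[Entry], asa_peer: str, ios_peer: str,
               asa_local: List[str], ios_local: List[str]) -> List[str]:
    """Return the problems found; an empty list means the pair looks consistent.
    *_peer is the remote VPN peer address as seen from that device; *_local lists
    the inside networks that device is allowed to protect."""
    problems: List[str] = []
    sides = (("ASA", asa, ios, asa_peer, asa_local),
             ("router", ios, asa, ios_peer, ios_local))
    for name, mine, theirs, peer, local in sides:
        peer_ip = ipaddress.IPv4Address(peer)
        local_nets = [ipaddress.IPv4Network(n) for n in local]
        mine_set, theirs_set = set(mine), set(theirs)
        for proto, src, dst in mine:
            tag = f"{name}: {proto} {src} -> {dst}"
            if (proto, dst, src) not in theirs_set:
                problems.append(f"{tag}: no mirror entry on the other side")
            if src != dst and (proto, dst, src) in mine_set:
                problems.append(f"{tag}: reverse direction also present on this device")
            if src == ANY or dst == ANY:
                problems.append(f"{tag}: 'any' makes the encryption domain unbounded")
            elif not any(src.subnet_of(n) for n in local_nets):
                problems.append(f"{tag}: source is not one of this device's inside networks")
            if peer_ip in src or peer_ip in dst:
                problems.append(f"{tag}: VPN peer {peer} falls inside the encryption domain")
    return problems


# Final, working pair from the thread's last post.
ASA_GOOD = """\
access-list LIST; 2 elements
access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)
access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0
"""
IOS_GOOD = """\
Extended IP access list LIST
    70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)
    80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
# Earlier, non-working pair from the thread: ASA side written backwards plus 'icmp any any'.
ASA_BAD = """\
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any
"""
IOS_BAD = """\
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any (11 matches)
"""


def audit(asa_text: str, ios_text: str) -> List[str]:
    """Run the check with the lab's addressing (assumed from the asker's map)."""
    return check_pair(parse_acl(asa_text, wildcard=False), parse_acl(ios_text, wildcard=True),
                      asa_peer="16.16.16.2", ios_peer="16.16.16.1",
                      asa_local=["192.168.10.0/24"], ios_local=["19.19.19.0/24"])


if __name__ == "__main__":
    for label, asa_text, ios_text in (("final", ASA_GOOD, IOS_GOOD), ("earlier", ASA_BAD, IOS_BAD)):
        print(f"{label} pair: {audit(asa_text, ios_text) or ['OK']}")
```

Against the final pair the audit returns nothing; against the earlier pair it flags the ASA entry whose source is the remote subnet, and the "icmp any any" lines on both devices, which put the peer addresses themselves inside the encryption domain. The wildcard conversion is done by hand rather than passing the IOS mask straight to `ipaddress`, because `0.0.0.0` and `255.255.255.255` are valid as both a netmask and a wildcard and would otherwise be read the wrong way round.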