Cisco has been hard at work bringing IKEv2 support to the ASA firewall, but the feature set still lacks an important item currently only available using IKEv1 on the ASA. This feature is “Multiple peers used for redundancy” and is configured with the “set peer” command. It sounds like they are considering this a bug but I’m not sure if or when they plan to release a fix. I noticed this on some of my ASA systems when I was migrating to a new public IP which was configured as a secondary failover IP on the remote ASA site-to-site crypto map entries. The tunnels came up quickly after the IP change, but they were all using IKEv1 because the remote systems had switched away from the primary (first) peer in the crypto map entry peer list. See the following Cisco article for details.
“Multiple peers used for redundancy is not supported with IKEv2 on the ASA. In IKEv1, for redundancy purposes, one can have more than one peer under the same crypto map when you enter the set peer command. The first peer will be the primary and if it fails, the second peer will kick in. Refer to Cisco bug ID CSCud22276”
The Cisco bug report CSCud22276 is available online only to registered Cisco customers. The bug is listed as an “enhancement request” and is still open (no fix provided yet). Here is a quote from it regarding the suggested workarounds:
“1) remove all but one peer from the crypto map
2) use IKEv1 instead of IKEv2”
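The configuration pattern the post describes, as an added example that is not taken from the Cisco article or the bug report: a crypto map entry with a primary and a backup peer that carries both IKEv1 and IKEv2 settings, the single-peer form from workaround 1, and the show commands used to confirm which IKE version a tunnel actually negotiated. The map, ACL, policy and proposal names and the 203.0.113.x addresses are constructed placeholders; the tunnel-group entries (one per peer address, holding the pre-shared keys) are omitted.

```cisco
! Phase 1: both IKE versions enabled on the outside interface
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
! Phase 2 proposals for each IKE version
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Crypto map entry with a primary (.10) and a backup (.11) peer: the pattern
! the bug affects. IKEv1 fails over to the second peer; IKEv2 does not, so once
! the remote side moves to .11 the tunnel comes up with IKEv1 instead of IKEv2.
crypto map OUTSIDE_MAP 10 match address SITE_B_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.11
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
! Workaround 1 from the bug report: keep a single peer per crypto map entry so
! the entry stays usable with IKEv2 (the backup address is no longer listed).
no crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.11
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
! Verification: check which IKE version each tunnel negotiated. A tunnel that
! was expected on IKEv2 but appears only under "show crypto ikev1 sa" is the
! symptom described in the post.
show crypto ikev2 sa
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```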