AMD 2200, ASRock A320M-HDV and Linux Mint

I built my desktop; the main reason is that I need a more powerful and cheaper computer for my lab and for my 12-year-old's learning, because the laptop I currently use is not quite enough for my lab requirements.

I built the computer with this spec: MB: ASRock, Proc: AMD, and mem: 32 GB PC 2400.

I installed Linux Mint and got a blank screen, haha... a day of troubleshooting, googling everything. The confusing part is that people on the internet say the motherboard I use is a dead end for Linux, that it is Windows only, while my labs are on Linux right now.

What solved it:

grub:

Add this line to /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="amdgpu.dc=1 nomodeset"

I deleted "quiet splash" since it has annoyed me a couple of times, even on my favorite work laptop 😛

and apply the changes:

update-grub

Reboot, let it go through a normal boot, and my Linux Mint came back again with 32 GB RAM and 20 GB swap on SSD.

Junos Logical Systems

A logical system is a virtual chassis inside the JUNOS box; it makes it possible for us to create a topology inside the Junos box.

Below are the steps:

## Set all interfaces to VLAN tagging mode

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/3 vlan-tagging

## Configure Logical System R1

set logical-systems R1 interfaces ge-0/0/1 unit 12 vlan-id 12
set logical-systems R1 interfaces ge-0/0/1 unit 12 family inet address 12.12.12.1/24
set logical-systems R1 interfaces lo0 unit 1 family inet address 1.1.1.1/32

## Configure Logical System R2

set logical-systems R2 interfaces ge-0/0/1 unit 23 vlan-id 23
set logical-systems R2 interfaces ge-0/0/1 unit 23 family inet address 23.23.23.3/24
set logical-systems R2 interfaces ge-0/0/2 unit 20 vlan-id 12
set logical-systems R2 interfaces ge-0/0/2 unit 20 family inet address 12.12.12.2/24
set logical-systems R2 interfaces lo0 unit 2 family inet address 2.2.2.2/32

## Configure Logical System R3

set logical-systems R3 interfaces ge-0/0/3 unit 23 vlan-id 23
set logical-systems R3 interfaces ge-0/0/3 unit 23 family inet address 23.23.23.2/24
set logical-systems R3 interfaces lo0 unit 3 family inet address 3.3.3.3/32

Topology:
[R1]----vlan 12----[R2]----vlan 23----[R3]
     12.12.12.0/24      23.23.23.0/24

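Added example, not part of the original post: a Python check that parses the set commands above and confirms that the logical systems sharing a VLAN ID sit in the same subnet and that no address is reused, two mistakes worth catching before committing the configuration.

```python
import ipaddress
from collections import defaultdict

# The logical-system configuration from the steps above, copied for parsing.
CONFIG = """
set logical-systems R1 interfaces ge-0/0/1 unit 12 vlan-id 12
set logical-systems R1 interfaces ge-0/0/1 unit 12 family inet address 12.12.12.1/24
set logical-systems R1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems R2 interfaces ge-0/0/1 unit 23 vlan-id 23
set logical-systems R2 interfaces ge-0/0/1 unit 23 family inet address 23.23.23.3/24
set logical-systems R2 interfaces ge-0/0/2 unit 20 vlan-id 12
set logical-systems R2 interfaces ge-0/0/2 unit 20 family inet address 12.12.12.2/24
set logical-systems R2 interfaces lo0 unit 2 family inet address 2.2.2.2/32
set logical-systems R3 interfaces ge-0/0/3 unit 23 vlan-id 23
set logical-systems R3 interfaces ge-0/0/3 unit 23 family inet address 23.23.23.2/24
set logical-systems R3 interfaces lo0 unit 3 family inet address 3.3.3.3/32
"""

def parse_units(config):
    """Map (logical-system, interface, unit) -> {'vlan': int, 'addr': IPv4Interface}."""
    units = defaultdict(dict)
    for line in config.strip().splitlines():
        w = line.split()
        if w[:2] != ["set", "logical-systems"] or w[3] != "interfaces":
            continue
        key, rest = (w[2], w[4], w[6]), w[7:]       # e.g. ('R1', 'ge-0/0/1', '12')
        if rest[:1] == ["vlan-id"]:
            units[key]["vlan"] = int(rest[1])
        elif rest[:3] == ["family", "inet", "address"]:
            units[key]["addr"] = ipaddress.ip_interface(rest[3])
    return units

def check_topology(units):
    """Return problems found; an empty list means the segments line up."""
    problems, by_vlan, seen = [], defaultdict(list), {}
    for key, u in units.items():
        addr = u.get("addr")
        if addr is None:
            continue
        if addr.ip in seen:            # same host address used twice in the box
            problems.append("duplicate address %s on %s and %s" % (addr.ip, seen[addr.ip], key))
        seen[addr.ip] = key
        if "vlan" in u:
            by_vlan[u["vlan"]].append(addr)
    for vlan, addrs in sorted(by_vlan.items()):
        nets = {a.network for a in addrs}
        if len(nets) > 1:             # peers tagged the same but in different subnets
            problems.append("vlan %d mixes subnets %s" % (vlan, sorted(map(str, nets))))
    return problems
```
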
Enable Java in Firefox on Ubuntu

Since Ubuntu-based distros are my favorite desktop environment, it is difficult for me when I need to support an ASA firewall, which uses Java for its ASDM. The bad thing is that Firefox no longer supports Java (NPAPI plug-ins), so I used Firefox ESR to support my need.

  1. Prerequisites: download Java, and download Firefox ESR from https://www.mozilla.org/en-US/firefox/organizations/all/ (choose Linux 64-bit).
  2. Install Java:
     - copy the downloaded JRE to /opt

       cp -v jre-8u151-linux-x64.tar.gz /opt
       sudo su

     - change to /opt and extract it

       cd /opt/
       tar -xzvf jre-8u151-linux-x64.tar.gz

     - optional: for me it is easier to manage if I simply rename the Java folder to JAVA

       mv jre-8u151-linux-x64 JAVA

     - log out from root

       exit

  3. Set the Java path (this needs root, so pipe through sudo tee rather than redirecting):

       echo JAVA_HOME="/opt/JAVA/bin/java" | sudo tee -a /etc/environment

  4. Enable Java for Firefox:

       mkdir -p ~/.mozilla/plugins/
       ln -s /opt/JAVA/lib/amd64/libnpjp2.so ~/.mozilla/plugins/

  5. Extract the downloaded Firefox and start it:

       cd Download
       tar -xjvf firefox-52.5.0esr.tar.bz2
       cd firefox
       ./firefox-bin

Reload Firefox and associate .jnlp files in Firefox with /opt/JAVA/bin/javaws:
Tools >> Preferences >> Applications >> search for "JNLP File": use javaws

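Added example (not the author's steps, and not Oracle's or Mozilla's tooling): a Python routine that verifies a downloaded tarball's SHA-256 against the value taken from the vendor's download page before extracting it into /opt, and refuses archive members that would escape the destination; it serves both the JRE and the Firefox ESR archive, and the sample tarball and the expected_sha256 argument are constructed placeholders.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_and_extract(tarball, expected_sha256, dest):
    """Extract `tarball` into `dest` only if its SHA-256 matches the value
    taken from the vendor's download page, and refuse any member that would
    land outside `dest` (../ names, absolute paths) or that is a link.
    Returns the names of the extracted members."""
    actual = sha256_file(tarball)
    if actual != expected_sha256.lower():
        raise ValueError("checksum mismatch: got %s" % actual)
    dest = os.path.realpath(dest)
    names = []
    with tarfile.open(tarball, "r:*") as tf:
        for m in tf.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            if not (target == dest or target.startswith(dest + os.sep)):
                raise ValueError("member escapes destination: %s" % m.name)
            if m.issym() or m.islnk():
                raise ValueError("refusing link member: %s" % m.name)
            tf.extract(m, dest)
            names.append(m.name)
    return names

def plugin_path(jre_dir):
    """The NPAPI library that step 4 symlinks into ~/.mozilla/plugins."""
    so = os.path.join(jre_dir, "lib", "amd64", "libnpjp2.so")
    if not os.path.isfile(so):
        raise FileNotFoundError(so)
    return so

def make_sample_tarball(escape=False):
    """Constructed stand-in for jre-8u151-linux-x64.tar.gz (not Oracle's file);
    with escape=True one member is named ../evil.so to exercise the guard."""
    work = tempfile.mkdtemp()
    path = os.path.join(work, "jre-8u151-linux-x64.tar.gz")
    members = ["jre-8u151-linux-x64/bin/java", "jre-8u151-linux-x64/lib/amd64/libnpjp2.so"]
    if escape:
        members.append("../evil.so")
    with tarfile.open(path, "w:gz") as tf:
        for name in members:
            info = tarfile.TarInfo(name)
            info.size = 4
            tf.addfile(info, io.BytesIO(b"\x7fELF"))
    return work, path, sha256_file(path)
```
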
I also need to try browsers that still support Java, something like SeaMonkey, Pale Moon, etc.

But for now I can use my Ubuntu to manage my ASA firewall.

ASA Lab 01: L2L IPsec VPN – IKEv1

Topology:

Configuration:

ASA0:

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
!
access-list L2L extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco01
!
crypto map IPSECMAP 1 match address L2L
crypto map IPSECMAP 1 set connection-type bi-directional
crypto map IPSECMAP 1 set peer 172.16.2.2
crypto map IPSECMAP 1 set ikev1 phase1-mode main
crypto map IPSECMAP 1 set ikev1 transform-set FirstSet
crypto map IPSECMAP interface outside

ASA1:

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
!
access-list L2L extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco01
!
crypto map IPSECMAP 1 match address L2L
crypto map IPSECMAP 1 set connection-type bi-directional
crypto map IPSECMAP 1 set peer 172.16.1.2
crypto map IPSECMAP 1 set ikev1 phase1-mode main
crypto map IPSECMAP 1 set ikev1 transform-set FirstSet
crypto map IPSECMAP interface outside

Interfaces:

ASA0# sh ip
System IP Addresses:
Interface           Name     IP address    Subnet mask       Method
GigabitEthernet0/1  inside   10.0.1.1      255.255.255.0     manual
GigabitEthernet0/2  outside  172.16.0.2    255.255.255.252   manual
Current IP Addresses:
Interface           Name     IP address    Subnet mask       Method
GigabitEthernet0/1  inside   10.0.1.1      255.255.255.0     manual
GigabitEthernet0/2  outside  172.16.0.2    255.255.255.252   manual

ASA1# sh ip
System IP Addresses:
Interface           Name     IP address    Subnet mask       Method
GigabitEthernet0/1  inside   10.0.2.1      255.255.255.0     manual
GigabitEthernet0/2  outside  172.16.2.2    255.255.255.252   manual
Current IP Addresses:
Interface           Name     IP address    Subnet mask       Method
GigabitEthernet0/1  inside   10.0.2.1      255.255.255.0     manual
GigabitEthernet0/2  outside  172.16.2.2    255.255.255.252   manual

Verification:

Ping from PC1 to the PC on the other side, which is in a different subnet:

PC1> ping 10.0.2.10

84 bytes from 10.0.2.10 icmp_seq=1 ttl=64 time=8.256 ms
84 bytes from 10.0.2.10 icmp_seq=2 ttl=64 time=11.365 ms
84 bytes from 10.0.2.10 icmp_seq=3 ttl=64 time=7.692 ms
84 bytes from 10.0.2.10 icmp_seq=4 ttl=64 time=10.106 ms
84 bytes from 10.0.2.10 icmp_seq=5 ttl=64 time=12.254 ms

ISAKMP status:

ASA0# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 172.16.2.2
 Type : L2L Role : responder 
 Rekey : no State : MM_ACTIVE

We can see the state is currently MM_ACTIVE, which means Phase 1 negotiated successfully.

Now we verify IPsec: did it bring the tunnel up?

ASA0# sh ipsec sa
interface: outside
 Crypto map tag: abcmap, seq num: 1, local addr: 172.16.0.2

access-list L2L extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 
 local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
 current_peer: 172.16.2.2

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
 #TFC rcvd: 0, #TFC sent: 0
 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
 #send errors: 0, #recv errors: 0

local crypto endpt.: 172.16.0.2/0, remote crypto endpt.: 172.16.2.2/0
 path mtu 1500, ipsec overhead 58(36), media mtu 1500
 PMTU time remaining (sec): 0, DF policy: copy-df
 ICMP error validation: disabled, TFC packets: disabled
 current outbound spi: 1FFEC8F1
 current inbound spi : E2BB0BFB

inbound esp sas:
 spi: 0xE2BB0BFB (3803909115)
 transform: esp-3des esp-md5-hmac no compression 
 in use settings ={L2L, Tunnel, IKEv1, }
 slot: 0, conn_id: 8192, crypto-map: abcmap
 sa timing: remaining key lifetime (kB/sec): (3914998/27797)
 IV size: 8 bytes
 replay detection support: Y
 Anti replay bitmap: 
 0x00000000 0x00007FFF
 outbound esp sas:
 spi: 0x1FFEC8F1 (536791281)
 transform: esp-3des esp-md5-hmac no compression 
 in use settings ={L2L, Tunnel, IKEv1, }
 slot: 0, conn_id: 8192, crypto-map: abcmap
 sa timing: remaining key lifetime (kB/sec): (3914998/27797)
 IV size: 8 bytes
 replay detection support: Y
 Anti replay bitmap: 
 0x00000000 0x00000001

Yes it does, since we see this in the show command output:

local crypto endpt.: 172.16.0.2/0, remote crypto endpt.: 172.16.2.2/0
 path mtu 1500, ipsec overhead 58(36), media mtu 1500
 PMTU time remaining (sec): 0, DF policy: copy-df
 ICMP error validation: disabled, TFC packets: disabled
 current outbound spi: 1FFEC8F1
 current inbound spi : E2BB0BFB

This means both WAN sides have already handshaken and are tunneled. The SPI (Security Parameter Index) is a unique ID built to identify the communication between the two firewalls and to tell inbound from outbound traffic. Next we see which settings are used to encrypt, the access-list used to select the traffic, and the IKE version used:

spi: 0xE2BB0BFB (3803909115)
 transform: esp-3des esp-md5-hmac no compression 
 in use settings ={L2L, Tunnel, IKEv1, }

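Added example, not from the lab: a Python audit of the IKEv1 settings shown above, flagging the 3DES/MD5 transform set, DH group 2 and the short pre-shared key; the legacy baseline it applies is the checker's own assumption, not a Cisco list.

```python
# ASA0's crypto configuration from the lab above, copied here for parsing.
ASA0_CONFIG = """
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco01
crypto map IPSECMAP 1 set peer 172.16.2.2
"""

# Baseline used by this checker (assumption, not a Cisco-published list): DES/3DES,
# MD5 and DH groups 1/2/5 are legacy, and "hash sha" on an IKEv1 policy means SHA-1.
LEGACY = {"des": "DES", "3des": "3DES", "md5": "MD5", "sha": "SHA-1",
          "esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "MD5"}
LEGACY_DH = {"1", "2", "5"}
MIN_PSK_LEN = 20

def audit_ikev1(config):
    """Return (context, finding) pairs for the crypto settings in an ASA config."""
    findings, ctx = [], ""
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ikev1", "policy"]:
            ctx = " ".join(w[:4])                    # crypto ikev1 policy 1
        elif w[0] == "tunnel-group":
            ctx = " ".join(w[:2])                    # tunnel-group 172.16.2.2
        elif w[0] in ("encryption", "hash") and w[1] in LEGACY:
            findings.append((ctx, "%s %s is legacy" % (w[0], LEGACY[w[1]])))
        elif w[0] == "group" and w[1] in LEGACY_DH:
            findings.append((ctx, "DH group %s is too small" % w[1]))
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            for alg in w[5:]:
                if alg in LEGACY:
                    findings.append(("transform-set " + w[4], "%s in %s" % (LEGACY[alg], alg)))
        elif w[:2] == ["ikev1", "pre-shared-key"] and w[2] != "*****":
            # "*****" is what show running-config prints once the key is stored
            if len(w[2]) < MIN_PSK_LEN or w[2].lower().startswith("cisco"):
                findings.append((ctx, "weak pre-shared key (%d chars)" % len(w[2])))
    return findings
```
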
VXLAN Learn Notes: vPC Encapsulation across the peer-link

I hit a problem in the lab yesterday: the vPC implementation for the VXLAN anycast gateway did not want to fail over.

Solved by this workaround:

"vpc nve peer-link-vlan xx"

This is from the Cisco site:

vPC Considerations

- A virtual IP must be configured for the vPC pair.
- A virtual IP must be configured for loopback purposes.
- A peer-link switched virtual interface (SVI) must be only on a peer-link in external communication. A configuration example:

    vpc nve peer-link-vlan 99
    interface vlan99
    no shutdown
    no ip redirects
    ip address 99.1.1.1/24
    ip ospf cost 10
    ip router ospf 1 area 0.0.0.0
    ip pim sparse-mode

- A special peer-link SVI must be configured on the vPC pair.
- vPC peers must have identical configurations:
    - Consistent VLAN to VN-segment mapping.
    - Consistent NVE1 binding to the same loopback interface:
        - Using the same secondary IP address.
        - Using different primary IP addresses.

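Added example, not from the post or Cisco's page: a Python checker that compares two vPC peers' NX-OS configuration against the checklist above (same VLAN to VN-segment map, nve1 on the same loopback, same secondary and different primary addresses, same peer-link VLAN); the leaf configurations are constructed.

```python
# Constructed NX-OS snippets for a vPC pair (not from the post or Cisco's page);
# leaf 2 differs from leaf 1 only in the loopback's primary address.
LEAF1 = """
vlan 10
  vn-segment 10010
interface loopback1
  ip address 10.1.1.1/32
  ip address 10.1.1.100/32 secondary
interface nve1
  source-interface loopback1
vpc nve peer-link-vlan 99
"""
LEAF2 = LEAF1.replace("10.1.1.1/32", "10.1.1.2/32")

def parse_nxos(config):
    """Collect what the checklist compares: VLAN->VN-segment, loopback IPs, nve1 source, peer-link VLAN."""
    d, ctx = {"vlans": {}, "loops": {}, "nve_src": None, "peer_vlan": None}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("vlan", "interface"):
            ctx = (w[0], w[1])
        elif w[0] == "vn-segment" and ctx and ctx[0] == "vlan":
            d["vlans"][ctx[1]] = w[1]
        elif w[:2] == ["ip", "address"] and ctx and ctx[0] == "interface":
            role = "secondary" if w[-1] == "secondary" else "primary"
            d["loops"].setdefault(ctx[1], {})[role] = w[2]
        elif w[0] == "source-interface" and ctx == ("interface", "nve1"):
            d["nve_src"] = w[1]
        elif w[:3] == ["vpc", "nve", "peer-link-vlan"]:
            d["peer_vlan"] = w[3]
    return d

def check_vpc_pair(a, b):
    """Return the checklist items the two peers violate (empty means consistent)."""
    problems = []
    if a["vlans"] != b["vlans"]:
        problems.append("VLAN to VN-segment mapping differs")
    if a["nve_src"] is None or a["nve_src"] != b["nve_src"]:
        problems.append("nve1 not bound to the same loopback on both peers")
    else:
        la, lb = a["loops"].get(a["nve_src"], {}), b["loops"].get(b["nve_src"], {})
        if not la.get("secondary") or la.get("secondary") != lb.get("secondary"):
            problems.append("secondary (anycast VTEP) IP missing or differs")
        if la.get("primary") == lb.get("primary"):
            problems.append("primary IP must differ between peers")
    if a["peer_vlan"] is None or a["peer_vlan"] != b["peer_vlan"]:
        problems.append("vpc nve peer-link-vlan missing or differs")
    return problems
```
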
Ref: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/layer2/7x/b_5600_Layer2_Config_7x/b_5600_Layer2_Config_7x_chapter_010010.html