Having both boxes running side-by-side and being able to match the config makes this relatively easy. There was only one thing that had me stumped. Disclaimer: IANACCSE (I Am Not A Cisco Certified Something Enginner)
On the old ASA-5505 EZVPN was being liberally used with hardware clients to create site-to-site tunnels. This is a very common use case when dealing with double-NAT and/or dynamic IPs. As the name suggests, configuring it is rather "easy".
So you can imagine that I was stumped when the EZVPN tunnels would not come up on the 5508-X, despite mirroring the configuration.
In the log I saw errors like these:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy a.b.c.d...
Session is being torn down. Reason: crypto map policy not found...This is EZVPN after all, so there is no need to create a specific crypto-map. Or so I thought. Well think again. Apparently there is a default crypto-map on the ASAs that matches any traffic. This dynamic crypto-map does not exist in the default config on a 5508-X running 9.6(1) apparently.
So i had to create it manually, but then it matched literally any traffic. So in the end I had to create a specific crypto-map for each EZVPN client. Well, that definitely makes the EZVPN less "easy"...
Here's the relevant parts of the config nonetheless:
access-list outside_cryptomap_65535.1 extended permit ip 10.100.1.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 match address outside_cryptomap_65535.1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-3DES-SHAObviously this was created in ASDM, where I had to disable the default dynamic crypto map as well.
access-list outside_cryptomap_65535.65535 extended deny ip any4 any4
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535This then caused all traffic to flow regularly again.
What had me stumped is that ASDM did show a default dynamic policy, even though it clearly wasn't there in the config before. I have not tried to remove the match directive on the console, ASDM would not let me do that. So I had to disable it. YMMV.
Better create a specific crypto-map for your EZ-VPN peers if you use site-to-site tunnels, otherwise: no dice.