Hello mahmoud,
Because the device is behind NAT then you will need NAT-T enabled on both devices and local-identity configured on your SRX; I can see you have both. I believe that by default the ASA shold be using the following IKE-IDs:
local-identity: ASA's public IP
remote-identity: NAT device's public IP
The above will match with the SRX configuration we have in place as of now (note it has to match in the reverse order).
Regarding the proxy-IDs, I can see you have configured:
set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
This is not needed (and I believe is not doing anything) as the SRX will populate the proxy-IDs values from the matching criteria of the secuirty-policies:
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match source-address y.y.y.y
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match application any
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN
So you can delete the proxy-IDs statements.
If phase 1 is not coming up, we have either a reachability issue or a negotiation problem. Lets find it out:
1. Try the following command to confirm if we have IKE sessions and if we see phase 1 temporally up:
> show security flow sessions protocol udp destination-port 500
> show security flow sessions protocol udp destination-port 4500
> show security ike security-associations
2. If we see sessions and packets being sent/received, lets gather IKE traces to investigate further:
# set security ike traceoptions file IKE_TRACE
# set security ike traceoptions flag all
# commit
# run request security ike debug-enable local [External_SRX_IP] remote [ASA_Public_IP] level 15
# run show security ike debug-status
# run clear log IKE_TRACE
# run show log IKE_TRACE
Please upload the IKE_TRACE file output so we can check for any errors and help you.
Please mark my answer as the solution if it applies.