I am trying to configure an IKEv1 IPSEC tunnel on this ASR1001X. Phase I comes up no issue. However, none of the interesting traffic specified in the ACL being used for the encryption domain is being matched and therefore Phase 2 is never established. I've confirmed my configuration with the provider on the other end of the tunnel, and I have also run "monitor capture" commands and have confirmed that the correct traffic is making it to the router for the correct destination.
We have other IPSEC tunnels that are functioning without issue, but these tunnels are route-based as opposed to this one which is policy-based. Is it possible that there is an overlap of the routes on the router or is there something I am missing? We do have a route that points any 10.0.0.0/8 network traffic to the firewall, but the networks specified in the encryption domain ACL are more specific. Please help!
TAC was able to figure this out and it was a very simple issue. We have other route-based tunnels on this same router and one of the static routes on the router was sending all traffic destined to this new policy-based tunnel to another direction, so it was never hitting the external interface where the crypto map was applied. I added a static route for the particular network in question (10.223.251.0/24) pointing out the external interface where the crypto map is applied and this has fixed the issue.
Thanks for the update. Glad to know that TAC was able to identify the issue. Interesting that it was a mistake in the routing logic and solved by a static route for the particular network involved in the VPN.
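The resolution above comes down to ordering: the router picks the egress interface by longest-prefix match first, and a crypto map only evaluates packets leaving the interface it is applied to, so a more specific encryption ACL cannot override a less specific route pointing elsewhere. The following model, added here as an illustration and not taken from the thread or from Cisco, reproduces the before/after behaviour; the interface names, the default route and the local 192.0.2.0/24 network are assumptions, while the 10.0.0.0/8 firewall route and the 10.223.251.0/24 remote network come from the posts.

```python
import ipaddress

# Constructed model of the situation in the thread: a policy-based IPsec tunnel
# whose crypto map sits on the external interface, and a routing table that
# selects the egress interface by longest-prefix match BEFORE the crypto map
# ACL is consulted. Interface names are assumptions, not from the thread.
EXTERNAL_IF = "GigabitEthernet0/0/0"   # assumed: crypto map applied here
FIREWALL_IF = "GigabitEthernet0/0/1"   # assumed: next hop toward the firewall

# Encryption domain ACL: (local network, remote network). The local side is
# constructed; the remote 10.223.251.0/24 is the network named in the thread.
CRYPTO_ACL = [(ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("10.223.251.0/24"))]

def egress_interface(routes, dst):
    """Longest-prefix match: return the interface of the most specific route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def matches_crypto_acl(src, dst):
    """True if the flow falls inside the encryption domain ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in CRYPTO_ACL)

def would_encrypt(routes, src, dst):
    """A crypto map only sees packets leaving the interface it is applied to."""
    if egress_interface(routes, dst) != EXTERNAL_IF:
        return False
    return matches_crypto_acl(src, dst)

# Before the fix: the broad 10.0.0.0/8 route toward the firewall wins, so the
# interesting traffic never leaves the external interface (default route assumed).
ROUTES_BEFORE = [
    (ipaddress.ip_network("0.0.0.0/0"), EXTERNAL_IF),
    (ipaddress.ip_network("10.0.0.0/8"), FIREWALL_IF),
]
# After the fix: a more specific static route for the tunnel's remote network
# pointing out the external interface wins the longest-prefix match.
ROUTES_AFTER = ROUTES_BEFORE + [(ipaddress.ip_network("10.223.251.0/24"), EXTERNAL_IF)]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, egress_interface(routes, "10.223.251.10"),
              would_encrypt(routes, "192.0.2.5", "10.223.251.10"))
```

On the real router the equivalent check is `show ip route 10.223.251.10`, which should name the interface carrying the crypto map before any Phase 2 SA can be expected.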