Core issue
The VPN tunnel can fail to come up on the router if traffic hits the deny ip any any statement before the permit statements in the access-group bound to the outside interface.
Once the traffic reaches the outside interface of the router, the router checks it against the access-group. If the deny statement comes before the permit statements, the router drops the packet, even if a later permit statement permits the interesting traffic.
Resolution
In order to resolve this issue, make sure that permit statements come before the deny ip any any statement in the access-group bound to the outside interface.
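The first-match behavior described above can be checked offline before an access list is applied. The following Python sketch is an added example, not Cisco code: the ACL lines, the addresses (peer 192.0.2.2, local 192.0.2.1) and the function names are constructed for illustration, and the parser assumes only the any and host address forms.

```python
import ipaddress

# Constructed sample ACLs using documentation addresses (peer 192.0.2.2, local 192.0.2.1).
BROKEN = """\
access-list 101 deny ip any any
access-list 101 permit udp host 192.0.2.2 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 192.0.2.2 host 192.0.2.1
"""
FIXED = """\
access-list 101 permit udp host 192.0.2.2 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 192.0.2.2 host 192.0.2.1
access-list 101 deny ip any any
"""
PORTS = {"isakmp": 500}  # named port used in the samples

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; None means any."""
    if tokens.pop(0) == "any":
        return None
    return ipaddress.ip_address(tokens.pop(0))  # token after 'host'

def parse(acl_text):
    """Parse the subset 'access-list N action proto src dst [eq port]'."""
    entries = []
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        entries.append((action, proto, src, dst, port, line.strip()))
    return entries

def evaluate(acl_text, proto, src, dst, dport=None):
    """First-match evaluation: return (action, line) of the first matching entry."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port, line in parse(acl_text):
        if p in ("ip", proto) and s in (None, src) and d in (None, dst) and port in (None, dport):
            return action, line
    return "deny", "(implicit deny)"

def shadowed_permits(acl_text):
    """Permit entries that can never match because 'deny ip any any' precedes them."""
    entries = parse(acl_text)
    for i, (action, p, s, d, port, _) in enumerate(entries):
        if (action, p, s, d, port) == ("deny", "ip", None, None, None):
            return [e[5] for e in entries[i + 1:] if e[0] == "permit"]
    return []
```

Any line returned by shadowed_permits is a permit statement that the router never reaches, which is the condition that keeps the tunnel down.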
Here are a few other common reasons why the VPN tunnel can fail to come up:
- The wrong IP address is configured in the pre-shared key or crypto map.
- The crypto map is not bound to the outside interface.
- There are mismatched access control lists on the peers.
- The ISP blocks UDP port 500.