09-05-2016 03:06 PM - edited 02-21-2020 08:57 PM
Hello everyone!
I have an IPSec tunnel between a Cisco Router 892 (c890-universalk9-mz.154-3.M4.bin) and a Cisco PIX 515E (ver. 8.0(4)28) with 5 subnets behind the PIX.
The PIX is configured to process bi-directional connection-type, but the Router does not support it =(
So, when I generate interesting traffic from hosts behind the Router, IPSec is not working. When I generate traffic from hosts behind the PIX everything works, but I need to be the initiator from the Router side :-(
Is there a way to make my Cisco router 892 the initiator of the IPSec tunnel so it works with a Cisco PIX/ASA?
I'm afraid I will have to replace the Router with another device =((
Thank you!
09-05-2016 07:59 PM
Hi Yura Kazakevich,
You are right, you can't configure the connection-type on a Router, but this one uses bi-directional by default. In this case you need to find out what is not letting the tunnel come up when initiating from the Router. I would recommend you take captures on the outside interface of the PIX when trying to initiate the tunnel from the Router and also run debugs from the Router as initiator.
Some commands that you can use:
Router debugs:
debug cry condition peer ipv4 <peerip>
debug cry isa
ASA capture:
capture test interface outside match ip host <publicipPIX> host <publicipRouter>
capture drop type asp-drop all circular-buffer
To check the captures you can run these commands:
sh cap test
sh cap drop | in <PIXpublicip>
Hope this info helps!!
Rate if helps you!!
-JP-
09-06-2016 10:53 AM
Thank you for your answer, Jose!
When I try to generate traffic from the Router side I see the following errors in ASDM:
Group = 10.1.36.126, Username = 10.1.36.126, IP = 10.1.36.126, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Group = 10.1.36.126, IP = 10.1.36.126, Removing peer from correlator table failed, no match!
Group = 10.1.36.126, IP = 10.1.36.126, QM FSM error (P2 struct &0x2fe6488, mess id 0x866d8b0d)!
Group = 10.1.36.126, IP = 10.1.36.126, Freeing previously allocated memory for authorization-dn-attributes
10.1.36.126 - Router
10.1.11.30 - PIX
(It's a corporate link through the ISP.)
As soon as I send a ping from behind the PIX side toward the Router side, IPSec comes up immediately. This is strange!
Here is an attachment with captures and the PIX config. I'm ready to pay to get the issue resolved.
"capture drop type asp-drop all circular-buffer" has no records related to my peers (neither 10.1.11.30 nor 10.1.36.126).
Here is a UDP 500 port check (on the PIX) from the server behind the Router:
$nmap -sU -p 500 10.1.11.30
Starting Nmap 5.51 ( http://nmap.org ) at 2016-09-06 20:51 AST
Nmap scan report for 10.1.11.30
Host is up (0.015s latency).
PORT STATE SERVICE
500/udp open isakmp
I forgot to tell you that I have another IPSec tunnel (different peer and interesting traffic) between the Router and a Mikrotik (another branch). There are no such problems there!
When I disconnect IPSec from both sides and generate traffic from behind the Router everything works. The same when I generate traffic from behind the Mikrotik.
Why is Cisco Router => Cisco PIX so odd?... =|
09-06-2016 11:05 AM
Can you share the tunnel configuration on the Router?
Hope this info helps!!
Rate if helps you!!
-JP-
09-06-2016 11:51 AM
Here is:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key **** address 10.1.11.30
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to_BS_BFT
set peer 10.1.11.30
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA1
match address 100
Interesting traffic:
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.154.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
Nat0:
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip host 192.168.4.1 host 212.98.173.36
access-list 101 deny ip host 192.168.4.1 host 212.98.162.139
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
access-list 101 deny ip host 192.168.4.2 host 172.30.69.173
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
route-map SDM_RMAP_TO_BFT permit 10
match ip address 102
match interface FastEthernet8
ip nat inside source route-map SDM_RMAP_TO_BFT interface FastEthernet8 overload
Hope it will help)
09-06-2016 12:13 PM
Hi Yura Kazakevich,
After checking the config I can definitely see a phase 2 mismatch on the interesting traffic: ACL 100 should be mirrored in the bft_5_cryptomap ACL and it is not. Make sure the interesting traffic is mirrored and test again.
Hope this info helps!!
Rate if helps you!!
-JP-
09-06-2016 12:56 PM
I did so. I even removed all ACL entries except one, but without luck.
So I did it again as you advised. Now all entries are mirrored and in the same sequence.
ROUTER:
c892-datacenter#sho access-lists 100
Extended IP access list 100
10 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255 (6357807 matches)
20 permit ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255 (74726 matches)
30 permit ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255 (30 matches)
40 permit ip 192.168.3.0 0.0.0.255 172.16.154.0 0.0.0.255
60 permit ip 192.168.3.0 0.0.0.255 172.16.10.0 0.0.0.255
70 permit ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
80 permit ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255 (5894255 matches)
PIX:
I even raised the priority of bft_5_cryptomap to the highest, as you can see in the screenshot above. No luck(
Then, for testing, I modified the interesting traffic to the following:
ROUTER:
c892-datacenter#sho access-lists 100
Extended IP access list 100
10 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
c892-datacenter#
PIX:
Logs on the PIX still show:
Group = 10.1.36.126, IP = 10.1.36.126, Removing peer from correlator table failed, no match!
Group = 10.1.36.126, IP = 10.1.36.126, QM FSM error (P2 struct &0x4127e78, mess id 0x7910dbd9)!
Awesome!((( It's a bug.
09-06-2016 01:11 PM
Hi Yura Kazakevich,
Try enabling pfs on the Router:
crypto map SDM_CMAP_1 1 ipsec-isakmp
set pfs
Hope this info helps!!
Rate if helps you!!
-JP-
09-06-2016 01:32 PM
Oh my god))) Yes!
That's where the dog was buried! How did I not see it..........
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to_BS_BFT
set peer 10.1.11.30
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA1
set pfs group2
match address 100
It seems everything is now working as expected.
Jose, thank you! Please send me your PayPal account by email (white#maxigame.by). Man!
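The two checks that resolved this thread (mirrored proxy IDs in the crypto ACLs, then matching PFS) are exactly what the PIX compares during quick mode before it logs "Phase 2 Mismatch". The script below is an added example, not code from the thread or from Cisco: it parses an IOS crypto map entry plus its numbered ACL and a PIX/ASA crypto map entry plus its named ACL, and reports every phase-2 difference between them. The router-side text is the configuration posted above (before and after the `set pfs group2` fix); the PIX-side text is constructed here, since the thread never shows the PIX config, and the crypto map name `outside_map` is an assumption. The DH group assumed for a bare `set pfs` (group1 on IOS, group2 on ASA/PIX) is encoded from the platform command references as I recall them and should be checked against your own release.

```python
"""Compare the IPsec phase-2 (quick mode) proposal of an IOS crypto map entry
with the matching PIX/ASA entry and list the differences that would show up on
the PIX as "Phase 2 Mismatch" / QM FSM error.

Router-side text is taken from the thread; the PIX-side text is constructed for
this example (the thread only names the ACL bft_5_cryptomap) and the crypto map
name 'outside_map' is an assumption.
"""
import ipaddress
import re

ROUTER_BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to_BS_BFT
 set peer 10.1.11.30
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA1
 match address 100
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
"""
# The fix from the thread: PFS group2 added to the same crypto map entry.
ROUTER_AFTER = ROUTER_BEFORE.replace(" match address 100", " set pfs group2\n match address 100")

# Constructed PIX/ASA side: PFS enabled with a bare 'set pfs', proxy IDs mirrored.
PIX_SIDE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list bft_5_cryptomap extended permit ip 192.168.111.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list bft_5_cryptomap extended permit ip 192.168.111.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto map outside_map 5 match address bft_5_cryptomap
crypto map outside_map 5 set peer 10.1.36.126
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set pfs
"""

# DH group used when 'set pfs' carries no group (platform defaults as I recall them
# from the Cisco command references; verify against your own release).
PFS_DEFAULT = {"ios": "group1", "asa": "group2"}


def _endpoints(rest, wildcard):
    """Parse 'src dst' where each side is 'any', 'host A' or 'A mask'.
    IOS ACLs carry wildcard masks, PIX/ASA ACLs carry netmasks."""
    toks = rest.split()
    nets = []
    while toks:
        t = toks.pop(0)
        if t == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif t == "host":
            nets.append(ipaddress.ip_network(toks.pop(0) + "/32"))
        else:
            mask = toks.pop(0)
            if wildcard:  # invert the IOS wildcard into a netmask
                mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
            nets.append(ipaddress.ip_network(f"{t}/{mask}", strict=False))
    return nets[0], nets[1]


def parse_side(text, platform):
    """Return PFS group, transform-set contents and proxy IDs of the first crypto map entry."""
    tsets = {m.group(1): tuple(sorted(m.group(2).split()))
             for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)}
    if platform == "ios":
        # IOS: one header line followed by indented 'set ...' / 'match ...' lines
        body = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .*\n)+)", text, re.M).group(1)
        setlines = [ln.strip() for ln in body.splitlines()]
        acl_re, wildcard = r"^access-list {} permit ip (.+)$", True
    else:
        # PIX/ASA: every setting is its own 'crypto map NAME SEQ ...' line
        setlines = [m.group(1) for m in re.finditer(r"^crypto map \S+ \d+ (.+)$", text, re.M)]
        acl_re, wildcard = r"^access-list {} extended permit ip (.+)$", False
    side = {"pfs": None, "transform": None, "acl": None, "proxy": []}
    for line in setlines:
        parts = line.split()
        if line.startswith("set pfs"):
            side["pfs"] = parts[2] if len(parts) > 2 else PFS_DEFAULT[platform]
        elif line.startswith("set transform-set"):
            side["transform"] = tsets.get(parts[2])
        elif line.startswith("match address"):
            side["acl"] = parts[2]
    for m in re.finditer(acl_re.format(re.escape(side["acl"])), text, re.M):
        side["proxy"].append(_endpoints(m.group(1), wildcard))
    return side


def phase2_findings(router, pix):
    """List every phase-2 difference between the two entries (empty list = proposals match)."""
    findings = []
    if router["pfs"] != pix["pfs"]:
        findings.append(f"PFS mismatch: router={router['pfs']} pix={pix['pfs']}")
    if router["transform"] != pix["transform"]:
        findings.append(f"transform-set mismatch: router={router['transform']} pix={pix['transform']}")
    mirrored = {(dst, src) for src, dst in pix["proxy"]}  # PIX entries as seen from the router
    for src, dst in router["proxy"]:
        if (src, dst) not in mirrored:
            findings.append(f"no mirror on PIX for {src} -> {dst}")
    for src, dst in mirrored:
        if (src, dst) not in router["proxy"]:
            findings.append(f"no router entry for PIX proxy ID {dst} -> {src}")
    return findings


if __name__ == "__main__":
    pix = parse_side(PIX_SIDE, "asa")
    for label, cfg in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(label, phase2_findings(parse_side(cfg, "ios"), pix) or ["phase 2 proposals match"])
```

Run against the posted router config, the "before" entry yields only a PFS mismatch (the router proposes no PFS while the PIX requires group2) and the "after" entry yields none, which is the sequence the thread went through once the ACLs were mirrored. Proxy IDs are compared as networks rather than as text, so a PIX netmask entry and the IOS wildcard entry that mirrors it compare equal; the comparison is exact, which is the point, since an ACL entry that is a superset or subset of its mirror is still a phase-2 mismatch for a crypto map.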