I'm troubleshooting a site-to-site VPN tunnel between our Cat 6506 w/ VPN module and the peer's PIX-515. The peer's crypto config appears to be incorrect and has two tunnels built between it and our VPN module.
crypto map mymap 1 match address acl1
crypto map mymap 1 set peer 220.127.116.11
crypto map mymap 1 set transform-set myset
crypto map mymap 2 match address acl2
crypto map mymap 2 set peer 18.104.22.168
crypto map mymap 2 set transform-set myset
access-list acl1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list acl2 permit ip 10.10.0.0 0.0.255.255 host 10.255.255.1
My question is how does the PIX determine which crypto peer (and subsequent SA) to send a packet to? In this example if a packet is sent from 10.10.1.1 to 10.255.255.1, does it match acl1 because it is sequentially higher than the next peer, or does it match acl2 because it is the longest-match for that packet?
I've tried looking through Cisco's website and documentation, but I cannot find the order of precedence for crypto tunnels and how packets are selected/sent.
Anyone here know?
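Cisco crypto maps are evaluated in ascending sequence-number order and the first entry whose ACL matches the packet is used; prefix length plays no part. The sketch below is an added example, not part of the original post or any Cisco tool: it replays that rule against the ACL lines quoted above. The function names are hypothetical, and the masks are read as IOS-style wildcard masks exactly as written in the post (an assumption).

```python
import ipaddress

# Constructed from the crypto map and ACL lines in the post; masks are read
# as IOS-style wildcard masks (assumption).
CONFIG = """\
crypto map mymap 1 match address acl1
crypto map mymap 2 match address acl2
access-list acl1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list acl2 permit ip 10.10.0.0 0.0.255.255 host 10.255.255.1
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take(tokens):
    """Consume one address spec from the token list; return (base, wildcard)."""
    if tokens[0] == "host":
        tokens.pop(0)
        return _ip(tokens.pop(0)), 0
    return _ip(tokens.pop(0)), _ip(tokens.pop(0))

def parse(config):
    """Return [(seq, acl_name, [(src, dst), ...])] sorted by sequence number."""
    acls, entries = {}, []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            entries.append((int(t[3]), t[6]))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_take(rest), _take(rest)))
    return [(seq, name, acls.get(name, [])) for seq, name in sorted(entries)]

def _hit(spec, addr):
    base, wild = spec
    return (addr & ~wild) == (base & ~wild)  # wildcard bits are "don't care"

def matching_entries(config, src, dst):
    """Sequence numbers whose ACL matches src -> dst, in evaluation order."""
    s, d = _ip(src), _ip(dst)
    return [seq for seq, _, aces in parse(config)
            if any(_hit(a, s) and _hit(b, d) for a, b in aces)]

def selected_entry(config, src, dst):
    """First match in ascending sequence order; None means no entry matches."""
    hits = matching_entries(config, src, dst)
    return hits[0] if hits else None
```

For 10.10.1.1 to 10.255.255.1 both entries match and sequence 1 is selected. Every flow acl2 permits is also permitted by acl1, so under this reading sequence 2 is fully shadowed and would never be chosen for outbound traffic.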