I've checked and double-checked everything. This is a duplicate (IPs and ACLs changed to protect the innocent) of another situation which works fine. But this one does not.
I can't get any debug info on the 2821 side (?) but right now I'm concerned that when I do try and bring it up from the ASA it appears in "sh cryp isa sa" as type: user (with State: MM_WAIT_MSG2) instead of type: L2L
The packet-tracer on the ASA falls down at:
Forward Flow based lookup yields rule:
out id=0x4a38e38, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x4bbabd0, reverse, flags=0x0, protocol=0
src ip=10.180.0.0, mask=255.255.192.0, port=0
dst ip=10.180.67.0, mask=255.255.255.0, port=0
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is some config - I can definitely send through more if it helps to help me. Below is a bit.
crypto map VPN 40 match address CRYPTO-LONDON
crypto map VPN 40 set peer ip.ip.ip.ip
crypto map VPN 40 set transform-set ESP-AES-256-SHA
tunnel-group ip.ip.ip.ip type ipsec-l2l
tunnel-group ip.ip.ip.ip ipsec-attributes
Really, really appreciate any help.
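To check the two symptoms in the post side by side (the encrypt-domain acl-drop in packet-tracer and the peer showing as type user in MM_WAIT_MSG2), here is a small triage script added as an example; it is not from the original post or any Cisco tool, the sample outputs are constructed from the lines quoted above, and the peer address 192.0.2.1 is a placeholder.

```python
import re

# Constructed samples modelled on the outputs quoted in the post (peer address is a placeholder).
PACKET_TRACER = """\
Forward Flow based lookup yields rule:
out id=0x4a38e38, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x4bbabd0, reverse, flags=0x0, protocol=0
src ip=10.180.0.0, mask=255.255.192.0, port=0
dst ip=10.180.67.0, mask=255.255.255.0, port=0
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
ISAKMP_SA = """\
1   IKE Peer: 192.0.2.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

def parse_packet_tracer(text):
    """Extract the matched rule's domain, deny flag, endpoints and drop reason."""
    info = {}
    m = re.search(r"domain=(\w+), deny=(true|false)", text)
    if m:
        info["domain"], info["deny"] = m.group(1), m.group(2) == "true"
    for side in ("src", "dst"):
        m = re.search(rf"{side} ip=([\d.]+), mask=([\d.]+)", text)
        if m:
            info[side] = f"{m.group(1)}/{m.group(2)}"
    m = re.search(r"Drop-reason: \(([^)]+)\)", text)
    if m:
        info["drop"] = m.group(1)
    return info

def parse_isakmp_sa(text):
    """Return one record per IKE peer with its Type and State fields."""
    pat = r"IKE Peer: ([\d.]+).*?Type\s*:\s*(\w+).*?State\s*:\s*(\w+)"
    return [{"peer": p, "type": t, "state": s} for p, t, s in re.findall(pat, text, re.S)]

def triage(tracer, peers):
    """Flag the two symptoms described in the post so they are checked together."""
    findings = []
    if tracer.get("domain") == "encrypt" and tracer.get("drop") == "acl-drop":
        findings.append(f"encrypt rule {tracer.get('src')} -> {tracer.get('dst')} matched (deny={tracer.get('deny')}) "
                        "but the flow was acl-dropped: verify the crypto map match ACL covers this traffic")
    for p in peers:
        if p["type"] != "L2L":
            findings.append(f"peer {p['peer']} shows Type {p['type']}, not L2L as a site-to-site tunnel should")
        if p["state"].startswith("MM_WAIT"):
            findings.append(f"peer {p['peer']} is stuck in {p['state']}: main mode has not completed")
    return findings
```

Paste the real "packet-tracer" and "show crypto isakmp sa" output into the two strings to run it against your own box.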