Crypto Map Policy Not Found – Troubleshooting

Sorry.. I'm new to Cisco IOS so if I need to present more info, please let me know.

Using IOS 9.1(6), ASDM 7.10(1) on a Cisco 5510, connecting to an Azure VNET. (Yes, UsePolicyBasedTrafficSelectors is set to true)

I am creating a VPN from us (with a single network range) to another site that has several network ranges. But, the VPN only seems to come up on one range. The rest get a "Crypto Map Policy not found" error.

Here is the access list I've defined (well.. it was automatically defined when I created the VPN entry in ASDM):

ciscoasa(config)# show access-list AT&T_cryptomap
access-list AT&T_cryptomap; 5 elements; name hash: 0x395898
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 object-group DM_INLINE_NETWORK_2 (hitcnt=2) 0xaeb5bef0 
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 10.3.0.0 255.255.255.0 (hitcnt=2) 0x41216cae 
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 10.3.1.0 255.255.255.224 (hitcnt=4) 0xee40b1de 
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 10.3.2.0 255.255.255.0 (hitcnt=4) 0xbdd4449d 
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 10.3.224.0 255.255.255.0 (hitcnt=4) 0xa8646d01 
access-list AT&T_cryptomap line 1 extended permit ip 172.16.1.0 255.255.255.240 10.3.254.0 255.255.254.0 (hitcnt=4) 0xbf2c68a9

The tunnel comes up on the last one in the list (10.3.254.0) but all the rest give errors. Example is:

Crypto Map Policy not found for remote traffic selector 10.3.2.0/10.3.2.0/0/65535/0 local traffic selector 172.16.1.0/172.16.1.15/0/65535/0!

I should also note that, if I modify the ACL to only include any one (but just one) of the routes, the VPN comes up on that route. So, all routes seem good, but I can only get one of them at a time.

Update: It appears that when I use the set ranges that the first one to cause a tunnel build works. All the child SAs fail from that point on, regardless of who tries to initiate it.

One thing I did notice… when the child SA requests came in from Azure, the IP ranges were not ranges. They were simply the first IP of the range.

(27):      3c 6f b0 28 6d 24 1d 3e 5d f1 4b eb 94 ad 2f f7
(27):      15 b5 0c a8 d6 eb fe 0c 2a 31 f2 10 43 58 50 66
(27):      ea 54 73 8e 20 0f bd e3 8f 5d 41 e1 63 a3 c5 ec
(27):  TSi(27):   Next payload: TSr, reserved: 0x0, length: 24
(27):     Num of TSs: 1, reserved 0x0, reserved 0x0
(27):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(27):     start port: 0, end port: 65535
(27):     start addr: 10.3.0.0, end addr: 10.3.0.0
(27):  TSr(27):   Next payload: NONE, reserved: 0x0, length: 24
(27):     Num of TSs: 1, reserved 0x0, reserved 0x0
(27):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(27):     start port: 0, end port: 65535
(27):     start addr: 172.16.1.0, end addr: 172.16.1.15

The 10.3.0.0 is part of the 10.3.0.0/24 range.

Also, when the Cisco unit tried to initiate the child SA due to a request to connect from my end, the child SA contained 2 TS's (not sure what that means, btw), one for the single IP I was trying to reach and the other for the correct range of IPs.

(22):      a9 0d f0 fd 71 a5 a9 02 b8 67 9e 91 b5 45 c6 b4
(22):      56 19 a5 0a c1 65 13 8e 3c 2c fb 75 9d 7a f3 9b
(22):      3e 7a 8b 16 58 18 6c 08 e3 7d 27 01 0d 2a f5 a6
(22):      a0 f5 d9 52 f5 8a 60 d4 1b ad f3 bf 85 cb a4 a8
(22):      20 5b eb 81 83 eb 95 28 4d b9 6f 7a 04 f4 e5 67
(22):      ba 23 a3 21 e2 3e 44 2f 62 b8 93 4d 39 93 4f e2
(22):      a3 f8 02 38 58 04 d4 3b ec 7e fb 4a d0 af 61 3c
(22):      c3 97 c8 82 fb 04 7e 4f 0c 8e 2a bb 20 1e 9e 9e
(22):      ab 52 2c 17 84 23 08 cf 06 44 54 39 65 02 cc 2d
(22):      80 71 9b 16 d4 51 4c 0e d2 d3 82 9a de 9b 81 46
(22):      c2 2b 49 54 fb 4d b5 be 9d c1 f6 46 39 e1 3a 0b
(22):      90 d0 fe e9 0d e7 39 a6 1c b9 d0 97 24 20 c2 87
(22):  TSi(22):   Next payload: TSr, reserved: 0x0, length: 40
(22):     Num of TSs: 2, reserved 0x0, reserved 0x0
(22):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(22):     start port: 0, end port: 65535
(22):     start addr: 172.16.1.1, end addr: 172.16.1.1
(22):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(22):     start port: 0, end port: 65535
(22):     start addr: 172.16.1.0, end addr: 172.16.1.15
(22):  TSr(22):   Next payload: NONE, reserved: 0x0, length: 40
(22):     Num of TSs: 2, reserved 0x0, reserved 0x0
(22):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(22):     start port: 0, end port: 65535
(22):     start addr: 10.3.2.20, end addr: 10.3.2.20
(22):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(22):     start port: 0, end port: 65535
(22):     start addr: 10.3.2.0, end addr: 10.3.2.255

10.3.2.20 is the IP I was trying to hit that caused the Cisco to try to build the child tunnel.

Am I misunderstanding how this should all work?

What am I missing?