@GIdenJoe that's what I thought, but having an ASA behind an FTD with NAT enabled required me to specifically add protocol 50 (ESP) to the ACL...  With the NAT I had allowed all protocols, so that didn't cause the issue.  As the MX has only the options of TCP, UDP or ICMP, I'm guessing that it would just allow other protocols through, but haven't actually tested it.

That's strange because the whole reason the UDP/4500 header is added in front of the ESP header is to get through NAT since NAT on most devices only supports TCP, UDP and ICMP.  The only reason you would get an ESP header right behind an IP header if the two VPN endpoints can reach each other without NAT unless for some reason NAT-T was disabled but then it would not be able to pass through a NAT.

So if you had an MX without NAT then you would never be able to match purely on ip protocol 50 or 51 since that is not supported on the MX.  You would have to allow all IP traffic towards that destination.

Indeed, it was a surprise to me when with the original ACL of UDP500 and UDP4500, the IPSEC VPNs passed through the FTD and were NATed to the ASA where they all came up, but no traffic passed...  Once I added ESP to the ACL all was well in the world.  I double checked that NAT traversal was enabled on the VPNs, even though as they were using port 4500, it was pretty likely, so can only assume that if I'd had an MX instead of an FTD, it would either ignore ESP or you'd have to allow all ports 🤔