As it appears, that was not the solution
After I got it to work, I set the route to ASA peer to use the IP address of the WAN2 gateway (it is in the same subnet as WAN2 address) and it continued to work?!? So then I rebooted the router and there it was the same problem again! So I changed the route again to use the WAN2 interface, and nothing happened, still no tunnel! Rebooted, same problem. Disabled "Allow Fast Path", reboted, same problem...
Long story short, when I disable and then enable the WAN1 interface - the IPSec tunnel starts working! And continues to work (using WAN2) even if I disable the ASA peer route and redirect the traffic via WAN1!
So here is what I think happens:
When the router boots, it takes a bit longer for WAN2 interface to come up than WAN1, so when the IPSec service/daemon tries to connect to ASA, it goes via WAN1 as that is it's default gateway. I can confirm this from the logs, IPSec service tries to connect before WAN2 comes up, it takes 5-6 seconds for WAN2 to come up after rebooting the Mikrotik, maybe it is some feature of the cable modem, who knows (it is a Cisco cable modem/router, maybe it has portfast turned off on that interface so it listens for loops before enabling the interface, just guessing).
When WAN2 interface comes up, it changes the routing table so that traffic to ASA peer goes via WAN2. But the IPSec service does not detect this and it continues to go through WAN1 interface!
No matter what I change in the routing table, IPSec service continues to go through WAN1. The only way to make it switch to WAN2 is to shortly disable/enable the WAN1 interface. The service then re-reads the routing table, switches the traffic to ASA peer via WAN2 and the IPSec tunnel establishes successfully.
I could be wrong about this, but that is what my tests show. I have no idea if this is a bug or if it is intentional, but I think that the IPSec service should monitor the routing table and if it affects any of it's peers, restart the negotiation phase with that peer (or simply restart the IPSec service).
Thanks again for all the help.