I've got 2 ASA 5520 on my network.
The first ASA (Firewall 1) handles the site-to-site VPN between the datacenter and remote offices, and the second ASA (Firewall 2) does exactly the same thing for other remote offices.
As you can see in the attachments, "Firewall 1" is the default gateway for the datacenter LAN. Firewall 1 knows the routes to reach the remote offices managed by Firewall 2 (via site-to-site VPN).
When a user on the datacenter LAN tries to ping a server, or access a server with a TCP application, at a remote office using Firewall 1, it succeeds.
But if a user tries to do the same thing at a remote office using Firewall 2, pings are OK but TCP applications are not.
Any ideas?