I have worked on this brainteaser for a long time with no success, so any new perspectives will be appreciated. It's a challenging config - you'll see why.
Hardware: Cisco 1841 Advanced Security Bundle
Interfaces: fa0/0 (internal network)
fa0/1 (backup internet connection, SDSL line) - fixed ip
WIC-ADSL-DG (primary internet connection, atm0/0/0.1 point-to-point ADSL line) - fixed ip
IOS: Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(13b)
Comments: Config uses SLA and tracking objects to insure failover internet connection from the two internet interfaces. There are two separate vpn address pools and client configuration groups, and vpn traffic is statically routed to the corresponding WAN interfaces.
o atm0/0/0.1 (primary internet connection) has a public ip address of aaa.aaa.aaa.aaa
o fa0/1 (backup internet connection) has a public ip address of bbb.bbb.bbb.bbb
o Internet ping hosts 220.127.116.11 and 18.104.22.168 are used by sla monitor 100 and sla monitor 200, respectively, to track reachability (and thereby, the internet connectivity of interfaces atm0/0/0.1 and fa0/1). Traffic to these ping hosts is statically routed.
o Crypto map SDM_CMAP_1 contains two client configuration groups (vpn-client-group_1 and vpn-client-group_2), each one with its own unique address pool (10.10.10.0/32 and 10.10.20.0/32). SDM_CMAP_1 is applied to both fa0/1 and atm0/0/0.1 Each address pool's traffic is statically routed back out through its designated interface, i.e. myvpnippool_1 source addresses go out on the fa0/1 interface while myvpnippool_2 source addresses go out on the atm0/0/0.1 interface
o The ipsec vpn tunnels are established using the Cisco vpn client software.
The problem symptoms:
o ipsec vpn tunnels can be established from the internet on both wan interfaces, individually and simultaneously. This is not a question of being able to set up and tear down tunneled vpn sessions.
o If both wan interfaces are up and connected to the internet, vpn connections on one of the interfaces (either atm0/0/0.1 or fa0/1) will allow pings and telnet sessions to the inside interface (fa0/0). However, vpn connections to the *other* interface will not allow ping or telnet to the inside interface. In the case of the latter, packets from the client are properly encrypted and transported via the tunnel, but no packets return from the tunnel endpoint on the 1841 as evidenced by the statistic that 0 packets are decrypted.
o It appears to be random which vpn connection will return traffic at any given point in time. Both 1841 tunnel endpoints will successfully route traffic to the vpn client - just not at the same time. Simultaneous tunnels to the two wan interfaces can be established and the ability to ping the fa0/0 inside interface will randomly "flip" back and forth between the two tunnels.
Excerpts from the 1841 startup-config: (see attachment)