Central site has 3845 and spoke site a 2811 and they have an IPsec tunnel between them. Say central site LAN 10.10.1.0/24 and remote site LAN 10.10.2.0/24. RTR address central 10.10.1.1 and remote 10.10.2.1. I ran packet level debug and I see that when the archive with tftp command is run - the source address winds up being the WAN interface IP rather than the LAN. So the traffic does not get processed by the crypto map. Is there any way that to get the archive command to work from a spoke site whose only connectivity is via IPsec tunnel?
If the router is acting as a TFTP client, you can set the source interface with:
ip tftp source-interface [interface_name]
This command will change the behavior to use the closest interface to the destination network.