I have an ASA as a hub for multiple VPN connections. In this case, I have users coming into either IPSEC or SSL VPNs terminating on this ASA. They are able to reach anything except for one site. This site (other spoke) is configured on the ASA for dynamic IPSEC VPN. This remote site is an 1800 router on a DSL line.
If I ping from the VPN clients to the remote site internal network, I get no response and the IPSEC SA does not start up for that subnet to subnet. If I ping from the remote site to an internal location, it works fine and the IPSEC SA is up and active for that traffic. If I ping from the remote site to a VPN user, it takes a second but then brings up the correct IPSEC SA for that traffic as well. Once that's active, I can ping from the VPN client to the remote site.
What's going on here that I can't establish that IPSEC SA from the VPN clients and yet once the SA is active it works fine?