I'm trying to setup an IKEv1 site-to-site vpn in a lab environment.  I followed the wizard in asdm on both ends and I can see an AES256 connection when I go to Monitoring -> VPN -> Sessions under the IPsec Site-to-Site menu.  The problem is I can't reach any devices on private remote networks.  What is confusing is that I don't see anythign in my logs when I try to ping the remote network or reach website on remote network however packet-tracer says everything should go through.  The only time packet-tracer fails is when the IPsec site-to-site tunnel is down, but after that fail it prompts the asa to bring it online, I run it again and it works.  Here is output from my packet tracer command.

ASA1(config)# packet-tracer input inside tcp 10.1.50.51 80 10.1.60.2 80 det

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac412500, priority=0, domain=inspect-ip-options, deny=true

        hits=103, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 destination static NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 no-proxy-arp route-lookup

Additional Information:

Static translate 10.1.50.51/80 to 10.1.50.51/80

Forward Flow based lookup yields rule:

in  id=0xac47ce18, priority=6, domain=nat, deny=false

        hits=11, user_data=0xac47a828, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.50.0, mask=255.255.255.0, port=0

        dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac43d998, priority=0, domain=host-limit, deny=false

        hits=11, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac362ba8, priority=70, domain=encrypt, deny=false

        hits=3, user_data=0x0, cs_id=0xacc24588, reverse, flags=0x0, protocol=0

        src ip/id=10.1.50.0, mask=255.255.255.0, port=0

        dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=any, output_ifc=outside

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1(config)#

Here it is again right after running the command:

ASA1(config)# packet-tracer input inside tcp 10.1.50.51 80 10.1.60.2 80 det

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac412500, priority=0, domain=inspect-ip-options, deny=true

        hits=105, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 destination static NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 no-proxy-arp route-lookup

Additional Information:

Static translate 10.1.50.51/80 to 10.1.50.51/80

Forward Flow based lookup yields rule:

in  id=0xac47ce18, priority=6, domain=nat, deny=false

        hits=12, user_data=0xac47a828, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.50.0, mask=255.255.255.0, port=0

        dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac43d998, priority=0, domain=host-limit, deny=false

        hits=12, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac401b98, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x38334, cs_id=0xacc24588, reverse, flags=0x0, protocol=0

        src ip/id=10.1.50.0, mask=255.255.255.0, port=0

        dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=any, output_ifc=outside

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xa87bb8f8, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x43c54, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=10.1.60.0, mask=255.255.255.0, port=0

        dst ip/id=10.1.50.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xac439f80, priority=0, domain=inspect-ip-options, deny=true

        hits=437, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 443, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ASA1(config)#

ASA1(config)# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 68.231.6.110

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

2   IKE Peer: 65.23.153.227

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE