
site to site vpn with aws

M Mohammed
Level 1

Hi all,

I have a site-to-site VPN with AWS, and I have restricted all the inbound traffic using an ACL that explicitly denies any any (for both IP and ICMP). Still, users from AWS can access my network, can RDP in, and can also ping my network.

Your help and advice is much appreciated.

 

7 Replies

GioGonza
Level 4

Hello @M Mohammed

Can you share the configuration you have on your device?

Gio

Hi @GioGonza,

Below is the config I am using for the vpn-filter:

access-list amzn-filter extended permit ip remote subnet local subnet
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
tunnel-group x.x.x.x general-attributes
 default-group-policy filter
exit

Hi @GioGonza

Do you need any more information?

Hello @M Mohammed

Can you share the information for the ACL you have on the filter? vpn-filter value amzn-filter

Also, can you try a packet-tracer from your ASA in order to verify what is happening with the packet?

packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y

Share the output for this command: show vpn-sessiondb detail l2l filter <IP address>

HTH

Gio

 

@GioGonza

ACL you have on the filter? vpn-filter value amzn-filter

access-list amzn-filter extended permit ip object AWS-10.200.0.0_16 object gc-it
access-list amzn-filter extended deny ip any any

packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS-10.200.0.0_16 AW-10.200.0.0_16
Additional Information:
NAT divert to egress interface outside
Untranslate 10.200.200.172/0 to 10.200.200.172/0

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside control-plane
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_23 any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_23
network-object object gc-it
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description class-default
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS-10.200.0.0_16 AWS-10.200.0.0_16
Additional Information:
Static translate 10.10.9.13/0 to 10.10.9.13/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description class-default
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static gc-it gc-it destination static AWS_US_10.200.0.0_16 AWS_US_10.200.0.0_16
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 129376265, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


show vpn-sessiondb detail l2l filter <IP address>

Session Type: LAN-to-LAN Detailed

Connection : x.x.x.x
Index : 51311 IP Addr : x.x.x.x
Protocol : IKEv1 IPsecOverNatT
Encryption : IKEv1: (1)AES256 IPsecOverNatT: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1
Bytes Tx : 2030735772 Bytes Rx : 2201564526
Login Time : 13:05:10 GMT/BDT Mon Apr 9 2018
Duration : 9d 20h:37m:15s

IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1

IKEv1:
Tunnel ID : 51311.1
UDP Src Port : 4500 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26341 Seconds
D/H Group : 2
Filter Name : amzn-filter

IPsecOverNatT:
Tunnel ID : 51311.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.200.0.0/255.255.0.0/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 3600 Seconds Rekey Left(T): 2476 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4604122 K-Bytes
Idle Time Out: 15 Minutes Idle TO Left : 15 Minutes
Bytes Tx : 2030747628 Bytes Rx : 2201586217
Pkts Tx : 6479463 Pkts Rx : 7061222
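A small evaluator, added here as an illustration and not part of the thread, showing how the ASA walks a vpn-filter ACL first-match: the permit ACE from AWS-10.200.0.0_16 to gc-it matches the ICMP and RDP flows from 10.200.200.172 before the deny any any line is ever consulted, which is what Phase 11 (filter-aaa, Result: ALLOW) above reports. The address range for gc-it is an assumption (a /24 containing 10.10.9.13); the vpn-filter convention that ACEs are written with the remote network as source and evaluated with source and destination swapped for traffic entering the tunnel is Cisco's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Object names from the thread mapped to address ranges. AWS-10.200.0.0_16 is
# 10.200.0.0/16 per the session output; gc-it is not shown on the page, so a /24
# containing the local host 10.10.9.13 is an assumption.
OBJECTS = {
    "AWS-10.200.0.0_16": ipaddress.ip_network("10.200.0.0/16"),
    "gc-it": ipaddress.ip_network("10.10.9.0/24"),  # assumed
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass
class Rule:
    action: str   # permit | deny
    proto: str    # ip | icmp | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO [object] SRC [object] DST'."""
    rules = []
    for line in lines:
        tok = [t for t in line.split() if t != "object"]
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unsupported ACE: {line}")
        rules.append(Rule(tok[3], tok[4], OBJECTS[tok[5]], OBJECTS[tok[6]]))
    return rules

def vpn_filter_decision(rules, direction, src_ip, dst_ip, proto):
    """First-match evaluation with vpn-filter semantics: ACEs are written with the
    remote (peer) network as source and the local network as destination, and for
    traffic entering the tunnel (outbound) the ASA evaluates with source and
    destination swapped. Returns (action, index of matching ACE or None)."""
    if direction == "outbound":
        src_ip, dst_ip = dst_ip, src_ip
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, r in enumerate(rules):
        if r.proto in ("ip", proto) and s in r.src and d in r.dst:
            return r.action, idx
    return "deny", None  # implicit deny at the end of every ACL

AMZN_FILTER = parse_acl([
    "access-list amzn-filter extended permit ip object AWS-10.200.0.0_16 object gc-it",
    "access-list amzn-filter extended deny ip any any",
])

if __name__ == "__main__":
    # Constructed flows: the AWS host from the packet-tracer pinging and RDP-ing in.
    for proto in ("icmp", "tcp"):
        print(proto, vpn_filter_decision(AMZN_FILTER, "inbound", "10.200.200.172", "10.10.9.13", proto))
```

Both flows return ("permit", 0): the first ACE is hit and the explicit deny at index 1 only ever sees traffic outside the AWS/gc-it pair, so removing or keeping that line changes nothing for the hosts in question.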

Hello @M Mohammed,

Checking the results for the command show vpn-sessiondb .... your VPN tunnel has the correct ACL for it:

IKEv1:
Tunnel ID : 51311.1
UDP Src Port : 4500 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26341 Seconds
D/H Group : 2
Filter Name : amzn-filter


My first suggestion is to remove the line denying ANY ANY:

no access-list amzn-filter extended deny ip any any

For that change to take effect you need to bounce the VPN tunnel. On the other hand, I don't know what the configuration is on object gc-it; it could be a subnet or a host, but the thing here is that you need to run the packet-tracer with the traffic that is not allowed, and we should see the drop in the following phase:

 

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

 

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: ALLOW
Config:
Additional Information:

 

Also, try to run the packet-tracer with detail at the end: packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y detailed

HTH

Gio
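A helper for the packet-tracer triage GioGonza describes, added here as an example and not taken from the thread: it parses the phase blocks of packet-tracer output and reports the first phase whose Result is not ALLOW, together with the final Action. The trace embedded below is constructed in the format shown above, with Phase 11 changed to DROP so the filter-aaa hit is visible.

```python
import re

# Constructed, abbreviated packet-tracer output in the shape shown in the thread.
# The thread's own trace is all ALLOW; here Phase 11 is set to DROP to show the
# case a vpn-filter denial produces.
SAMPLE_TRACE = """\
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
"""

def parse_phases(text):
    """Return one dict per 'Phase:' block with phase, type, subtype and result."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Only single-word keys are captured; 'Additional Information:' is skipped.
        fields = dict(re.findall(r"^(\w[\w-]*): ?(.*)$", block, re.M))
        if "Phase" in fields:
            phases.append({k.lower(): fields.get(k, "")
                           for k in ("Phase", "Type", "Subtype", "Result")})
    return phases

def first_drop(text):
    """First phase whose Result is not ALLOW, or None when every phase passed."""
    return next((p for p in parse_phases(text) if p["result"] != "ALLOW"), None)

def final_action(text):
    """The 'Action:' line from the trailing Result block, e.g. 'allow' or 'drop'."""
    m = re.search(r"^Action: (\w+)", text, re.M)
    return m.group(1) if m else None
```

Run against a real trace, a DROP in the ACCESS-LIST/filter-aaa phase points at the vpn-filter ACL, while a DROP in the earlier ACCESS-LIST phase (inside_access_in) points at the interface ACL instead.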