So I have a pretty vanilla service graph that I can't quite get to work. I am trying to connect EGPs client and epg2 via an ASAv with device package 1.2 but I can't get it to work.

EPG client is the consumer and has a VM with an IP address of 2.2.2.201; its gateway is 2.2.2.54 on the ASAv. EPG epg2 is the provider and has a VM with an IP address of 1.1.1.201; its gateway is 1.1.1.254 on the ASAv. Ideally 2.2.2.201 should be able to ping 1.1.1.201 and vice versa.

The service graph configures the interfaces as expected, and each individual VM can ping its gateway. ACI learns their MAC address as expected. If I configure the bridge domains with unicast routing and a subnet, the VMs can ping the subnet IP and ACI learns both their MAC and IP addresses. The ASAv tells me it's building ICMP connections but pings between the VMs don't work.

For the bridge domains, currently I have each EPG in separate BDs configured purely as Layer2: unknown unicast flooding, ARP flooding, GARP endpoint detection, no unicast routing or subnet. They're both in the same VRF now but I have tried them in different VRFs as well (as well as with unicast routing and various other combinations).

There are no faults in the tenant at all. This is ACI 3.2(3i), ESXi 6.7, vCenter 6.7, ASAv 9.9(1), DVS 6.6.0 for the VMM domain. The VMs are Ubuntu 16.04.

I'm more than a bit rusty with the ASA, but I'm not using any NAT and the access-list config for the ASA is as follows. I am also not getting any denial messages.

access-list PERMIT permit ip any any
access-group PERMIT global
management-access internalIf

The json config for the entire tenant is attached; for the most part everything should be related to the service graph.

Any ideas on what I need to do here to get this working? I'm sure it's something simple.