You should first check your syslogs to see why the traffic is being denied. Once in the failed state, you can also check the packet-tracer output for some VPN traffic to see why the ASA isn't forwarding it.
At the time of the failure, does either endpoint have the appropriate isakmp or ipsec sa's built?
Thanks,
Brendan