Were you able to have access to the device? yes

Were you able to ping the default gateway? If you are talking about F's default gateway, then yes, because I wouldn't be able to get to it otherwise because there is only one connection, the outside interface.

Any logs showed up in the console? Good question!  Just looked over our syslog.  Nothing reported other than the reloads dropping the tunnel between F and N.

Were you able to ping the ASA from the internal hosts? Wouldn't be able to access F if this was the case.

Thank you for such a quick response!

Tracey;

That brings some other questions then :). 

When you did the upgrade, you did it while you were connected to the firewall on the outside interface, is this correct? 

The fact that the hosts were able reach the firewall and that the firewall had internet access at the time of the issue only points to 2 things... An Access rule (Module, WCCP, Access list or any other type of rule) or a NAT issue. 

If it was NAT, Mostlikely a log would have showed up. Did you by any chance run a packet tracer as a troubleshooting step? Did you do any other troubleshooting step?

Mike. 

Mike,

Yes!  I conducted the reload command remotely via the outside interface connection on F ASA.

We were able to make the first vpn from N to F, we could see this in the real time log and monitoring VPN sessions ( session showed TX was "0", because it wasn't sending data back to ASA N;  additionally, ASA N was TXing like mad, but not RXing anything).

We did run the packet tracker, but we can not remember what it told us now (will do again when we try again).

What is most puzzling about this, is that there was not a config change!  This was solely an IOS change and now we don't work.  Roll back and we work as configured.  This makes me think that there is something in the new IOS that is messing our connection up.