05-12-2020 08:42 PM
Hello Folks,
reaching out to you for some help,
I have a simple setup in my 5510, 2 interfaces: the first one for OUTSIDE and the second one for Inside with multiple sub-interfaces (VLANs):
- all subinterface on the same security level,
- same-security-traffic permit inter-interface "enabled",
The issue that I'm facing is that a host in a new subinterface (vlan333 / host IP 172.16.210.19) can't reach another host in another subinterface (vlan30 / host IP 10.10.30.10).
See the attached running config and, below, a screenshot from ASDM logging.
Those things make me confused:
- I can ping 10.10.30.10 from other hosts in another subinterface
- if I disable ICMP inspection (from the service policy rule) then I can see successful pings, but TCP / UDP fail
- in the capture above, I can't understand why "via-subnet2:172.16.210.19", however 172.16.210.19 belongs to the via-subnet1 interface (see running-config)
Waiting for your valuable ideas!!!
thanks
05-13-2020 06:01 AM
Is there any routing on the switch connected to the ASA? Looks like there is asynchronous routing possibly.
05-13-2020 09:37 AM
Thanks for your reply,
There is no routing in the core switch where the ASA is plugged in.
The network is very small and simple: multiple access switches are connected to the core switch, which uplinks with different VLANs to the ASA inside (the ASA is playing the role of the router on a stick), and the ASA NATs traffic to the internet via the OUTSIDE interface.
Any other ideas based on what I shared?
05-13-2020 10:26 AM
Which other subinterface works? I am a little uncertain how another subinterface will work. You need to configure hairpinning by using the command same-security-traffic permit intra-interface to allow ingress and egress of the same traffic flow on the same interface (traffic entering and exiting on the same interface). I suggest adding this command and then testing again.
05-13-2020 11:12 AM
Hello @Marius Gunnerud ,
security-traffic permit intra-interface is enabled,
I enabled ssh and https from anywhere just to troubleshoot this issue; I'll ABSOLUTELY restrict access shortly.
Regards,
thanks.
05-13-2020 11:21 AM
In the configuration you posted the same-security-traffic permit intra-interface command is missing. I only see the same-security-traffic permit inter-interface command.
05-13-2020 10:31 AM
Also, just an observation: if this is a production network I suggest removing, or at the very least specifying more specific addresses for, your http and ssh configuration on the outside interface.
ssh 0.0.0.0 0.0.0.0 OUTSIDE
http 0.0.0.0 0.0.0.0 OUTSIDE
05-13-2020 10:41 AM
It looks a lot like asymmetric routing - traffic goes out one way and tries to go back another.
Does the core switch where the multiple VLANs are configured have any SVIs in those VLANs at all? Even without ip routing configured, a connected interface will affect traffic flow.
05-13-2020 05:04 PM
Hello Marvin,
Your approach looks good. Yes, I have SVIs in the core switch. I tried to verify everything one more time and ran Wireshark at all ends, but the results are weird;
for instance, look at this capture from the ASA.
The crazy thing here is "Routing failed to locate next hop for TCP from vms:10.10.30.10 to Aruba-MCs:172.16.210.20".
One thing I can't understand: Aruba-MCs:172.16.210.20. Aruba-MCs is the subinterface for 10.10.62.0/24 (refer to the run config). How can we explain that? Any idea?
05-14-2020 01:18 AM - edited 05-14-2020 01:30 AM
I specifically asked if there was routing on the switch and you said "no", and now you are saying there is? Adding IP to SVIs on a layer 3 switch enables routing between the SVIs unless they are placed in their own VRF (routing instance). If you set the default gateway on the end devices to the ASA instead of the switch you will get asynchronous routing which you are now seeing. This is where the end device in VLAN 333 sends traffic destined for VLAN 30 to the ASA, the ASA sends this traffic to VLAN 30, but the endpoint in VLAN 30 sends the traffic directly to the end point in VLAN 333. And then the process continues. The ASA drops the next traffic flow indicating "no connection" as it did not see the return traffic from VLAN 30.
You need to set the default gateway to the switch SVI IP or remove the SVI IP for one or both of the VLANs and make sure that the correct default gateway is set on the endpoints.
The error you are getting for routing and the drop error is because you do not have the same-security-traffic permit intra-interface command (or at least it was not present in the configuration you posted earlier).
05-14-2020 07:30 AM
05-14-2020 09:24 AM
If you issue the command show run | in same-security-traffic on the ASA, do you see entries for both inter-interface as well as intra-interface?
In the initial configuration you posted for the ASA I only saw an entry for inter-interface.
I suggest adding the command same-security-traffic permit intra-interface and then check connectivity. If it still doesn't work please post a fresh configuration of the ASA as well as the core switch (remember to remove any public IPs, usernames and passwords). Also please indicate which interface is connected to the ASA.
Screenshot from the configuration file you posted.
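As an added example (not code from the thread or from Cisco), a small Python checker that does what the replies above suggest by hand: it parses an ASA running-config for same-security-level interfaces, the two same-security-traffic lines, and ssh/http management lines open to any source. The config fragment is constructed for illustration; the interface names follow the thread.

```python
import re

# Constructed sample running-config fragment (not the poster's actual config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
interface Ethernet0/1.30
 vlan 30
 nameif vms
 security-level 100
interface Ethernet0/1.333
 vlan 333
 nameif via-subnet1
 security-level 100
same-security-traffic permit inter-interface
ssh 0.0.0.0 0.0.0.0 OUTSIDE
http 0.0.0.0 0.0.0.0 OUTSIDE
"""

def parse_interfaces(config):
    """Return {nameif: security-level} for every interface block naming both."""
    result = {}
    name = level = None
    for line in config.splitlines():
        if line.startswith("interface "):      # new block: reset per-interface state
            name = level = None
        if m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        if m := re.match(r"\s+security-level (\d+)", line):
            level = int(m.group(1))
        if name and level is not None:
            result[name] = level
    return result

def audit(config):
    """Return the findings a reviewer of this thread would raise on the config."""
    findings = []
    levels = parse_interfaces(config)
    same_level = [n for n, l in levels.items() if list(levels.values()).count(l) > 1]
    flags = re.findall(r"^same-security-traffic permit (\S+)", config, re.M)
    if same_level and "inter-interface" not in flags:
        findings.append("same-security-traffic permit inter-interface missing; same-level interfaces: " + ", ".join(same_level))
    if same_level and "intra-interface" not in flags:
        findings.append("same-security-traffic permit intra-interface missing (traffic entering and leaving the same interface is dropped)")
    # Management access from any source on an interface, as observed in the thread.
    for m in re.finditer(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        findings.append(f"{m.group(1)} management open to any source on {m.group(2)}")
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list means none of the three issues discussed here is present.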
05-14-2020 09:58 AM - edited 05-14-2020 07:01 PM
I can see both inter/intra; see the attached run config.
I also added the run config of the core switch (it's an Aruba S1500); it looks similar to a Cisco switch.
coreswitch (port ge/0/0/11) --> connect to --> ASA (port 0/1)
05-14-2020 07:09 PM