Cisco 5525 Odd Logging on Failed SSH Session

CiscoMedMed
Level 1

I am trying to SSH to a new spoke office served by Comcast. The device at the spoke is an ISR 1111 and should become part of my DMVPN. But the immediate issue is I can't SSH to the thing. I can ping it. But nmap shows no reply from inside my main network. The inside Windows host private IP's last two octets are 48.189, the destination is 110.229, and the PAT source leaving the ASA is 129.2. The ASA properly NATs the traffic so that the SYN has the same source port with that 129.2 NAT source IP and the destination is, as expected, 110.229:22.

 

I decided to run a debug for traffic from the spoke 110.229, as I was stuck figuring out why these sessions weren't completing. Normally, if I SSH to a remote site through the ASA, logging with a filter for the destination as the source doesn't yield anything, because the destination's reply traffic is just permitted by the stateful firewall. But if you note, in this case I first see rejected SYN ACKs and ACKs from port 577 to port 1088. The ASA is not seeing this traffic as part of a proper conversation, so it's dropped. Eventually the conversation I'd started to TCP port 22 goes into teardown.

 

Does anyone have a thought as to what could be breaking the TCP conversation in this way? Why might these SYN ACKs and SYNs be arriving at the ASA without the expected source port 22?

 

 

 

0 Replies 0
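The behaviour the post describes, a stateful firewall permitting replies only when they mirror an existing connection entry, can be modelled in a few lines. The following is an added example written for this page, not Cisco code and not the poster's debug output; the full IP addresses are constructed (only the last two octets from the post are kept), and the model deliberately ignores what a real ASA also tracks (TCP state, sequence numbers, timeouts). It builds one PAT entry for the outbound SYN to port 22, then shows a correctly mirrored SYN ACK being permitted and a SYN ACK sourced from port 577 being denied, with a small diagnose() helper that reports which tuple field does not match.

```python
"""Toy model of an ASA-style stateful connection table behind PAT.

Constructed example, not Cisco code. Addresses are made up; only the
last two octets given in the post (48.189, 129.2, 110.229) are kept.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


# Constructed addresses (assumption: the post only gives the last two octets)
INSIDE_HOST = "10.1.48.189"
PAT_ADDRESS = "10.2.129.2"
SPOKE = "10.3.110.229"


class StatefulTable:
    """Connection table keyed on (nat_ip, nat_port, dst_ip, dst_port)."""

    def __init__(self, pat_ip):
        self.pat_ip = pat_ip
        self.conns = set()
        self.log = []

    def outbound(self, pkt):
        """Inside-to-outside packet: a SYN builds a connection entry.

        PAT rewrites the source address; as in the post, the source port
        is preserved, so the entry keeps the host's original port.
        """
        key = (self.pat_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.flags == "SYN":
            self.conns.add(key)
            self.log.append(("built", key))
        return key

    def inbound(self, pkt):
        """Outside-to-inside packet: permitted only if it is the exact
        mirror of an existing entry, otherwise denied as 'no connection'."""
        mirror = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if mirror in self.conns:
            self.log.append(("permit", pkt))
            return "permit"
        self.log.append(("deny", pkt, self.diagnose(pkt)))
        return "deny"

    def diagnose(self, pkt):
        """Explain a denied reply: look at entries between the same two
        hosts and report which port differs from what a valid reply would
        carry. This is the check a practitioner does by hand against the
        'Built ... connection' line for the outbound SYN."""
        reasons = []
        for nat_ip, nat_port, dst_ip, dst_port in self.conns:
            if nat_ip == pkt.dst_ip and dst_ip == pkt.src_ip:
                if dst_port != pkt.src_port:
                    reasons.append(
                        f"reply source port {pkt.src_port} != expected {dst_port}")
                if nat_port != pkt.dst_port:
                    reasons.append(
                        f"reply dest port {pkt.dst_port} != expected {nat_port}")
        return reasons or ["no connection between these hosts"]


def simulate():
    """Replay the exchange from the post against the model."""
    table = StatefulTable(PAT_ADDRESS)
    # Inside host opens SSH: 48.189:1088 -> 110.229:22, PAT'd to 129.2:1088
    table.outbound(Packet(INSIDE_HOST, 1088, SPOKE, 22, "SYN"))
    results = {}
    # A correctly mirrored reply from port 22 is permitted by state
    results["good_synack"] = table.inbound(
        Packet(SPOKE, 22, PAT_ADDRESS, 1088, "SYN-ACK"))
    # The reply seen in the post arrives from port 577 instead of 22
    bad = Packet(SPOKE, 577, PAT_ADDRESS, 1088, "SYN-ACK")
    results["bad_synack"] = table.inbound(bad)
    results["diagnosis"] = table.diagnose(bad)
    return results


if __name__ == "__main__":
    for entry in StatefulTable(PAT_ADDRESS).log:
        print(entry)
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point the model makes explicit is that a reply with the right addresses and the right destination port but the wrong source port is, to a stateful firewall, simply traffic with no connection, so it is dropped and the original SYN eventually times out. When debugging a case like this, compare the denied packet's tuple against the built-connection entry field by field, as diagnose() does, before looking for anything more exotic.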