So you are testing from HQ?

You should always test connectivity of a VPN, by connecting to a device on the inside of the ASA, rather than test "to" the ASA. However you can configure the command "management-access INSIDE" (assuming the interface name is INSIDE) to permit icmp and ssh, http management via the inside interface over a VPN tunnel.

So can you ping a device on the inside of the ASA? The switch 172.29.2.13?

SangHai-OF-ASA# sh int ip b
GigabitEthernet1/1 58.246.2.50 YES CONFIG up up
GigabitEthernet1/2 172.29.2.1 YES CONFIG up up

SangHai-OF-ASA# ping 172.29.2.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.2.13, timeout is 2 seconds:
!!!!!

Ok, so that confirms the tunnel is up and working for traffic "through" the ASA.
As previously mentioned you would need the "management-access <interface>" command configured to be able to ping the ASA itself over the VPN tunnel.

SW(172.29.2.13) - BR ASA ------------------ HQ ASA - PC172.16.0.0

plz help me

---

@JustTakeTheFirstStep wrote:

SW(172.29.2.13) - BR ASA ------------------ HQ ASA - PC172.16.0.0

plz help me

 

 

---

You previously confirmed you could ping the switch 172.29.2.13, so it's working

In your output text files you are running ping/traceroute from the ASA.

VPN-ASA-HQ# ping 172.29.2.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.2.1, timeout is 2 seconds:
?????

VPN-ASA-HQ# traceroute 172.29.2.1

Type escape sequence to abort.
Tracing the route to 172.29.2.1

1 172.30.1.2 1 msec 1 msec 1 msec
2 * *

...so the source will not be from an IP address defined in the crypto ACL - therefore traffic will not be encrypted.

In you last message you said "SW(172.29.2.13) - BR ASA ------------------ HQ ASA - PC172.16.0.0" which is not testing from the ASA (as per your logs). The information you are providing is confusing, not helpful and doesn't help me help you.

Test a VPN by sending traffic "through" the VPN, to a device behind the peer ASA.

Do you have routing /default route configured on the switches behind the ASAs? If yes, do the routes point to, the ASA or somewhere else?

If you are testing ping over VPN from the ASA, as Rob has mentioned you need the command management-access <interface> (where interface is the name of the source interface) and make sure the IP or subnet of that interface is allowed over the VPN in the crypto ACL.  Then when pinging from the ASA specify the source interface...for example ping inside 172.29.2.13

You are missing "inspect ICMP" command in the policy map on the Sanghai ASA and it doesn't look like you have a policy map configured on the HQ ASA.  I suggest adding inspect ICMP to Sanghai and copy paste the Sanghai policy map to the HQ ASA. and then test. (see red text below)

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

inspect icmp
!
service-policy global_policy global