site to site tunnel between IOS router and ASA

WILLIAM STEGMAN
Level 4

I've combed through the configs on both sides of this tunnel 4x now and the policies look like they match. I followed the note http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

My crypto access lists are good and my NAT on the IOS side is bundled with a route map and looks good. On the ASA side, traffic from the ASA side to the remote tunnel is exempt from NAT. Each side already has a site to site tunnel set up, so I've added the appropriate lines to the existing crypto maps that include peer, transform set, and match address "access-list". The crypto isakmp policies on both ends are compatible. I've attached some configs and debugs (from the IOS router), but essentially the log on the ASA starts out with phase 1 completed, and then reads received non routing notify message, no proposal chosen, and then it goes to IKE lost connection to remote peer, deleting connection, removing peer from correlator table failed, no match, and finally session disconnected, reason lost service.

Connection is good, their other tunnel stays up along with the remote access vpn config.

I found a note that recommends checking any security access-list, so I removed them, but no luck, and one from Cisco related to a concentrator, but it had some sound logic to it:

    Normally appears with the corresponding Cisco VPN 3000 concentrator message: No proposal chosen(14). This is a result of the connections being host-to-host. The router configuration had the IPSec proposals ordered so that the proposal chosen for the router matched the access-list, but not the peer. The access-list had a larger network that included the host that was intersecting traffic.

    Make the router proposal for this concentrator-to-router connection first in line, so that it matches the specific host first.

However, it didn't work either.

thank you,

Bill
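The concentrator note quoted in the post describes a sequencing problem: crypto map entries are evaluated in sequence-number order, the first entry whose crypto ACL matches the traffic wins, and only that entry's peer and transform sets go into the phase 2 proposal. When a broader entry for an older tunnel sits ahead of the new, more specific one, the matched entry points at the wrong peer and the responder has nothing to accept, which surfaces as "no proposal chosen" after phase 1 completes. The following Python model is an added illustration, not code from the thread or from Cisco; the crypto map entries, peer addresses and transform-set names are constructed sample values, and the model deliberately simplifies IOS behaviour to the first-match and peer/transform-set checks the note talks about.

```python
# Added example (not from the original post): a toy model of IOS-style
# crypto map evaluation, used to show why entry ordering can produce
# "no proposal chosen" even when both sides' policies look compatible.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                    # crypto map sequence number; lowest is tried first
    peer: str                   # "set peer" address
    transform_sets: frozenset   # "set transform-set" proposals offered by this entry
    acl_src: str                # crypto ACL source network ("match address")
    acl_dst: str                # crypto ACL destination network

def select_entry(crypto_map: Iterable[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Return the first entry, in sequence order, whose crypto ACL matches src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if s in ip_network(entry.acl_src) and d in ip_network(entry.acl_dst):
            return entry
    return None

def phase2_outcome(crypto_map, src: str, dst: str, intended_peer: str,
                   peer_transform_sets: frozenset) -> str:
    """Explain what phase 2 would do for this traffic towards the intended peer."""
    entry = select_entry(crypto_map, src, dst)
    if entry is None:
        return "NO_MATCH: traffic is not interesting to any crypto map entry"
    # The selected entry decides the peer; a broader entry ahead of the
    # specific one steers the proposal at the wrong tunnel endpoint.
    if entry.peer != intended_peer:
        return (f"NO_PROPOSAL_CHOSEN: seq {entry.seq} matched the ACL but its peer "
                f"is {entry.peer}, not {intended_peer}")
    # Even with the right peer, the two sides must share at least one transform set.
    if not (entry.transform_sets & peer_transform_sets):
        return f"NO_PROPOSAL_CHOSEN: seq {entry.seq} shares no transform set with {intended_peer}"
    return f"OK: seq {entry.seq} -> peer {entry.peer}"

# Constructed sample data (not from the thread).
OLD_PEER = "203.0.113.10"    # the pre-existing tunnel's peer
NEW_PEER = "198.51.100.20"   # the new ASA tunnel's peer
ESP_SET = frozenset({"esp-3des esp-sha-hmac"})

# Before: the older, broader entry sits first and swallows the new tunnel's traffic.
BEFORE = [
    CryptoMapEntry(10, OLD_PEER, ESP_SET, "10.0.0.0/8", "192.168.0.0/16"),
    CryptoMapEntry(20, NEW_PEER, ESP_SET, "10.1.1.0/24", "192.168.50.0/24"),
]
# After: the specific entry gets a lower sequence number so it is tried first.
AFTER = [
    CryptoMapEntry(5, NEW_PEER, ESP_SET, "10.1.1.0/24", "192.168.50.0/24"),
    CryptoMapEntry(10, OLD_PEER, ESP_SET, "10.0.0.0/8", "192.168.0.0/16"),
]

if __name__ == "__main__":
    for name, cmap in (("before", BEFORE), ("after", AFTER)):
        print(name, phase2_outcome(cmap, "10.1.1.5", "192.168.50.7", NEW_PEER, ESP_SET))
```

Running the block shows the "before" map selecting seq 10 for the new tunnel's traffic and reporting a peer mismatch, while the "after" map selects seq 5 and succeeds; traffic for the old tunnel still falls through to seq 10, so reordering does not break the existing tunnel. The transform-set check is there because the same "no proposal chosen" text also appears when the peers offer disjoint ESP proposals, which is the other thing worth comparing side by side when phase 1 completes but phase 2 does not.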


works great now, thank you!
