Core issue
This issue is documented in Cisco bug ID CSCsc10806.
In the Virtual Private Network (VPN) wizard, the Adaptive Security Device Manager (ASDM) creates and applies a crypto Access Control List (ACL) on the dynamic crypto map. This crypto ACL is automatically created based on the IP address pool configured.
The crypto ACL works well for most software VPN clients. However, problems occur when the software VPN client uses split-tunneling. Similarly, hardware clients can face problems. For example, the tunnel does not come up in VPN3002 when the hardware client is used in Port Address Translation (PAT)/client mode or in network-extension mode.
Resolution
For a workaround, remove the crypto dynamic-map command configuration from the PIX configurations as shown in this example.
Hostname(config)#no crypto dynamic-map < vpnif_dyn_map >20 match address < vpnif_cryptomap_dyn_20 >