Hello @suthomas1,   I would suggest to get the DART for the machine since the problem is only one PC, I think the tshoot should be focused on the PC, here is the link for the DART: https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025   Upload the file and we can check what is the problem.    HTH Gio ... View more

Hello @arunnnarayanan,    You can try EEM, if you can ping from the inside you can schedule that command and keep the tunnel UP, the feature is called "VPN PREEMPT".   https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html   HTH Gio ... View more

Hello @filip00011,   Can you share the configuration for both devices in order to check them further?   Gio ... View more

Hello @Craddockc,    The log you provided means they are trying to setup the VPN tunnel but they are unable to do it, you see 2 attempts is because the "refresh" for the Router is a little bit slow and that´s why you see 2 but htere is no worries since the second one is deleted and it takes a while to dissapear:   dst                       src                         state                      conn-id status 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE (deleted) --> No longer negotiating 64.w.z.111     50.x.y.30        MM_NO_STATE        0 ACTIVE (deleted) --> No longer negotiating   HTH Gio ... View more

Hello @James Davies,    As mentioned before you need to do the following:    HUB access-list VPN-Site2 extended permit ip Site1-Subnet Site2-Subnet access-list VPN-Site1 extended permit ip Site2-Subnet Site1-Subnet SPOKE - SITE 1 access-list VPN-HUB permit ip Site1-Subnet Site2-Subnet   SPOKE B - SITE 2 access-list VPN-HUB permit ip Site2-Subnet Site1-Subnet   Now, if you like you can share your VPN configuration and I can help with the exacts commands you need on your environment.    HTH Gio ... View more

Hello @James Davies,    Yes you can do it through the HUB but you have also the option to do it from Site 1 to Site 2, that´s basically your choice :)   For option one, you need to add the following:    On Site 1 1. Site 1 subnet --> Site 2 Subnet 2. Check NAT Exemption and include the subnets.   On Site 2 1. Site 2 subnet --> Site 1 Subnet 2. Check NAT Exemption and include the subnets.   On the HUB VPN Site 1 1. Site 2 subnet --> Site 1 subnet   On the HUB VPN Site 2 1. Site 1 subnet --> Site 2 subnet   Check also for the same-security-traffic sommand in order to do the U-Turn. You can follow this link: https://supportforums.cisco.com/t5/security-documents/how-to-configure-site-to-site-vpn-with-hairpinning-on-cisco-asa/ta-p/3157388   HTH Gio ... View more

Hello @filip00011,    When you have this scenario, you need to go deeper and check the ESP packets since from second ASA are reaching the other and they are replying but for some reason the second ASA is not receiving the traffic back.    Check the path for the ASAs (involve ISP) and verify if this is the case with this command:    capture cap interface outside match ip host <Peer IP> any   HTH Gio ... View more

Hello @ketansoni1,    As @Marius Gunnerud already mentioned, you need to verify the NAT outside, outside for the traffic and also the same-security-traffic configuration.    But based on your statement, we need to check the configuration:    Once connected, i am not able to browse the internet but i am able to ssh/http onto my servers.  I suspect i have not configured DNS, i believe split tunnelling is turned on my default. Looking for any solutions please.    My question is, would like to do Split-Tunnel or Tunnel All? Just for reference the default is tunnel all, and if you want to use split-tunnel you don´t need to do all the other stuff mentioned before.   If you can share the configuration that would be really helpful too.    HTH Gio ... View more

Hello @Benjamin Saito,   I would suggest using EEM for this as workaround since as you said you cannot use the inside interface to setup the SLA monitoring, for that use EEM based on this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html   You should be able to send the require ping through the VPN tunnel and keep the tunnel up.    HTH Gio ... View more

Hello @viplove07,    In order to know why the VPN is getting stuck we need to focus on the Logs, can you share them in case you have them?.   HTH Gio ... View more

Hello @gavinv123,    I´m sorry for the ate response, I was checking the Logs and this seems to be a problem with SA that is not completing and for that reason the VPN tunnel is failing:   Mar 29 08:58:39 [IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE Deleting SA: Remote Proxy 10.60.0.0, Local Proxy 10.60.1.0 --> This is not working, the SA is not matching and for that reason the ASA is dropping the packets for the entire VPN tunnel.  Mar 29 08:58:39 [IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Removing peer from correlator table failed, no match!   Mar 29 08:58:39 [IKEv1]IP = 206.128.13.147, Received encrypted packet with no matching SA, dropping --> Sometimes when the ASA doesn´t match the SA, it drops the entire tunnel. You need to verify with the remote end if everything is being matched.    HTH Gio ... View more

Hello @M Mohammed,   Checking the results for the command show vpn-sessiondb .... your VPN tunnel has the correct ACL for it:   IKEv1: Tunnel ID : 51311.1 UDP Src Port : 4500 UDP Dst Port : 4500 IKE Neg Mode : Main Auth Mode : preSharedKeys Encryption : AES256 Hashing : SHA1 Rekey Int (T): 28800 Seconds Rekey Left(T): 26341 Seconds D/H Group : 2 Filter Name : amzn-filter   My first suggestion is to remove the line denying ANY ANY:    no access-list amzn-filter extended deny ip any any   For that to take the change you need to bounce the VPN tunnel, on the other hand I don´t know what is the configuration you have on object gc-it, it could be a subnet or host but the thing here is that you need to run the packet-tracer with the traffic that is not allowed and we should see the drop on the following phase:    Phase: 10 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information:   Phase: 11 Type: ACCESS-LIST Subtype: filter-aaa Result: ALLOW Config: Additional Information:   Also, try to run the packet-tracer with detail at the end: packet-tracer input inside match icmp x.x.x.x 0 8 y.y.y.y detailed   HTH Gio ... View more

Hello @mmalwatte,    In order to know whatis going on you will need to collect the DART file and share it, since it will be the only to really know what is happening.    If you can share it I can help you with that.   HTH Gio ... View more