Hello @Fotiosmark,   Yes, you need to apply the ACL but on all of them, this is an example.   ASA1: ACL from ASA1-subnet to ASA3-subnet   ASA2: On crypto sequence to ASA1 ACL from ASA3-subnet to ASA1-subnet   On crypto sequence to ASA3 ACL from ASA1-subnet to ASA3-subnet   ASA3: ACL from ASA3-subnet to ASA1-subnet   Obviously you need to take care for the NAT Exemption on ASA1 and ASA3, also on ASA2 check if "same-security-traffic" is enabled, look with this command show run | in same-security -traffic   That should be all,    HTH Gio ... View more

Hello @Fotiosmark,    You can follow this guide and you should be able to make the changes properly to make it work, the trick is on the "Hub" device and for information purposes, Cisco refers to this configuration as "VPN Spoke to Spoke"... https://community.cisco.com/t5/security-documents/cisco-asa-vpn-spoke-to-spoke-communication-via-the-hub/ta-p/3154011   If you like, you can upload your sanitized configuration in here and we can take a look.    HTH Gio ... View more

Hello @arunnnarayanan,    You can try EEM, if you can ping from the inside you can schedule that command and keep the tunnel UP, the feature is called "VPN PREEMPT".   https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html   HTH Gio ... View more

Hello @filip00011,   Can you share the configuration for both devices in order to check them further?   Gio ... View more

Hello @Craddockc,    The log you provided means they are trying to setup the VPN tunnel but they are unable to do it, you see 2 attempts is because the "refresh" for the Router is a little bit slow and that´s why you see 2 but htere is no worries since the second one is deleted and it takes a while to dissapear:   dst                       src                         state                      conn-id status 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE (deleted) --> No longer negotiating 64.w.z.111     50.x.y.30        MM_NO_STATE        0 ACTIVE (deleted) --> No longer negotiating   HTH Gio ... View more

Hello @James Davies,    As mentioned before you need to do the following:    HUB access-list VPN-Site2 extended permit ip Site1-Subnet Site2-Subnet access-list VPN-Site1 extended permit ip Site2-Subnet Site1-Subnet SPOKE - SITE 1 access-list VPN-HUB permit ip Site1-Subnet Site2-Subnet   SPOKE B - SITE 2 access-list VPN-HUB permit ip Site2-Subnet Site1-Subnet   Now, if you like you can share your VPN configuration and I can help with the exacts commands you need on your environment.    HTH Gio ... View more

Hello @James Davies,    Yes you can do it through the HUB but you have also the option to do it from Site 1 to Site 2, that´s basically your choice :)   For option one, you need to add the following:    On Site 1 1. Site 1 subnet --> Site 2 Subnet 2. Check NAT Exemption and include the subnets.   On Site 2 1. Site 2 subnet --> Site 1 Subnet 2. Check NAT Exemption and include the subnets.   On the HUB VPN Site 1 1. Site 2 subnet --> Site 1 subnet   On the HUB VPN Site 2 1. Site 1 subnet --> Site 2 subnet   Check also for the same-security-traffic sommand in order to do the U-Turn. You can follow this link: https://supportforums.cisco.com/t5/security-documents/how-to-configure-site-to-site-vpn-with-hairpinning-on-cisco-asa/ta-p/3157388   HTH Gio ... View more

Hello @filip00011,    When you have this scenario, you need to go deeper and check the ESP packets since from second ASA are reaching the other and they are replying but for some reason the second ASA is not receiving the traffic back.    Check the path for the ASAs (involve ISP) and verify if this is the case with this command:    capture cap interface outside match ip host <Peer IP> any   HTH Gio ... View more

Hello @ketansoni1,    As @Marius Gunnerud already mentioned, you need to verify the NAT outside, outside for the traffic and also the same-security-traffic configuration.    But based on your statement, we need to check the configuration:    Once connected, i am not able to browse the internet but i am able to ssh/http onto my servers.  I suspect i have not configured DNS, i believe split tunnelling is turned on my default. Looking for any solutions please.    My question is, would like to do Split-Tunnel or Tunnel All? Just for reference the default is tunnel all, and if you want to use split-tunnel you don´t need to do all the other stuff mentioned before.   If you can share the configuration that would be really helpful too.    HTH Gio ... View more

Hello @Benjamin Saito,   I would suggest using EEM for this as workaround since as you said you cannot use the inside interface to setup the SLA monitoring, for that use EEM based on this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html   You should be able to send the require ping through the VPN tunnel and keep the tunnel up.    HTH Gio ... View more

Hello @viplove07,    In order to know why the VPN is getting stuck we need to focus on the Logs, can you share them in case you have them?.   HTH Gio ... View more

Hello @gavinv123,    I´m sorry for the ate response, I was checking the Logs and this seems to be a problem with SA that is not completing and for that reason the VPN tunnel is failing:   Mar 29 08:58:39 [IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE Deleting SA: Remote Proxy 10.60.0.0, Local Proxy 10.60.1.0 --> This is not working, the SA is not matching and for that reason the ASA is dropping the packets for the entire VPN tunnel.  Mar 29 08:58:39 [IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Removing peer from correlator table failed, no match!   Mar 29 08:58:39 [IKEv1]IP = 206.128.13.147, Received encrypted packet with no matching SA, dropping --> Sometimes when the ASA doesn´t match the SA, it drops the entire tunnel. You need to verify with the remote end if everything is being matched.    HTH Gio ... View more