Yes, you need to apply the ACL, but on all of them. This is an example:
ACL from ASA1-subnet to ASA3-subnet
On crypto sequence to ASA1
ACL from ASA3-subnet to ASA1-subnet
On crypto sequence to ASA3
ACL from ASA1-...
You can follow this guide and you should be able to make the changes properly to make it work. The trick is on the "Hub" device and, for information purposes, Cisco refers to this configuration as "VPN Spoke to Spoke"... https://...
I would suggest getting the DART for the machine since the problem is only one PC; I think the tshoot should be focused on the PC. Here is the link for the DART: https://community.cisco.com/t5/security-documents/how-to-collect-the-...
I was checking your configuration, and you need to keep in mind a detail with VPNs with AWS VPC: based on this link https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html, the ASA needs to have an ACL only with...
You can try EEM. If you can ping from the inside, you can schedule that command and keep the tunnel UP. The feature is called "VPN PREEMPT".