Hello everyone. I am repurposing an ASA for my company at a remote site, and have to use a Dynamic L2L Configuration, with Split Tunnelling enabled. We have used these in the past and they worked great, and I referenced the official Cisco documentation for setting it up. Currently I am having a problem where I am unable to pass traffic on the Remote LAN over the VPN tunnel (it won't even trigger the tunnel to form). However, if I issue the following command into the Remote ASA:

ping inside 192.168.9.1

I get ICMP responses. Also, this traffic will cause the VPN Tunnel to be created as shown by Show ISA SA:

1 IKE Peer: xx.xx.xx.xx

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Here is the IP Addressing scheme:

Remote Network (with the problem ASA): 192.168.12.0/24

Core Network (Hub): 192.168.9.0/24

Other Spokes: 192.168.0.0/16

Config:

ASA Version 8.2(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxx.local
enable password xxxxxxxx
passwd xxxxxxxxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxx.local
same-security-traffic permit intra-interface
access-list to_hq extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address to_hq
crypto map outside_map 10 set peer CORE.ASA.WAN.IP
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.9.2 208.67.222.222
!
dhcpd address 192.168.12.101-192.168.12.131 inside
dhcpd lease 86400 interface inside
dhcpd domain xxxxxxxxx.local interface inside
dhcpd option 66 ip 192.168.9.50 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CORE.ASA.WAN.IP type ipsec-l2l
tunnel-group CORE.ASA.WAN.IP ipsec-attributes
pre-shared-key xxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Once the tunnel comes up, LAN Traffic at the Remote Site will NOT pass through the VPN Tunnel even though it is up. At the Core ASA Side, I was able to Telnet into the Remote ASA just fine, but couldn't ping the remote Access Point.

Anyone have any insight into my problem?