Help!! ASA 5505 VPN to VPN traffic.....

sgendron9
Level 1

I have an ASA 5505 (v8.2) at a site we'll call HQ, and another ASA 5505 at a site we'll call Colo.  The 2 sites are successfully connected via an IPSec Site to Site VPN.  I also have remote users successfully connecting to site HQ via IPSec Remote Access VPN (using Cisco client).

My issue:  I need to allow remote users connecting to HQ access to Colo through the existing Site to Site VPN.

Attached are my configs.  What am I missing?  Are my NAT statements incorrect?  Access Lists ?  As you can see, I've already done:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

8 Replies

Muhammed Safwan
Level 1

Your config looks good. Try adding the below command on HQ. Also post the logs from your HQ ASA.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

With Regards,

Safwan

Hi Safwan,

I tried that command on HQ, but still nothing.  Any other thoughts?  What is the best way to capture the logs for this issue?

Just run the logs? What I suspect is that there is no translation rule configured for the VPN pool from the outside interface to the outside interface, and hence the traffic is dropping.

Just check the log having source 10.10.11.x to your Colo network. If it says no translation found, try adding

static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0

Logging may be enabled by

logging enable

logging level 7

and then try to generate traffic from your client towards colo.

To stop, do:

un all

Hi Nitin,  I tried adding that command as well...but no luck.  Here is a debugging log when I attempted to ping from VPN client (10.10.11.0) to Colo (172.16.16.0)

-------------------------------------

I see a mismatch in crypto acl:

On HQ:

access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

There is no need for the second line

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

as Colospace network is remote and not local.
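As an added example (not part of this thread or any Cisco tool), a small Python checker that parses ASA `permit ip` crypto ACL lines from both peers and flags the two problems discussed here: an HQ entry written backwards (the remote Colo network on the source side) and an HQ entry with no mirror on the Colo side. The HQ lines are the ones quoted above; the Colo ACL and the name-to-address table are constructed assumptions.

```python
import ipaddress
import re

# ASA "name" table assumed for the object name used in the thread's ACLs.
NAMES = {"Colospace_Network_172.16.16.0": "172.16.16.0"}

# Only 'permit ip <src> <mask> <dst> <mask>' crypto ACL lines are considered.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# HQ crypto ACL as posted in the thread (includes the backwards second line).
HQ_ACL = """
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
"""

# Constructed Colo-side ACL: the mirror image of HQ's two correct lines.
COLO_ACL = """
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
"""

# Networks that are local to Colo, i.e. remote from HQ's point of view.
REMOTE_NETS = {ipaddress.ip_network("172.16.16.0/24")}


def parse_crypto_acl(config):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' ACL lines."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{NAMES.get(src, src)}/{smask}")
        dst_net = ipaddress.ip_network(f"{NAMES.get(dst, dst)}/{dmask}")
        pairs.add((src_net, dst_net))
    return pairs


def check_crypto_acls(hq_config, colo_config, remote_nets):
    """List HQ entries that are backwards (remote network as source) or that
    have no mirrored (dst, src) entry on the Colo peer."""
    hq, colo = parse_crypto_acl(hq_config), parse_crypto_acl(colo_config)
    problems = []
    for src, dst in sorted(hq, key=str):
        if src in remote_nets:
            problems.append(f"backwards on HQ: {src} -> {dst} (source is remote)")
        elif (dst, src) not in colo:
            problems.append(f"no mirror on Colo for {src} -> {dst}")
    return problems
```

Running `check_crypto_acls(HQ_ACL, COLO_ACL, REMOTE_NETS)` reports only the backwards second line; removing that line from HQ_ACL gives an empty report.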

Thanks for your help!  I had to grapple with a split-dns issue but it's up and running.  Thanks!

Clear the crypto tunnel using the below commands, because whatever change you are making is not applied until you re-initiate the tunnel.

clear crypto isakmp sa

clear crypto ipsec sa

Note: do it for both HQ and Colo.

With Regards,

Safwan

Got it, Thanks!
