thanks for you response, please see the ASA config:

ASA Version 9.1(2)
!
hostname FirewallTest
domain-name xxxx
enable password XgqE2ti75e5Du.lY encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name acstest
object network local_network
 subnet 192.168.10.0 255.255.255.0
object network remote_network
 subnet 172.30.0.0 255.255.0.0
access-list inside_access_in extended permit ip object local_network any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip object local_network object remote_network
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local_network local_network destination static remote_network remote_network no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic local_network interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpntest esp-3des esp-md5-hmac

 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set vpntest
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ca trustpool policy

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.10.101-192.168.10.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username testadmin password .hnKhTzJUM6CVX4W encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 23
  subscribe-to-alert-group configuration periodic monthly 23
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f7a99df13cbe0f735efb01ce7c371029
: end

Hi

I'm reading it through my smartphone and it's a little bit hard :-)

I think you are missing a route.

Could you try a ping from router LAN to ASA LAN and run a logging console on ASA to see logs? Could you please share it?

If not working, could you try to add a route :

route 172.30.0.0 255.255.0.0 x.x.x.255 (ASA outside interface).

In the mean time, I will re-read your config this evening when I'm back home to check because again through a smartphone it's quite hard.

In any case, I will share you a sketch with configs, then you will be able to compare if needed

although the VPN tunnel is showing up, i am still not able to reach the ASA inside network.

this is the output of debug cry isa on the router:

un  9 15:16:00.819: ISAKMP:(1002):purging node -1560853873
*Jun  9 15:16:10.819: ISAKMP (1002): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE      
*Jun  9 15:16:10.819: ISAKMP: set new node -922729395 to QM_IDLE      
*Jun  9 15:16:10.819: ISAKMP:(1002): processing HASH payload. message ID = 3372237901
*Jun  9 15:16:10.819: ISAKMP:(1002): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 3372237901, sa = 0x48824C5C
*Jun  9 15:16:10.819: ISAKMP:(1002):deleting node -922729395 error FALSE reason "Informational (in) state 1"
*Jun  9 15:16:10.819: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun  9 15:16:10.819: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Hi

Sorry for the late answer. I've went through your config and everything seems to be working fine.

Could you add a design of your infrastructure?

I've done a quick lab with your configs (see attachment) and when I initiate ICMP request from PC behind Router, the tunnel came up. I have also added a logging when the VPN was coming up.

Here the small lab I've done:

Here the ping initiated from PC2. There were timeouts as VPN was down and after it cames up:

it's good to know that connecting directly  was working fine. but i still  need to figure out what the issue is if the traffic getting through the Internet.

please see the network diagram.

Hi

On my router R1, that simulates a Internet cloud, itès a very simple config with 2 static routes. 

Your issue is on remote sites. Are you sure concerning the traffic going out?

Did you do some traces on ASA (Debug, captures,...) ?

Thanks

yes, i debugged the traffic on ASA, it captured the ICMP getting in but no answer.

What does that means? No traffic coming on ASA?

Could you share your router config?

sorry for the late answer.

i tried ping the host 192.168.10.101 that is connected to the ASA internal network from the router side switch 172.30.0.10 that is connected to the router directly and 

i captured the information on ASA as follows:

it looks like the traffic from the router could hit the ASA internal network, but there was no answer sending back to the router.

• 1: 00:01:29.807605 172.30.0.10 > 192.168.10.101: icmp: echo request
• • 2: 00:01:31.813724 172.30.0.10 > 192.168.10.101: icmp: echo request
  • • 3: 00:01:36.556611 172.30.0.10 > 192.168.10.101: icmp: echo request

While the IPSEC is UP. Is it UP on both end?

Could you issue the command show route 172.30.0.0 and give the output?

on the Firewall:

FirewallTest# sh cry isa sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 206.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

===============================================

on the router:

Router_Site_R#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
206.x.x.x   72.x.x.x    QM_IDLE           1005 ACTIVE


Router_Site_R#sh cry ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: maptest, local addr 206.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 72.x.x.x  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 772, #pkts encrypt: 772, #pkts digest: 772
    #pkts decaps: 876, #pkts decrypt: 876, #pkts verify: 876
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 206.x.x.x, remote crypto endpt.: 72.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x2A1DF98C(706607500)
     PFS (Y/N): N, DH group: none

you can see actually the VPN tunnel is up, but i am still not able to ping the ASA host from the router inside network.

Could you send output of show route from ASA to join Remote LAN?

From ASA-LAN-INSIDE to Remote LAN, are your ping responding?