Thanks for the reply. I haven't ran a debug on the HQ router yet(too busy, it might crash). Howvwer, Wireshark in front of the HQ router shows that the packets did not get to HQ router! Usually, on way traffic is either routing or interresting traffic in the ACL. In case cases, i have a summarize  route as per below(remote from the first subnet in the summarize(10.1x.200.0/23) can't ping that host in HQ, but other subnet can).  And i also have a static router pointed to HQ public IP.

Thx

Jen,

         You are correct about the route, but this isn't the issue. Also the vpn router only has ACL for interresting traffic to go throught the tunnel.

As mentioned below, packet snif inb front of the HQ vpn router prooves that the packet do not get to the HQ. At the same time trace from host on the affected subnet shows that the last hope is the remote VPN remote.

Yes, there is a pix firewall at the remote... but it does not block trajet going the subnet... I will post this FW config shortly.

Thanks,

When you sniff the packet, I assume that you are sniffing the VPN traffic (ESP), as it would still be encrypted if you sniff it in front of the HQ vpn router.

Ahhh, and btw, just realise that your crypto ACL doesn't look right. It should just be in one direction, not both as configured.

ip access-list extended remote-int-traffic

permit ip 10.1x.200.0 0.0.3.255 host 10.254.254.56

permit ip 10.1x.20.0 0.0.3.255 host 10.254.254.5

permit ip 10.1x.200.0 0.0.3.255 host 4.0.x.11

You should only have the above 3 lines configured, and on the remote end, it should also have just 3 lines, and it should mirror image.

The remote end should have:

ip access-list extended remote-int-traffic

permit ip host 10.254.254.56 10.1x.200.0 0.0.3.255

permit ip host 10.254.254.5 10.1x.20.0 0.0.3.255

permit ip host 4.0.x.11 10.1x.200.0 0.0.3.255

Otherwise, you would find all sorts of weird issues. Pls make the necessary modifications, clear the tunnels (clear cry ipsec sa, and clear cry isa sa) so the new ACL can be negotiated.

Jen,

           Thanks again for the help. I did sniff the packets at a location where i was able to see un encrypted traffic just after tyhe HQ router decrypt them(ping traffic from remote to HQ 10.254.254.56). And yes, i was able to see encrytped traffic as going to the other side well.

And yes, i am totally agree with on the crypto ACL, i just herited this from a previous admin. I guess it just created the crypto map and pasted the same one at both end....It's lazy to do so, but it does save which we don't often have enough of in the IT world, so i can blame him!  Yes, that he is the plan to remove unnecessary ACL,but i had to do that after hours.

Thanks,

Ahh, do you mean that it does arrive on the HQ router and get decrypted, however, there is no reply from the actual host?

Can you pls share the output of:

show cry ipsec sa

Also, as Mikul advised earlier, is the default gateway of the host set correctly to point back towards the HQ router? and/or does it have a host firewall that might prevent inbound connections?