Unable to reach local networks between site-to-site VPN tunnel

Ahmad Saad4
Level 1

Hi there,

 

We have a Site-to-Site IPsec VPN between two sites using two ASA firewalls. One site has two link connections to two different ISPs (primary and backup), and it used to work fine until this site (with 2 WAN connections) changed the IP address of its primary link to a different broadband provider. So, I changed the outside interface to the new one and updated the default gateway to the new broadband provider, and for the other branch I modified the connection profile to use the new IP address for the remote peer (the VPN did fail over to backup while switching to the new primary, but again didn't work). Unfortunately it didn't work, so I deleted the connection profiles and started from scratch; the tunnel is up and I can see traffic encrypted and decrypted on both sides of the tunnel. However, I can't reach the LAN subnets from either side (e.g. ping isn't working).

I checked the NAT and ACLs, but I couldn't find anything wrong.

What's the best method to troubleshoot this case? I tried to use packet-tracer for ICMP traffic, but I find it very confusing which destination address to use (e.g. LAN1: 192.168.1.10/24 & LAN2: 172.16.1.10/24).

(I used ASDM to create the site-to-site IPsec VPN on both sides; could it be a bug in ASDM? Should I use the CLI to create the tunnel instead?)

Do I need to reload the ASA for the changes to take effect?

 

ASA1: ASA5515, 8192 MB RAM, Version 9.9(2)

ASA2: ASA5525, 8192 MB RAM, Version 9.6(3)1

Accepted Solution

Francesco Molino
VIP Alumni
Hi

Can you share your configs please?
I did a quick post with commands showing how to troubleshoot an L2L VPN.
Can you take a look and try it on your side?

https://community.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082

Usually when IPsec is up but no encaps and/or decaps are seen, it's a NAT or ACL issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

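The thread ends with the original poster confirming a NAT problem. As an added illustration (not configuration from this thread, from the linked post, or from Cisco's documentation), the snippet below shows the usual shape of that mistake on an ASA running 8.3+ NAT syntax, the identity (NAT-exemption) rule that fixes it for the two subnets named in the question, and the packet-tracer call with the real LAN addresses. Interface names `inside`/`outside`, the object names, the ACL name and the `<remote-peer-ip>` placeholder are assumptions.

```cisco
! Added example, not from the thread. Object names and interface
! names (inside/outside) are assumptions; adapt to your own config.
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 172.16.1.0 255.255.255.0

! Typical cause of "tunnel up, LANs unreachable": a dynamic PAT rule
! for Internet access also matches VPN-bound traffic, so 192.168.1.x
! leaves as the outside address and never matches the crypto ACL
! or the remote side's rules.
object network PAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! Fix: a manual identity NAT rule at line 1 of section 1, so VPN
! traffic between the two LANs keeps its real addresses and is
! evaluated before any PAT rule. Configure the mirror image on the
! other ASA (swap LAN1 and LAN2).
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! The crypto ACL must describe the same pair of real subnets.
access-list VPN-ACL extended permit ip object LAN1 object LAN2

! Verification: simulate a LAN1 host pinging a LAN2 host. Enter on the
! inside interface with the real (private) addresses, not the public
! peer addresses. Expect the NAT phase to hit the identity rule and
! the VPN phase to show ENCRYPT/ALLOW; a drop in the NAT or
! ACCESS-LIST phase names the rule to fix.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.10 detailed

! Confirm which NAT rule is being hit, and that both #pkts encaps
! and #pkts decaps increase while a LAN-to-LAN ping runs.
show nat detail
show crypto ipsec sa peer <remote-peer-ip>
```

If encaps grow on one ASA but decaps stay at zero on the other, the traffic is being sent but dropped on the receiving side, so repeat the packet-tracer and NAT check there.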

3 Replies

Thanks!

You're absolutely right; it was a NAT issue!

You're welcome.
Glad that worked!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question