
VPN site-to-site ASA-AWS

rponte
Level 1

Hello Folks,

I am trying to do a VPN connection between my ASA and AWS VPC and it is not working. Could you please check it and help me?

Here is my configuration:

Public IPs changed:

crypto ikev1 policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

object-group network DST_VPN_L2L_AWS-ACID_Labs_stagging
network-object 171.0.10.0 255.255.255.0
network-object 171.0.11.0 255.255.255.0

object-group network SRC_VPN_L2L_AWS-ACID_Labs_stagging
network-object host 10.1.3.16
network-object host 10.1.3.23
network-object host 10.1.3.58
network-object host 10.1.3.55
network-object host 10.1.3.15
network-object host 10.1.3.22
network-object host 10.1.2.102

access-list ACL-L2L-VPN-AWS-ACID_Labs_stagging extended permit ip object-group SRC_VPN_L2L_AWS-ACID_Labs_stagging object-group DST_VPN_L2L_AWS-ACID_Labs_stagging

nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs_stagging SRC_VPN_L2L_AWS-ACID_Labs_stagging destination static DST_VPN_L2L_AWS-ACID_Labs_stagging DST_VPN_L2L_AWS-ACID_Labs_stagging

crypto ipsec ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging esp-aes-256 esp-sha-hmac

crypto map segurovpn 15 match address ACL-L2L-VPN-AWS-ACID_Labs_stagging
crypto map segurovpn 15 set pfs
crypto map segurovpn 15 set peer 1.1.1.1 2.2.2.2
crypto map segurovpn 15 set ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging
crypto map segurovpn 15 set security-association lifetime seconds 3600

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key abc
isakmp keepalive threshold 10 retry 10

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cde
isakmp keepalive threshold 10 retry 10

I have an IP SLA on my core:

ip sla 20
icmp-echo 171.0.10.131 source-interface Vlan41
frequency 5
ip sla schedule 20 life forever start-time now
ip sla 30
icmp-echo 171.0.11.212 source-interface Vlan41
frequency 5
ip sla schedule 30 life forever start-time now

I did the debug and it shows:

packet-tracer input interna icmp 10.1.3.16 8 0 171.0.10.131 de

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.0 255.255.254.0 Interna

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Interna in interface Interna
access-list Interna extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73a0f890, priority=13, domain=permit, deny=false
hits=64111047, user_data=0x6f59ec80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7378d138, priority=0, domain=inspect-ip-options, deny=true
hits=2793297518, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x747d4960, priority=70, domain=inspect-icmp, deny=false
hits=28975364, user_data=0x747d3940, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7378cd10, priority=66, domain=inspect-icmp-error, deny=false
hits=28977323, user_data=0x7378c328, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x75d57938, priority=13, domain=debug-icmp-trace, deny=false
hits=383796209, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs_stagging SRC_VPN_L2L_AWS-ACID_Labs_stagging destination static DST_VPN_L2L_AWS-ACID_Labs_stagging DST_VPN_L2L_AWS-ACID_Labs_stagging
Additional Information:
Static translate 10.1.3.16/0 to 10.1.3.16/0
Forward Flow based lookup yields rule:
in id=0x774d52c0, priority=6, domain=nat, deny=false
hits=10, user_data=0x76b60a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.3.16, mask=255.255.255.255, port=0
dst ip/id=171.0.10.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=outside

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x74ed1578, priority=70, domain=encrypt, deny=false
hits=3127, user_data=0x2bb320bc, cs_id=0x7700da58, reverse, flags=0x0, protocol=0
src ip/id=10.1.3.16, mask=255.255.255.255, port=0
dst ip/id=171.0.10.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x747d5ea0, priority=0, domain=user-statistics, deny=false
hits=2944520092, user_data=0x746a7cb0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x74ef6d98, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=3127, user_data=0x2c247f14, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=171.0.10.0, mask=255.255.255.0, port=0
dst ip/id=10.1.3.16, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 12
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x76e27a38, priority=13, domain=debug-icmp-trace, deny=false
hits=400754464, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x737671b0, priority=0, domain=inspect-ip-options, deny=true
hits=2873324028, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x747d66e8, priority=0, domain=user-statistics, deny=false
hits=2860347337, user_data=0x746a7cb0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Interna

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2906792974, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Interna
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

show crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: segurovpn, seq num: 15, local addr: 3.3.3.3

access-list ACL-L2L-VPN-AWS-ACID_Labs_stagging extended permit ip host 10.1.3.22 171.0.11.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.3.22/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (171.0.11.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 54536, #pkts encrypt: 54536, #pkts digest: 54536
#pkts decaps: 163624, #pkts decrypt: 163624, #pkts verify: 163624
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 54536, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 109090

local crypto endpt.: 3.3.3.3/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 9C8BFD41
current inbound spi : D0C785FD

inbound esp sas:
spi: 0xD0C785FD (3502736893)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 86343680, crypto-map: segurovpn
sa timing: remaining key lifetime (kB/sec): (4373963/3434)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9C8BFD41 (2626420033)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 86343680, crypto-map: segurovpn
sa timing: remaining key lifetime (kB/sec): (4373990/3434)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

In ASDM:

IPSEC: Received an ESP packet (SPI=0xB3D438FD, sequence number = 0x7E3) from 1.1.1.1 (user=1.1.1.1) to 3.3.3.3.
The decapsulated inner packet doesn't match the negotiated policy in the SA.
The packet specifies its destination as 10.1.3.16, its source as 171.0.10.131, and its protocol as icmp. The SA specifies its local proxy as 10.1.3.22/255.255.255.255/ip/0 and its remote_proxy as 171.0.11.0/255.255.255.0/ip/0.


6 Replies

Bogdan Nita
VIP Alumni

Based on the packet-tracer output the traffic is encrypted and sent out the outside interface, but in the show crypto sa output I can't see the SA that should have been created by the packet tracer.

I believe you have a couple more crypto map entries; any chance one of those has the same IPs configured in the crypto ACL?

HTH

Bogdan

I have another VPN working and it has the following:

nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs SRC_VPN_L2L_AWS-ACID_Labs destination static DST_VPN_L2L_AWS-ACID_Labs DST_VPN_L2L_AWS-ACID_Labs
access-list ACL-L2L-VPN-AWS-ACID_Labs extended permit ip object-group SRC_VPN_L2L_AWS-ACID_Labs object-group DST_VPN_L2L_AWS-ACID_Labs

object-group network SRC_VPN_L2L_AWS-ACID_Labs
network-object host 10.1.3.16
network-object host 10.1.3.23
network-object host 10.1.3.58
network-object host 10.1.3.55
network-object host 10.1.3.15
network-object host 10.1.3.22
network-object host 10.1.2.102

As you can see, the source is the same. Is that the problem?

The crypto entries:
sh run | i 1.1.1.1
crypto map segurovpn 15 set peer 1.1.1.1 2.2.2.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes

Hello @rponte

I was checking your configuration, and you need to keep in mind a detail with VPNs to AWS VPC. Based on this link, https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html, the ASA needs to have an ACL with only one entry, so you need to change your source to ANY; if you don't configure it like that, you can experience problems with the VPN.

Probably that's why it's not working.

HTH

Gio

rponte
Level 1

I looked at my configuration again and saw that I had a problem with the transform-set:

crypto ipsec ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging esp-aes esp-sha-hmac

I corrected it and it's working now.

Thanks for your help.

Hello,

Can you advise, is it possible to configure ASA policy-based VPN and the AWS side still route-based VPN?

As far as I know, AWS supports only route-based VPN.

The Site-to-Site VPN service is a route-based solution. If you are using a policy-based configuration, you must limit your configuration to a single security association (SA).

https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf
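To make the proxy-ID mismatch in the original post's ASDM message and the single-SA point raised in Gio's reply and in the quoted AWS guide concrete, here is an added Python example (not code from the thread, Cisco or AWS): it expands the object-group crypto ACL into the per-pair SAs the ASA negotiates, parses the quoted ASDM text, and reports which pair the decrypted packet belongs to versus the pair the SA was negotiated for. The object-group contents and the message text are copied from the thread; the function names are mine.

```python
import ipaddress
import itertools
import re

# Object-group contents copied from the thread's configuration; hosts are /32s.
SRC_HOSTS = ["10.1.3.16", "10.1.3.23", "10.1.3.58", "10.1.3.55",
             "10.1.3.15", "10.1.3.22", "10.1.2.102"]
DST_NETS = ["171.0.10.0/24", "171.0.11.0/24"]

# The ASDM text quoted in the original post, pasted here as sample input.
ASDM_LOG = ("The packet specifies its destination as 10.1.3.16, its source as "
            "171.0.10.131, and its protocol as icmp. The SA specifies its local "
            "proxy as 10.1.3.22/255.255.255.255/ip/0 and its remote_proxy as "
            "171.0.11.0/255.255.255.0/ip/0.")

def expand_crypto_acl(src_hosts, dst_nets):
    """'permit ip object-group SRC object-group DST' behaves like one ACE per
    (source, destination) pair, and each pair is negotiated as its own SA."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d in itertools.product(src_hosts, dst_nets)]

def parse_asdm_mismatch(msg):
    """Extract the decrypted packet's addresses and the SA's proxy IDs."""
    pkt = re.search(r"destination as ([\d.]+), its source as ([\d.]+),", msg)
    sa = re.search(r"local proxy as ([\d.]+)/([\d.]+)/ip/\d+ and its "
                   r"remote_proxy as ([\d.]+)/([\d.]+)/ip/\d+", msg)
    inner_dst = ipaddress.ip_address(pkt.group(1))
    inner_src = ipaddress.ip_address(pkt.group(2))
    local = ipaddress.ip_network(f"{sa.group(1)}/{sa.group(2)}")
    remote = ipaddress.ip_network(f"{sa.group(3)}/{sa.group(4)}")
    return inner_src, inner_dst, local, remote

def sa_for_inbound_packet(acl_pairs, inner_src, inner_dst):
    """Return the ACL pair an inbound (decrypted) packet belongs to:
    source inside the remote proxy, destination inside the local proxy."""
    for local, remote in acl_pairs:
        if inner_dst in local and inner_src in remote:
            return (local, remote)
    return None

def diagnose(msg, src_hosts=SRC_HOSTS, dst_nets=DST_NETS):
    """Compare the SA the packet arrived on with the SA the ACL would select."""
    pairs = expand_crypto_acl(src_hosts, dst_nets)
    inner_src, inner_dst, local, remote = parse_asdm_mismatch(msg)
    return {
        "sa_count": len(pairs),  # 7 hosts x 2 subnets = 14 proxy pairs here
        "negotiated_sa": (local, remote),
        "expected_sa": sa_for_inbound_packet(pairs, inner_src, inner_dst),
        "packet_fits_negotiated_sa": inner_dst in local and inner_src in remote,
    }
```

Running diagnose(ASDM_LOG) on the quoted message reports 14 candidate SAs, a packet that does not fit the negotiated 10.1.3.22/32 to 171.0.11.0/24 pair, and 10.1.3.16/32 to 171.0.10.0/24 as the pair it would have needed. The thread's actual fix was the transform-set, so this is a check to run alongside the IKE and IPsec debugs, not a root-cause verdict on its own.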