
cannot reach network through site to site vpn

bluesea2010
Level 5

Hi,

show crypto isakmp sa shows the below:

Child sa: local selector 192.168.8.0/0 - 192.168.8.255/65535
remote selector 172.21.23.0/0 - 172.21.23.255/65535

But I can't reach the remote network, and vice versa.

Thanks

Accepted Solution

Could you please try:

clear crypto ipsec sa inactive
please do not forget to rate.


16 Replies

@bluesea2010 run "show crypto ipsec sa" and check the encap|decap counters: are they increasing? You may need a NAT exemption rule, as the VPN traffic may be unintentionally translated by an existing dynamic PAT rule.
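As an added example (not code from the thread or from Cisco), a small Python parser for the "show crypto ipsec sa" counters that flags the one-directional pattern discussed in this thread; the sample output is constructed from the selectors and counters posted here, and the function names are my own.

```python
import re
import ipaddress

# Constructed sample in the layout of the "show crypto ipsec sa" output quoted in this thread.
SAMPLE_OUTPUT = """\
Crypto map tag: test, seq num: 3, local addr: OUTSIDEIP
  local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 6694, #pkts decrypt: 6694, #pkts verify: 6694
  local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
  #pkts encaps: 3114, #pkts encrypt: 3114, #pkts digest: 3114
  #pkts decaps: 3119, #pkts decrypt: 3119, #pkts verify: 3119
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
ENCAP_RE = re.compile(r"#pkts encaps: (\d+)")
DECAP_RE = re.compile(r"#pkts decaps: (\d+)")

def parse_ipsec_sas(text):
    """Return one dict per SA: local/remote selector as CIDR plus encap/decap counters."""
    sas, cur = [], {}
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, addr, mask = m.groups()
            cur[side] = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))  # dotted mask -> CIDR
        elif m := ENCAP_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAP_RE.search(line):
            cur["decaps"] = int(m.group(1))
            sas.append(cur)  # decaps is the last counter we need, so it closes the record
            cur = {}
    return sas

def diagnose(sa):
    """Classify an SA by its counter pattern, following the reasoning in the replies."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "ok: traffic flows in both directions"
    if dec and not enc:
        return "one-way: peer traffic is decrypted but nothing local is encrypted (check NAT exemption, routing into the ASA, or a stale SA)"
    if enc and not dec:
        return "one-way: local traffic is encrypted but nothing returns (check the peer's crypto ACL and routing)"
    return "idle: no traffic has matched this SA in either direction"

if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_OUTPUT):
        print(f"{sa['local']} -> {sa['remote']}: {diagnose(sa)}")
```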

Hi,

Please see the below:

Crypto map tag: test, seq num: 3, local addr: OUTSIDEIP

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: x.x.x.x


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6694, #pkts decrypt: 6694, #pkts verify: 6694
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

 

Thanks

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

You are not sending traffic to the tunnel. Could you show us the site-to-site VPN configuration?

 

What does your NAT config look like? It could be that you are not doing NAT exemption. Are you using an ASA or a router?

 

 

Here is what you require:

nat (Inside,Outside) source static LAN LAN destination static REMOTE REMOTE no-proxy-arp route-lookup

!

packet-tracer input LAN tcp 192.168.2.5 12345 172.21.22.5 3389

please do not forget to rate.

Hi @Sheraz.Salim and @Rob Ingram 

 

The below is from the same tunnel but a different network, and it works:

access-list Outside_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: x.x.x.x


#pkts encaps: 3114, #pkts encrypt: 3114, #pkts digest: 3114
#pkts decaps: 3119, #pkts decrypt: 3119, #pkts verify: 3119
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3114, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

 

Thanks 

Great, all sorted.

please do not forget to rate.

Hi @Sheraz.Salim  and @Rob Ingram 

Not sorted. I have NAT exemption in place and it was working; the issue happened after I changed the internet router.

 

From this network 192.168.35.0 255.255.255.0 I can reach in both directions:

access-list Outside_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)

But the below network is not working:

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)

All from the same tunnel

Thanks

 

@bluesea2010 provide the output of "show nat detail"

object network LOCAL192
 subnet 192.168.2.0 255.255.255.0
!
object network Remote172
 subnet 172.20.22.0 255.255.255.0
!
nat (inside,outside) source static LOCAL192 LOCAL192 dest static Remote172 Remote172 no-proxy-arp route-lookup

 

Could you show us the "show nat detail" command output?

 

Prior to the internet router change, all was working fine? It would be great if you can show the config of this VPN tunnel. Also, do you manage the remote tunnel router too?

 

 

Give the full output of this command: "show crypto ipsec sa peer x.x.x.x". I know I see that one of the SAs was not doing encap but was doing decap.

 

Is 192.168.2.0 255.255.255.0 directly connected to the firewall? If not, check if you can reach 192.168.2.0/24 from your firewall, for example by pinging from the firewall.

 

Just thinking: if the encap counter does not increase, it could be that the traffic from 192.168.2.0/24 is not reaching the firewall. Could you please confirm this?

please do not forget to rate.

@bluesea2010 if this other VPN is working, you may have a NAT exemption rule that applies to the local and remote networks for that VPN, but not the new VPN.

 

Run "show nat detail" and provide the output for review

 

Confirm whether you have a NAT exemption rule as previously suggested for this new VPN.

@bluesea2010 yes, you are not encrypting but you are decrypting traffic.

 

Probably NAT as first suggested. Use this link for more information on creating a NAT exemption rule. A NAT exemption rule will ensure traffic between your local network and the remote network is not translated.

 

Here is an example for your scenario:

object network LOCAL
 subnet 192.168.2.0 255.255.255.0
object network REMOTE
 subnet 172.21.22.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE

Amend accordingly (nameif of your interfaces and object names etc).

 

Another possibility is that traffic is not routed to the ASA; ensure the routing is correct and traffic to the remote networks goes via the ASA's outside interface.

Hi @Rob Ingram and @Sheraz.Salim 

Below is from the ASA (packet capture), firewall to the remote:

[Attachment: Captureasa.JPG (packet capture screenshot)]

And below is the NAT translation:

97 (Inside) to (Outside) source static Insidepc Insidepc destination static cloud cloud no-proxy-arp route-lookup
translate_hits = 37287599, untranslate_hits = 39551129
Source - Origin: Testlan/24, 192.168.8.0/24, 192.168.10.0/24, 192.168.35.0/24
192.168.2.0/24, 192.168.33.0/24, 192.168.9.0/24, Translated: testlan/24, 192.168.8.0/24, 192.168.10.0/24, 192.168.35.0/24
192.168.2.0/24, 192.168.33.0/24, 192.168.9.0/24
Destination - Origin: 172.21.21.0/24, 172.21.22.0/24, 172.21.23.0/24, 172.21.24.0/24
172.21.25.0/24, 172.21.26.0/24, 172.21.27.0/24, 172.21.28.0/24, Translated: 172.21.21.0/24, 172.21.22.0/24, 172.21.23.0/24, 172.21.24.0/24
172.21.25.0/24, 172.21.26.0/24, 172.21.27.0/24, 172.21.28.0/24

 

I am facing the problem with only 192.168.2.0/24; the rest, 192.168.8.0/24 and 192.168.10.0/24, are all working.

Thanks

 

Could you please confirm:

 

Crypto map tag: test, seq num: 3, local addr: OUTSIDEIP

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: x.x.x.x


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6694, #pkts decrypt: 6694, #pkts verify: 6694

Can you ping the 192.168.2.0/24 subnet from your firewall (any server/client in the range 192.168.2.0/24)?
Is 192.168.2.0/24 directly connected to the inside network behind the firewall?

 

 

I noted 192.168.2.155 is sending pings to the remote destination network, but it is not getting any reply. And this capture, which interface did you set it on? Inside?

please do not forget to rate.

Hi @Sheraz.Salim 

 

Can you ping the 192.168.2.0/24 subnet from your firewall (any server/client in the range 192.168.2.0/24)?
Is 192.168.2.0/24 directly connected to the inside network behind the firewall?

Yes, I can reach it from the firewall.

 

I noted 192.168.2.155 is sending pings to the remote destination network, but it is not getting any reply. Could you confirm whether the remote side has added this subnet 192.168.2.0/24 in their VPN tunnel? And this capture, which interface did you set it on? Inside?

 

ingress inside 

source 192.168.2.155 

Thanks

Your NAT statement looks solid.

Looking at the earlier output from your firewall:

Crypto map tag: test, seq num: 3, local addr: OUTSIDEIP

access-list Outside_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: x.x.x.x


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6694, #pkts decrypt: 6694, #pkts verify: 6694

192.168.2.0/24 is added in the NAT statement and in the crypto ACL, but we see there are no encaps on this SA. Normally you see this due to routing not being in place (for example, the inside network is not directly connected to the firewall), whereas in your case 192.168.2.0/24 is directly connected to the firewall, or at least you can ping this subnet 192.168.2.0/24 from your firewall, so we know there is no routing issue. However, we still see there are no encaps for this network.

 

 

Could you share the VPN configuration for this tunnel?

 

please do not forget to rate.