I am using VTIs. I have the following route that should sent the traffic through the tunnel:

ip route 10.11.12.13 255.255.255.0 Tunnel15

The only NAT involved is a 1-to-1 of another set of IPs that go over the same tunnel:

ip nat inside source static xxx.xxx.xxx.xx2 xxx.xxx.xxx.xx3

Tunnel interface 15 has ip nat outside, the LAN interface on the router has ip nat inside.

I also have an in access-list applied to int tunnel 15, but that should affect this since the issue is the return traffic. I also removed the access-list, bounced the tunnel and it made no difference.

@mcunetworking have you got a VTI or Multi SA (tunnel interface with an ACL defining interesting traffic)? You shouldn't have multiple SAs if you were using a VTI. Or do you have a legacy crypto map configuration left over that should be removed?

Provide the configuration, even it is it only the pertinent configuration for this tunnel would help speed things up.

Masking table definition:

1.1.1.1 = my public IP

1.1.1.2 = my public IP's gateway

2.2.2.2 = remote peer Public IP

10.0.0.1 =  some internal IP 1

10.0.0.2 =  some internal IP 2

10.0.0.3 =  some internal IP 3

10.0.0.4 =  some internal IP 4

172.16.0.0/24 = Remote internal subnet

Config:

no crypto isakmp default policy
crypto isakmp policy 15
  encr aes 256
  hash sha512
  authentication pre-share
  group 14
!

!

crypto ipsec transform-set ProblemTunnel esp-aes 256 esp-sha512-hmac
 mode tunnel
!

!

crypto ipsec profile ProblemTunnel
  set transform-set ProblemTunnel
  set pfs group14
!

!

interface Tunnel15
  description ProblemTunnel
  ip address 10.0.15.1 255.255.255.0
  ip access-group ProblemTunnel in
  ip nat outside
  ip virtual-reassembly in
  tunnel source 1.1.1.1
  tunnel mode ipsec ipv4
  tunnel destination 2.2.2.2
  tunnel protection ipsec profile ProblemTunnel

interface GigabitEthernet0/1
  description LAN
  ip address 10.0.0.5 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
!

!

ip nat inside source static 10.0.0.3 10.0.0.4

ip route 0.0.0.0 0.0.0.0 1.1.1.2

ip route 172.16.0.0 255.255.255.0 Tunnel15

!

!

ip access-list extended ProblemTunnel
permit tcp 172.16.0.0 0.0.0.255 host 10.0.0.1 eq 1024
permit tcp 172.16.0.00 0.0.0.255 host 10.0.0.3 eq 1024
permit tcp 172.16.0.0 0.0.0.255 host 10.0.0.4 eq 1024
permit tcp 172.16.0.0 0.0.0.255 host 10.0.0.2 eq 443
deny ip any any

Let me know if I am missing something in the configuration.

I will say, and this could be the problem, the PEER side has configured 4 separate tunnels(they are not using a Cisco ISR), my side essentially has one. It has pretty much always worked, just occasionally gone down. Could this be a situation where the traffic that works, works because it was the first traffic to go over the newly created tunnel(s) and/or newly re-negotiated SAs and the rest of the traffic is what breaks? Sort of like a first come first serve? The traffic to the 10.0.0.1 server is the primary traffic that goes over this tunnel, the 10.0.0..2-4 traffic is for testing. I am currently researching the best way to split my side up into 4 tunnel too, although that might be improbable since they have the same peers.

Edit: I just tested and there are situations where I can bounce the tunnel and the traffic for 10.0.0.1 doesn't even work, even if it is the first traffic that tries to traverse the tunnel. Took me bouncing the tunnel 7 times to correct it. The traffic for 10.0.0.2 still doesn't traverse correctly though. 

Reading this line in a cisco "IPsec Virtual Tunnel Interfaces" document makes me think the different SA's is what is causing the issue:

"Static VTIs (SVTIs) support only a single IPsec SA that is attached to the VTI interface." Link here: Link.

I am able to create a separate VTI with the same peer IP address, but now I have to figure out how to route the same destination IP address over 2 different VTIs depending on the source IP. I might be able to do a plain jane policy route with a route-map but I am still testing.

@mcunetworking yes, like I said you shouldn't have multiple SAs if you are using a VTI. You should have 0.0.0.0/0.0.0.0 as the proxy ID. It's the routing that determines what traffic is sent over the tunnel.

It sounds like your peer has configured a policy based VPN and you've got a Route Based VPN, determine what configuration your peer has and mirror their configuration or get them to mirror yours with a VTI.

You don't need to create another VTI to the same destination, you create multiple static routes via the tunnel interface.

The problem is that they are using a GUI that isn't Cisco, and they just add another config like it is a completely separate tunnel. 

For example, they say "Oh now we need to connect to 10.0.0.5, just create another tunnel". So their tunnels are destination based.

The other end has 3 or 4 IP addresses that contact me, lets say:

172.16.0.1

172.16.0.2

172.16.0.3

172.16.0.4

They are trying to contact the following on my side(as a recap), and it could be any of the above connecting to any of the below:

10.0.0.1

10.0.0.2

10.0.0.3

10.0.0.4

So your comment "create multiple static routes via the tunnel interface", are you saying instead of having one routed subnet:

ip route 172.16.0.0 255.255.255.0 Tunnel15

I should instead have this:

ip route 172.16.0.1 255.255.255.0 Tunnel15
ip route 172.16.0.2 255.255.255.0 Tunnel15
ip route 172.16.0.3 255.255.255.0 Tunnel15
ip route 172.16.0.4 255.255.255.0 Tunnel15

I tried creating PBRs, and used one ACL to say anything coming from 10.0.0.1 go to Tunnel15 and everything coming from 10.0.0.2 go to Tunnel16 in order to try and match their config, but it didn't work. After the fact I was thinking is can't really since I don't know which tunnel they cam to me on. So I kind of see what you mean about one VTI, but I don't quite get how to get get the traffic to merge over one SA.

I also came across Cisco's "Configure Multi-SA Virtual Tunnel Interface on IOS-XE router" webpage. Which makes it look like I would need to upgrade to IOS 16, change a couple of things and my issue would be fixed. I am currently on 15.0(1r)M16.

@mcunetworking if the peer does not want to change to a route based VPN, then change your configuration to policy based VPN using a crypto map. In the ACL to define the interesting traffic just define your local ip address(es) as the source, with the destination as their IP addresses. Essentially you need to mirror each others configuration in regards to the local/remote networks that define the interesting traffic.

I came across more Cisco documentation that says VTI is not compatible with 3rd parties. I am trying to revert back to a crypto map setup for them.

I was finally able to get the crypto map setup, which I now remember why I went away from them. I will just have to upgrade the IOS in order to get Multiple-SA VTIs.