I have a site ipsec tunnel between a c7204vxr and a c1941isr. The tunnel is established successfully but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically, there is an ssl website that is being accessed that is behind the 1941. When a node from behind the 7204 is accessing it, 27 packets traverse successfully from the 7204 to the 1941. On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204(this is determined from tracking acl hit counts placed at inside interfaces of the 1941 and 7204). The log at the 7204 shows even less packets then that arrived(only two). The c7204 ios does not have ability for ip inspect log drop-pkt. The crypto acl is a full ip acl(access-list 105 permit ip <net> <mask> <net> <mask>). There are no other firewalls or natting happening between the endpoints. I can ping nodes on both sides of the tunnel successfully with no loss or drops. A packet capture of the access attempt shows the node behind the 1941 continually sending tls, ssl, and tcp packets to the node behind the 7204 without response. What other tools could be used to interrogate this?