Interesting that you see zero decaps on both firewalls. Could you please try to set some packet capture on PT firewall on the outside interface including the VPN decrypted traffic similar to the following, and then initiate some traffic from a client in subnet 172.16.4.0/24 in the HQ site?

capture VPN interface WAN include-decrypted match icmp any any

This will show us if PT firewall receives the VPN traffic and decrypts it from the HQ. If so, the PT firewall should show some decaps on the IPsec SA between the 172.16.4.0 and 172.31.1.0 subnets.

If the above is not successful, then I would try to remove the route maps under the LAN interfaces on both firewalls and change the AD value on the static default routes from 2 to 1 and see if that makes any difference.

I draw this topolgy to clear the trouble point 
please share the output in order I list in my draw

thanks for waiting 

MHM

Here I also run packet tracer from both site HQ and PT to assist of some point that might helps.

** HQ **

# packet-tracer input LAN icmp 172.16.4.16 8 0 172.31.1.3

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.31.1.3/0 to 172.31.1.3/0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

description: # All vlan from inside interface

network-object object LEVEL_G

network-object object LEVEL_2

network-object object LEVEL_3

network-object object LEVEL_4

network-object object LEVEL_5

network-object object LEVEL_6

network-object object WIFI

network-object host 172.17.9.1

network-object object SERVER

network-object object WIFI_B

Additional Information:

Phase: 4      

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Static translate 172.16.4.16/0 to 172.16.4.16/0

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Phase: 12

Type: VPN     

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 14

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:       

Additional Information:

New flow created with id 186199012, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

** PT **

# packet-tracer input LAN icmp 172.31.1.0 8 0 172.16.4.16

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.16.4.16/0 to 172.16.4.16/0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

network-object object WIFI_BENGKEL

network-object object WIFI_JTK

network-object object WIFI_JKE_A

network-object object WIFI_JKE_B

network-object object WIFI_HEP

network-object object WIFI_HOSTEL_LELAKI

network-object object WIFI_HOSTEL_PEREMPUAN

network-object object JTP

network-object object JTM

network-object object HEP

network-object object BENGKEL

network-object object CISCO

network-object object JTK

network-object object JKE_A

network-object object JKE_B

network-object object SERVER

network-object object WIFI_JTP

network-object object WIFI_JTM

network-object object WIFI_DEWAN_A

network-object object WIFI_DEWAN_B

network-object object JTA

network-object object JKP

network-object object WIFI_JTA_JKP

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Static translate 172.31.1.0/0 to 172.31.1.0/0

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 26111606, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

From the packet tracer I found that HQ dont have VPN "ipsec-tunnel-flow" which PT have.

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

which PT have

I have updated the static route as per below

HQ
route WAN 0.0.0.0 0.0.0.0 10.152.25.33 2
route LAN 172.16.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.1.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.2.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.3.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.5.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.6.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.7.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.8.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.9.0 255.255.255.0 172.16.100.51 1
route WAN 172.31.1.0 255.255.255.0 10.152.25.33 1

PT 
route WAN 0.0.0.0 0.0.0.0 10.151.21.1 2
route WAN 172.16.1.0 255.255.255.0 10.151.21.1 1
route LAN 172.31.0.0 255.255.224.0 172.31.100.1 1
route LAN 172.31.1.0 255.255.255.0 172.31.100.1 1

** And I rerun packet tracer 

HQ

# packet-tracer input LAN icmp 172.16.4.16 8 0 172.31.1.3 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.31.1.3/0 to 172.31.1.3/0

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

description: # All vlan from inside interface

network-object object LEVEL_G

network-object object LEVEL_2

network-object object LEVEL_3

network-object object LEVEL_4

network-object object LEVEL_5

network-object object LEVEL_6

network-object object WIFI

network-object host 172.17.9.1

network-object object SERVER

network-object object WIFI_B

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8f84a30, priority=13, domain=permit, deny=false

hits=5368178, user_data=0x2aaabdbd79c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

Phase: 3

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaacf306280, priority=7, domain=conn-set, deny=false

hits=24242097, user_data=0x2aaacf3037c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Static translate 172.16.4.16/0 to 172.16.4.16/0

Forward Flow based lookup yields rule:

in  id=0x7f4f8e3504d0, priority=6, domain=nat, deny=false

hits=11479, user_data=0x7f4f8e34ff50, cs_id=0x0, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=WAN

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac7eb3e40, priority=0, domain=nat-per-session, deny=true

hits=190167865, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:       

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8bc2cb0, priority=0, domain=inspect-ip-options, deny=true

hits=24394434, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f4f77213030, priority=70, domain=inspect-icmp, deny=false

hits=355796, user_data=0x7f4f77211310, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8bc24c0, priority=66, domain=inspect-icmp-error, deny=false

hits=728352, user_data=0x2aaac8bc1a30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7f4f61a8dbd0, priority=70, domain=encrypt, deny=false

hits=290, user_data=0xacee74, cs_id=0x2aaac99988d0, reverse, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=WAN

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7f4f8e352e90, priority=6, domain=nat-reverse, deny=false

hits=11352, user_data=0x7f4f8e350050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=WAN

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:       

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7f4f61a8d0e0, priority=70, domain=ipsec-tunnel-flow, deny=false

hits=290, user_data=0xad004c, cs_id=0x2aaac99988d0, reverse, flags=0x0, protocol=0

src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=WAN, output_ifc=any

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x2aaac7eb3e40, priority=0, domain=nat-per-session, deny=true

hits=190167867, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 13

Type: IP-OPTIONS

Subtype:      

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x2aaac8b61bc0, priority=0, domain=inspect-ip-options, deny=true

hits=185829553, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=WAN, output_ifc=any

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 186331150, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

PT

# packet-tracer input LAN icmp 172.31.1.3 8 0 172.16.4.16 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x557285a350, priority=1, domain=permit, deny=false

        hits=1527511922, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=LAN, output_ifc=any

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.16.4.16/0 to 172.16.4.16/0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

network-object object WIFI_BENGKEL

network-object object WIFI_JTK

network-object object WIFI_JKE_A

network-object object WIFI_JKE_B

network-object object WIFI_HEP

network-object object WIFI_HOSTEL_LELAKI

network-object object WIFI_HOSTEL_PEREMPUAN

network-object object JTP

network-object object JTM

network-object object HEP

network-object object BENGKEL

network-object object CISCO

network-object object JTK

network-object object JKE_A

network-object object JKE_B

network-object object SERVER

network-object object WIFI_JTP

network-object object WIFI_JTM

network-object object WIFI_DEWAN_A

network-object object WIFI_DEWAN_B

network-object object JTA

network-object object JKP

network-object object WIFI_JTA_JKP

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5573ccf720, priority=13, domain=permit, deny=false

        hits=70924, user_data=0x556082d200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Static translate 172.31.1.3/0 to 172.31.1.3/0

Forward Flow based lookup yields rule:

in  id=0x55757c8af0, priority=6, domain=nat, deny=false

        hits=3458, user_data=0x55784abc90, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=WAN

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x556e727770, priority=0, domain=nat-per-session, deny=true

        hits=27324636, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5572863330, priority=0, domain=inspect-ip-options, deny=true

        hits=32302387, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x557518d940, priority=70, domain=inspect-icmp, deny=false

        hits=1034843, user_data=0x557518bb80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5572862b40, priority=66, domain=inspect-icmp-error, deny=false

        hits=1034843, user_data=0x5572862190, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x55797339f0, priority=70, domain=encrypt, deny=false

        hits=4, user_data=0x21afc94, cs_id=0x5574abf0f0, reverse, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=WAN

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Forward Flow based lookup yields rule:

out id=0x55771404a0, priority=6, domain=nat-reverse, deny=false

        hits=3458, user_data=0x5573700210, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=WAN

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x55766e11d0, priority=70, domain=ipsec-tunnel-flow, deny=false

        hits=4, user_data=0x21b0a34, cs_id=0x5574abf0f0, reverse, flags=0x0, protocol=0

        src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=WAN, output_ifc=any

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x556e727770, priority=0, domain=nat-per-session, deny=true

        hits=27324638, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=any

Phase: 13

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x5571b4bfe0, priority=0, domain=inspect-ip-options, deny=true

        hits=20156901, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=WAN, output_ifc=any

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 26266351, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

sorry for late reply but sometime idea need lab to test, 
anyway 
this simple lab two ASA 
the packet tracer is UP and OK and the encrypt count OK but the decrypt count is Zero 
the issue is 
you run ACL in OUTside of one or both FW
and you not use 
sysopt connection permit-vpn 
for (FPR with FDM or FMC) the option of bypass ACL is not enabled 

MHM