04-26-2017 04:28 PM
Hi All,
I am hoping for some guidance here, as I have been struggling with this for a day. I have not been able to bring up the tunnel between an XG230 and an ASA 5510-X.
The configuration on the ASA end:
access-list testvpn extended permit ip any <ip/subnet of remote site> (not ASA)
access-list testvpn extended permit ip <ip/subnet of network attached to ASA locally>
access-list testvpn extended permit ip <ip/subnet of network known to ASA, one of our branch sites>
crypto ipsec ikev1 transform-set testusavpn esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set users esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set software esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set external esp-aes esp-sha-hmac
crypto map test 16 match address testvpn
crypto map test 16 set pfs
crypto map test 16 set peer x.x.x.x
crypto map test 16 set ikev1 transform-set testvpn
crypto map test 16 set reverse-route
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 14400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
nat (asalocal,outside) source static asalocalnetwork asalocalnetwork destination static TestSite TestSite no-proxy-arp
nat (inside,outside) source static Branchoffice Branchoffice destination static TestUSASite TestUSASite no-proxy-arp
nat (inside,any) source static TestSite TestSite destination static VPNusers VPNUsers no-proxy-arp route-lookup
nat (outside,outside) source static VPNUsers VPNUsers destination static TestSite TestSite no-proxy-arp route-lookup
Sophos Configuration:
Connection Type: Site to Site
Policy:
Allow Rekeying
Key negotiation tries 3
Main mode
Pass data in compressed format
Algorithm Encryption: AES256
Authentication Sha1
DH Group 2
Key life 86400
Rekey Margin 120
Dead Peer detection enabled
Phase 2
AES256/Sha1
PFS Group 2
Key life 86400
I have attached the debug log at level 254 on the ASA. I have messed around with the policy on the Sophos and just haven't been able to get the connection up.
Please help!
Thanks
04-26-2017 06:16 PM
How does your branch network connect to this ASA?
04-26-2017 06:18 PM
MPLS network provided by the ISP.
We have two other Sophos UTM 9's with successful VPN tunnels to the ASA, so it does work. I have tried to replicate the config, but it's not working.
04-26-2017 06:23 PM
Let's start by correcting the access list. Delete it and replace it with:
access-list testvpn extended permit ip <ip/subnet of network attached to ASA locally> <ip/subnet of remote site>
access-list testvpn extended permit ip <ip/subnet of network known to ASA, one of our branch sites> <ip/subnet of remote site>
04-26-2017 06:28 PM
I had it like this originally, but the ASA kept saying it did not match any policies. Once I added this line it finally matched the crypto statements in 16.
04-26-2017 07:42 PM
OK, after removing the top line, the debug log shows this:
Apr 27 12:34:34 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, map = CMAP, seq = 16, ACL does not match proxy IDs src:10.50.0.0 dst:0.0.0.0
Apr 27 12:34:34 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Skipping dynamic map DYNMAP sequence 100: cannot match peerless map when peer found in previous map entry.
Apr 27 12:34:34 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.50.0.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
To make things easier:
access-list testvpn line 1 extended permit ip 10.100.0.0 255.255.0.0 10.50.0.0 255.255.255.0
access-list testvpn line 2 extended permit ip 10.10.0.0 255.255.0.0 10.50.0.0 255.255.255.0
04-26-2017 07:47 PM
Your access list and the remote access list do not match.
04-26-2017 07:55 PM
I haven't actually set an ACL on the Sophos. Are you talking about the configured firewall rules?
04-26-2017 07:57 PM
How does Sophos know what subnets to encrypt traffic for?
04-26-2017 08:06 PM
Thanks for pointing out that configuration flaw though!
04-26-2017 09:52 PM
All right, I have gotten the VPN connection working.
I had to uncheck "pass data in compressed format" on the Sophos!
However, I cannot ping the internal subnets from the ASA > Sophos or vice versa.
Going to assume it's the routing table. The ASA has 10.50.x.x in its route table, pointed to the outside interface. Now I just need to figure out how to get it into the Sophos?
04-27-2017 04:51 AM
OK, so I used to be able to use a remote connect VPN back to the datacenter from this test site. Since creating the tunnel and the site-to-site VPN, I can no longer remote connect.
Is this going to be possible anymore? It is the same originating IP address.
Logs from the ASA:
(config)# Apr 27 21:48:50 [IKEv1]Group = VPNGROUP, Username = xxxx, IP = x.x.x.x, QM FSM error (P2 struct &0x00007fff9e3e2840, mess id 0x7db5 f26c)!
Apr 27 21:48:50 [IKEv1]Group = VPNGROUP Username = xxxxx IP = x.x.x.x, Removing peer from correlator table failed, no match!
Apr 27 21:48:50 [IKEv1]Group = VPNGROUP, Username = xxxxxx, IP = x.x.x.x, Session is being torn down. Reason: crypto map policy not found
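The two failures quoted in this thread (the "no matching crypto map entry for remote proxy ... local proxy 0.0.0.0/0.0.0.0" rejection earlier, and the "crypto map policy not found" teardown for the remote-access user above) both come out of how the ASA walks its crypto map. The script below is an added example, not code from the thread or from Cisco: it is a simplified model of that walk, reconstructed from the debug lines posted here (static entries are tried in sequence order, a static entry must match the peer address and then one of its crypto ACL entries must mirror the proposed proxy IDs exactly, and a dynamic "peerless" map is skipped once a static entry has claimed the peer). The peer address 203.0.113.10, the pool address 192.0.2.5 and the second client address 198.51.100.7 are assumed stand-ins for the x'd-out addresses; the ACL lines and the debug line are copied from the thread. Real ASA behaviour has more cases than this (IKEv2, deny ACEs, non-exact proxy handling), so treat the model as a way to reason about mirroring, not as the platform's algorithm.

```python
"""Simplified model of ASA IKEv1 crypto-map selection (added example, not ASA code).

Reconstructed from the debug lines in this thread; the assumed rules are:
  1. crypto map entries are evaluated in sequence order;
  2. a static entry matches only if its 'set peer' equals the peer address AND
     one crypto ACL entry mirrors the proposal exactly (ACE src == our side,
     ACE dst == peer's side);
  3. a dynamic (peerless) entry is skipped when an earlier static entry already
     matched the peer address ("cannot match peerless map when peer found").
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def _take_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address specifier ('any', 'host A', or 'A MASK') from an ACE."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[Net, Net]:
    """'access-list NAME [line N] extended permit ip SRC MASK DST MASK' -> (src, dst).
    In a crypto ACL, src is the network behind this ASA and dst the network behind the peer."""
    tokens = line.split()
    i = tokens.index("ip") + 1
    src, i = _take_net(tokens, i)
    dst, _ = _take_net(tokens, i)
    return src, dst


PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+"
)


def parse_debug_proxies(line: str) -> Tuple[Net, Net]:
    """Extract (remote_proxy, local_proxy) from a 'Rejecting IPSec tunnel' debug line."""
    m = PROXY_RE.search(line)
    if m is None:
        raise ValueError("no proxy IDs found in debug line")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return remote, local


@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str]                 # None models a dynamic (peerless) map
    aces: List[Tuple[Net, Net]]         # empty for the dynamic map in this model


def select_crypto_map(entries: List[CryptoMapEntry], peer_ip: str,
                      local_proxy: Net, remote_proxy: Net) -> Optional[int]:
    """Return the sequence number the ASA would use, or None for a rejected SA."""
    peer_found = False
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.peer is None:
            if peer_found:      # "Skipping dynamic map ... peer found in previous map entry"
                continue
            return entry.seq    # simplification: the dynamic map accepts a client's proxies
        if entry.peer != peer_ip:
            continue
        peer_found = True
        for src, dst in entry.aces:
            if src == local_proxy and dst == remote_proxy:
                return entry.seq
        # "ACL does not match proxy IDs": fall through to later entries
    return None


# --- constructed sample data: ACEs and debug line copied from the thread ---
ACL_LINES = [
    "access-list testvpn line 1 extended permit ip 10.100.0.0 255.255.0.0 10.50.0.0 255.255.255.0",
    "access-list testvpn line 2 extended permit ip 10.10.0.0 255.255.0.0 10.50.0.0 255.255.255.0",
]
PEER = "203.0.113.10"   # assumed stand-in for the thread's x.x.x.x L2L peer
CRYPTO_MAP = [
    CryptoMapEntry(16, PEER, [parse_ace(l) for l in ACL_LINES]),
    CryptoMapEntry(100, None, []),          # DYNMAP sequence 100 from the debug log
]
DEBUG_LINE = ("Apr 27 12:34:34 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: "
              "no matching crypto map entry for remote proxy 10.50.0.0/255.255.255.0/0/0 "
              "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
POOL_CLIENT = ipaddress.ip_network("192.0.2.5/32")   # assumed remote-access pool address


def scenario_as_logged() -> Optional[int]:
    """The peer offered 0.0.0.0/0 as the ASA side: no ACE mirrors it -> rejected."""
    remote, local = parse_debug_proxies(DEBUG_LINE)
    return select_crypto_map(CRYPTO_MAP, PEER, local, remote)


def scenario_mirrored() -> Optional[int]:
    """Peer configured with local 10.50.0.0/24 and remote 10.100.0.0/16 -> seq 16."""
    return select_crypto_map(CRYPTO_MAP, PEER,
                             ipaddress.ip_network("10.100.0.0/16"),
                             ipaddress.ip_network("10.50.0.0/24"))


def scenario_ra_client_behind_l2l_peer() -> Optional[int]:
    """Remote-access client arriving from the L2L peer's public address."""
    return select_crypto_map(CRYPTO_MAP, PEER, ANY_NET, POOL_CLIENT)


def scenario_ra_client_elsewhere() -> Optional[int]:
    """Same client from another public address (assumed) reaches the dynamic map."""
    return select_crypto_map(CRYPTO_MAP, "198.51.100.7", ANY_NET, POOL_CLIENT)
```

Run with the four scenario functions: the proposal as logged returns no entry, the mirrored proposal lands on sequence 16, and a remote-access client coming from the same public address as the L2L peer is claimed by the static entry and then fails its ACL while the dynamic map is skipped, which is the "crypto map policy not found" outcome in this model; the same client from a different address reaches the dynamic map. Whether that is the actual cause on this ASA is not settled in the thread. Note also that the original `permit ip any <remote>` ACE is the only shape that mirrors a peer proposing 0.0.0.0/0 for the ASA side, which is why the first ACL matched and the corrected one did not until the Sophos local networks were narrowed.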
04-27-2017 01:00 PM
What IP address does your client get? Something from the local lan? Something from a pool of addresses?
04-27-2017 03:31 PM
The IP that is getting x'd out there is the off-site public IP. Once connected, the client would get an IP from a specified range not in the local LAN; it is specific to remote access VPN users. Is that what you are asking?