OK here is a sample of my working config.

At a second look, it looks like your colo ASA does have a public IP assigned to it, but it seems to be routing all of your 10.4.0.0 traffic through your colo router instead of directly out its public interface.

name 10.1.5.253 Colo-R description Colo Router

route Inside-Route 10.4.0.0 255.255.0.0 10.1.5.253 1

when you are creating your tunnel on your sdf asa, are you pointing it at the colo router public IP, or the colo ASA public IP?

EDIT: Didn't upload site a config... oops

Thanks very much for taking a look at this!

The SDF ASA is pointing at the Colo ASA public IP.  I'm double checking but I didn't think that router even had a public IP (might be something leftover from a different setup).

I spent a while banging my head on the ikev1 vs isakmp without getting anywhere - I was going forward on the assumption that the 9.2 version just translates the isakmp command into ikev1 (our startup config on the SDF ASA just has the isakmp line, and when I clear all the VPN information out and readded it using isakmp (NOT ikev1) then did 'show run' the line came back as ikev1.

Thank you very much for those examples - I'm going through them now; it helps a lot just knowing for sure that it *can* work between the two versions.

Yeah it works flawlessly for me.

If your tunnel endpoint is the colo ASA public IP, i'd look at this route statement in your config:

route Inside-Route 10.4.0.0 255.255.0.0 10.1.5.253 1

From what I can tell from your tunnel configuration, the local IP you're trying to route to your SDF site is 10.4.4.128, and would be affected by that route.

It is possible that return traffic is being sent to [and probably dropped by] the colo router at 10.1.5.253. Is that router on the inside of the ASA then? Is that where that traffic is supposed to go?

Oops that's probably the problem... the local IP at the SDF site is 10.122.x.x; the 10.4.4.128 is behind the CoLo ASA.

From what I can tell though the tunnel should be set up that way (but I've been staring at it so long that everything's running together)/it doesn't look backwards anywhere.  Do you remember what was set up the wrong way (with it pointing 10.4.4.128 traffic to SDF/Site B)?

on the colo ASA, it looks like it is sending traffic bound for 10.4.0.0 through 10.1.5.253, which is why I was asking. That would happen to any traffic arriving at the colo ASA destined for a 10.4.0.0 device.

That configuration might be correct, but only if the device at 10.1.5.253 is between 10.4.0.0 and your colo ASA. That was why I was asking.

if you run 'show crypto ipsec sa' what does it show for traffic over the tunnel?

Oh; I misunderstood then.  ^^;  The router/10.1.5.253 is between the two.

I had to generate some traffic from the SDF side but here's the results:

Colo/Site A (just for this VPN):

interface: Outside-Route
Crypto map tag: outside_map, seq num: 6, local addr: <redacted-PublicIP-SiteA>

access-list Outside-Route_6_cryptomap extended permit ip 10.4.4.128 255.255.255.128 10.122.80.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.4.128/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (10.122.80.0/255.255.255.0/0/0)
current_peer: <redacted-PublicIP-SiteB>

#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: <redacted-PublicIP-SiteA>, remote crypto endpt.: <redacted-PublicIP-SiteB>

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D0D5D381
current inbound spi : B40B6913

inbound esp sas:
spi: 0xB40B6913 (3020646675)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4182016, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/27601)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD0D5D381 (3503674241)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4182016, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373998/27601)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

SDF/Site B:

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: <redacted-PublicIP-SiteB>

access-list outside_25_cryptomap extended permit ip 10.122.80.0 255.255.255.0 10.4.4.128 255.255.255.128
local ident (addr/mask/prot/port): (10.122.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (RCS-IS/255.255.255.128/0/0)
current_peer: <redacted-PublicIP-SiteA>

#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: <redacted-PublicIP-SiteB>/0, remote crypto endpt.: <redacted-PublicIP-SiteA>/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B40B6913
current inbound spi : D0D5D381

inbound esp sas:
spi: 0xD0D5D381 (3503674241)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 15671296, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27704)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xB40B6913 (3020646675)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 15671296, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/27704)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

have you tried adding ikev1 to the tunnel protocol in your group-policy on colo ASA?

As far as I can tell there isn't a way to do that/it already is added - I'm not 100% sure on this, but it seems like the 'Enable IPSec' option in the asdm/the ipsec line in the config on the 8.2 version is the same as the ikev1 option/config line in the 9.iforgot version.

I'll double check tomorrow though - my shift just ended and I don't have access to the ASAs anymore.

Thank you again for your help on this - I've been working on it for a week now and it's been driving me bonkers.

I went through and looked for a way to add ikev1 to the group policy; I can't find a way either in ASDM or the CLI.  I found an 'ipsec-udp' command but that didn't do anything one way or the other.

I've done some ikev1? exploring in the colo ASA's cli and it doesn't seem to have options for it, at least not where the later version has them (there's no crypto ipsec ikev1, for instance).