Screen OS

  • 1.  Issue with route based VPN tunnel with MIP between SSG140 and Cisco ASA device

    Posted 11-14-2018 14:27

    I am having an issue with a route based VPN tunnel between a SSG140 and a Cisco ASA device (both sides are doing MIP translation from the original IP address to a different IP address, from 10.100.0.58->208.86.147.170 on my side, and the tunnel is just routing a single address on each side).  The tunnel comes up just fine, but if the ASA initiates the tunnel, the ASA never sees return traffic from the SSG140.  I can see traffic initiated by the ASA come through the tunnel, and it looks like the SSG140 is sending it back through the tunnel, but the ASA person says they don't see it.  If I initiate traffic (after the ASA brings up the tunnel), again it looks like it goes into the tunnel, but the ASA person says they don't see it.  However, if the SSG140 initiates the tunnel, then the packets flow back and forth in the tunnel just fine.  I have done some debug traces and from what I can tell it looks like everything should work.  Below are the basic commands on the SSG140 side that relate to the tunnel.  I attached a debug flow that shows a packet coming from the ASA (after it brings up the tunnel) to the SSG140 and a return packet coming back to the SSG140.

    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/2" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface tunnel.2 ip unnumbered interface ethernet0/2
    set interface "tunnel.2" mip 208.86.147.170 host 10.100.0.58 netmask 255.255.255.255 vr "trust-vr"
    set address "Trust" "vsql01 in" 10.100.0.58 255.255.255.255
    set address "Untrust" "discol 164-82-7-51" 164.82.7.51 255.255.255.255

    set ike p1-proposal "discolp1"....
    set ike p2-proposal "discolp2"....
    set ike gateway ikev2 "discol gateway" address 164.82.6.11 outgoing-interface "ethernet0/2" preshare "...." proposal "discolp1"
    set vpn "discol-164-82-7-51" gateway "discol gateway" no-replay tunnel idletime 0 proposal "discolp2"
    set vpn "discol-164-82-7-51" id 0x63 bind interface tunnel.2
    set vpn "discol-164-82-7-51" dscp-mark 0
    set vpn "discol-164-82-7-51" proxy-id local-ip 208.86.147.170/32 remote-ip 164.82.7.51/32 "ANY"
    set policy id 412 from "Untrust" to "Trust"  "discol 164-82-7-51" "MIP(208.86.147.170)" "ANY" permit log
    set policy id 412
    set log session-init
    exit
    set policy id 407 from "Trust" to "Untrust"  "vsql01 in" "discol 164-82-7-51" "ANY" permit log
    set policy id 407
    set log session-init
    exit
    set route 164.82.7.51/32 interface tunnel.2

     




  • 2.  RE: Issue with route based VPN tunnel with MIP between SSG140 and Cisco ASA device
    Best Answer

    Posted 11-14-2018 14:37

    The debugs show the packet coming into the firewall and being sent out eth0/0.  Return traffic arrives on eth0/0, is NAT'd and encrypted, then sent out eth0/2 to 208.86.147.161 (via next hop MAC 000ed6310c00).  I don't see anything on the NS side that indicates any issues.