Why I cannot ping to the remote site from ASA?
I recently implemented ASA5508 on multiple sites, and realized I was not able to ping an IP address on the remote site over the S2S VPN from the local ASA. However, I was able to ping the remote site's IP from the PC connected to the local ASA's inside interface.
Topology
Issue
- Unable to ping from 10.1.1.254/24 to 10.0.30.0/24, and unable to ping from 10.0.30.254/24 to 10.1.1.0/24
- Can ping from the PC on site A (10.1.1.110) to 10.0.30.0/24, and can ping from PC on site B (10.0.30.110) to 10.1.1.0/24
Solution
You need to enable management access on the inside interface.
#management-access inside
Once it's enabled, you can reach the remote site from the ASA itself.
ASA5508-HA(config)# ping inside 10.0.30.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.30.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5508-HA(config)#
What management-access does is allow you to manage the device from the far side of a VPN tunnel via a specific interface. According to Cisco,
This command allows you to connect to an interface other than the one you entered the ASA from when using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel. For example, if you enter the ASA from the outside interface, this command lets you connect to the inside interface using Telnet, or you can ping the inside interface when entering from the outside interface.
Tips
- Management access can be enabled on a single interface only.
- The remote site needs to have the same setting.
- When you ping, you need to specify the source interface:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.30.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/50 ms
FW-OG-NY-ASA5508-HA(config)#
To stop management access, simply execute the no management-access command.
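The three tips above amount to a quick audit of both ends of the tunnel. The following is an added example, not from the original post: it parses constructed running-config excerpts for site A and site B (interface names, security levels and the outside addresses are assumptions; the inside addresses are the ones from the post) and reports when management-access is missing, on the wrong interface, or not matched between the two sites.

```python
import re

# Constructed running-config excerpts (not the post's own configs).
# Interface names and outside addresses are assumptions.
SITE_A_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
management-access inside
"""

# Site B is missing the command, which is the failure the post describes.
SITE_B_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 198.51.100.20 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.30.254 255.255.255.0
"""


def management_access_interfaces(config):
    """Return the nameif values named in 'management-access <nameif>' lines."""
    return re.findall(r"^management-access\s+(\S+)\s*$", config, re.MULTILINE)


def audit_pair(local_cfg, remote_cfg, expected="inside"):
    """Return a list of findings; empty means both ASAs can ping each
    other's inside address across the tunnel (ping <expected> <remote-ip>)."""
    findings = []
    for site, cfg in (("local", local_cfg), ("remote", remote_cfg)):
        ifaces = management_access_interfaces(cfg)
        if not ifaces:
            findings.append(f"{site}: management-access not configured")
        elif len(ifaces) > 1:
            # The ASA keeps only one; a hand-edited file may still list several.
            findings.append(f"{site}: management-access on several interfaces {ifaces}")
        elif ifaces[0] != expected:
            findings.append(f"{site}: management-access on {ifaces[0]!r}, expected {expected!r}")
    return findings
```

Run it against the output of show running-config from each ASA; an empty result means both sites carry the same management-access inside setting.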