I recently went through the process of upgrading a customer’s ASA from 7.2 to 8.4 code. After the upgrade finished, I noticed that Internet access for my VPN users connecting over a full-tunnel VPN was failing. Debugging showed TCP connections being torn down due to “no valid adjacency.” The cause was a NAT rule with a source of any and a destination of my VPN subnet. Judging from the configuration, I believe the rule was intended as a NAT exemption for internal network traffic going to the VPN users.
In the examples below, these are the object groups:
object-group network Inside_LAN
 network-object 10.1.1.0 255.255.255.0
object-group network VPN_Clients
 network-object 10.1.250.0 255.255.255.0
The NAT rule causing the problem was:
nat (inside,any) source static any any destination static VPN_Clients VPN_Clients
I fixed the issue by replacing it with a more restricted NAT rule that sources only from the internal LAN object:
nat (inside,any) source static Inside_LAN Inside_LAN destination static VPN_Clients VPN_Clients
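As an added example (not part of the original post), here is a small Python checker that scans an ASA configuration for NAT exemptions written with a source of any, the pattern that caused the problem above, and rewrites them to the narrowed form used in the fix. The sample configuration is constructed from the post's object groups and rules, and the function and variable names are my own.

```python
import re

# Constructed sample ASA config excerpt modelled on the post's objects and
# rules (not a real customer configuration).
SAMPLE_CONFIG = """\
object-group network Inside_LAN
 network-object 10.1.1.0 255.255.255.0
object-group network VPN_Clients
 network-object 10.1.250.0 255.255.255.0
nat (inside,any) source static any any destination static VPN_Clients VPN_Clients
nat (inside,any) source static Inside_LAN Inside_LAN destination static VPN_Clients VPN_Clients
"""

# Twice-NAT rule: nat (real_if,mapped_if) source static R M [destination static R M]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)

def object_group_names(config: str) -> set[str]:
    """Collect the names of all 'object-group network' definitions."""
    return set(re.findall(r"^object-group network (\S+)", config, re.M))

def find_overbroad_nat_exempts(config: str) -> list[dict]:
    """Flag NAT exemptions whose source is 'any', or that name an undefined
    object-group. 'source static any any destination static X X' is hit by
    every flow toward X, not only the internal LAN it was written for; in the
    post this is the rule that broke Internet access for full-tunnel VPN users."""
    groups = object_group_names(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = NAT_RE.match(line.strip())
        if not m or m["real_dst"] is None:   # only destination-based exemptions
            continue
        if m["real_src"] == "any":
            findings.append({"line": lineno, "rule": line.strip(),
                             "reason": "source 'any' in NAT exemption"})
        for name in (m["real_src"], m["real_dst"]):
            if name != "any" and name not in groups:
                findings.append({"line": lineno, "rule": line.strip(),
                                 "reason": f"undefined object-group {name}"})
    return findings

def suggest_narrowed_rule(rule: str, internal_group: str) -> str:
    """Rewrite the source as an identity NAT of internal_group (the post's fix)."""
    return rule.replace("source static any any",
                        f"source static {internal_group} {internal_group}", 1)
```

Run it against a saved `show running-config` to list every exemption that still sources from any, together with the narrowed replacement.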