The first issue sounds like there is an issue with Radius authentication. Things to check there are: can ASA reach the Radius server? Is ASA configured as a Radius client? Is the shared key correct on ASA and on Radius server?
With regards to another issue, if you are using split tunneling, there might be an access list in place, restricting access to anything other than internet. It is hard to say more without seeing any of the config.
Thanks for response Sergey.
Authentication issue has been resolved, I used below commands to see the interesting traffic and isolate the same.
PS : I just placed 'password-management' command under group-policy and issue got resolved.
test aaa-server authentication <aaa-server group name> username <username>
debug radius all
Second issue is still persist,where user is unable to access their remote sites--- i need your help here.
Could you confirm what would be the ingress and egress port for the traffic on ASA so that i can capture packets and see the live traffic??
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 primary_wan unassigned unassigned DHCP
GigabitEthernet1/1.10 primary_management 100.127.x.y 255.255.255.254 CONFIG
GigabitEthernet1/1.20 primary_internet 174.78.x.y 255.255.255.240 CONFIG
GigabitEthernet1/1.30 primary_vpls 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet1/3.13 guest 192.168.13.1 255.255.255.0 CONFIG
GigabitEthernet1/3.35 inside 192.168.35.254 255.255.255.0 CONFIG
GigabitEthernet1/8 firepower 192.168.222.2 255.255.255.252 CONFIG
Fixing the first issue by using password management would mean that MSCHAPv2 is required for the communication between the ASA and the authentication RADIUS server.
Regarding the second issue, if the ASA will be used as a transitive device, then you should verify the encryption domains and the NAT rules on both the transitive ASA and the remote ASA or routers. On the transitive ASA you should have a U-Turn NAT rule for the traffic coming from the AnyConnect clients destined to the remote sites on the same interface. Another thing to verify if you have applied the command same-security-traffic permit intra-interface which is required in this case.
As Aref stated you should permit sam-security-traffic if the same interface is used to terminate AnyConnect and route to the remote site. If the remote site is accessible through a different interface make use you have NAT and a route to it. Use packet-tracer to see the egress and ingress interface.
packet-tracer input PRIMARY_INTERNET tcp AC_CLIENT_IP 1234 REMOTE_IP 4567.