NCM config backup Cisco ASA

Hey guys, so we monitor several ASA devices worldwide through the Orion server in HQ. The two that we have at HQ get their config backed up nightly along with all the other network devices. The ASAs in remote locations that connect back via IPSec VPN tunnels, I am able to monitor them via SNMP, pull netflow, whole nine, except I can't back up their configs. Can anyone shed some light? Thank you.

  • What type of connection are you trying to use to the ASA over the VPN? Telnet or SSH? This isn't the issue, I'm sure; I just want to know what type of connection you are trying over the VPN, since both protocols are entirely different in the way they communicate.

    I would also look at the NCM logs and see why these are failing, or do a test download and do a packet capture at the ASA and from NCM using Wireshark to see what else may be going on in the session setup.

    I would imagine somewhere down the line this comes back to how traffic is handled on the VPN, or timeout issues with grabbing the script and sending it back to NCM in a timely manner. This could go many directions since it's a VPN tunnel and there are a few variables we have to rule out first.

  • The first thing I would do is make sure the NCM config on the devices is correct, especially the User/Device credentials. I had one or two devices not backing up and I found that I had forgotten to set the credentials (defaulted to Device and we used User). Another thing is the connection. I have run into an issue before where I couldn't back up, and the connection was set to telnet. Once I corrected to SSH, I was able to back up. Try manually backing up the configs to see what kind of results you get testing the backup against one of the problematic nodes. Many times the output there has helped me narrow down the problem. Also, try connecting directly to the device, outside of Orion, using your preferred connection method (telnet or SSH) and see what kind of results you get.

  • If you are sending out the email report of the completion of downloads, it will tell you if you are having login issues. It would stand out for you unless you aren't sending the email notification out showing the completion report, which is usually followed by a report comparing the new downloaded config to the last downloaded config to compare any changes that were made.

    This isn't a default setting, but should be an option you have set up to give you visibility to what is completing successfully and what isn't.

  • With ASAs you can set up access rules for who can log in to ASDM/Telnet/SSH. What you likely need to do is set up a rule so the IP address of your NCM server is allowed to make an SSH connection to the device. Even though you can get SNMP access to the ASA, that doesn't mean you can SSH to it. A good way to test it is to download PuTTY or another SSH client to your NCM server and attempt to log in to the ASA with the same credentials. If you're having login issues, that will tell you. It's a pretty simple allow statement, or you can use ASDM and allow it under the Device Management tab.
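
The check suggested in the replies above (is the NCM server's address actually permitted to open SSH or Telnet to the ASA?) can be run against a saved copy of the running config. This is an added example, not part of any post in the thread; the sample config, the addresses, and the function names `management_rules` and `allowed_interfaces` are constructed for illustration, and only IPv4 `ssh`/`telnet` permit lines are parsed.

```python
import ipaddress
import re

# Constructed sample of ASA running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
hostname remote-asa
telnet 10.1.1.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
ssh version 2
"""

# Matches "<ssh|telnet> <address> <netmask> <interface>" permit lines only;
# settings such as "ssh timeout 5" do not carry two dotted quads and are skipped.
RULE = re.compile(
    r"^(ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def management_rules(config):
    """Return (protocol, network, interface) for every management permit line."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m:
            proto, addr, mask, ifname = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((proto, net, ifname))
    return rules


def allowed_interfaces(config, source_ip, proto="ssh"):
    """Interfaces on which source_ip may open a proto session to the ASA."""
    ip = ipaddress.ip_address(source_ip)
    return [ifname for p, net, ifname in management_rules(config)
            if p == proto and ip in net]


if __name__ == "__main__":
    ncm_server = "172.16.0.9"  # constructed NCM server address
    for proto in ("ssh", "telnet"):
        hits = allowed_interfaces(SAMPLE_CONFIG, ncm_server, proto)
        print(f"{proto}: {', '.join(hits) if hits else 'not permitted'}")
```

An empty result for the NCM server's address matches the symptom in the original question: SNMP polling works while the config download cannot log in.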