Tuesday, April 10, 2018

Cisco ASA: how to find out why a packet is not going in or out through a VPN

For example, we want to check access through the INSIDE interface from the outside client 10.10.100.100 (TCP source port 30000) to the internal server 10.20.100.100 on TCP port 3389 (Windows RDP).
First, check the packet's "movement" through the ASA with packet-tracer:
packet-tracer input INSIDE tcp 10.10.100.100 30000 10.20.100.100 3389 detailed

Correct every problem that appears in each phase of the output. If the only "Drop" result is in the VPN phase, then trace the route, the group-policy and its vpn-filter ACL:
sh run route | grep 10.20.100.100 # found gateway is 10.30.100.100
sh run group-policy | grep 10.30.100.100 # found group-policy name is GP_10.30.100.100
sh run group-policy GP_10.30.100.100 | grep vpn-filter # found ACL name is INSIDE.30.100.100.vpn.filter
Now you can verify this ACL and add the needed permissions.
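The same triage, scripted. This is an added example, not from the original post: it parses the standard packet-tracer "Phase:/Type:/Result:" blocks to confirm that the VPN phase is the only drop, does a proper longest-prefix route lookup instead of grepping the host address, finds the group-policy whose name contains the next hop (the post's naming heuristic), reads its vpn-filter, and evaluates the named ACL against the flow. All device output below is constructed, the ACL parser is simplified (any / host / network-mask sources and destinations, "eq PORT" on the destination only), and the function names are my own.

```python
"""Automate the ASA VPN-drop workflow above. Added example; the sample output is constructed."""
import ipaddress
import re

# --- Constructed packet-tracer output (not captured from a real device) ---
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 10.30.100.100 using egress ifc OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Additional Information:

Result:
input-interface: INSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# --- Constructed 'show running-config' excerpt ---
RUNNING_CONFIG = """\
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1
route OUTSIDE 10.20.100.0 255.255.255.0 10.30.100.100 1
access-list INSIDE.30.100.100.vpn.filter extended permit tcp host 10.10.100.100 host 10.20.100.100 eq 443
access-list INSIDE.30.100.100.vpn.filter extended deny ip any any
group-policy GP_10.30.100.100 internal
group-policy GP_10.30.100.100 attributes
 vpn-filter value INSIDE.30.100.100.vpn.filter
"""


def parse_phases(output):
    """Return [(phase_number, type, result)] from packet-tracer output; the trailing summary block has no Phase: and is skipped."""
    phases = []
    for block in re.split(r"\n\s*\n", output):
        m_phase = re.search(r"^Phase:[ \t]*(\d+)", block, re.M)
        m_type = re.search(r"^Type:[ \t]*(\S+)", block, re.M)
        m_result = re.search(r"^Result:[ \t]*(\S+)", block, re.M)
        if m_phase and m_type and m_result:
            phases.append((int(m_phase.group(1)), m_type.group(1), m_result.group(1)))
    return phases


def dropping_phases(output):
    return [(n, t) for n, t, r in parse_phases(output) if r.upper() == "DROP"]


def only_vpn_drop(output):
    """True when the VPN phase is the single dropping phase (the post's precondition for the grep chain)."""
    drops = dropping_phases(output)
    return len(drops) == 1 and drops[0][1] == "VPN"


def next_hop_for(config, dst_ip):
    """Longest-prefix match over 'route <ifc> <net> <mask> <gw> [metric]' lines."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, parts[4])
    return best[1] if best else None


def vpn_filter_for_gateway(config, gateway):
    """Find the group-policy whose name contains the gateway address, then the vpn-filter in its attributes block."""
    policy = current = None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "group-policy":
            if gateway in parts[1]:
                policy = parts[1]
            current = parts[1] if parts[-1] == "attributes" else None  # indented block follows 'attributes'
        elif line.startswith(" ") and current == policy and parts[:2] == ["vpn-filter", "value"]:
            return policy, parts[2]
        elif not line.startswith(" "):
            current = None
    return policy, None


def _match_addr(tokens, ip):
    """Consume one address spec (any | host X | NET MASK); return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(tokens[1]), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return ipaddress.ip_address(ip) in net, tokens[2:]


def acl_verdict(config, acl_name, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of the named extended ACL (simplified grammar, see lead-in)."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, aproto, rest = parts[3], parts[4], parts[5:]
        if aproto not in (proto, "ip"):
            continue
        src_ok, rest = _match_addr(rest, src_ip)
        dst_ok, rest = _match_addr(rest, dst_ip)
        port_ok = rest[:1] != ["eq"] or rest[1] == str(dst_port)
        if src_ok and dst_ok and port_ok:
            return action
    return "deny"  # implicit deny at the end of every ACL


def triage(trace, config, proto, src_ip, dst_ip, dst_port):
    """Run the whole workflow; each key records what the corresponding manual step would have found."""
    if not only_vpn_drop(trace):
        return {"vpn_only_drop": False, "drops": dropping_phases(trace)}
    gw = next_hop_for(config, dst_ip)
    policy, acl = vpn_filter_for_gateway(config, gw) if gw else (None, None)
    verdict = acl_verdict(config, acl, proto, src_ip, dst_ip, dst_port) if acl else None
    return {"vpn_only_drop": True, "gateway": gw, "group_policy": policy,
            "vpn_filter": acl, "acl_verdict": verdict}


if __name__ == "__main__":
    print(triage(PACKET_TRACER_OUTPUT, RUNNING_CONFIG, "tcp", "10.10.100.100", "10.20.100.100", 3389))
```

With the constructed data the script reports the VPN phase as the only drop, the next hop 10.30.100.100, group-policy GP_10.30.100.100, vpn-filter INSIDE.30.100.100.vpn.filter, and a "deny" verdict for TCP/3389, because the only permit in that ACL is for port 443; that is exactly the rule you would extend before re-running packet-tracer.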
