One-way connection on ISA 2004 site-to-site VPN using IPsec tunnel mode
I am not a network guru by far, but I managed to set up a site-to-site VPN in IPsec tunnel mode (I know L2TP/IPsec is a more secure option, and that is my next step) between two edge ISA 2004 firewalls (see the attached diagram). Both servers are 2003 and up to date, and they both have two NICs, one for the WAN and one for the LAN.

All protocols are working from main to branch but not vice versa. I can ping, RDP, and do everything else from main to branch, but not from branch to main. A ping from branch to main shows "Negotiating IP Security", which I believe is a sign of IPsec working. Using the logging in ISA at the main site I cannot see any traffic coming from the branch, but the logging at the branch shows traffic going out to main. I do get a denied connection on occasion due to the IP address on the source adapter and destination (see attached), which I don't understand.

I don't think this is an issue with rules, as I have opened everything both ways between the internal and remote networks. It seems to be a routing issue from branch to main, but I thought ISA takes care of routing when a site-to-site VPN is set up. tracert gives me the same negotiation message. Let me know if you need more info about the setup, and thanks in advance for your help.

Attachments: ping-branch-to-main.PNG, ping-main-to-branch.PNG, branch-isa-logging.png, network.PNG
Tags: Microsoft Forefront ISA Server, Network Architecture
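Added diagnostic for the symptom described above (this is not from the original post and not an ISA tool; it is a plain cmd.exe script for the Windows Server 2003 hosts ISA 2004 runs on). ISA 2004 tunnel-mode site-to-site VPNs are built on the Windows IPsec service, so the SA state that produces "Negotiating IP Security" in ping is visible through netsh. The script dumps the routing table, the static IPsec policy, and the live main-mode and quick-mode SAs before and after a ping, so the two sides can be compared. The addresses (main LAN host 10.0.1.10) are assumed, since the diagram is not on the page; replace them with the real ones.

```batch
@echo off
REM Added example, not from the original post. Run on BOTH ISA servers
REM (main and branch) and compare the two output files side by side.
REM Assumed addressing (not taken from the post): a host 10.0.1.10 on
REM the main LAN that the branch should be able to reach.
set REMOTE_LAN_HOST=10.0.1.10
set OUT=%COMPUTERNAME%-ipsec-diag.txt

echo === %COMPUTERNAME% %DATE% %TIME% === > %OUT%

REM 1. Routing table. The peer's LAN range must be reachable through the
REM    WAN interface / default gateway, not through the LAN NIC. A route
REM    for the peer LAN present on one box and missing on the other is a
REM    classic cause of traffic that only flows one way.
echo --- route print --- >> %OUT%
route print >> %OUT%

REM 2. The static IPsec policy ISA handed to the Windows IPsec service:
REM    filter lists, tunnel endpoints, authentication method. The filter
REM    lists on the two ends must mirror each other (main->branch here,
REM    branch->main on the other box).
echo --- netsh ipsec static show all --- >> %OUT%
netsh ipsec static show all >> %OUT%

REM 3. Live state: main-mode (IKE phase 1) and quick-mode (phase 2) SAs.
REM    "Negotiating IP Security" in ping means the driver is still trying
REM    to build these. No main-mode SA at all points at IKE reachability
REM    (UDP 500) or the pre-shared key / certificate; a main-mode SA with
REM    no quick-mode SA points at phase-2 filters or subnets that do not
REM    match between the two sides.
echo --- netsh ipsec dynamic show mmsas (before ping) --- >> %OUT%
netsh ipsec dynamic show mmsas >> %OUT%
echo --- netsh ipsec dynamic show qmsas (before ping) --- >> %OUT%
netsh ipsec dynamic show qmsas >> %OUT%

REM 4. Trigger a negotiation from this side and keep the result in the log.
echo --- ping %REMOTE_LAN_HOST% --- >> %OUT%
ping -n 4 %REMOTE_LAN_HOST% >> %OUT%

REM 5. Re-read SA state to see whether the ping actually completed an SA.
echo --- netsh ipsec dynamic show mmsas (after ping) --- >> %OUT%
netsh ipsec dynamic show mmsas >> %OUT%
echo --- netsh ipsec dynamic show qmsas (after ping) --- >> %OUT%
netsh ipsec dynamic show qmsas >> %OUT%

echo Output written to %OUT%
```

Run it on the branch box while the branch-to-main ping fails, then on the main box right after; the side that initiated the ping should show a main-mode SA to the peer's public address and a quick-mode SA covering the two LAN ranges. If both sides show healthy SAs and yet ISA at main logs nothing from the branch, the Windows IPsec layer is not the problem and the remaining suspects are ISA's own network definition for the remote site (its address range) and the network rule between that remote-site network and Internal, which this script does not inspect.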