How to Configure FTP Over VPN on Cisco ASA 5505

If both the Buffalo and the 5505 are doing NAT then yes you are bypassing best practices.

Unless you need the further level of security I would look to disable the routing abilities of the Buffalo and use it just as a wireless AP (as that is why I'm guessing you have it).

This may be as simple as turning off the DHCP server on the Buffalo and plugging the ASA into a LAN port on the Buffalo rather than the WAN port.

In terms of why your VPN doesn't work behind the Buffalo I am guessing it is blocking the VPN traffic, make sure that the Buffalo has something like 'VPN passthrough' enabled.

You do have asymmetrical routing, but that shouldn't be the issue. Instead, I suspect the issue is link delay involving your 3G link. Since IPSec IKE uses UDP/500 or UDP/4500 with NAT-Traversal, there's no guarantee of packet delivery. Your VPN client -- the IKE initiator -- sends the first IKE message and is awaiting a response from your ASA. The ASA IKE response message is either dropped or delayed too long that your VPN client sends another IKE message, causing the ASA to log the Duplicate first packet received.

I would think your DSL link is more reliable -- less delay, less jitter, less packet loss -- than the 3G mobile network. Any reason that's not your default gateway? To test the 3G link as the issue, force the DSL to be your default.