Topology is like below:
spokeA(SSG 192.168.1.0) <--- tunnel.1A (VPN) ---> Hub (DataCenter SSG) <--- tunnel.1B ---> spokeB(PA 172.16.2.0)
                        <--- tunnel.2A (P2P) --->
Previously, I set the route from spokeA to spokeB to use tunnel.1A, but the route from the Hub to spokeA used tunnel.2A. I have now changed the route from spokeA to spokeB to use tunnel.2A.
After the change:
1. Both spoke gateways can ping each other. (Success)
2. SpokeB gateway/workstations can ping spokeA gateway/workstations. (Success)
3. SpokeA workstations can ping the spokeB gateway. (Success)
4. SpokeA gateway/workstations cannot ping spokeB workstations. (Fail)
The pcap file generated from the PA (drop stage) shows the replies were all dropped:
1 0.000000 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=6968/14363, ttl=127
2 0.988816 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7068/39963, ttl=127
3 1.988057 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7168/28, ttl=127
4 2.988217 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7268/25628, ttl=127
5 3.987972 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7368/51228, ttl=127
The pcap (transmit stage) also shows all transmitted requests as "no response found":
1 0.000000 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=6968/14363, ttl=61 (no response found!)
2 0.988672 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7068/39963, ttl=61 (no response found!)
3 1.988291 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7168/28, ttl=61 (no response found!)
4 2.988150 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7268/25628, ttl=61 (no response found!)
5 3.988147 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7368/51228, ttl=61 (no response found!)
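Added example (not part of the original post): a small Python script that parses the two tshark-style summaries above and pairs every echo request seen at the firewall's transmit stage with the reply seen at its drop stage, keyed on the ICMP id and sequence number. A request flagged "no response found" whose reply does show up in the drop capture, with source and destination mirrored, means the reply was generated by the spokeB host and reached the PA, but the PA discarded it rather than forwarding it back toward spokeA. That is the pattern you expect when the return traffic hits the firewall without a matching session, which is consistent with the request and reply taking different tunnels after the route change; the script only establishes the drop, the cause still has to be confirmed in the session table and counters. The sample input is the post's own pcap text re-split one packet per line; the column layout assumed is tshark's default summary output.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two capture summaries from the post, one packet per line.
DROP_STAGE = """\
1 0.000000 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=6968/14363, ttl=127
2 0.988816 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7068/39963, ttl=127
3 1.988057 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7168/28, ttl=127
4 2.988217 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7268/25628, ttl=127
5 3.987972 172.16.2.11 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=7368/51228, ttl=127
"""

TRANSMIT_STAGE = """\
1 0.000000 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=6968/14363, ttl=61 (no response found!)
2 0.988672 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7068/39963, ttl=61 (no response found!)
3 1.988291 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7168/28, ttl=61 (no response found!)
4 2.988150 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7268/25628, ttl=61 (no response found!)
5 3.988147 192.168.1.1 172.16.2.11 ICMP 146 Echo (ping) request id=0x0400, seq=7368/51228, ttl=61 (no response found!)
"""

# Assumed layout: tshark default summary columns (No. Time Src Dst Proto Len Info).
# The Info column for echo traffic carries id=..., seq=BE/LE, ttl=... and an optional note.
ICMP_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+(?P<len>\d+)\s+"
    r"Echo \(ping\) (?P<kind>request|reply)\s+id=(?P<id>0x[0-9a-fA-F]+),\s*seq=(?P<seq>\d+)/(?P<seq_le>\d+),"
    r"\s*ttl=(?P<ttl>\d+)(?P<note>.*)$"
)


@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    kind: str      # "request" or "reply"
    ident: int     # ICMP identifier
    seq: int       # big-endian sequence number as tshark prints it first
    ttl: int
    note: str      # trailing annotation such as "(no response found!)"


def parse_summary(text):
    """Parse tshark summary lines into Echo records; lines that are not echo traffic are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        pkts.append(Echo(m["src"], m["dst"], m["kind"], int(m["id"], 16),
                         int(m["seq"]), int(m["ttl"]), m["note"].strip()))
    return pkts


def correlate(tx_pkts, drop_pkts):
    """Pair each transmitted echo request with a dropped reply by (id, seq).

    For every request returns whether tshark saw no reply on the transmit capture,
    whether a reply with the same id/seq exists in the drop capture, and whether that
    reply's addresses are the mirror image of the request (proof it answers this request).
    """
    replies = {(p.ident, p.seq): p for p in drop_pkts if p.kind == "reply"}
    rows = []
    for req in tx_pkts:
        if req.kind != "request":
            continue
        rep = replies.get((req.ident, req.seq))
        rows.append({
            "seq": req.seq,
            "unanswered_on_wire": "no response found" in req.note,
            "reply_captured_at_drop": rep is not None,
            "reply_mirrors_request": rep is not None and rep.src == req.dst and rep.dst == req.src,
        })
    return rows


def summarize(rows):
    """Return (total requests, requests whose reply was seen and then dropped by the firewall)."""
    dropped = sum(1 for r in rows
                  if r["unanswered_on_wire"] and r["reply_captured_at_drop"] and r["reply_mirrors_request"])
    return len(rows), dropped


if __name__ == "__main__":
    rows = correlate(parse_summary(TRANSMIT_STAGE), parse_summary(DROP_STAGE))
    total, dropped = summarize(rows)
    for r in rows:
        print(f"seq={r['seq']:5d} unanswered={r['unanswered_on_wire']} "
              f"reply_at_drop={r['reply_captured_at_drop']} mirrored={r['reply_mirrors_request']}")
    print(f"{dropped} of {total} requests were answered, and the answer was dropped at the firewall")
```

Running it against the post's captures reports 5 of 5: every request that tshark marks "no response found" has its reply sitting in the drop-stage capture with the addresses swapped, so the loss is at the PA, not at the spokeB host or on the tunnel back to spokeA. The same script can be pointed at `tshark -r <file>` output from the receive and transmit stages of a later capture to verify the fix once the return route is aligned with the forward one.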