Hey guys, hope all is going well. We have an interesting issue happening with two of our VPNs.
Site A, the Sophos, connects to Sites B and C through tunnel-based IPsec VPNs. SD-WAN routes are in use to get to Site B, while static routes are used for Site C. The issue is, when we try to ping any address on Site C’s LAN, the traffic gets sent to Site B’s xfrm interface, not Site C’s.
Here’s the setup:
Site A subnet: 10.100.0.0/16
Site B subnet: 192.168.5.0/24
Site C subnet: 10.122.0.0/16
Site B tunnel:
Site C tunnel:
Site B route:
Site C route:
Logs:
What could be causing the issue?
We feel it's something simple that we're missing. Do you guys see anything wrong with this setup?
Thanks!
Suporte Braveo,
I have attempted a setup similar to yours and things are working fine as expected.
Please have a few checks on SiteA:
* Verify the gateway is UP and that an SFOS-generated ping to 192.168.5.1 (SiteB's LAN client) is working fine; the client behind SiteB should have reachability to the xfrm subnet of SiteA. You can alternatively use the xfrm IP of SiteB in SiteA's Gateway --> Health check --> Monitoring condition; ensure to turn ON the ping flag on the VPN zone (from Administration --> Device Access) on SiteB. This is needed for ping on xfrm to work.
* Verify SDWAN profile and SDWAN route status are GREEN.
* Verify SiteA does not have any static route to reach the 192.168.5.0/24 subnet.
If it is not working, you may want to pass on the access-id of SiteA in a DM to me to check further.