https://community.checkpoint.com/t5/SASE-and-Remote-Access/S2S-VPN-and-Remote-Access/m-p/87532#M10276 That sounds like a bug and you should engage with the TAC. Mon, 08 Jun 2020 02:54:54 GMT PhoneBoy 2020-06-08T02:54:54Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/S2S-VPN-and-Remote-Access/m-p/87340#M10275 <P>Hello.</P><P>&nbsp;</P><P>I have a situation where I am trying to allow remote access users to access a LAN subnet at a remote site.</P><P>For example.</P><P>I am ABC company.</P><P>ABC have remote access solution for their employees</P><P>ABC have 1 set of HA firewalls on the perimeter</P><P>ABC have a S2S VPN (STAR) to a company called HLD</P><P>&nbsp;</P><P>ABC employees need to acccess HLD LAN from their remote access connection</P><P>&nbsp;</P><P>Issue is:</P><P>Before making any NAT changes, or before changing the remote end to point at the RA office mode subnet, this happens:</P><P>Adding HLD LAN subnet to RA Encryption domain means everyone loses access to HLD. Not just remote access, everyone on ABC LAN can no longer access HLD.</P><P>Tunnel stays up, but traffic starts routing out via GW default gateway, and not over VPN.</P><P>Removing HLD LAN from RA Enc Domain fixes issues almost immediately.</P><P>&nbsp;</P><P>Can someone provide advice on why this is happening, and the best way to configure such a set up?</P><P>&nbsp;</P><P>R80.30 running Jumbo 90 something.. 2.6 kernel. 3000 devices running HA</P> Thu, 04 Jun 2020 15:41:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/S2S-VPN-and-Remote-Access/m-p/87340#M10275 SCSupport 2020-06-04T15:41:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/S2S-VPN-and-Remote-Access/m-p/87532#M10276 That sounds like a bug and you should engage with the TAC. Mon, 08 Jun 2020 02:54:54 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/S2S-VPN-and-Remote-Access/m-p/87532#M10276 PhoneBoy 2020-06-08T02:54:54Z