Can't ping to a host behind center gateway of VPN Site to Site from satellite gateway

Hi all,

I have a problem when setting up a site-to-site VPN.

Site A (HQ) connects to other branches (I name them site B from here) via WAN link. 

Normally, internet traffic will go out on each gateway at each site and intranet traffic will route through WAN. 

Then I set up a star site-to-site VPN with site A (center gateway) and the other sites B (satellites), and this is a backup link when the WAN link is down.

I have made all test connections between hosts behind these gateways with the WAN down, and all passed.

But then I found that all satellite gateways B can't ping any hosts behind the center gateway.

When I traceroute, the traffic flows through the VPN link, not the WAN link as it did before I set up the site-to-site VPN. I think this is because the VPN domain has higher priority.

Now all satellite gateways B can't access AD, so the Identity Awareness set up before has failed.

I have tried removing the AD subnet from the VPN domain of the center gateway, but no luck: the traffic still flows through the site-to-site VPN link, not back through the WAN link (the internal interface of the center gateway is on the same subnet as AD).


Please advise me on this issue.


0 Kudos
3 Replies

Is this a domain-based VPN or a route-based VPN?
In general, domain VPN routes have higher priority.
Possibly you may need to use a route-based VPN configuration for this.
0 Kudos

Please provide the actual topology diagram.

Depending on how the WAN is configured, what the default gateways of the hosts at each site are and if you are using dynamic routing, the behavior may differ significantly.


I am particularly interested in seeing any and all routing devices that may be traversed by the local and WAN traffic.

0 Kudos

There are 2 options to make this work properly:
1. Set up route-based VPNs with dynamic routing and use proper priorities for the different links.
2. Have the MPLS provider set up VPNs through your FWs to the other sites using DM-VPN (Cisco's mesh topology), if they are willing.

The latter does require a free IP to be able to be used for NAT to/from those routers.
Regards, Maarten
0 Kudos