I have reviewed the basics so far,

We have a firewall rule that allows SSH connection to ClusterXL HA members.

We are trying to connect via RA VPN.

Our RA VPN segment is allowed in the VPN Domain of the RA VPN community, but what I have "noticed" is that when we are connected to the VPN, we do not get the route to manage the 192.168.61.x segment.

We consult the route table on each PC, with the command "route print".

In the LOGS nothing is seen (as if no traffic attempt is generated by SSH), and the "FW CTL ZDEBUG + DROP | GREP IP", does not tell us anything wrong.

Greetings.

What does route print show? If such a route is missing on the firewall, then it wont get "injected" when clients connect either.

Andy

We have a rule, where our origin is the segment of the RA VPN connections, and the destination is the GW of the Cluster.

Destination IPs: 192.168.61.2 and x.x.61.3

The route print does not show me this segment, for some strange reason.
I guess that's why we can't reach both GWs, but the strangest thing is that both IPs are within the VPN Domain of the RA VPN community.

The only way to access the GWs is jumping from the SMS.

I share a txt with what it shows me at the level of a connected user.

Whats mgmt IP? Can you send route print?

Andy

I share with you the "route print" from a remote user connection.

Routing is your issue, there is nothing for 192.168.61.x subnet. Check proper route exists for it on the cluster.

Andy

To fix the route, from what "perspective", from the same GW of the Cluster?

Because those IPs, 192.168.61.2 and x.x.x.3, belong to the GWs,
They are their management IPs.

You mean validate the route, to reach the network of my VPN remote user connection pool, 192.168.9.0?

I did not understand that last part of your comment.

Sorry, Buddy

The vpn clients are not getting route to that subnet because its not getting propagated from the gateway itself. I would call TAC and do a quick remote for this, Im sure its something simple missing.

Andy