Strange Issue with Multi Subnet VPN
Hope someone can offer some advice as I'm stuck with an odd error with my site to site VPN.
I have it working fine, and am trying to alter the subnet by expanding it from a /23 to a /20 on the tunnels (the network config is already /20). But as soon as I make the change I can't get any traffic into the Firebox from the other side (VMWare Edge). If I flip it back to a /23 it works fine again. When I check the VPN Diagnostic report I can see this:
tunnel route#2(10.60.0.0/23<->10.0.0.0/24) - Established Incoming VPN traffic was detected for this tunnel after the diagnostic report started. Outgoing VPN traffic was detected for this tunnel after the diagnostic report started. The firewall policy "BOVPN-Allow.out-00" is matched for the outgoing traffic. The incoming traffic for tunnel route (10.0.0.0/24<->10.60.0.0/23) is denied by firewall policy (Inconclusive). Recommendation: Check your firewall policy configuration.
Anyone have any ideas what this means? I have tried removing all the tunnels, saving the config, then reapplying. I have also removed the BOVPN policy and re-added it - no difference.
Weirdly, I can ping from the Firebox side to the VMWare side, but not the other way.
I can't get any reporting from the VMWare side unfortunately, but wanted to rule out anything WatchGuard side first.
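The failure mode in this thread is a tunnel-route (traffic selector) mismatch: the Firebox side is widened to a /20 while the other end still negotiates the /23 quoted in the diagnostic report, so the two peers describe different tunnel routes and traffic arriving under the narrower selector does not match the wider one. The script below is an added example, not WatchGuard or VMware tooling, that models this check with Python's `ipaddress` module. The Firebox routes use the subnets quoted in the post; the peer side's configuration is an assumption, since the poster could not see it.

```python
"""Compare the tunnel routes configured on both VPN peers and test which
route, if any, covers a given packet.

Added example for the thread above; it is not WatchGuard or VMware code.
The Firebox subnets come from the post; the peer's routes are assumed,
because the poster had no visibility of the VMware side.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# A route is (local network, remote network) as seen by the side that owns it.
Route = Tuple[str, str]
Network = ipaddress.IPv4Network
RouteSet = Set[Tuple[Network, Network]]


def normalise(routes: List[Route]) -> RouteSet:
    """Parse a side's routes into a set of (local, remote) network objects."""
    return {
        (ipaddress.ip_network(local, strict=False),
         ipaddress.ip_network(remote, strict=False))
        for local, remote in routes
    }


def mirrored(peer_routes: List[Route]) -> RouteSet:
    """Express the peer's routes from the Firebox's point of view.

    What the peer calls "local" is "remote" to the Firebox and vice versa,
    so the pair is swapped before comparison.
    """
    return normalise([(remote, local) for local, remote in peer_routes])


def selector_mismatches(firebox_routes: List[Route],
                        peer_routes: List[Route]):
    """Return (firebox-only, peer-only) routes with no exact counterpart.

    Simplified model: IPsec negotiates traffic selectors per tunnel route,
    and a 10.60.0.0/20 route on one side is a different selector from a
    10.60.0.0/23 route on the other, even though one contains the other.
    """
    fb = normalise(firebox_routes)
    pr = mirrored(peer_routes)
    return sorted(fb - pr, key=str), sorted(pr - fb, key=str)


def matching_route(routes: List[Route], src: str,
                   dst: str) -> Optional[Tuple[Network, Network]]:
    """First (local, remote) route covering a packet that arrives at the
    Firebox from src on the remote side to dst on the local side, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in sorted(normalise(routes), key=str):
        if s in remote and d in local:
            return (local, remote)
    return None


if __name__ == "__main__":
    # Constructed configuration: Firebox widened to /20, peer still on /23.
    firebox = [("10.60.0.0/20", "10.0.0.0/24")]
    peer = [("10.0.0.0/24", "10.60.0.0/23")]  # assumed peer-side view

    fb_only, peer_only = selector_mismatches(firebox, peer)
    print("Routes only on the Firebox :", [tuple(map(str, r)) for r in fb_only])
    print("Routes only on the peer    :", [tuple(map(str, r)) for r in peer_only])

    # A host outside the old /23 but inside the new /20.
    pkt = ("10.0.0.5", "10.60.8.20")
    print("Firebox route for", pkt, "->", matching_route(firebox, *pkt))
    print("Peer's /23 covers it?       ->",
          matching_route([("10.60.0.0/23", "10.0.0.0/24")], *pkt))
```

When both lists returned by `selector_mismatches` are empty the selectors agree and the next thing to check is the policy itself; when they are not, the "denied by firewall policy (Inconclusive)" line in the diagnostic report is consistent with traffic arriving for a tunnel route the Firebox no longer has, and the fix is to widen the route on the remote side to match before widening it on the Firebox.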