I used CCA 2.1 to initially configure EZVPN connection between remote site SR520 and Main site UC520. (Now using CCA 2.2.)
However, main site cannot access remote site subnets.
Users at the remote site can access the main site data network with no issues.
1. a PC at the remote teleworker location can access all main site subnets;
2. an SPA525 phone at the remote teleworker location even registers and is able to make calls via the UC520.
So I am happy with this functionality.
A PC at the main site cannot ping the remote teleworker site PC or other devices on the remote subnet.
Using CCA I created a virtual pool for the remote teleworker EZVPN SR520 router clients.
Here is a partial copy of UC520 route table to indicate their virtual addresses:
S 192.168.61.4 [1/0] via 0.0.0.0, Virtual-Access2
S 192.168.61.7 [1/0] via 0.0.0.0, Virtual-Access3
S 192.168.61.2 [1/0] via 0.0.0.0, Virtual-Access5
My UC520 data network vlan has an IP address of 192.168.66.254
My SR520 data network vlan has an IP address of 192.168.77.1
On my UC520 PC on my data network, whenever I try to ping a PC on the remote teleworker network, I get no replies.
So I thought I would try something.
For testing, we added a static route into my UC520, pointing to the remote teleworker site with a next hop of the dynamically assigned VPN IP address from my pool. Here is the route I added:
ip route 192.168.77.0 255.255.255.0 192.168.61.7
This now allowed pings to the remote subnet. Obviously, this is not a long-term fix since the dynamically assigned VPN address will change if re-negotiated.
Shouldn't the UC520 dynamically learn about the remote teleworker LAN subnets and route automatically?
What is the workaround for this issue?
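
Added example, not part of the original post: a small Python model of longest-prefix matching with recursive next-hop resolution over the routes quoted above. It shows that the table has no route covering 192.168.77.0/24 until the test static route is added, and that the route stops resolving once the pool address changes. Only the routes shown in the post are modeled; the data VLAN mask, the interface name Vlan-data, and the addresses 192.168.77.10 and 192.168.61.9 are assumptions.

```python
import ipaddress

# Constructed model of the UC520 table: the three host routes are the ones
# quoted in the post; the /24 mask and "Vlan-data" name are assumptions.
BASE = [
    ("192.168.61.4/32", "Virtual-Access2", None),
    ("192.168.61.7/32", "Virtual-Access3", None),
    ("192.168.61.2/32", "Virtual-Access5", None),
    ("192.168.66.0/24", "Vlan-data", None),
]
# The test route from the post: ip route 192.168.77.0 255.255.255.0 192.168.61.7
STATIC = ("192.168.77.0/24", None, "192.168.61.7")


def lookup(table, dst):
    """Longest-prefix match: return the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def egress(table, dst, depth=0):
    """Follow recursive next hops until an interface is found, else None."""
    route = lookup(table, dst)
    if route is None or depth > 8:  # no covering route, or a next-hop loop
        return None
    _, iface, next_hop = route
    return iface if iface else egress(table, next_hop, depth + 1)


def renegotiated(table, old_ip, new_ip):
    """Model the tunnel coming back up with a different pool address."""
    return [(f"{new_ip}/32", i, n) if p == f"{old_ip}/32" else (p, i, n)
            for p, i, n in table]


if __name__ == "__main__":
    pc = "192.168.77.10"  # constructed address of a remote-site PC
    print("no static route:    ", egress(BASE, pc))
    print("with test static:   ", egress(BASE + [STATIC], pc))
    moved = renegotiated(BASE, "192.168.61.7", "192.168.61.9") + [STATIC]
    print("after renegotiation:", egress(moved, pc))
```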