I had windows domain controllers where in their ipsec tunnels were not working. One of the domain controllers had CSS on the path and i suspect CSS is dropping these packets. But in another data centre i could see similar tunnel working through CSS. ...