Clients behind VPN Concentrator can't ping a subnet, but the concentrator can. Routes in place.

Hello and thank you for reading,

We have a VPN Concentrator 3000; it works for all the sites except for a new one we just added. There is communication between the Concentrator and the office, but we can't ping the clients behind the concentrator.

Traceroute shows that the traffic reaches the concentrator, but it never makes it back. There is no firewall in between.

Office switch:

Tracing the route to <- VPN Client
VRF info: (vrf in name/id, vrf out name/id)
1 10 msec 0 msec 0 msec
2 30 msec 20 msec 20 msec
3 20 msec 30 msec 20 msec
4 20 msec 20 msec 20 msec
5 20 msec 20 msec 30 msec
6 20 msec 20 msec 30 msec
7 20 msec 20 msec 20 msec  <- VPN Concentrator

The configuration is the same on all the switches, and I added the new subnet to the list of static routes on the VPN Concentrator. 

Any help on this will be greatly appreciated.


Philip D'Ath
Windows firewall?

The subnet pool for the VPN Clients ( is different than the internal subnet ( So, can you verify if you have the proper routes for the VPN pool subnet?

Please share the configuration of the concentrator as well.

Hi ndhingr3,

Thank you for your reply. As you can see in my original post, the "Traceroute" to 172.18.X.X does travel all the way to the VPN Concentrator, so the routes are there. For some reason, the VPN concentrator does not route it.

Here's the routing table of the VPN Conc.

2 Default 0 1
1 Static 0 1
1 Static 0 2
1 Static 0 2
1 Static 0 2
1 Static 0 1
2 Local 0 1
1 Static 0 2
1 Local 0 1

10.4.X.X is the subnet having issues. However, I can ping the inside of the concentrator.

Thanks in advance!