We have remote access VPN set up via Cisco AnyConnect, terminating on the outside interface of the FTD. We also have a site-to-site VPN in place, from the FTD to a company, and one of the remote access users needs to connect via HTTPS to a server (172.16.x.x) over the site-to-site VPN while connected via remote access. On the FTD we have routing in place to send traffic destined for the server out of the outside interface of the FTD, i.e. over the S2S VPN, which is how it should be.
I would expect traffic from the VPN user to hit the firewall on its outside interface and then go straight out again, and we have a hairpin rule in place to allow exactly that. What is happening, though, is that the incoming traffic is being directed inwards, despite the route telling it to go outwards, hitting the core switch and then being routed back to the internal interface of the FTD, where it is blocked because there is no inside-to-outside rule allowing that traffic flow. If I connect to the RA VPN and do a traceroute, the first hop is the core switch, then it times out.
It appears the FTD is considering the IP address of the server as an internal address, despite it being included in the "protected networks" part of the S2S VPN configuration.
Can anyone suggest any configuration that I should check to ensure it flows as expected?
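Before changing any rules, the quickest way to see which stage of the FTD's processing picks the inside interface for this flow is to run it through packet-tracer from the diagnostic CLI. The session below is an added example for this thread, not commands from the original poster; the VPN pool client address (10.10.10.5), the server address (172.16.1.10) and the S2S peer address (203.0.113.1) are placeholders to replace with the real values.

```cisco
! Enter the ASA-style diagnostic CLI on the FTD (from the FTD shell).
> system support diagnostic-cli
firepower# enable

! 1. Simulate the RA VPN client's HTTPS flow as it arrives on the outside
!    interface. The output lists every phase (ROUTE-LOOKUP, NAT, ACCESS-LIST,
!    VPN, ...) and ends with the selected output-interface and the verdict.
!    Look for which phase sets the egress interface to "inside" rather than
!    "outside", and whether the flow matches a VPN phase for the S2S tunnel.
firepower# packet-tracer input outside tcp 10.10.10.5 40000 172.16.1.10 443 detailed

! 2. Confirm the routing table actually sends the server out of outside.
firepower# show route 172.16.1.10

! 3. List NAT rules that touch the server or the VPN pool. A rule that maps
!    172.16.1.10 behind the inside interface is used for egress-interface
!    selection before the route is consulted unless it was built with
!    route-lookup, so note the interface pair on any matching rule.
firepower# show nat detail | include 172.16.1.10
firepower# show nat detail | include 10.10.10.5

! 4. Hairpinning out of the same interface requires this to be enabled.
firepower# show running-config same-security-traffic

! 5. Verify the S2S tunnel's crypto selectors include the server, and that
!    the RA client's pool is covered on the peer side, by checking the
!    negotiated local/remote identities on the active SA.
firepower# show crypto ipsec sa peer 203.0.113.1 | include ident|encaps|decaps

! 6. Confirm the RA session's assigned address, to be sure the traced source
!    address is the one the client is really using.
firepower# show vpn-sessiondb anyconnect | include Assigned
```

Read the packet-tracer output from the top down: the first phase that reports an output interface is the one that decided where the packet goes, and the phase marked DROP is where it was stopped. If the egress interface is already "inside" before the ACCESS-LIST phase, the problem is in interface selection (NAT or routing), not in the access rules; if the flow reaches the end with "outside" as the egress but never shows a VPN phase, the S2S selectors are what need checking.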