A network engineer has configured an IPsec site-to-site VPN between two offices. The tunnel is established and shows as active. However, users at the branch office (10.0.1.0/24) cannot reach servers at the main office (192.168.1.0/24). Both routers have the correct VPN policies and firewall rules permitting IPsec traffic. What should the engineer check next?
Correct. Without routes for the remote network pointing to the tunnel interface, traffic will not be sent through the VPN.
Why this answer
The tunnel being active means Phase 1 and Phase 2 of IPsec are established, but traffic still cannot flow because the routers lack routes to the remote subnets. Without a route for 10.0.1.0/24 on the main office router (or 192.168.1.0/24 on the branch router), packets will be dropped or sent out the wrong interface, even though the VPN policy and firewall rules are correct. The engineer must verify that static routes or a dynamic routing protocol (e.g., OSPF over the tunnel) are in place to direct traffic into the IPsec tunnel interface.
Exam trap
Cisco exams often test the misconception that a 'green light' tunnel status guarantees traffic flow; candidates forget that routing is a separate layer that must explicitly direct traffic into the tunnel interface.
How to eliminate wrong answers
Option A is wrong because DNS server addresses affect name resolution, not IP-level reachability; if the tunnel is up and routing is correct, users could still reach servers by IP even with misconfigured DNS. Option C is wrong because an MTU mismatch typically causes fragmentation issues or packet loss, not a complete inability to reach the remote subnet; the tunnel is already established, and MTU problems would manifest as intermittent connectivity or performance degradation, not a total black hole.