Have you tried using traceroute instead of tracepath? Tracepath uses a range of User Datagram Protocol (UDP) ports, one or many of which might be blocked at the firewall. I suspect this is what’s happening, although I recommend further testing and analysis to figure out the root cause. Also, sometimes tools with lower privilege levels have limitations. For your situation, I suggest trying traceroute and also verifying the firewall protocols. Given what you’ve described, the IP routing appears to be functional.
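One way to carry out the testing the answer recommends, added here as an example rather than the expert's own procedure: run the same path with UDP (the default), ICMP echo and TCP SYN probes and with tracepath, then compare the last hop that answered under each probe type. A path that completes with one probe type but goes silent at the same hop with another points at a filtering policy on that hop rather than a routing fault. It assumes the Linux `traceroute` (`-I` for ICMP, `-T` for TCP, `-n`, `-q`, `-w`) and `tracepath -n`; the output parser is given constructed sample output below, not a real capture.

```shell
#!/bin/sh
# Added example (not from the expert's answer): compare probe types over one path.
# Assumes Linux "traceroute" (-I ICMP echo, -T TCP SYN, UDP by default) and "tracepath".

# last_responding_hop: read traceroute or tracepath output on stdin and print the
# highest hop number that returned at least one reply (0 if nothing answered).
last_responding_hop() {
    awk '
        # traceroute hop lines start with the hop number ("  4  * * *");
        # tracepath hop lines look like " 3:  10.0.0.1  1.2ms" or " 3:  no reply".
        /^ *[0-9]+[: ]/ {
            hop = $1; sub(/:$/, "", hop)
            line = $0; sub(/^ *[0-9]+:? */, "", line)
            # a hop counts as answering unless every probe timed out
            if (line !~ /^(\* *)+$/ && line !~ /^no reply/) last = hop
        }
        END { print (last == "" ? 0 : last + 0) }
    '
}

# probe_modes TARGET: run UDP, ICMP and TCP probes plus tracepath against TARGET
# and report the last answering hop for each, so a hop that drops only one probe
# type stands out. ICMP and TCP modes usually need root for raw sockets.
probe_modes() {
    target=$1
    for mode in "UDP:" "ICMP:-I" "TCP:-T"; do
        name=${mode%%:*}; flag=${mode#*:}
        hop=$(traceroute -n -q 1 -w 2 $flag "$target" 2>/dev/null | last_responding_hop)
        printf '%-5s probes: last reply from hop %s\n' "$name" "$hop"
    done
    hop=$(tracepath -n "$target" 2>/dev/null | last_responding_hop)
    printf 'tracepath:   last reply from hop %s\n' "$hop"
}

# Usage: sh probe_modes.sh 10.0.0.5   (probes run only when a target is given)
if [ $# -gt 0 ]; then
    probe_modes "$1"
fi
```

Read the summary side by side: if UDP probes and tracepath stop at hop 3 while ICMP reaches the destination, hop 3 (or the firewall in front of it) is discarding the UDP probe ports, which matches the answer's suspicion; if every mode stops at the same hop, look at routing or an ACL on that hop instead.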
View other responses to this question on the IT Knowledge Exchange (please note: SearchEnterpriseWAN.com and IT Knowledge Exchange registration are the same): Able to ping L3 VPN but unable to do tracepath