We are looking to send Microsoft patches from a WSUS server behind the MX450, via multiple MX450 headends from our data center via WAN2, down via the spokes' MX84 or MX85 WAN2. This is so that WAN1 of both SD-WAN headends and spokes remains relatively free for other production applications. We configured the following VPN traffic custom expression on both MX450 headends and MX84 and MX85 spokes:
protocol: any, source: IP address of WSUS server 10.105.x.x, source port: any, destination: any, destination port: any
We see this traffic flowing over WAN2 on the MX450s, but we DO NOT see this traffic flowing over WAN2 for MX84 or MX85 spokes. I verified this by doing a packet capture for "site-to-site vpn over internet1" and "site-to-site vpn over internet2". Active-Active AutoVPN is enabled on all spokes, so AutoVPN is established on both WAN1 and 2 on all spokes.
Please advise what the issue can be.