I would stop, draw it out and document the connections. Post a simple Visio here so we can sanity check "our" assumptions on your setup. We may be missing an important detail, filling in the blanks with our deployment expectations vs. your actual setup.

"Assuming" you have configured advertised networks on the hub site-to-site VPN page, I would take one of those networks in question and confirm routes for the targets are "Green" and not spinning circles on the spoke side, i.e. they are going via the VPN tunnel, not some other unexpected direct internet / VPN path. Then I would do the same on the hub side. Do you see the expected spoke routes as green (not spinning)?

Then use the Traceroute and MTR on the tools page of the MXs and make sure the path is really what you expect. I would do that from both the spoke and the hub locations to make sure the hub or spoke are not making some odd unexpected routing decision based.

Sanity check the Topology pages, make sure they match, and you don't see an odd IP in the stack that's advertising a route off the stack, i.e. a cable modem in a non-segmented port that just happens to match an IP / ARP. Seen stranger things happen.

Then again, I grab a Wireshark during a transfer and look for any packet retries, fragmented packets or large gaps in packet sequences, TCP 0 events. If it's an HTTPS transfer, we will not see inside the data, just IPs and headers. So happy to take a look at one if you need a set of eyes. If you're not comfortable posting the Wireshark here, feel free to hit me up out of band and we can take a look, with a screen share or a private email to send it to.

I think we're all interested to figure out where the gremlin is coming from.
						
					