Can you confirm that the traffic involved is 'in-VPN'? The source VLAN needs to be VPN enabled in the Spoke MXs Addressing & VLANs config and the destination for the traffic needs to lie within a range of addresses advertised from (or via) one of the VPN Hubs.
... View more
