Any specific reason not to use RSTP instead of STP?
I noticed you defined:
dynamic-vpn {
    access-profile remote_access_profile;
    clients {
        startup_rvpn_group {
            remote-protected-resources {
                0.0.0.0/0;
I suggest trying this as part of the test configuration:
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn startup_rvpn
set security dynamic-vpn clients all user rcarongt
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
Do a "commit check" first.
If that config fails the check, enter rollback 0 (return to candidate config), then instead of clients "all" use set security dynamic-vpn clients startup_rvpn_group
Like this:
set security dynamic-vpn clients startup_rvpn_group remote-protected-resources 10.0.0.0/24
set security dynamic-vpn clients startup_rvpn_group remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients startup_rvpn_group ipsec-vpn startup_rvpn
set security dynamic-vpn clients startup_rvpn_group user rcarongt
Also do a commit check.
If either check passes, then do a commit confirmed and test. It will roll back after 10 minutes (default), or use commit confirmed 5 to apply the config for 5 minutes only.