Good question! I've noticed this, too. I've never tested to see if it happens only to sessions in the same subnet or it happens with any two sessions on the same machine.

Also, I've noticed that you cannot establish an administrative session to a device you are tunneled to, even if you do so through a different interface and different DNS name. I think a ping to the device also fails.

I've never understood either of these phenomena.

Ken

Does your NC ACL allow for the NC network address(es) and any NAT that might be happening?

I did a VOIP at one time with no isssues. Bring up a separate VOIP then launch NC. Both tunnels work.

My NC ACL allows all traffic, and my Split-Tunneling Networks allow the Client's LAN, and the subnet used to allocate NC addresses to clients.

I don't want direct access between clients, I still want their traffic to be tunnelled, but I don't think this is supported some how (the SA doesn't seem to route between clients).

You are correct, the SA won't route between the NC clients; they will need to go out through the network. What does a TCP dump on all 3 interfaces (both NC clients and then the internal port of the IVE) show?