I suggest removing the ACL and then testing the connectivity. Basically, add one thing at a time.
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jan 16, 2026 03:36 AM
From: AudriusBi
Subject: Aruba microbranch
Also, on my VPNCs I apply a Routed ACL, which routes all traffic to my central site firewall.

VPNCs are connected with G0/0 directly to the internet and with G0/1 to the firewall, to which I am PBRing all traffic from Microbranches.
Maybe I need to apply a Session ACL to the Overlay?
Also I see that my G0/0 has a session ACL, but if I understand correctly it is applied only to traffic which tries to directly access my VPNC interface G0/0;
it is not applied to overlay traffic.

Original Message:
Sent: Jan 16, 2026 02:25 AM
From: AudriusBi
Subject: Aruba microbranch
I can ping my switch IP from remote locations or from the GW cluster. I think it is not routing, but something with the ACL.
I am applying these role rules to my switch IP and to all clients which connect to this switch.

My PBR is configured to forward local subnets locally and to PBR all other traffic into the IPsec tunnel over Microbranch to the VPNC cluster.

Original Message:
Sent: Jan 15, 2026 11:46 PM
From: ariyap
Subject: Aruba microbranch
Yes, as Carson said, that's the key, so both ends have a valid route to get to the destination IP network. Perhaps you want to share the details of the routes/subnets.
------------------------------
Original Message:
Sent: Jan 15, 2026 03:57 PM
From: chulcher
Subject: Aruba microbranch
And does the network behind the VPNC (your management network) have a route pointing back at the Microbranch network through the VPNC?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 15, 2026 06:08 AM
From: AudriusBi
Subject: Aruba microbranch
Yes, the VPNC receives OAP Bc routes from the microbranch AP. The AP sees routes from the VPNC.
The switch is connected over the AP eth2 port and the switch IP gets a role, which allows all traffic and does PBR.
In the PBR policies list there is one policy which says "forward" traffic and a second policy which says "forward to next-hop-list", which is my VPNC cluster.