DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2910 sometimes bypasses VPN with incorrect route to WAN

15 Oct 2009 11:37 #1 by ioncube
I've a problem where a 2910 occasionally switches a working VPN route to be via the WAN connection (which blocks the route), and wondered if anyone had any ideas of how to solve it.

The 2910 with fw 3.2.1 is on network A, with a VPN to network B and C. Network C with a 2820 also connects to B (2800). This all works well for the most part and each network can reach machines on the other two. Exchange of RIP between networks is disabled.

Periodically, a device on network A (a DECT/SIP phone) fails to reach its server on B, which when I check the NAT sessions table for the 2910 is because the 2910 has added a route for the SIP traffic to be via the WAN instead of the VPN as it should be. Once the session has dropped from a reboot or unplugging the phone for a few minutes, the phone successfully re-registers over the VPN and all is well until it happens again, which could be in a few hours or a few days. It also doesn't happen for similar phones on network C connecting to B, but the phones are different models and C has a 2820 rather than a 2910.

I tried adding an explicit route for the server to the VPN via the "More" button on VPN TCP/IP settings for the 2910 and then rebooting, just in case that would stop the conflicting route from being created, but as expected it didn't stop it happening again.

I've a vague feeling that this could happen if there's a temporary connectivity issue between A and B, but that might well not be it at all.

Settings for each VPN have "My Wan IP" as 0.0.0.0, "Remote Gateway IP" as 0.0.0.0, "Remote Network IP" as 192.168.x.0 (x is 4, 3 or 1), and "Remote Network Mask" as 255.255.255.0.

The setup seems to be correct as the VPNs work well generally, and I'm not aware of similar problems for other devices on the various networks, and I can't see why the bogus route would be added. I also couldn't find any way via the CLI to explicitly drop the session to avoid the reboot or unplugging.

Any hypotheses and suggestions to try gratefully received!

2600VG v2.5.7rc5_UK
