Score:0

AWS client VPN endpoint - some client ip's do not allow access to resources


I am using an AWS Client VPN endpoint with 2 VPCs:

  • VPN VPC (10.100.0.0/16)
  • App VPC (10.200.0.0/16)
  • VPC peering between the 2 VPCs and route table rules so they can communicate.

My resources in the 'App VPC' are hosted in subnets that have route rules to the peering connection to the 'VPN VPC'.

The Security Group used by the resources in the 'App VPC' allows traffic from 10.100.0.0/16.

The problem is that when I connect to the VPN and get assigned IPs such as 10.100.20.132, 10.100.20.162, 10.100.20.165 or 10.100.20.167, I am not able to reach the resources.

But when I get assigned IPs such as 10.100.20.2, 10.100.20.3, 10.100.20.6 or 10.100.20.34, it does work.

I ran a few Reachability Analyzer checks to validate that traffic from the VPN is able to reach the resources; they always show success with the trace: 'VPC peering' -> 'NACL' -> 'SG(10.100.0.0/16)' -> 'ENI' -> 'Instance'.

Networking is not my field; any insight on where to look is appreciated.

Tim
My first thought is routing. Can you please edit your question to include screenshots of the route tables for the applicable subnets in both VPCs. I'd also suggest you have a look at NACLs and Security Groups, but I would look at routing first.
Score:0

My mistake was in the route tables of the 'Associations' subnets. I have 2 subnets; for one of them I did add the route for the CIDR block of the 'App VPC' in its route table:

Subnet 1

  • 10.200.0.0/16 -> VPC peering(VPN to APP)
  • 10.100.0.0/16 -> local
  • 0.0.0.0/0 -> igw

But I forgot to do it in the route table of the second associated subnet.

Subnet 2

  • 10.100.0.0/16 -> local
  • 0.0.0.0/0 -> igw

I just added the missing route and it worked.
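The fix above is easy to miss again when more subnets get associated later: a Client VPN endpoint spreads clients across all of its associated subnets, and a client's traffic enters the VPC through the ENI in the subnet it landed in, so every associated subnet's route table (explicit or the VPC main table) needs the peering route, not just one of them. The following script is an added example, not code from the poster; it audits exactly that. The route-table and target-network data are constructed to mirror the two subnets in the answer (the IDs `subnet-0aaa`, `subnet-0bbb`, `rtb-0001`, `rtb-0002`, `pcx-0vpn2app`, `igw-0001` and `vpc-0vpn` are made up), and `fetch_from_aws` shows the boto3 calls that would return the same structures from a real account.

```python
"""Audit every subnet associated with an AWS Client VPN endpoint for a route
to a destination CIDR (here the peered App VPC).

Added example. The sample data below is constructed to match the two subnets
in the answer; the IDs are invented.  Only `fetch_from_aws` needs boto3 and
credentials, so the audit itself runs offline.
"""
import ipaddress

APP_VPC_CIDR = "10.200.0.0/16"  # clients must reach this CIDR over the peering

# Constructed sample, same shape as describe_client_vpn_target_networks
# (TargetNetworkId is the associated subnet).
TARGET_NETWORKS = [
    {"TargetNetworkId": "subnet-0aaa", "VpcId": "vpc-0vpn"},
    {"TargetNetworkId": "subnet-0bbb", "VpcId": "vpc-0vpn"},
]

# Constructed sample, same shape as describe_route_tables.
ROUTE_TABLES = [
    {   # Subnet 1's table: has the peering route
        "RouteTableId": "rtb-0001", "VpcId": "vpc-0vpn",
        "Routes": [
            {"DestinationCidrBlock": "10.200.0.0/16", "VpcPeeringConnectionId": "pcx-0vpn2app", "State": "active"},
            {"DestinationCidrBlock": "10.100.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        ],
        "Associations": [{"SubnetId": "subnet-0aaa", "Main": False}],
    },
    {   # VPC main table, used implicitly by Subnet 2: peering route missing
        "RouteTableId": "rtb-0002", "VpcId": "vpc-0vpn",
        "Routes": [
            {"DestinationCidrBlock": "10.100.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        ],
        "Associations": [{"Main": True}],
    },
]

TARGET_KEYS = ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main") and rt.get("VpcId") == vpc_id:
                main = rt
    return main


def longest_match(route_table, destination):
    """Return the active IPv4 route that wins longest-prefix match for `destination`."""
    dest = ipaddress.ip_network(destination)
    best, best_len = None, -1
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State", "active") != "active":
            continue  # IPv6 routes and blackholed routes never carry this traffic
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def route_target(route):
    """Human-readable next hop of a route entry (peering, gateway, NAT, ...)."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def audit(target_networks, route_tables, destination):
    """One finding per associated subnet: which route carries `destination`
    and whether that route goes over a VPC peering connection."""
    findings = []
    for tn in target_networks:
        subnet_id = tn["TargetNetworkId"]
        rt = route_table_for_subnet(subnet_id, tn["VpcId"], route_tables)
        route = longest_match(rt, destination) if rt else None
        findings.append({
            "subnet": subnet_id,
            "route_table": rt["RouteTableId"] if rt else None,
            "matched": route.get("DestinationCidrBlock") if route else None,
            "via": route_target(route) if route else None,
            "ok": bool(route and "VpcPeeringConnectionId" in route),
        })
    return findings


def subnets_missing_peering_route(target_networks, route_tables, destination):
    """Subnet IDs whose clients would not be routed over the peering."""
    return [f["subnet"] for f in audit(target_networks, route_tables, destination) if not f["ok"]]


def fetch_from_aws(endpoint_id, region=None):
    """Pull the same two structures from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline audit above does not need it
    ec2 = boto3.client("ec2", region_name=region)
    tns = ec2.describe_client_vpn_target_networks(ClientVpnEndpointId=endpoint_id)["ClientVpnTargetNetworks"]
    vpc_ids = sorted({tn["VpcId"] for tn in tns})
    rts = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": vpc_ids}])["RouteTables"]
    return tns, rts


if __name__ == "__main__":
    for f in audit(TARGET_NETWORKS, ROUTE_TABLES, APP_VPC_CIDR):
        print(f"{f['subnet']}: {f['route_table']} {f['matched']} -> {f['via']} {'OK' if f['ok'] else 'MISSING PEERING ROUTE'}")
```

Run against the sample, the first subnet resolves 10.200.0.0/16 to the peering connection while the second falls through to the 0.0.0.0/0 route via the internet gateway, which is the symptom the question describes for roughly half of the client IPs. The same check should be re-run whenever a subnet is added to the endpoint or a route table association changes; Reachability Analyzer did not catch this because its path started at the peering connection rather than at the Client VPN ENI in each subnet.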
