I've seen a couple posts that didn't seem to resolve this issue and after struggling through it (with help from user Selective), here's how I was able to get it to work:
1. You have two offices, a headquarters (HQ) and a branch office (BO)
2. You have an interface/route based IPsec VPN between the two offices (that works).
3. You have an SSL-VPN to the HQ that works to the HQ subnets, but not to the BO.
On the BO FG:
Note -- it's likely that your BO FG is capable of being an SSL-VPN host as well; make sure not to confuse the BO SSL-VPN with the HQ SSL-VPN.
1. Add a Static Route to the HQ SSL-VPN Subnet, Device: IPsec VPN
2. In the IPsec VPN -> Internal Policy, add the HQ SSL-VPN subnet as a source address.
On the HQ FG:
1. In the wan -> internal SSL-VPN policy (where Action is SSL-VPN) add the BO subnet(s) as destination addresses.
2. Add an ssl.root -> IPsec VPN policy with the HQ SSL-VPN Pool as the source address and the BO subnet(s) as the destination address.
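The four changes above each cover a different point on the path from an SSL-VPN client to a BO host and back. The following is an added example, not part of the original post and not FortiOS code: a simplified Python model that traces the flow and reports which missing step stops it. The addresses, the `ipsec` and `internal` interface labels and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumptions, not taken from the post)
SSL_POOL = ip_network("10.212.134.0/24")  # HQ SSL-VPN client pool
BO_LAN = ip_network("192.168.20.0/24")    # branch office subnet

def full_config():
    """The four changes from the post, as a simplified model."""
    return {
        "bo_routes": [(SSL_POOL, "ipsec")],                        # BO step 1
        "bo_policies": [("ipsec", "internal", SSL_POOL, BO_LAN)],  # BO step 2
        "hq_sslvpn_dst": [BO_LAN],                                 # HQ step 1
        "hq_policies": [("ssl.root", "ipsec", SSL_POOL, BO_LAN)],  # HQ step 2
    }

def policy_ok(policies, src_if, dst_if, src, dst):
    """True if any policy matches both interfaces and both addresses."""
    return any(p[0] == src_if and p[1] == dst_if and src in p[2] and dst in p[3]
               for p in policies)

def trace(cfg, client, target):
    """Return 'ok' or the first point where the client -> BO flow fails."""
    client, target = ip_address(client), ip_address(target)
    # HQ: the SSL-VPN policy must list the BO subnet as a destination
    if not any(target in net for net in cfg["hq_sslvpn_dst"]):
        return "HQ: SSL-VPN policy does not list the BO destination"
    # HQ: traffic leaving the SSL-VPN interface needs a policy into the tunnel
    if not policy_ok(cfg["hq_policies"], "ssl.root", "ipsec", client, target):
        return "HQ: no ssl.root -> IPsec policy for this source/destination"
    # BO: without a route to the pool via the tunnel, replies have no path back
    if not any(client in net and dev == "ipsec" for net, dev in cfg["bo_routes"]):
        return "BO: no static route to the SSL-VPN pool via IPsec"
    # BO: the tunnel -> internal policy must accept the SSL-VPN pool as source
    if not policy_ok(cfg["bo_policies"], "ipsec", "internal", client, target):
        return "BO: IPsec -> internal policy does not allow the SSL-VPN source"
    return "ok"

def without(step):
    """Full configuration with one of the four steps removed."""
    cfg = full_config()
    cfg[step] = []
    return cfg

if __name__ == "__main__":
    print("all four steps:", trace(full_config(), "10.212.134.10", "192.168.20.5"))
    for step in full_config():
        print(f"missing {step}:", trace(without(step), "10.212.134.10", "192.168.20.5"))
```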