Welcome to Zyxel
As your scenario,
SSL VPN client is able access to HQ subnet but unable access to branch subnet.
You can go to make
sure if you have added routing for SSL VPN client on both of devices.
(1) On HQ device. The
“branch subnet” have to add into network list of SSL VPN.
(2) Add policy route on
subnet, NextHop: VPN tunnel.
(3) Add policy route
on Branch device.
a. Incoming: ZyWALL,
Destination IP: SSL VPN Pool. NextHop: VPN (It is for access to Branch ZyWALL)
b. Incoming: any,
Destination IP: SSL VPN Pool, NextHop: VPN (It is for access to branch subnet)