It is no longer possible to access a specific Virtual Machine through an IPSec Tunnel
Hello everybody,
I'm working on a FortiGate 70G with 7.2.11 firmware.
I have an IPsec tunnel:

Regarding this tunnel, I have two firewall rules:

The first policy applies to the IPSEC_FULL_ACCESS user group and allows connections to the 10.1.0.0/24 network, including a specific machine whose address is 10.1.0.207/24. It works fine.
The second policy applies to the XYZ_VM_IPSEC user group and allows connections only to the specific 10.1.0.207/24 machine. It had been working for a while: the XYZ_VM_IPSEC users could in fact access only the 10.1.0.207/24 machine.
For the last two days this has not been possible anymore. The XYZ_VM_IPSEC users can no longer access that machine.
The log settings are set to "all sessions" (not in the screenshot, which is not up to date), but the logs are empty. The FortiGate detects nothing.
But... and this is what I am not able to comprehend... if I edit that specific firewall policy, changing the destination address from 10.1.0.207/24 to another machine on the same internal network (for example 10.1.0.214/24), it works again. In this case the XYZ_VM_IPSEC users can access only the single 10.1.0.214/24 machine.
I don't think the problem is the 10.1.0.207/24 machine itself, because if that were the case, the machine would not be accessible through the first firewall policy either.
What do you think? Do you have a clue?
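As an added example that is not part of the original post, below is how the two policies described above look in the FortiOS CLI, followed by the debug-flow and session checks a practitioner would run to see whether the XYZ_VM_IPSEC traffic reaches the FortiGate at all, which policy it matches, and at which step it is dropped. Interface names, address-object names, policy IDs and the policy order are assumptions; the post does not show them. The single machine is defined here as a /32 host object: in FortiOS an address object with a /24 mask matches the whole 10.1.0.0/24 network rather than one host, so the VM object needs a /32 mask if only that machine is meant.

```fortios
# Address objects (names assumed). A /32 object matches exactly one host;
# an object defined with a /24 mask would match all of 10.1.0.0/24.
config firewall address
    edit "NET_10.1.0.0_24"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "VM_10.1.0.207"
        set subnet 10.1.0.207 255.255.255.255
    next
end

# Two policies from the IPsec tunnel interface to the internal LAN, each
# limited to one user group. Interface names "ipsec-tunnel" and "internal",
# the policy IDs and the policy names are assumed for this example.
config firewall policy
    edit 10
        set name "IPSEC_FULL_ACCESS_to_LAN"
        set srcintf "ipsec-tunnel"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "NET_10.1.0.0_24"
        set groups "IPSEC_FULL_ACCESS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "XYZ_VM_IPSEC_to_VM"
        set srcintf "ipsec-tunnel"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VM_10.1.0.207"
        set groups "XYZ_VM_IPSEC"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Diagnostics: trace how the FortiGate handles packets to the VM while an
# XYZ_VM_IPSEC user reproduces the failure. The output names the matched
# policy ID or the reason a packet is dropped, even when no log is written.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.0.207
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the access attempt from the client now, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable

# Check whether a session to the VM exists and which policy ID it hit.
diagnose sys session filter clear
diagnose sys session filter dst 10.1.0.207
diagnose sys session list

# Confirm the tunnel is up and which route the FortiGate uses for the VM.
diagnose vpn tunnel list
get router info routing-table details 10.1.0.207
```

Running the same trace with the filter set to 10.1.0.214 gives the working case to compare against; the difference between the two traces (no packet seen at all, a different policy ID matched, or a drop at the route or policy lookup step) narrows the problem down before any configuration is changed.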