Phil
Yes you have it correct.
1.1.1.1 peer-address
10.200.6.0/24 CISCO-LAN
192.168.254.0/24 FGT-LAN
Ede, yes, the unreachable is coming from the VPN-peer endpoint 1.1.1.1 in my case, but it's carried
within the tunnel known as VPNtun.
I dumped on the Cisco ASA tunnel side and see that it's being dropped, as I suspected. I believe on my pb-vpn, the unreachable comes outside of the tunnel and via the egress interface ip_address.
Oh, forgot to show you the errors on the ASA:
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 647
This is not a bug but how ICMP unreachable works. The src of this icmp.type icmp.messages is NOT the LAN that you're trying to connect on; it's the egress interface of the device sending the code.