The following is a technical description of a layer 2 problem found at a customer site.
There is an unexplained traffic block occurring at OSI layer 2 for TCP/IP traffic between hosts on two different networks when it traverses a transparent-mode VDOM on the client's Fortigate.
Hosts on network A attempt a connection to a Mail exchanger on network B, through router B1. The SYN traffic crossing the TP VDOM is seen at interface wan1 as being sent by an IP on net A to the IP of the MX on net B, with the source MAC address of router B1 and the destination MAC address of the MX host.
The original SYN packet is properly transmitted through wan2, and the return SYN-ACK traffic is seen only on interface wan2; it consists of the reverse IP flow, with the destination MAC address of router B1 but a source MAC address of router B2.
Seemingly, the MX host is using a router higher on network B as its default gateway, and this router, which we'll call B2, is sending the traffic back to router B1 as the appropriate next hop for network A, thus crossing the TP VDOM with a new source MAC.
Traffic cannot be dropped, as policies dictate that all traffic to and from the MX host is allowed (at a Layer 3 level). It seems the layer 2 packet is simply not bridged by the FG from interface wan2 to wan1, although the [destination] MAC address of router B1 is clearly located on the wan1 interface (and is the proper Ethernet destination of the SYN-ACK packet).
Note 1: An intermittent solution does occur, and is probably due to an ICMP redirect packet advising the MX host of a direct route through router B1. During the lifetime of this non-permanent route, host MX is reachable from network A.
Note 2: We are unable to add a static route on the MX host.
Note 3: In a lab, I am able to reproduce the scenario, yet communication works.
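An added example, not part of the original post: a small Python correlation of sniffer frames from both VDOM interfaces that pairs each SYN with its SYN-ACK and flags the asymmetric return path described above (reply arriving from a different L2 source than the host the SYN was sent to, and never reappearing on the SYN's ingress interface). The frames, MAC and IP values are constructed to model the post, not taken from a real capture.

```python
from collections import namedtuple

# One captured Ethernet/IP/TCP frame, reduced to the fields relevant here.
Frame = namedtuple("Frame", "iface src_mac dst_mac src_ip dst_ip flags")

# Constructed frames modelling the post (placeholder addresses):
#  - SYN enters wan1 with router B1 as L2 source, MX as L2 destination,
#    and is bridged out of wan2 unchanged;
#  - SYN-ACK appears on wan2 only, from router B2 toward router B1's MAC.
MAC_B1, MAC_B2, MAC_MX = "00:00:00:00:b1:01", "00:00:00:00:b2:02", "00:00:00:00:0a:aa"
FRAMES = [
    Frame("wan1", MAC_B1, MAC_MX, "10.0.0.5", "192.0.2.25", "S"),
    Frame("wan2", MAC_B1, MAC_MX, "10.0.0.5", "192.0.2.25", "S"),
    Frame("wan2", MAC_B2, MAC_B1, "192.0.2.25", "10.0.0.5", "SA"),
]

def learn_macs(frames):
    """Rebuild a learning bridge's view: source MAC -> interface first seen on."""
    table = {}
    for f in frames:
        table.setdefault(f.src_mac, f.iface)
    return table

def find_asymmetric_flows(frames):
    """Report SYN/SYN-ACK pairs whose reply comes from an unexpected L2 source,
    and whether that reply was ever seen on the interface the SYN entered."""
    table = learn_macs(frames)
    syn_ingress, reply_frame, reply_ifaces = {}, {}, {}
    for f in frames:
        if f.flags == "S":
            syn_ingress.setdefault((f.src_ip, f.dst_ip), f)  # first sighting = ingress
        elif f.flags == "SA":
            key = (f.dst_ip, f.src_ip)  # index reply by the SYN's (src, dst)
            reply_frame.setdefault(key, f)
            reply_ifaces.setdefault(key, set()).add(f.iface)
    findings = []
    for key, syn in syn_ingress.items():
        rep = reply_frame.get(key)
        if rep is None or rep.src_mac == syn.dst_mac:
            continue  # no reply, or reply came straight back from the target host
        findings.append({
            "flow": key,
            "syn_ingress": syn.iface,
            "expected_reply_src_mac": syn.dst_mac,
            "actual_reply_src_mac": rep.src_mac,
            "reply_dst_mac_learned_on": table.get(rep.dst_mac),
            "reply_seen_on": sorted(reply_ifaces[key]),
            "bridged_back": syn.iface in reply_ifaces[key],
        })
    return findings
```

For the constructed frames this reports the one flow whose SYN-ACK comes from B2 rather than MX, notes that B1's MAC was learned on wan1, and marks it as not bridged back, which is exactly the symptom to look for in real wan1/wan2 captures.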