result

#diagnose sniffer packet any "icmp" 4 0 l

192.168.1.25 - local PC

192.168.8.3 - device behind GRE

GRE tunel is UP, in GRE tunel we have IPSec - also UP.

I can ping but I get no response from ICMP.

When nothing changed, and I go back to 7.4.1 - ping and all connections are working fine.

My debug:

#diag debug flow filter addr 192.168.8.
#diag debug flow filter proto
#diag debug flow trace start 10
#diag debug flow show function-name enabl

#diag debug console timestamp enabl
#diag debug en

------- RESULT ------------

2024-06-02 09:51:35 id=65308 trace_id=123 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.153.10.135:61596->192.168.8.3:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=61596, seq=56027."
2024-06-02 09:51:35 id=65308 trace_id=123 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d06ec, original direction"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel ComXXXX, tun_id=212.xxx.xxx, vrf 0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=124 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:6xxxx->10.xx.xx.:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55959."
2024-06-02 09:51:36 id=65308 trace_id=124 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=124 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
di2024-06-02 09:51:36 id=65308 trace_id=125 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 10.x.x.x:xxxx->192.168.8.3:xxx) tun_id=0.0.0.0 from local. type=8, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=125 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, original direction"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Coxx, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-XXX, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"
2024-06-02 09:51:36 id=65308 trace_id=126 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.xx.xx.xx->192.168.8.3:xx) tun_id=0.0.0.0 from local. type=8, code=0, id=61599, seq=56028."
2024-06-02 09:51:36 id=65308 trace_id=126 func=init_ip_session_common line=6063 msg="allocate a new session-036d0adc"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=127 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:xxx->10.x.x.x:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=127 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=127 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
s2024-06-02 09:51:36 id=65308 trace_id=128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.1.25:1->192.168.8.3:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=546."
2024-06-02 09:51:36 id=65308 trace_id=128 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-0363dece, original direction"
2024-06-02 09:51:36 id=65308 trace_id=128 func=npu_handle_session44 line=1224 msg="Trying to offloading session from lan to gre_plus, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=fw_forward_dirty_handler line=442 msg="state=00010204, state2=00000005, npu_state=00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Com-to-Plus, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"

========================

gate # show full system settings | grep asym
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable

gate # show full | grep src-check
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check disable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set strict-src-check disable

=======================

MAIN PROBLEM

"anti-spoof check failed, drop"