I did everything Ede suggested:
- I deleted the explicit route to this subnet;
- I checked that the auto-inserted route is present in the routing monitor;
- I disabled "auto-asic-offload" for the policy that should be used.
This is the result from the diag debug while I'm sending packets from 10.0.0.64 to 172.16.15.10.
id=20085 trace_id=5417 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=1, 10.0.0.64:1->172.16.15.10:2048) from port3. type=8, code=0, id=1, seq=22668."
id=20085 trace_id=5417 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-3936039d, original direction"
id=20085 trace_id=5417 func=npu_handle_session44 line=1048 msg="Trying to offloading session from port3 to port2, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x00001008"
id=20085 trace_id=5417 func=ids_receive line=252 msg="send to ips"
id=20085 trace_id=5417 func=__ip_session_run_tuple line=2905 msg="SNAT 10.0.0.64->22.214.171.124:62464"
I tried the Policy lookup again with these parameters:
Source interface: Port 3 (my LAN)
Source: 10.0.0.64 (my client on the LAN)
Destination: 172.16.15.10 (the PC on the VLAN I'm trying to reach)
The Policy that gets chosen is the one that forwards traffic to the internet using the WAN (port 2). That doesn't make any sense, because the routing should push the traffic on the subinterface where the VLAN Telecontrollo is connected!