Traffic issues from VXLAN network to normal VLAN (reverse is working)
Hello,
I have a weird issue with a newly set up scenario in which I have vlan555, which is part of a VXLAN setup, and I want to be able to use the FortiGate as a gateway to other VLANs and outside to the Internet, but traffic is not exiting for some reason, and I have the necessary policies to allow this. Incoming traffic, however, works from another internal VLAN (as an example) to vlan555.
config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "vlan555" "vxlan555"
        set intra-switch-policy explicit
    next
end

config firewall policy
    edit 313
        set name "Internal to vxlan"      ---> Traffic gets passed
        set srcintf "INTERNAL"
        set dstintf "sw1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
    edit 314
        set name "vxlan to Internal"      ---> Traffic does not pass
        set srcintf "sw1" "vlan555" "vxlan555"
        set dstintf "INTERNAL"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
Running diagnostics I see two very different outputs when debugging the sessions.
For incoming traffic to VLAN555 it looks OK and I get ping replies:

FW1ch-100E #
id=20085 trace_id=307 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.18.11.10:16428->172.20.56.21:2048) from INTERNAL. type=8, code=0, id=16428, seq=1."
id=20085 trace_id=307 func=init_ip_session_common line=5593 msg="allocate a new session-aa40d9a1"
id=20085 trace_id=307 func=vf_ip_route_input_common line=2594 msg="find a route: flag=04000000 gw-172.20.56.21 via sw1"
id=20085 trace_id=307 func=fw_forward_handler line=773 msg="Allowed by Policy-313:"
id=20085 trace_id=307 func=__if_queue_push_xmit line=393 msg="send out via dev-vlan555, dst-mac-00:50:56:a7:a6:69"
id=20085 trace_id=308 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.20.56.21:16428->172.18.11.10:0) from vlan555. type=0, code=0, id=16428, seq=1."
id=20085 trace_id=308 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-aa40d9a1, reply direction"
id=20085 trace_id=308 func=vf_ip_route_input_common line=2594 msg="find a route: flag=04000000 gw-172.18.11.10 via INTERNAL"
id=20085 trace_id=308 func=fw_forward_dirty_handler line=402 msg="Allocate an auxiliary tuple, proto=1, 172.18.11.10/16428=>172.20.56.21/8, dev=38->286"
id=20085 trace_id=308 func=fw_forward_dirty_handler line=420 msg="state=00000280, state2=00010008, npu_state=00040000"
id=20085 trace_id=308 func=npu_handle_session44 line=1115 msg="Trying to offloading session from sw1 to INTERNAL, skb.npu_flag=00000000 ses.state=00000280 ses.npu_state=0x00040000"
id=20085 trace_id=308 func=fw_forward_dirty_handler line=428 msg="state=00000280, state2=00010008, npu_state=00040000"
id=20085 trace_id=309 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.18.11.10:16428->172.20.56.21:2048) from INTERNAL. type=8, code=0, id=16428, seq=2."
But when traffic is initiated from vlan555 to Internal, I get no ping replies and the policy doesn't even get matched:

FW1ch-100E #
id=20085 trace_id=301 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.20.56.21:2087->172.18.11.10:2048) from vlan555. type=8, code=0, id=2087, seq=343."
id=20085 trace_id=301 func=init_ip_session_common line=5593 msg="allocate a new session-aa40d478"
id=20085 trace_id=302 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.20.56.21:2087->172.18.11.10:2048) from vlan555. type=8, code=0, id=2087, seq=344."
id=20085 trace_id=302 func=init_ip_session_common line=5593 msg="allocate a new session-aa40d503"
id=20085 trace_id=303 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 172.20.56.21:2087->172.18.11.10:2048) from vlan555. type=8, code=0, id=2087, seq=345."
Appreciate your help on this issue.
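As an added example (not from the original post or from Fortinet), a small Python helper that parses `diagnose debug flow` records of the shape shown above, groups them by trace_id, and reports which traces allocate a session but never reach the route lookup or a policy verdict, which is exactly the difference between the two outputs. The sample input is a constructed excerpt of the records in the post.

```python
import re
from collections import OrderedDict

# One debug-flow record: id=... trace_id=... func=... line=... msg="..."
RECORD = re.compile(
    r'id=\d+ trace_id=(?P<trace>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>[^"]*)"'
)

# Constructed sample: one working trace (307) and one stalled trace (301) from the post.
SAMPLE = (
    'id=20085 trace_id=307 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet'
    '(proto=1, 172.18.11.10:16428->172.20.56.21:2048) from INTERNAL. type=8, code=0, id=16428, seq=1." '
    'id=20085 trace_id=307 func=init_ip_session_common line=5593 msg="allocate a new session-aa40d9a1" '
    'id=20085 trace_id=307 func=vf_ip_route_input_common line=2594 msg="find a route: flag=04000000 gw-172.20.56.21 via sw1" '
    'id=20085 trace_id=307 func=fw_forward_handler line=773 msg="Allowed by Policy-313:" '
    'id=20085 trace_id=307 func=__if_queue_push_xmit line=393 msg="send out via dev-vlan555, dst-mac-00:50:56:a7:a6:69" '
    'id=20085 trace_id=301 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet'
    '(proto=1, 172.20.56.21:2087->172.18.11.10:2048) from vlan555. type=8, code=0, id=2087, seq=343." '
    'id=20085 trace_id=301 func=init_ip_session_common line=5593 msg="allocate a new session-aa40d478" '
)

def parse_flow(text):
    """Group records by trace_id (order preserved); each record is (func, msg)."""
    traces = OrderedDict()
    for m in RECORD.finditer(text):
        traces.setdefault(m.group("trace"), []).append((m.group("func"), m.group("msg")))
    return traces

def classify(records):
    """Describe how far a single trace got through the forwarding path."""
    funcs = [f for f, _ in records]
    verdict = next((msg for f, msg in records if f == "fw_forward_handler"), None)
    if "resolve_ip_tuple_fast" in funcs:
        return "existing-session"            # reply or follow-up packet, no new lookup
    if verdict is not None:
        return "policy: " + verdict.strip(":")  # e.g. "Allowed by Policy-313"
    if "vf_ip_route_input_common" in funcs:
        return "routed, no policy verdict"
    if funcs and funcs[-1] == "init_ip_session_common":
        return "stalled after session allocation"  # never reached routing or policy
    return "incomplete"

def stalled_traces(text):
    """trace_ids whose packets were dropped between session creation and routing."""
    return [t for t, recs in parse_flow(text).items()
            if classify(recs) == "stalled after session allocation"]
```

Running it over a full capture narrows the search to the traces that never reach `vf_ip_route_input_common`, which points at the ingress interface or route lookup rather than at the policy itself.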
An update.
I was running FortiOS 6.2.0; once I updated to 7.0.0 the issue was gone and I can talk inside and to the outside normally.