Hello
Maybe you can get something from this CLI log I made. This log is the result of a ping between 192.168.3.23 and 192.168.4.100; the ping didn't respond, but here is the log:
CXRFTG # diag debug enable
CXRFTG # diag debug flow filter daddr 192.168.4.100
CXRFTG # diag debug flow show console enable
show trace messages on console
CXRFTG # diag debug flow trace start 1000
CXRFTG # id=13 trace_id=1001 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal."
id=13 trace_id=1001 msg=" allocate a new session-00b43f7f"
id=13 trace_id=1001 msg=" Match policy routing: to 192.168.4.1 via ifindex-30"
id=13 trace_id=1001 msg=" find a route: gw-192.168.4.1 via Castellana"
id=13 trace_id=1001 msg=" use addr/intf hash, len=4"
id=13 trace_id=1001 msg=" find SNAT: IP-192.168.3.1, port-62464"
id=13 trace_id=1001 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=1001 msg=" SNAT 192.168.3.23->192.168.3.1:62464"
id=13 trace_id=1001 msg=" enter IPsec interface-Castellana"
id=13 trace_id=1001 msg=" send to IP-B via intf-wan1"
id=13 trace_id=1001 msg=" encrypting, and send to IP-B with source IP-A"
id=13 trace_id=1002 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal."
id=13 trace_id=1002 msg=" Find an existing session, id-00b43f7f, original direction"
id=13 trace_id=1002 msg=" SNAT 192.168.3.23->192.168.3.1:62464"
id=13 trace_id=1002 msg=" enter IPsec interface-Castellana"
id=13 trace_id=1002 msg=" send to IP-B via intf-wan1"
id=13 trace_id=1002 msg=" encrypting, and send to IP-B with source IP-A"
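
As an added example (not part of the original post), a small Python parser that groups the `diag debug flow` lines above by trace_id and summarizes the decisions recorded for each packet: session, policy route, policy, SNAT and IPsec interface. The regular expressions cover only the message texts that appear in this log, and the function names are hypothetical.

```python
import re

# Sample input: a subset of the trace lines from the post above.
SAMPLE = '''\
CXRFTG # id=13 trace_id=1001 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal."
id=13 trace_id=1001 msg=" allocate a new session-00b43f7f"
id=13 trace_id=1001 msg=" Match policy routing: to 192.168.4.1 via ifindex-30"
id=13 trace_id=1001 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=1001 msg=" SNAT 192.168.3.23->192.168.3.1:62464"
id=13 trace_id=1001 msg=" enter IPsec interface-Castellana"
id=13 trace_id=1002 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal."
id=13 trace_id=1002 msg=" Find an existing session, id-00b43f7f, original direction"
'''

LINE = re.compile(r'trace_id=(\d+) msg="\s*(.*?)"\s*$')
# (field, pattern for the msg text, summary format). Covers only messages seen in this log.
RULES = [
    ("packet", re.compile(r"received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\."),
     "proto %s %s -> %s in on %s"),
    ("new_session", re.compile(r"allocate a new session-(\w+)"), "new session %s"),
    ("existing_session", re.compile(r"Find an existing session, id-(\w+), (\w+) direction"),
     "existing session %s (%s direction)"),
    ("policy_route", re.compile(r"Match policy routing: to (\S+) via (\S+)"), "policy route to %s via %s"),
    ("policy", re.compile(r"Allowed by Policy-(\d+)"), "policy %s"),
    ("snat", re.compile(r"^SNAT (\S+?)->(\S+)"), "SNAT %s -> %s"),
    ("ipsec", re.compile(r"enter IPsec interface-(\S+)"), "IPsec interface %s"),
]

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id and extract the forwarding decisions."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # prompt or echo lines without a trace_id
        entry = traces.setdefault(int(m.group(1)), {})
        for field, pattern, _ in RULES:
            if hit := pattern.search(m.group(2)):
                entry[field] = hit.groups()
                break
    return traces

def describe(tid, entry):
    """One-line summary of what the firewall did with the packet in this trace."""
    steps = [fmt % entry[field] for field, _, fmt in RULES if field in entry]
    return f"trace {tid}: " + ", ".join(steps)

if __name__ == "__main__":
    print("\n".join(describe(t, e) for t, e in parse_flow_trace(SAMPLE).items()))
```

The filter in the post matches on destination address 192.168.4.100, so the summary covers only packets sent toward that host.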