When we are facing this type of issue, first we need to take debug flow filter in both source side firewall, if you observe traffic is flowing out of IPSEC tunnel interface then you should take debug flow filter in other end firewall.
Debug flow filter commands:
diag debug reset
diag debug flow filter addr a.b.c.d ——>a.b.c.d is the destination IP which you are pinging
diag debug flow filter proto 1———->This is to capture ping traffic
diag debug flow show function-name enable
diag debug flow trace start 1000——>This is to capture 1000 packets
diag debug enable
Once you capture all the packets, you can disable debug by executing this command “diag debug disable”
How to analyse this debug output:
In the first line you will from which interface traffic is coming to the firewall.
In the second line you will see if there is any existing session.
In the third line it will try to offload session from your internal interface to outgoing interface, here is the important thing outgoing interface should be your IPSEC VPN interface. In case if the traffic is not going to VPN interface, there is routing issue in the firewall. You should focus on the policy routes and sd wan rules, might be the traffic is getting forwarded through wrong interface by matching the policy routes.
In the fourth line, you will see if there is any NAT happening, usually IPSEC traffic should not get NATed to any IP address so you have to disable NAT in the corresponding IPSEC firewall policy. If traffic is getting NATed to outgoing interface the traffic might get dropped, because the outgoing interface IP address will not be there in local phase 2 selectors, so the traffic might get dropped saying like phase2 selector drop.
In the fifth line you will be able to see which interface the traffic is going out, it should be IPSEC interface.
In the sixth line, you will be able to see the reason for dropping, it could be either “denied by forward policy check” this means, there is no matching firewall policy or this could be “no matching phase 2 selector drop”, this means source and destination IP address are not there in local and remote phase 2 selectors.
If all is going good, then you need to take debug flow filter in other end firewall that should help you.
If still the issue is not resolved, you can comment here.
Have a great day 🙂