10-10-2022 04:46 PM
We are seeing an issue where we have multiple GRE tunnels configured for the zone Zscaler. When we enable monitoring of the GRE tunnels with a health probe, it sends a packet with the GRE tunnel interface's private IP address as the source and the peer tunnel's private IP as the destination. We are noticing that a few times a day the FW starts dropping packets because it is unable to tie the destination interface for the return packet. We can see this behavior in a packet capture with the drop filter. Ex: Tunnel 11 is configured in the Zscaler zone with IP address 172.19.220.201/30 --> peer IP 172.19.220.202 (intrazone traffic). When the packet returns from the destination, the FW is unable to bind the destination interface as Tunnel 11, so it puts the packet in the internet zone and drops it due to the interzone policy.
Routing table snapshots:
@GRE-Tunnel, #paloalto @routing
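To make the zoning failure in the post concrete, here is an added illustration (not code from the poster or from PAN-OS) that models the decision the firewall has to make for the probe reply: the reply enters on tunnel.11 (source zone Zscaler), and the destination zone is taken from a route lookup of the destination IP, which is the firewall's own tunnel address 172.19.220.201. With the connected 172.19.220.200/30 route present, that lookup lands on tunnel.11 and the flow is intrazone; if that route is absent for a moment, the lookup falls through to the default route, the destination zone becomes internet, and the interzone policy drops it. The routing table, the interface names ethernet1/1 and tunnel.11, and the policy (intrazone allowed, Zscaler to internet denied) are all assumptions constructed for the example; the model is a simplification of the firewall's real forwarding logic.

```python
import ipaddress

# Constructed routing table for this example (not from the post):
# (prefix, egress interface, zone of that interface).
# The /30 is the connected route that tunnel.11 contributes while it is up.
CONNECTED_TUNNEL_ROUTE = ("172.19.220.200/30", "tunnel.11", "Zscaler")
ROUTES_TUNNEL_UP = [
    ("0.0.0.0/0", "ethernet1/1", "internet"),   # assumed default route
    CONNECTED_TUNNEL_ROUTE,
]
# Same table with the connected route missing: the state the post describes
# when the FW cannot bind the destination interface as tunnel 11.
ROUTES_TUNNEL_ROUTE_MISSING = [r for r in ROUTES_TUNNEL_UP if r != CONNECTED_TUNNEL_ROUTE]

# Assumed policy: the default intrazone rule allows, everything interzone
# between Zscaler and internet is denied.
def policy_allows(src_zone: str, dst_zone: str) -> bool:
    return src_zone == dst_zone


def route_lookup(routes, ip: str):
    """Longest-prefix match over the constructed table.
    Returns (interface, zone) of the best route, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return None if best is None else (best[1], best[2])


def zone_return_packet(routes, ingress_zone: str, dst_ip: str) -> dict:
    """Simplified model of how the probe reply is zoned and policed:
    the source zone is the zone of the interface the reply arrived on,
    the destination zone comes from a route lookup of the destination IP."""
    dst = route_lookup(routes, dst_ip)
    if dst is None:
        return {"src_zone": ingress_zone, "dst_iface": None,
                "dst_zone": None, "verdict": "drop", "reason": "no route"}
    dst_iface, dst_zone = dst
    allowed = policy_allows(ingress_zone, dst_zone)
    return {"src_zone": ingress_zone, "dst_iface": dst_iface, "dst_zone": dst_zone,
            "verdict": "allow" if allowed else "drop",
            "reason": "intrazone" if allowed else "interzone policy"}


if __name__ == "__main__":
    # Reply from the peer 172.19.220.202 arriving on tunnel.11, destined to the
    # FW's own tunnel address 172.19.220.201.
    for label, table in (("tunnel route present", ROUTES_TUNNEL_UP),
                         ("tunnel route missing", ROUTES_TUNNEL_ROUTE_MISSING)):
        print(label, zone_return_packet(table, "Zscaler", "172.19.220.201"))
```

The two runs differ only in whether the connected /30 route is in the table, which is the state to compare in the routing table snapshots (taken during a good period and during a drop) before opening a case: if the /30 is absent at the moment of the drop, the health probe itself is what caused the tunnel interface to flap.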