After doing the ping, run this command:

    show session all filter source [test PC IP addr]

This should return several sessions with a session ID#.

    show session id xxxxx

Now look at the ingress and egress interfaces. Packets should ingress from the corresponding ethernet and they should egress out interface tunnel.x.

Also look at the packets sent and packets received. You will probably see one-way traffic: 1 sent, 0 received.

Also see if NAT is being applied. This is usually undesirable and could be one reason the traffic is failing.

Then stop the ping and run the test again from the other direction. Use the same commands. Ingress should be tunnel.x and egress should be the correct Ethernet.

Assuming you have these zones: WAN, LAN, VPN. You may want to add the following rules to see if any packets are being discarded silently.

- Src Zone WAN, Dst Zone WAN, Any Src address, Any Dst address, Any application, allow
- Src Zone LAN, Dst Zone LAN, Any Src address, Any Dst address, Any application, allow
- Src Zone VPN, Dst Zone VPN, Any Src address, Any Dst address, Any application, allow
- Src Zone ANY, Dst Zone ANY, Any Src address, Any Dst address, Any application, deny

Warning: The "any, any, deny" rule will break VPN (IPSEC, SSL) and routing protocols without the corresponding rules to allow traffic that is sourced from Zone X to terminate on Zone X.
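The rule order in the post above, worked through as an added example (not part of the original post and not firewall code): a simplified first-match model of zone-based policy showing why the same-zone allow rules must sit above the "any, any, deny" rule. The rule names, the sample flows, the assumption that the tunnel peer terminates on an interface in the WAN zone, and the fallback defaults are all constructed for illustration.

```python
# Simplified first-match zone policy model (illustrative assumption, not vendor code).
from typing import NamedTuple


class Rule(NamedTuple):
    name: str       # hypothetical rule name
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "allow" or "deny"


# The three same-zone allow rules and the catch-all deny listed in the post.
INTRAZONE_ALLOWS = [
    Rule("wan-intrazone", "WAN", "WAN", "allow"),
    Rule("lan-intrazone", "LAN", "LAN", "allow"),
    Rule("vpn-intrazone", "VPN", "VPN", "allow"),
]
ANY_ANY_DENY = Rule("any-any-deny", "any", "any", "deny")

# Constructed sample flows: (description, source zone, destination zone).
FLOWS = [
    ("IKE from peer to firewall WAN interface", "WAN", "WAN"),
    ("ping from test PC into the tunnel", "LAN", "VPN"),
    ("ping from remote side out to LAN", "VPN", "LAN"),
]


def evaluate(rules, src_zone, dst_zone):
    """Return (rule name, action) of the first rule matching the zone pair."""
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return r.name, r.action
    # Assumed fallback when no explicit rule matches:
    # same-zone traffic is allowed, cross-zone traffic is denied.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def report(rules):
    """Map each sample flow to the rule that decides it."""
    return {desc: evaluate(rules, s, d) for desc, s, d in FLOWS}


if __name__ == "__main__":
    cases = (("deny only", [ANY_ANY_DENY]),
             ("same-zone allows, then deny", INTRAZONE_ALLOWS + [ANY_ANY_DENY]))
    for label, rules in cases:
        print(label)
        for desc, (name, action) in report(rules).items():
            print(f"  {desc}: {action} by {name}")
```

With the deny rule alone, the WAN-to-WAN flow that carries the tunnel negotiation is dropped; with the same-zone allows above it, only the cross-zone pings hit the deny, which is where a missing LAN/VPN rule would show up.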