topic ESP traffic is sent from wrong interface in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-traffic-is-sent-from-wrong-interface/m-p/104978#M8312 <P>Hello all!</P><P>The actual Phase 1 and 2 tunnel are going with the right cluster IP-address as source (1.1.1.1), VPN tunnel gets established. But the actual ESP packets get a source of the another physical interface (eth2.517 2.2.2.2), and traffic is not reaching Azure network from on-prem network.</P><P>I have TAC case created, which is already a third case, but we are not getting anywhere. So maybe anyone have any idea what could be wrong</P><P>&nbsp;</P><P><STRONG>Setup:</STRONG><BR />Check Point on-prem:<BR />eth1 - 1.1.1.1 - DMZ VPN IP in Link Selection (the IP that is supposed )<BR />eth2.517 - 2.2.2.2 - External IP looking towards ISP Provider</P><P>Fortigate in Azure:<BR />3.3.3.3 - Fortigate External IP</P><P>SXL for this VPN is off.<BR />1.1.1.1. is also configured as outgoing source IP address.<BR />Current route towards Fortigate in Azure points to the gateway of interface eth2.517 (2.2.2.3)<BR />Tried to add a route via interface eth1, but it didn't make a difference.</P><P>&nbsp;</P><P><STRONG>tcpdump:</STRONG><BR />11:00:26.728559 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:27.064264 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.064266 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.064267 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.080591 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]<BR />11:00:28.749675 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:28.749677 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:28.749677 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:33.389009 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:33.389011 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:33.389011 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:36.680128 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:38.406597 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:38.406598 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:38.406599 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:43.403640 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:43.403641 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:43.403642 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:46.631720 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:48.395170 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104<BR />11:00:48.395171 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104<BR />11:00:48.395172 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104</P><P><STRONG>fw monitor:</STRONG><BR />[vs_0][fw_0] bond12.517:i9 (tcpt inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i10 (IP Options Strip (in))[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i11 (vpn multik forward in)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i12 (vpn decrypt)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i13 (l2tp inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i14 (Stateless verifications (in))[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i15 (fw multik misc proto forwarding)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i16 (vpn tagging inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i17 (vpn decrypt verify)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i18 (fw VM inbound )[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I19 (vpn policy inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I20 (fw SCV inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I21 (vpn before offload)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I22 (fw offload inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I23 (fw post VM inbound )[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I24 (fw accounting inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I25 (RTM packet in)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I26 (passive streaming (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I27 (TCP streaming (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I28 (IP Options Restore (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I29 (Cluster Late Correction)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I30 (Chain End)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=34433<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=19101<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=64551<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=52696<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=59551<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=16177<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=35105</P><P>&nbsp;</P> Thu, 10 Dec 2020 13:57:21 GMT prosto_marussia 2020-12-10T13:57:21Z ESP traffic is sent from wrong interface https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-traffic-is-sent-from-wrong-interface/m-p/104978#M8312 <P>Hello all!</P><P>The actual Phase 1 and 2 tunnel are going with the right cluster IP-address as source (1.1.1.1), VPN tunnel gets established. But the actual ESP packets get a source of the another physical interface (eth2.517 2.2.2.2), and traffic is not reaching Azure network from on-prem network.</P><P>I have TAC case created, which is already a third case, but we are not getting anywhere. So maybe anyone have any idea what could be wrong</P><P>&nbsp;</P><P><STRONG>Setup:</STRONG><BR />Check Point on-prem:<BR />eth1 - 1.1.1.1 - DMZ VPN IP in Link Selection (the IP that is supposed )<BR />eth2.517 - 2.2.2.2 - External IP looking towards ISP Provider</P><P>Fortigate in Azure:<BR />3.3.3.3 - Fortigate External IP</P><P>SXL for this VPN is off.<BR />1.1.1.1. is also configured as outgoing source IP address.<BR />Current route towards Fortigate in Azure points to the gateway of interface eth2.517 (2.2.2.3)<BR />Tried to add a route via interface eth1, but it didn't make a difference.</P><P>&nbsp;</P><P><STRONG>tcpdump:</STRONG><BR />11:00:26.728559 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:27.064264 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.064266 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.064267 IP 1.1.1.1.4500 &gt; 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37<BR />11:00:27.080591 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]<BR />11:00:28.749675 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:28.749677 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:28.749677 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104<BR />11:00:33.389009 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:33.389011 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:33.389011 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104<BR />11:00:36.680128 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:38.406597 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:38.406598 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:38.406599 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104<BR />11:00:43.403640 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:43.403641 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:43.403642 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104<BR />11:00:46.631720 IP 3.3.3.3.4500 &gt; 1.1.1.1.4500: isakmp-nat-keep-alive<BR />11:00:48.395170 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104<BR />11:00:48.395171 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104<BR />11:00:48.395172 IP 2.2.2.2.4500 &gt; 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104</P><P><STRONG>fw monitor:</STRONG><BR />[vs_0][fw_0] bond12.517:i9 (tcpt inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i10 (IP Options Strip (in))[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i11 (vpn multik forward in)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i12 (vpn decrypt)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i13 (l2tp inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i14 (Stateless verifications (in))[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i15 (fw multik misc proto forwarding)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i16 (vpn tagging inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i17 (vpn decrypt verify)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:i18 (fw VM inbound )[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I19 (vpn policy inbound)[44]: 3.3.3.3 -&gt; 1.1.1.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I20 (fw SCV inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I21 (vpn before offload)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I22 (fw offload inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I23 (fw post VM inbound )[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I24 (fw accounting inbound)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I25 (RTM packet in)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I26 (passive streaming (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I27 (TCP streaming (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I28 (IP Options Restore (in))[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I29 (Cluster Late Correction)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:I30 (Chain End)[44]: 3.3.3.3 -&gt; 10.97.15.1 (UDP) len=256 id=16574<BR />[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24707<BR />[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -&gt; 3.3.3.3 (UDP) len=384 id=24708<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=34433<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=19101<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=64551<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=52696<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=59551<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=16177<BR />[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -&gt; 3.3.3.3 (UDP) len=132 id=35105</P><P>&nbsp;</P> Thu, 10 Dec 2020 13:57:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ESP-traffic-is-sent-from-wrong-interface/m-p/104978#M8312 prosto_marussia 2020-12-10T13:57:21Z