cjames88
Explorer

SD WAN and Domain based VPN

I'm looking for people that are successfully using SD-WAN and domain-based VPN on both Gaia and Gaia Embedded devices. We are currently waiting on our vendor to get a time scheduled with a Check Point engineer to figure out why SD-WAN won't allow traffic to pass through the tunnel in our environment. Our vendor has confirmed we did everything correctly per Check Point documentation, which is why it's been escalated to Check Point. At this point I'm just looking for anyone that has this successfully working and can tell me some things they ran into that aren't in the documentation, which I should take a look at.

0 Kudos
9 Replies
AmirArama
Employee

Hi,

Please send me the SR number in a private message and I will try to assist.

0 Kudos
cjames88
Explorer

I don't actually have the SR, my vendor has it. At this point I'm just grasping at straws trying to figure out what I missed.

0 Kudos
AmirArama
Employee

In general, overlay traffic must match an SD-WAN overlay rule.

You can attach the following outputs from both peers here if you prefer:

fw monitor -F "<src>,0,<dst>,0,0" -F "<dst>,0,<src>,0,0"
Example:
fw monitor -F "192.168.1.1,0,192.168.10.1,0,0" -F "192.168.10.1,0,192.168.1.1,0,0"

fw ctl zdebug + drop, while grepping for the client or server IP.
For example:
fw ctl zdebug + drop | grep 192.168.10.1

# initiate the connection

Check which tunnel was chosen to carry the connection (run this while the connection is already open):
vpn tu conn <src> - <dst> - -

Copy the outputs.

You can also check which SD-WAN rule the traffic matches, if you don't see it in the logs, by:
fw ctl zdebug -m SDWANRB + all | grep PROB
# initiate the connection

0 Kudos
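Added example, not part of the thread and not Check Point tooling: a small expert-mode script that runs the capture steps from the reply above in order, so both peers collect the same set of outputs for one test connection. It uses the commands exactly as given in that reply (fw monitor -F, fw ctl zdebug + drop, vpn tu conn, fw ctl zdebug -m SDWANRB); the script name, the output directory and the `run` argument are assumptions. The fw monitor -F fields are source, source port, destination, destination port, protocol, with 0 meaning "any".

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): wraps the capture sequence
# from the reply above so both peers collect the same outputs for one test connection.
# Assumptions: run in expert mode on the Gaia gateway; `fw` and `vpn` are on PATH;
# the output directory below is an arbitrary choice.

# Bidirectional fw monitor filter for a client/server pair, as a copy-pasteable string.
# Fields: src,sport,dst,dport,proto; 0 = any.
monitor_filter() {
    printf '%s "%s,0,%s,0,0" %s "%s,0,%s,0,0"' -F "$1" "$2" -F "$2" "$1"
}

# Dotted-quad sanity check. The addresses end up inside an eval below, so accept
# only digits and dots, exactly four octets, each in range.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Start the three captures, wait for the operator to open the connection, record which
# tunnel carried it, then stop the captures and reset kernel debug flags.
collect() {
    src="$1"; dst="$2"; out="${3:-/var/log/sdwan-debug}"
    if ! is_ipv4 "$src" || ! is_ipv4 "$dst"; then
        echo "usage: collect <client-ip> <server-ip> [outdir]" >&2
        return 2
    fi
    mkdir -p "$out"

    # Packets for this pair at the inspection points, both directions.
    eval "fw monitor $(monitor_filter "$src" "$dst")" > "$out/fw_monitor.txt" 2>&1 &
    mon_pid=$!
    # Kernel drop reasons that mention either endpoint.
    fw ctl zdebug + drop 2>&1 | grep -e "$src" -e "$dst" > "$out/zdebug_drop.txt" &
    drop_pid=$!
    # Which SD-WAN rule the connection was matched against.
    fw ctl zdebug -m SDWANRB + all 2>&1 | grep PROB > "$out/zdebug_sdwanrb.txt" &
    sdwan_pid=$!

    echo "Captures running. Initiate the connection $src -> $dst now, then press Enter."
    read _ignored
    # Must run while the connection is still open.
    vpn tu conn "$src" - "$dst" - - > "$out/vpn_tu_conn.txt" 2>&1

    # $! of a background pipeline is its last stage (grep); zdebug ends on its next write.
    kill "$mon_pid" "$drop_pid" "$sdwan_pid" 2>/dev/null
    # Make sure no kernel debug flags are left set if a zdebug did not exit cleanly.
    fw ctl debug 0 >/dev/null 2>&1
    echo "Outputs written to $out; collect the same set on the peer gateway."
}

# Only capture when invoked as: sh sdwan_capture.sh run <client-ip> <server-ip> [outdir]
if [ "${1:-}" = run ]; then
    collect "$2" "$3" "$4"
fi
```

Run it on both gateways for the same client/server pair and compare: if the packet shows in fw monitor on the gateway facing the client but never reaches the peer's capture, the drop output and the SDWANRB match on that first gateway are where to look.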
the_rock
MVP Platinum

I have access from Perimeter 81 (SASE) to a CP on-prem and Azure cluster; mind you, it is route-based.

Best,
Andy
0 Kudos
cjames88
Explorer

This is a pretty different scenario. This is Check Point to Check Point VPN with SD-WAN running on the appliance. As best we can tell, SD-WAN isn't letting traffic be sent across the tunnels.

0 Kudos
the_rock
MVP Platinum

Some questions:

1) Is the tunnel up?

2) If yes to 1, is it ONLY failing one way?

3) If no to 1, which phase does it fail on, phase 1 or 2?

4) Did you run fw monitor/tcpdump/zdebug to see why it fails?

Best,
Andy
0 Kudos
cjames88
Explorer

Mostly yes to all of the above. SD-WAN sees the tunnel as up. At times during testing we've been able to get traffic one way and not the other. At other times, no traffic, period. The monitor commands do not show why it's not being encrypted. As best we can tell, SD-WAN is simply not sending the traffic across the tunnel. We can see in the SD-WAN dashboard that traffic isn't even hitting the steering object, despite having the rules from the guide in place.

0 Kudos
the_rock
MVP Platinum

Fair enough, that's good info to go on. Follow-up question: how is the Tunnel Management tab set in the VPN community in SmartConsole? I ask this because it is 100% relevant; the reason I say that is that if you have a mix of hosts/subnets in the encryption domain, it would change which option to select.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

@cjames88 

And also, how is link selection set?

Best,
Andy
0 Kudos
