Hi
Thank you both for your replies!
The reason I am trying to put st0.0 and st0.1 in two different zones is because I want to simulate a scenario where you have multiple subnets behind the SRX and a single subnet behind the ASA, without using a policy-based VPN or NHTB.
Thus, I created a routing instance and a filter.
When I ping from the SRX side to the ASA side, it works from both hosts behind the SRX and I can successfully ping the host behind the ASA. If I understand correctly, this is happening because the SRX already knows about the session, since it was initiated from the SRX side, and so return traffic gets handled correctly.
sadm@SRX240# run show security flow session
Session ID: 70780, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.102.8.126/4933 --> 10.102.100.115/22;tcp, If: ge-0/0/15.0, Pkts: 2468, Bytes: 123580
Out: 10.102.100.115/22 --> 10.102.8.126/4933;tcp, If: .local..0, Pkts: 3543, Bytes: 790045
Session ID: 107460, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.102.8.126/2490 --> 10.102.100.115/22;tcp, If: ge-0/0/15.0, Pkts: 632, Bytes: 44580
Out: 10.102.100.115/22 --> 10.102.8.126/2490;tcp, If: .local..0, Pkts: 490, Bytes: 60533
Session ID: 109957, Policy name: inbound/5, Timeout: 2, Valid
In: 172.16.130.150/4 --> 172.19.22.51/64782;icmp, If: st0.1, Pkts: 1, Bytes: 84
Out: 172.19.22.51/64782 --> 172.16.130.150/4;icmp, If: ge-0/0/14.0, Pkts: 1, Bytes: 84
The above sessions show nothing for 172.19.22.50. However, on the ASA I see an equal number of encaps/decaps when I look at the Phase 2 SA associated with the 172.19.22.50 IP (when pinging from the ASA host to the 22.50 host), which is really confusing.
tcpdump on 172.19.22.50 shows no ICMP packets hitting it.
As seen here, in "In: 172.16.130.150/4 --> 172.19.22.51/64782;icmp, If: st0.1, Pkts: 1, Bytes: 84" the packet is incoming on st0.1, so similarly for 172.19.22.50 it should come in on st0.0 and the reverse route check shouldn't fail?
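An added example (my own code, not from the original post or from Juniper) for doing the check in the post mechanically: it parses the `show security flow session` output quoted above and reports, per host, which interface the matching sessions are entering on, so "nothing for 172.19.22.50" can be verified against the session table rather than eyeballed, and the same script can be run again after the tunnel is rebuilt. The sample text is the session listing from the post; the function names, the dataclasses and the `st0.` prefix test are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Session header, e.g.
#   Session ID: 109957, Policy name: inbound/5, Timeout: 2, Valid
SESSION_RE = re.compile(
    r"^Session ID:\s*(\d+),\s*Policy name:\s*(\S+),\s*Timeout:\s*(\d+),\s*(\w+)"
)
# Session wing, e.g.
#   In: 172.16.130.150/4 --> 172.19.22.51/64782;icmp, If: st0.1, Pkts: 1, Bytes: 84
WING_RE = re.compile(
    r"^(In|Out):\s*(\S+?)/(\d+)\s*-->\s*(\S+?)/(\d+);(\w+),"
    r"\s*If:\s*(\S+?),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)"
)


@dataclass
class Wing:
    direction: str  # "In" or "Out"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: list = field(default_factory=list)


def parse_flow_sessions(text):
    """Parse 'show security flow session' output into Session objects."""
    sessions = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = Session(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur.wings.append(Wing(m.group(1), m.group(2), int(m.group(3)),
                                  m.group(4), int(m.group(5)), m.group(6),
                                  m.group(7), int(m.group(8)), int(m.group(9))))
    return sessions


def sessions_for_host(sessions, host):
    """Sessions in which `host` is the source or destination of any wing."""
    return [s for s in sessions if any(host in (w.src, w.dst) for w in s.wings)]


def ingress_interfaces(sessions):
    """Map each In-wing interface to the session IDs entering on it."""
    by_iface = {}
    for s in sessions:
        for w in s.wings:
            if w.direction == "In":
                by_iface.setdefault(w.iface, []).append(s.sid)
    return by_iface


def tunnel_ingress(sessions, host):
    """Set of st0.* interfaces on which sessions involving `host` enter.

    An empty set means the flow table holds no session for that host on any
    tunnel interface, which is the observation in the post for 172.19.22.50."""
    return {w.iface for s in sessions_for_host(sessions, host)
            for w in s.wings if w.direction == "In" and w.iface.startswith("st0.")}


# Session listing copied from the post (constructed sample input for this script).
SAMPLE = """\
Session ID: 70780, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.102.8.126/4933 --> 10.102.100.115/22;tcp, If: ge-0/0/15.0, Pkts: 2468, Bytes: 123580
Out: 10.102.100.115/22 --> 10.102.8.126/4933;tcp, If: .local..0, Pkts: 3543, Bytes: 790045
Session ID: 107460, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.102.8.126/2490 --> 10.102.100.115/22;tcp, If: ge-0/0/15.0, Pkts: 632, Bytes: 44580
Out: 10.102.100.115/22 --> 10.102.8.126/2490;tcp, If: .local..0, Pkts: 490, Bytes: 60533
Session ID: 109957, Policy name: inbound/5, Timeout: 2, Valid
In: 172.16.130.150/4 --> 172.19.22.51/64782;icmp, If: st0.1, Pkts: 1, Bytes: 84
Out: 172.19.22.51/64782 --> 172.16.130.150/4;icmp, If: ge-0/0/14.0, Pkts: 1, Bytes: 84
"""

if __name__ == "__main__":
    sessions = parse_flow_sessions(SAMPLE)
    print("ingress interfaces:", ingress_interfaces(sessions))
    for host in ("172.19.22.51", "172.19.22.50"):
        print(host, "enters on", tunnel_ingress(sessions, host) or "no tunnel session")
```

Run it against a fresh capture of `run show security flow session` pasted into `SAMPLE` (or read from a file); a host that shows a Phase 2 SA on the ASA side but returns an empty set here is being decrypted on a different st0 unit, or dropped before a session is created, and that is the thing to look at with `set security flow traceoptions` rather than the session table.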