Screen OS

  • 1.  Policy-based VPN challenge - Multi-line policy not working

    Posted 11-09-2009 04:39

    I've been trying the following scenario in my lab: the VPN is up and I see the logs on peer A, but no log or reply from peer B.


    Configs:


    Peer A

        ID From     To       Src-address  Dst-address  Service Action State  
        11 Trust    Untrust  192.168.3.0~ 192.168.10.~ PING    Tunnel enabled
                                          192.168.2.0~

    Peer B

        ID From     To       Src-address  Dst-address  Service Action State  
         4 Untrust  Trust    192.168.3.0~ 192.168.10.~ PING    Tunnel enabled
                                          192.168.2.0~
    get sa (Peer A)

    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys

    00000007<  BBBBBBBBBBB  500 esp:a128/sha1 8fb8ba70  2653 unlim A/-    -1 0
    00000007>  BBBBBBBBBBB  500 esp:a128/sha1 92f9d192  2653 unlim A/-    11 0
    (peer B)

    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys

    00000017<  AAAAAAAAAAAAAA  500 esp:a128/sha1 92f9d192  2526 unlim A/-    -1 0
    00000017>  AAAAAAAAAAAAAA  500 esp:a128/sha1 8fb8ba70  2526 unlim A/-     3 0

    get db str (Peer A)

    ****** 1450076.0: <Trust/ethernet0/1> packet received [60]******
      ipid = 20687(50cf), @03988770
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/1:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/1>, out <N/A>
      [ Dest] 12.route 192.168.3.2->0.0.0.0, to ethernet0/1
      chose interface ethernet0/1 as incoming nat if.
      flow_first_routing: in <ethernet0/1>, out <N/A>
      search route to (ethernet0/1, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 11.route 192.168.2.2->GWAAAAAAAA, to ethernet0/0
      routed (x_dst_ip 192.168.2.2) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 11/0/0x49
      Permitted by policy 11
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/1>, out <ethernet0/0>
      existing vector list 5-4ff6134.
      Session (id:8045) created for first pak 5
      flow_first_install_session======>
      handle cleartext reverse route
      search route to (ethernet0/0, 192.168.2.2->192.168.3.2) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/1
      [ Dest] 12.route 192.168.3.2->192.168.3.2, to ethernet0/1
      route to 192.168.3.2
      arp entry found for 192.168.3.2
      ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 8045
      flow_main_body_vector in ifp ethernet0/1 out ifp ethernet0/0
      flow vector index 0x5, vector addr 0x20b7680, orig vector 0x20b7680
      post addr xlation: 192.168.3.2->192.168.2.2.
      going into tunnel 40000007.
      flow_encrypt: pipeline.
    chip info: PIO. Tunnel id 00000007
    (vn2)  doing ESP encryption and size =64
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
    ipsec encrypt done
            put packet(3c33030) into flush queue.
            remove packet(3c33030) out from flush queue.

    **** jump to packet:AAAAAAAAAAAA->BBBBBBBBBBBBBBB
      packet encapsulated, type=ipsec, len=120
      ipid = 42890(a78a), @03988744
      out encryption tunnel 40000007 gw:BBBBBBBBBBBBB
      no more encapping needed
      send out through normal path.
      flow_ip_send: a78a:AAAAAAAAAAAAAA->BBBBBBBBBBB,50 => ethernet0/0(120) flag 0x20, vlan 0
      mac 0019e2e3dfc0 in session
      packet send out to 0019e2e3dfc0 through ethernet0/0
      **** pak processing end.

    (peer B)

    ****** 917489.0: <Untrust/ethernet0/0> packet received [120]******
      ipid = 42890(a78a), @0387b270
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:AAAAAAAAAAAAA/37625->BBBBBBBBBBBB/53650,50<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 8055
      flow_decrypt: 33ca708(b),   flow_decrypt: 33ca708(b)pipeline.
      IPv4 encrypted pak.
      Dec: SPI = 92f9d192, Data Len = 120
      SA tunnel id=0x00000017, flag<02400063>
      chip info: PIO. Tunnel id 00000017
      ipsec decrypt prepare done
    ipsec decrypt set engine done
      auth check pass!
    ipsec decrypt engine released
      packet is decrypted
      ipsec decrypt done
            put packet(3c33030) into flush queue.
            remove packet(3c33030) out from flush queue.

    **** jump to packet:192.168.3.2->192.168.2.2
      flow_decap_vector IPv4 process
      packet decapsulated, type=ipsec, len=60
      ipid = 20687(50cf), @0387b270
      ethernet0/0:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 10.route 192.168.2.2->192.168.2.2, to ethernet0/1
      routed (x_dst_ip 192.168.2.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
     policy_flow_search  in tunnel
      VPN policy= -99: szone 1 dzone 2 pid -99 ports 8008553 iphdr 387b270
      **** pak processing end.

    Does anyone have a clue?

    Thanks in advance,

    Michel


    #policy
    #screenos
    #vpn
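The two traces above contain everything needed to localise the fault: peer A permits the ping by policy 11 and encrypts it into tunnel 00000007; peer B decrypts the ESP packet (SPI 92f9d192 on SA tunnel 00000017) without error, and only then drops the inner packet with "VPN policy= -99", meaning the policy search inside the tunnel found no matching tunnel policy. The IKE and SA layers are therefore healthy and the problem is on the policy layer of peer B. The following is an added example, not code from the thread or from Juniper: a small Python parser that pulls those decision points out of a "get db str" trace and correlates both ends. The trace samples are constructed, trimmed excerpts of the output quoted in the post, and the regular expressions are keyed on the exact strings that appear in it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, trimmed excerpts of the "get db str" traces quoted in the post
# (peer A encrypting the ping, peer B decrypting it). Only the decision lines
# the parser keys on are kept, so these are not complete captures.
PEER_A_TRACE = """\
****** 1450076.0: <Trust/ethernet0/1> packet received [60]******
  ethernet0/1:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
  no session found
  policy search from zone 2-> zone 1
swrs_search_ip: policy matched id/idx/action = 11/0/0x49
  Permitted by policy 11
  Session (id:8045) created for first pak 5
  going into tunnel 40000007.
  packet encapsulated, type=ipsec, len=120
  **** pak processing end.
"""

PEER_B_TRACE = """\
****** 917489.0: <Untrust/ethernet0/0> packet received [120]******
  ethernet0/0:AAAAAAAAAAAAA/37625->BBBBBBBBBBBB/53650,50<Root>
  existing session found. sess token 4
  Dec: SPI = 92f9d192, Data Len = 120
  SA tunnel id=0x00000017, flag<02400063>
  packet decapsulated, type=ipsec, len=60
  ethernet0/0:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
  no session found
  policy search from zone 1-> zone 2
 policy_flow_search  in tunnel
  VPN policy= -99: szone 1 dzone 2 pid -99 ports 8008553 iphdr 387b270
  **** pak processing end.
"""

# Patterns keyed on the literal strings ScreenOS prints in the trace.
RECEIVED = re.compile(r"^\*{6} [\d.]+: <([^/]+)/([^>]+)> packet received")
FLOW = re.compile(r"^[\w/]+:(\S+?)/\d+->(\S+?)/\d+,(\d+)")   # ifp:src/port->dst/port,proto
PERMIT = re.compile(r"^Permitted by policy (\d+)")
ENC_TUNNEL = re.compile(r"^going into tunnel ([0-9a-f]+)")
DEC_SPI = re.compile(r"^Dec: SPI = ([0-9a-f]+)")
SA_TUNNEL = re.compile(r"^SA tunnel id=0x([0-9a-f]+)")
VPN_FAIL = re.compile(r"^VPN policy= -99")


@dataclass
class FlowTrace:
    """Decision points pulled from one packet's ScreenOS flow trace."""
    in_zone: Optional[str] = None
    in_if: Optional[str] = None
    esp_seen: bool = False                 # an outer ESP (proto 50) flow line was present
    cleartext_flow: Optional[str] = None   # inner src->dst (before encap / after decap)
    permitted_policy: Optional[int] = None
    encrypt_tunnel: Optional[str] = None
    decrypt_spi: Optional[str] = None
    sa_tunnel: Optional[str] = None
    tunnel_policy_failed: bool = False     # "VPN policy= -99" after the in-tunnel search


def parse_trace(text: str) -> FlowTrace:
    """Walk the trace line by line and record the decisions that matter."""
    t = FlowTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RECEIVED.match(line):
            t.in_zone, t.in_if = m.group(1), m.group(2)
        elif m := FLOW.match(line):
            if m.group(3) == "50":
                t.esp_seen = True
            else:
                t.cleartext_flow = f"{m.group(1)}->{m.group(2)}"
        elif m := PERMIT.match(line):
            t.permitted_policy = int(m.group(1))
        elif m := ENC_TUNNEL.match(line):
            t.encrypt_tunnel = m.group(1)
        elif m := DEC_SPI.match(line):
            t.decrypt_spi = m.group(1)
        elif m := SA_TUNNEL.match(line):
            t.sa_tunnel = m.group(1)
        elif VPN_FAIL.match(line):
            t.tunnel_policy_failed = True
    return t


def drop_stage(t: FlowTrace) -> str:
    """Where this packet stopped: 'tunnel-policy', 'forwarded' or 'unknown'."""
    if t.tunnel_policy_failed:
        return "tunnel-policy"
    if t.permitted_policy is not None or t.encrypt_tunnel:
        return "forwarded"
    return "unknown"


def diagnose(sender: FlowTrace, receiver: FlowTrace) -> List[str]:
    """Correlate both ends of the tunnel and explain which layer is at fault."""
    findings = []
    if sender.encrypt_tunnel:
        findings.append(
            f"sender: {sender.cleartext_flow} permitted by policy "
            f"{sender.permitted_policy}, encrypted into tunnel {sender.encrypt_tunnel}")
    if receiver.decrypt_spi and receiver.sa_tunnel:
        findings.append(
            f"receiver: ESP decrypted with SPI {receiver.decrypt_spi} on SA tunnel "
            f"{receiver.sa_tunnel}; IKE and the SA pair are fine")
    if drop_stage(receiver) == "tunnel-policy":
        findings.append(
            f"receiver: inner packet {receiver.cleartext_flow} dropped because no "
            "tunnel policy matched it (VPN policy= -99); review the receiver's VPN policy")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(PEER_A_TRACE), parse_trace(PEER_B_TRACE)):
        print(finding)
```

Run stand-alone, it prints three findings that end with the receiver-side policy drop. The useful point for anyone debugging a policy-based VPN is the ordering the parser makes explicit: a successful "Dec: SPI" and "auth check pass" followed by "VPN policy= -99" rules out IKE, proposals and SA lifetimes, and points squarely at the tunnel policy on the receiving peer.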


  • 2.  RE: Policy-based VPN challenge - Multi-line policy not working
    Best Answer

    Posted 11-09-2009 09:42

    Found the solution: just put the networks in a group and use that group in the policy.