The site-to-site IPsec VPN tunnel is up, but the two sites cannot communicate with each other.
When pinging the other site's private range there is no reply.
1- Checked all of the IPsec configuration; it was OK.
2- Checked the VPN diagnostics on the USG; there were no related errors.
3- When reviewing the full diagnostic information and inspecting the selected private traffic that should pass through the tunnel, noticed the following:
-- There were two NAT policies: the first performs PAT and the second has the action "no NAT" (as we know, IPsec interested traffic should not be NATed).
-- However, while the second policy contains the source and destination of the IPsec interested private traffic, the first policy also contains the source of our local private range with the action "perform PAT". As a result, the traffic does not pass through the tunnel.
4- After rearranging the order of the NAT policies the issue was resolved and the interested traffic started to pass through.
Root cause: mis-ordered NAT policies.
- Rearrange the NAT policies so that the "no NAT" policy for the IPsec interested traffic is matched before the PAT policy.
- The interested private traffic should not be NATed, to avoid such issues.
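To make the ordering problem concrete, here is a small constructed model of how a first-match NAT policy list is evaluated before the packet is checked against the tunnel's interested traffic. This is an added example, not Zyxel USG code or configuration; the networks, the WAN address and the policy names are assumptions chosen for illustration, and it assumes top-down first-match evaluation, which is what the reordering fix in the post relies on. With the PAT policy listed first, a packet from the local range is translated to the WAN address and no longer looks like interested traffic; with the "no NAT" policy first, it passes untouched and the PAT policy still serves ordinary Internet-bound traffic.

```python
"""Constructed model of first-match NAT policy ordering (added example).

Not Zyxel USG code. Addresses and policy names are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the two sites and the local WAN address.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # our private range
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")  # other site's private range
ANY = ipaddress.ip_network("0.0.0.0/0")
WAN_IP = ipaddress.ip_address("203.0.113.10")        # PAT source address


@dataclass(frozen=True)
class NatPolicy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "pat" or "no_nat"


# The two policies described in the post (names are assumed).
PAT_RULE = NatPolicy("pat-outbound", LOCAL_LAN, ANY, "pat")
NO_NAT_RULE = NatPolicy("ipsec-no-nat", LOCAL_LAN, REMOTE_LAN, "no_nat")

BROKEN_ORDER = [PAT_RULE, NO_NAT_RULE]  # PAT wins for LAN -> remote LAN
FIXED_ORDER = [NO_NAT_RULE, PAT_RULE]   # no-NAT wins, PAT still covers the rest


def first_match(policies, src, dst):
    """Return the first policy whose source and destination both match."""
    for p in policies:
        if src in p.src and dst in p.dst:
            return p
    return None


def apply_nat(policies, src, dst):
    """Return the source address the packet carries after NAT processing."""
    p = first_match(policies, src, dst)
    if p is None or p.action == "no_nat":
        return src
    return WAN_IP  # PAT rewrites the private source to the WAN address


def enters_tunnel(policies, src, dst):
    """Interested traffic is LOCAL_LAN -> REMOTE_LAN as seen after NAT.

    Once PAT has replaced the private source with the WAN address the packet
    no longer matches the tunnel's local network, so it is routed out the WAN
    in the clear instead of being encrypted.
    """
    return apply_nat(policies, src, dst) in LOCAL_LAN and dst in REMOTE_LAN


def diagnose(policies, src, dst):
    """Return (matched policy, post-NAT source, enters tunnel) for a packet."""
    p = first_match(policies, src, dst)
    return (p.name if p else None, str(apply_nat(policies, src, dst)),
            enters_tunnel(policies, src, dst))


if __name__ == "__main__":
    host = ipaddress.ip_address("192.168.1.50")
    peer = ipaddress.ip_address("192.168.2.50")
    internet = ipaddress.ip_address("198.51.100.7")
    print("broken:", diagnose(BROKEN_ORDER, host, peer))
    print("fixed: ", diagnose(FIXED_ORDER, host, peer))
    print("fixed, internet-bound:", diagnose(FIXED_ORDER, host, internet))
```

Run it and compare the two orderings: the same LAN-to-remote-LAN packet matches `pat-outbound` and leaves with the WAN source under the broken order, and matches `ipsec-no-nat` and keeps its private source under the fixed order. The last line shows that moving the "no NAT" policy above the PAT policy does not break normal Internet access, because the narrower source/destination pair of the no-NAT policy only captures the tunnel's interested traffic.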