I don't think I understand the network topology. But the problem appears to be asymmetrical routing.
****** 20950878.0: <Trust/redundant1> packet received [60]****** ipid = 6675(1a13), @1d6f7114 packet passed sanity check. flow_decap_vector IPv4 process redundant1:171.7x.13x.30/5331->172.23.25.11/1,1(8/0)<Root> no session found flow_first_sanity_check: in <redundant1>, out <N/A> [ Dest] 10684.route 171.7x.13x.30->0.0.0.0, to tunnel.3 packet dropped, drop by spoofing check.
This shows the packet arriving on redundant1 interface, but the route for the ip address points to the tunnel.3 interface.
So the SSG assumes the route is correct and therefore the ip address is a spoof and not from the real source.
You will need to eliminate the asymmetrical routing and have the return path the same as the ingress to no longer hit that filter.