Hello panita,

Destination-based routes were set in the two spoke firewalls. Both routes point to the other spoke's subnet and use the tunnel interface.

Without those routes, I think those ping traffic records wouldn't show in the log.

But when I use tracert/pathping on the workstation (at spokeA), the 1st hop goes to the gateway (spokeA), the 2nd hop goes to the public IP of the hub, and then everything times out starting from the 3rd hop.

Tracert/pathping show that the ping never reaches the other side (spokeB). Why can the spokeB firewall detect the ping from spokeA and show it in the traffic log?

This situation happens on both spokes (the SSG and the PA device). When the SSG side pings the PA, the PA has a record. When the PA side pings the SSG, the SSG has a record too.

About NAT: this is what my subject line refers to. Does a hub-and-spoke VPN scenario really need a NAT policy?