Hello spuluka,
I tried a simpler test without the workstations involved. I pinged each other's gateway IPs at both spokes.
The status of "Close Reason" in the policy log of ScreenOS makes me doubt whether the ping actually failed.
When pinging from the spokes to the hub (success), the "Close Reason" is "Close - RESP".
When pinging between the 2 spokes (timed out), the "Close Reason" is "Close - AGE OUT".
Does "AGE OUT" mean timed out?
I am studying how to use "snoop" and will try to capture the packets in ScreenOS.
In the meantime, I captured the packets (pcap) on the Palo Alto.
When pinging from the SSG (spokeA 192.168.1.1) to the PA (spokeB 172.16.2.254), the PA detects the ping request and replies:
1 0.000000 192.168.1.1 172.16.2.254 ICMP 142 Echo (ping) request id=0x0400, seq=46236/40116, ttl=62 (reply in 2)
2 0.000152 172.16.2.254 192.168.1.1 ICMP 146 Echo (ping) reply id=0x0400, seq=46236/40116, ttl=64 (request in 1)
When pinging from the PA (spokeB 172.16.2.254) to the SSG (spokeA 192.168.1.1), the PA shows no response found:
1 0.000000 172.16.2.254 192.168.1.1 ICMP 102 Echo (ping) request id=0x119e, seq=1/256, ttl=64 (no response found!)