Found the solution for the last issue.
In Palo Alto. Beside of routing and security policies. There is a "Policy Based Forwarding" setting. This determine the traffic from differnet zones use the designate interface to the destination.
Since the problem was the ping (reply) from spokeB(PA) back to spokeA(SSG) were drop. Found that the "Policy Based Forwarding" source zone - "172.16.2.0" to destination subnet - "192.168.1.0" was missing.
Add "192.168.1.0" in destination list of this policy solve the problem.
Thanks for telling me to check the packet trace, then the direction policy. I rely on these 2 things to make the hub and spoke work.
Confirm hairpin NAT is not necessary too.