Hi Damien,
The debug log - is it complete or truncated in between? The packet is not triggering VIP lookup.
But anyhow, the flow will fail because reverse-route validation will fail, in turn triggering IP spoof protection.
This is because the Source IPs are from the internet and they reach the FW on e3. But the reverse route lookup will pull the e4 route as the active route. So, the firewall will classify these packets as 'IP spoof' packets and drop them.
You can either:
1. If e3 and e4 are in the same zone, enable spoof protection on zone level, rather than interface level (not sure if it is available on older firmware, given that you have an NS-25) or
2. Disable spoof protection on the e3 zone and test once
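
The reverse-route check described in the reply above, as an added example that is not part of the original post and is not the firewall's own code: a simplified Python model comparing interface-level, zone-level and disabled spoof checks. Interface names e3 and e4 come from the post; the zone names, the e1 interface, the prefixes and the route metrics are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int  # lower metric wins among equal-length prefixes

# Constructed sample data: e3/e4 are from the post; everything else is assumed.
ZONES = {"e1": "Trust", "e3": "Untrust", "e4": "Untrust"}
ROUTES = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "e1", 0),
    Route(ipaddress.ip_network("0.0.0.0/0"), "e3", 20),
    Route(ipaddress.ip_network("0.0.0.0/0"), "e4", 10),  # preferred default
]

def active_route(src, routes=ROUTES):
    """Route the firewall would use to send traffic back to src."""
    addr = ipaddress.ip_address(src)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    # Longest prefix first, then lowest metric.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

def spoof_check(src, ingress, mode, routes=ROUTES, zones=ZONES):
    """Return 'pass' or 'drop' for a packet from src arriving on ingress.

    mode 'interface': reverse route must point out the ingress interface.
    mode 'zone':      reverse route must point into the ingress zone.
    mode 'off':       no reverse-route validation.
    """
    if mode == "off":
        return "pass"
    if mode not in ("interface", "zone"):
        raise ValueError(f"unknown mode: {mode}")
    route = active_route(src, routes)
    if route is None:
        return "drop"  # no route back to the source at all
    if mode == "interface":
        ok = route.interface == ingress
    else:
        ok = zones[route.interface] == zones[ingress]
    return "pass" if ok else "drop"

if __name__ == "__main__":
    for mode in ("interface", "zone", "off"):
        # Internet source arriving on e3 while e4 holds the active default route.
        print(mode, spoof_check("203.0.113.10", "e3", mode))
```

In this model the zone-level check still drops a packet that claims a Trust-side source but arrives on e3, which is the protection that option 2 gives up.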