VMware Networking Community
BlackBurn1983
Contributor

NSX-T redirection of traffic to SVM fails on segment with multiple VLANs configured

We have an environment completely backed by VLAN-based segments (no overlay); the overlay is only used for the service VMs.
These service VMs are Palo Alto Network firewalls we use for E/W security.

When we create a redirection rule between VMs which live on segments with just a single VLAN configured, everything works fine.
However, if one of the VMs lives in a segment with multiple VLANs configured, the communication fails as soon as the redirection rule is activated.


When I look in `/var/log/dfwpktlogs.log`:

2022-08-26T11:50:08.393Z f62c7965 INET match PBR 2033 OUT 84 ICMP 10.123.10.11->10.123.20.21  FG 0 SFG 0 FID 469762176 SCID 2 V 1 FA 1 |FWD: 00:50:56:bf:ab:d6 SI 1 SPI 9 TTL 2 |REV 00:50:56:bf:ab:d6 SI 1 SPI 10 TTL 2
2022-08-26T11:50:08.394Z 9d19be69 INET match PBR 2033 IN 84 ICMP 10.123.10.11->10.123.20.21  FG 0 SFG 0 FID 167772288 SCID 2 V 1 FA 1 |FWD: 00:50:56:bf:ab:d6 SI 1 SPI 9 TTL 2 |REV 00:50:56:bf:ab:d6 SI 1 SPI 10 TTL 2

I immediately get these lines when I start a ping.

I also see the traffic as allowed in the firewall, and a packet capture on both the receiving and the transmitting side shows the packets; there are no drops.

When I do a packet capture on the ingress interface of the VM it is empty.

It looks like the flow is interrupted between the egress of the firewall and the ingress of the VM.

In this example 10.123.10.11 is placed in a redirection rule; IP 10.123.20.21 lives on a segment with multiple VLANs.

VM (10.123.10.11) -OUT-> SVM -> Router (physical) -IN-> SVM -> VM (10.123.20.21)

It feels like it is failing on the last arrow.

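One triage step that helps with log lines like the ones in the post is to group the dfwpktlogs `match PBR` entries per flow and check on which side (OUT at the sender's port, IN at the receiver's port) the redirect was logged; a flow logged on only one side points at the other leg. This is an added example, not code from the post or from VMware; the name `port` for the hex token after the timestamp is an assumption, and the third sample line is a constructed, hypothetical flow.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's dfwpktlogs lines; the third
# line is a hypothetical flow that was only logged on the OUT side.
SAMPLE_LOG = """\
2022-08-26T11:50:08.393Z f62c7965 INET match PBR 2033 OUT 84 ICMP 10.123.10.11->10.123.20.21  FG 0 SFG 0 FID 469762176 SCID 2 V 1 FA 1 |FWD: 00:50:56:bf:ab:d6 SI 1 SPI 9 TTL 2 |REV 00:50:56:bf:ab:d6 SI 1 SPI 10 TTL 2
2022-08-26T11:50:08.394Z 9d19be69 INET match PBR 2033 IN 84 ICMP 10.123.10.11->10.123.20.21  FG 0 SFG 0 FID 167772288 SCID 2 V 1 FA 1 |FWD: 00:50:56:bf:ab:d6 SI 1 SPI 9 TTL 2 |REV 00:50:56:bf:ab:d6 SI 1 SPI 10 TTL 2
2022-08-26T11:50:09.120Z 1a2b3c4d INET match PBR 2033 OUT 84 ICMP 10.123.10.11->10.123.30.5  FG 0 SFG 0 FID 469762177 SCID 2 V 1 FA 1 |FWD: 00:50:56:bf:ab:d6 SI 1 SPI 9 TTL 2 |REV 00:50:56:bf:ab:d6 SI 1 SPI 10 TTL 2
"""

# Fields we rely on: timestamp, a per-port hex id (name "port" is assumed),
# rule id, direction, length, protocol, src->dst and the FWD hop (MAC/SI/SPI).
PBR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<port>[0-9a-f]+) INET match PBR (?P<rule>\d+) "
    r"(?P<dir>IN|OUT) (?P<length>\d+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) .*?\|FWD: (?P<fwd_mac>[0-9a-f:]+) "
    r"SI (?P<si>\d+) SPI (?P<spi>\d+)"
)


def parse_pbr_line(line):
    """Return the fields of one 'match PBR' line, or None for any other line."""
    m = PBR_RE.match(line.strip())
    return m.groupdict() if m else None


def flow_directions(log_text):
    """Map each redirected flow (rule, proto, src, dst) to the set of
    directions (OUT at the sender's port, IN at the receiver's port)
    on which the DFW logged a PBR match."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_pbr_line(line)
        if rec:
            seen[(rec["rule"], rec["proto"], rec["src"], rec["dst"])].add(rec["dir"])
    return dict(seen)


def one_sided_flows(log_text):
    """Flows logged on only one side: the redirect hook on the other side
    never saw the packet, so that leg (SVM path, VLAN) is where to look."""
    return sorted(k for k, dirs in flow_directions(log_text).items() if len(dirs) == 1)


if __name__ == "__main__":
    for flow, dirs in flow_directions(SAMPLE_LOG).items():
        print(flow, sorted(dirs))
    print("one-sided:", one_sided_flows(SAMPLE_LOG))
```

For the post's own two lines the flow is logged both OUT and IN, which is consistent with the observation that the break sits after the receiving-side SVM rather than at either DFW hook.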