Symptom
ESP or UDP/4500 packets sent from one spoke site to another through a hub firewall appear in captures on the hub but never arrive at the remote device.
Conditions
ASA/FTD is configured to U-turn traffic from one spoke to another, both spokes terminate on the same hub external interface, and IPsec flow-offload is enabled (the default).
Packets arriving from an offloaded IPsec tunnel are lost after being forwarded into a non-offloaded IPsec tunnel.
An SA's "in use settings" line shows OFFLOADED when IPsec flow-offload is in use, for example:
in use settings ={L2L, Tunnel, IKEv2, CAN_BE_OFFLOADED, OFFLOADED, }
Workaround
1. Disable IPsec flow-offload with the command no flow-offload-ipsec, then restart the tunnels that were using flow offload.
2. Use only protocols that support IPsec flow-offload, i.e. IKEv2 only, so that every tunnel terminating on the hub is offloaded.
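To check whether a hub is in the affected state before choosing a workaround, the following added example (not Cisco's code or output) parses constructed sample text in the shape of the crypto SA listing quoted above and reports any interface that terminates both offloaded and non-offloaded tunnels. The interface, peer and SPI values are constructed; only the "in use settings" line format comes from the bug note.

```python
import re
from collections import defaultdict

# Constructed sample resembling a crypto SA listing. Peer .10 runs IKEv2 and is
# offloaded; peer .20 runs IKEv1 and is not. Both terminate on "outside".
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.10
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
           in use settings ={L2L, Tunnel, IKEv2, CAN_BE_OFFLOADED, OFFLOADED, }
      outbound esp sas:
        spi: 0x5E6F7A8B (1584757387)
           in use settings ={L2L, Tunnel, IKEv2, CAN_BE_OFFLOADED, OFFLOADED, }
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1
      current_peer: 198.51.100.20
      inbound esp sas:
        spi: 0x9C0D1E2F (2618236463)
           in use settings ={L2L, Tunnel, IKEv1, }
      outbound esp sas:
        spi: 0x3A4B5C6D (978017389)
           in use settings ={L2L, Tunnel, IKEv1, }
"""

def parse_sa_offload(output):
    """Map interface -> peer -> set of booleans, one per SA (True = OFFLOADED)."""
    result = defaultdict(lambda: defaultdict(set))
    interface = peer = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip()
        elif line.startswith("current_peer:"):
            peer = line.split(":", 1)[1].strip()
        elif line.startswith("in use settings"):
            # Flags sit between the braces as a comma-separated list
            # with a trailing comma, hence the filter on empty items.
            inner = re.search(r"\{(.*)\}", line).group(1)
            flags = {f.strip() for f in inner.split(",") if f.strip()}
            result[interface][peer].add("OFFLOADED" in flags)
    return result

def mixed_offload_interfaces(parsed):
    """Interfaces carrying both offloaded and non-offloaded tunnels: the
    condition under which spoke-to-spoke U-turn traffic is dropped."""
    return sorted(
        iface for iface, peers in parsed.items()
        if any(True in s for s in peers.values())
        and any(False in s for s in peers.values())
    )

if __name__ == "__main__":
    print(mixed_offload_interfaces(parse_sa_offload(SAMPLE_OUTPUT)))
```

An empty list means every tunnel on each interface shares the same offload state, so neither workaround is needed for this issue.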
Further Problem Description
This issue is not seen with AnyConnect sessions using TLS/SSL.