By default, the IDP has ARP spoof detection enabled, and thus the logs (ARP_TARGET_ HW _MISMATCH) will be implicitly dropped. To instead allow this traffic through, you must disable ARP spoof detection.
Juniper Networks FW/IPSec VPN platforms can be deployed in transparent mode in scenarios where there is asymmetric traffic, however asymmetric traffic in transparent mode is not support ed for HW sessions in ASIC-based systems such as ns5000 Series and ISG Series.
In the following config, slot 3 has a 10 gig card. Packet comes in on e2/1 and goes out of e3/2, and the reply comes back on e3/1. Debugs report st_ hw _proc_pak: mismatch chip, incoming 2, session 3 :
This can occur in relation to other messages in the syslog, such as one or more of the following: fpc1 PPE PPE HW Fault Trap: Count 17680, PC dc, 0x00dc: egress_proc_start 0x00dc: egress_proc_start fpc1 PPE PPE HW Fault Trap: Count 50086065588, PC 8f, 0x008f: load_stream_entry