By default, the IDP has ARP spoof detection enabled, and thus the traffic that generates the ARP_TARGET_HW_MISMATCH logs will be implicitly dropped. To instead allow this traffic through, you must disable ARP spoof detection.
Juniper Networks FW/IPSec VPN platforms can be deployed in transparent mode in scenarios where there is asymmetric traffic. However, asymmetric traffic in transparent mode is not supported for HW sessions in ASIC-based systems such as ns5000 Series and ISG Series.
In the following config, slot 3 has a 10 gig card. Packet comes in on e2/1 and goes out of e3/2, and the reply comes back on e3/1. Debugs report st_hw_proc_pak: mismatch chip, incoming 2, session 3: