v18 - cannot ping to XG from route based VPN

The VTI is located in Zone VPN. Is Ping allowed for VPN? 

Yes, ping is allowed on the XG on both sides.

Which IP do you try to ping? And is XG able to find a route for this IP? 

Check Diagnostic to find, if the XG1 is able to find a route to XG2. 

The IP of PortA on one of the XG. If I do a route lookup in XG2 for XG1's PortA IP address, it returns saying it is located in PortB instead of the VTI interface. If I create a static route for XG1's local subnet, route lookup in XG2 will return with the VTI interface. However ping still doesn't work.

I've tried the following route precedence:

SD-WAN policy route, VPN route, Static route. (initial value as I upgraded to v18)

Static route, SD-WAN policy route, VPN route.

Both system generated traffic and reply packet routing have been enabled. 

The IP of PortA on one of the XG. If I do a route lookup in XG2 for XG1's PortA IP address, it returns saying it is located in PortB instead of the VTI interface. If I create a static route for XG1's local subnet, route lookup in XG2 will return with the VTI interface. However ping still doesn't work.

I've tried the following route precedence:

SD-WAN policy route, VPN route, Static route. (initial value as I upgraded to v18)

Static route, SD-WAN policy route, VPN route.

Both system generated traffic and reply packet routing have been enabled. 

Try to perform a Packet Capture and check, which site is dropping the Traffic. 

CLI: Advanced Shell: drppkt | grep icmp 

I've opened two SSH sessions to each XG and on one session, I run packet capture using that command. I did the ping test from the second SSH session. Unfortunately the packet capture didn't show any result from either XG.

Could you show us the tcpdump of both appliance? 

So it turns out the XG is trying to reply to the ping using the WAN port instead of the xfrm port. If I add a static route pointing to the remote XG xfrm port IP address, ping now works. Issue seems to be with the SD WAN policy then as I have to use static routes to make things work.

I followed the Sophos Support YouTube video to create the route based VPN and SD WAN policy. Slight change that I did was that I left the incoming interface blank and I added the SSL and Sophos Connect subnets of each XG in source and destination. I have tried removing this and making it the same as in the video, however the ping issue occurs without static routes.

Resolution was to set the source network to any so that it would include traffic generated from the firewall itself.