Hi kleinhhl,
I hope you're doing well.
Thank you for providing the flow traces, that helps eliminate a lot of causes here.
So the policy lookup is accurately happening between VPN -> LAN, but the flow doesn't seem to think there's an existing policy that matches the IP addresses in question for the traffic.
Can you check if the source/destination/application contexts configured on your desired security policy in the VPN->LAN transit are correct? Especially, check whether there are NAT'd IPs specified here instead of the IP addresses the flow is reflecting just before the policy lookup.
The 2nd policy lookup occurs because the flow sees no match for VPN->LAN and goes on to check the global rules - which is the correct behavior if there isn't a match.
Chances are, your defined source/destination/application configuration on the security policy under VPN->LAN is different.
Could you please check, or alternatively paste this security policy configuration, along with the address set definitions, here for us?
Cheers
Pooja
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
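To make the lookup order described in the reply above concrete, here is an added example that is not part of the original post and is not Junos code: a small model of zone-pair policy evaluation followed by the global fallback, showing how a policy written against NAT'd addresses misses a flow that is evaluated on its pre-NAT addresses. The address sets, zone names, policy names and flow are all constructed.

```python
import ipaddress

# Constructed address-set definitions (hypothetical, not from any real config).
ADDRESS_BOOK = {
    "remote-site": ["10.10.0.0/16"],
    "lan-servers": ["192.168.1.0/24"],
    "lan-servers-nat": ["203.0.113.0/24"],  # translated (post-NAT) addresses
    "any": ["0.0.0.0/0"],
}

def in_set(ip, set_name):
    """True if ip falls inside any prefix of the named address set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[set_name])

def policy_matches(policy, flow):
    return (in_set(flow["src"], policy["src"])
            and in_set(flow["dst"], policy["dst"])
            and policy["app"] in ("any", flow["app"]))

def lookup(flow, zone_policies, global_policies):
    """Zone-pair policies first; only if none matches, fall through to global.
    Returns (stage, policy name) of the first match, or ("none", None)."""
    for pol in zone_policies.get((flow["from_zone"], flow["to_zone"]), []):
        if policy_matches(pol, flow):
            return ("zone-pair", pol["name"])
    for pol in global_policies:
        if policy_matches(pol, flow):
            return ("global", pol["name"])
    return ("none", None)

GLOBAL = [{"name": "global-deny", "src": "any", "dst": "any", "app": "any"}]

# Flow as the policy lookup sees it: pre-NAT addresses (constructed sample).
FLOW = {"from_zone": "VPN", "to_zone": "LAN",
        "src": "10.10.5.20", "dst": "192.168.1.10", "app": "junos-https"}

def misconfigured():
    # Destination written against the NAT'd set: no zone-pair match, so the
    # second (global) lookup happens and the flow lands on global-deny.
    zone = {("VPN", "LAN"): [{"name": "vpn-to-lan", "src": "remote-site",
                              "dst": "lan-servers-nat", "app": "junos-https"}]}
    return lookup(FLOW, zone, GLOBAL)

def corrected():
    # Destination written against the pre-NAT set: matched in the zone pair.
    zone = {("VPN", "LAN"): [{"name": "vpn-to-lan", "src": "remote-site",
                              "dst": "lan-servers", "app": "junos-https"}]}
    return lookup(FLOW, zone, GLOBAL)

if __name__ == "__main__":
    print(misconfigured())  # ('global', 'global-deny')
    print(corrected())      # ('zone-pair', 'vpn-to-lan')
```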