The NVS tunnel between the gateway and the checkpoint firewall will be up however, we will not see the bi-directional traffic in the gateway.

End point should be checkpoint firewall.

In the gateway we could see the packet coming in however, we will not see any response from the checkpoint firewall.

In the child SA we see the outbound packet counter will be incrementing. We also see multiple child sa for inbound and counter will be 0

The checkpoint firewall supports ISP redundancy where they can use both ISP link as a same link to establish the IPSEC tunnel. Which is not supported by the Velocloud.

Disabling the ISP redundancy in the checkpoint firewall will resolve the issue.