I will start by sharing the initial problem, and then, if needed, I can share all the config, because this does not sound like a problem with the config.
A key factor, I think, is that my WAN transport is already an IPsec tunnel between the two endpoints (SD-WAN).
The problem we are facing is that everything seems to be working fine, minus a very limited number of websites. The default route is being advertised over BGP as well, so all internet traffic goes via the hub. But in general we can ping everything. It is at a very early stage, so it is hard to say if everything else works, because there is not much else yet. I have seen some weird behavior deploying other stuff, so perhaps that traffic is also affected.
For example, Facebook works and Google does not.
A pcap on the tunnel interface, filtered on the IP of the website in question, showed that a lot of the return traffic is missing.
I do not have any MTU or MSS changes.
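Since the post describes an IPsec transport with no MTU or MSS changes, here is an added Python example (not from the original post) that estimates ESP tunnel-mode overhead and the TCP MSS that still fits a 1500-byte path; the cipher suites and their IV/ICV sizes are assumptions, as the post does not say what the SD-WAN tunnel uses.

```python
# Added example (not from the original post): estimate ESP tunnel-mode
# overhead and the TCP MSS that fits a given outer-link MTU. The cipher-suite
# parameters below are assumptions; the post does not state the SD-WAN suite.

IPV4_HDR = 20          # outer IPv4 header added by tunnel mode
UDP_HDR = 8            # UDP encapsulation when NAT-T is in use
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
TCP_IPV4_HDRS = 40     # inner IPv4 (20) + TCP (20) without options

# (IV length, pad alignment, ICV length) per suite, all in bytes (assumed).
SUITES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}

def esp_tunnel_size(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """Outer packet size when an inner IPv4 packet of inner_len bytes is
    ESP tunnel-mode encapsulated with the given suite."""
    iv_len, align, icv_len = SUITES[suite]
    # The ESP payload (inner packet + padding + trailer) is rounded up to
    # the cipher's alignment requirement.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    size = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HDR
    return size

def max_inner_len(mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet whose encapsulated form still fits in mtu."""
    # esp_tunnel_size is non-decreasing in inner_len, so the first size that
    # fits when walking down from mtu is the answer.
    for inner in range(mtu, 0, -1):
        if esp_tunnel_size(inner, suite, nat_t) <= mtu:
            return inner
    raise ValueError("mtu too small for any payload")

def recommended_mss(mtu: int, suite: str, nat_t: bool = False) -> int:
    """TCP MSS to clamp to so a full segment never needs fragmentation."""
    return max_inner_len(mtu, suite, nat_t) - TCP_IPV4_HDRS

if __name__ == "__main__":
    # A full 1500-byte inner packet no longer fits once encapsulated; servers
    # that send such packets with DF set and never see an ICMP "fragmentation
    # needed" reply simply lose that return traffic.
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:24s} nat_t={nat_t!s:5s} "
                  f"1500B inner -> {esp_tunnel_size(1500, suite, nat_t)}B outer, "
                  f"mss={recommended_mss(1500, suite, nat_t)}")
```

Clamping the MSS on the tunnel to the value printed for the suite in use avoids relying on ICMP path MTU discovery, which is often filtered on the internet side.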