The valid IP address of the NAT device was changed to a new IP, but traffic is still encrypted with the old SPIs that were associated with the previous IP before it was changed.
As a result, the reply packet from the Check Point Security Gateway is sent to the old "known" IP.
The entries in the orig_route_params table are not taken from the ARP table or the source, but from the MAC address that appears on the packet that the Security Gateway received from the peer. Accordingly, the table contains the real MAC address and not the VMAC that appears in the ARP table.
The entry in the orig_route_params table is not updated when only the next hop MAC is changed.