VPN kernel debug in CoreXL ('fw ctl debug -m VPN + multik tagging cluster') shows that much of the traffic is forwarded to the lowest CoreXL FW Instance #0, which is the only instance that processes VPN traffic (by design in R77.30 and lower):
;vpnk_multik_forward (in): checking if packet is vpn and should be forwarded to vpn instance
;vpnk_multik_forward (in): packet is forwarded to vpn instance (enc 0, decision 3, ipp XXX, sport XXX, dport XXX);
;vpn_get_peerGW_for_stickyDF_key_cpip: Clear packet that will encrypted at the outbound to the peer: X.X.X.X;
;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Other GW encdom', server location: 'Other GW encdom'
The IPSec VPN blade was enabled in the Security Gateway's object (and policy was installed), but the VPN encryption domain was not defined in the Security Gateway's object.
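
To measure how much traffic a saved debug file shows being sent to the VPN instance, the following added example (not Check Point code and not part of the original article) tallies the vpnk_multik_forward and vpn_inbound_tagging_ex lines in the format quoted above. The function name summarize and the sample input are constructed for illustration, and the enc and decision values are counted as they appear, without interpretation.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug lines quoted above (not real output).
SAMPLE = """\
;vpnk_multik_forward (in): checking if packet is vpn and should be forwarded to vpn instance
;vpnk_multik_forward (in): packet is forwarded to vpn instance (enc 0, decision 3, ipp 6, sport 40001, dport 443);
;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Other GW encdom', server location: 'Other GW encdom'
;vpnk_multik_forward (in): checking if packet is vpn and should be forwarded to vpn instance
;vpnk_multik_forward (in): packet is forwarded to vpn instance (enc 0, decision 3, ipp 17, sport 40002, dport 53);
;vpn_inbound_tagging_ex: AFTER considering comm-based domains, client location: 'Other GW encdom', server location: 'Other GW encdom'
;vpnk_multik_forward (in): checking if packet is vpn and should be forwarded to vpn instance
"""

CHECK = re.compile(r"vpnk_multik_forward \(\w+\): checking if packet is vpn")
FWD = re.compile(r"vpnk_multik_forward \(\w+\): packet is forwarded to vpn instance "
                 r"\(enc (\w+), decision (\w+), ipp (\w+), sport (\w+), dport (\w+)\)")
TAG = re.compile(r"vpn_inbound_tagging_ex: .*client location: '([^']*)', "
                 r"server location: '([^']*)'")

def summarize(text):
    """Tally checked packets, packets forwarded to the VPN instance, and tagging results."""
    s = {"checked": 0, "forwarded": 0, "decisions": Counter(),
         "dports": Counter(), "locations": Counter()}
    for line in text.splitlines():
        if CHECK.search(line):
            s["checked"] += 1
        elif (m := FWD.search(line)):
            s["forwarded"] += 1
            s["decisions"][m.group(2)] += 1   # raw decision value, not interpreted
            s["dports"][m.group(5)] += 1
        elif (m := TAG.search(line)):
            s["locations"][m.groups()] += 1   # (client location, server location)
    s["ratio"] = s["forwarded"] / s["checked"] if s["checked"] else 0.0
    return s

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(f"forwarded {r['forwarded']}/{r['checked']} ({r['ratio']:.0%})")
    for (client, server), n in r["locations"].most_common():
        print(f"{n:6d}  client={client!r} server={server!r}")
    for dport, n in r["dports"].most_common(5):
        print(f"{n:6d}  dport {dport}")
```

A high forwarded ratio together with many lines where both locations read 'Other GW encdom' matches the symptom described above.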