Hi nz_monkey,
I noticed a very common issue while doing this and managed to hack my way out of it, although it doesn’t feel ideal.
The SYN packet is received in the VRF, but the response was being sent via the main routing table for some reason and not using the VRF, which has the directly connected interface.
In the end I had to add a mangle rule in the output chain forcing traffic destined to the remote BGP peer to be placed in the VRF routing table.
This also required me to enable multi-hop on the BGP peer and everything started to work properly.
I see you mentioned you have this running without having to fiddle around with the mangle rule… I do have the instance set to the correct routing-mark and the peer in the right instance.
I’m curious how you got it working without the mangle rule; I think I might be missing something.