I found when i delete ike service on external interface (only keep ike on untrust zone) then can pass traffic. But traffic vpn is not stable, sometime ping miss package. When traffic down, i check flow session on branche
show security flow session destination-prefix 192.168.6.5
Session ID: 14513, Policy name: self-traffic-policy/1, Timeout: 56, Valid
In: 192.168.3.1/0 --> 192.168.6.5/7738;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 192.168.6.5/7738 --> 192.168.3.1/0;icmp, If: st0.0, Pkts: 0, Bytes: 0