Hi,
This is the setup I'm trying to achieve:
When an attack is detected, the scrubber announces via BGP to the router the attacked IP with:
1. Mask /32
2. BGP community XXXXX:667
3. Next-hop set to the scrubber.
The scrubber itself is a Linux based machine with L3 forwarding enabled. It has static routes to customers via eth4.
Here is a more detailed scheme when under attack:
Now, when there is an attack going to the customer having the IP 192.168.17.154, the router has the route 192.168.17.154/32 with next-hop the scrubber via ge-2/0/9.
The packet reaches the scrubber, passes the firewall and exits via the eth4 interface (because there is a static route).
When it enters the ge-2/0/10 interface on the router, it enters a routing instance that has a route 192.168.17.0/24 to the customer vlan.
That's how it should work. In real life, when the packet comes from the scrubber to the router, it goes back to the scrubber until the TTL expires (although there is no such route 192.168.17.154/32 in the table RI-DDOS-CLEAN.inet.0).
Here is the config:
# show routing-instances RI-DDOS-CLEAN
instance-type virtual-router;
interface ge-2/0/10.0;
routing-options {
    rib RI-DDOS-CLEAN.inet6.0 {
        static {
            route ::/0 discard;
        }
    }
    static {
        route 0.0.0.0/0 discard;
    }
    instance-import PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN;
}

# show policy-options policy-statement PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN
/* Reject all /32 prefixes having the XXXXX:667 community */
term diverted {
    from {
        instance master;
        community CM-DDOS-DIVERT;
    }
    then reject;
}
term ipv4 {
    from {
        instance master;
        route-filter 192.168.17.0/24 upto /32;
    }
    then accept;
}
term other {
    then reject;
}

# show interfaces ge-2/0/9
description "Scrubber - eth5";
unit 0 {
    family inet {
        address 10.10.102.1/24;
    }
}

# show interfaces ge-2/0/10
description "Scrubber - eth4";
unit 0 {
    family inet {
        address 10.10.103.1/24;
    }
}
Here are the routes:
> show route 192.168.17.154 table inet.0

inet.0: 24604 destinations, 72709 routes (24603 active, 0 holddown, 23785 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.17.154/32  *[BGP/170] 02:12:01, localpref 200, from 10.10.104.2
                      AS path: I, validation-state: unverified
                    > to 10.10.102.2 via ge-2/0/9.0

> show route 192.168.17.154 table RI-DDOS-CLEAN.inet.0

RI-DDOS-CLEAN.inet.0: 146 destinations, 146 routes (146 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.17.0/24    *[Direct/0] 01:14:28
                    > via vlan.105
Apparently, even though there is a direct route to 192.168.17.0/24 via vlan.105 in RI-DDOS-CLEAN.inet.0, the router uses the /32 route from the main table.
Can somebody explain why?
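An added example, not part of the post above and not Junos code: a small Python model of the import policy PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN followed by a longest-prefix-match lookup in the resulting table. It shows which master routes the policy, evaluated term by term exactly as written in the post, lets into RI-DDOS-CLEAN.inet.0, and which next-hop a lookup for 192.168.17.154 then selects in that table versus in inet.0. Assumptions: the community CM-DDOS-DIVERT expands to the divert community (its definition is not shown in the post; the value 65000:667 stands in for XXXXX:667 only because a numeric AS is needed), and the route list is constructed from the post's show-route output.

```python
"""Model of the instance-import policy and per-table longest-prefix lookup.

Added example, not the poster's configuration.  Assumptions are marked
inline; the routes below are constructed from the post's show-route output.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    protocol: str
    next_hop: str
    instance: str = "master"
    communities: frozenset = field(default_factory=frozenset)


# Assumption: CM-DDOS-DIVERT is XXXXX:667; 65000 stands in for the AS number.
CM_DDOS_DIVERT = "65000:667"
CUSTOMER_BLOCK = ipaddress.ip_network("192.168.17.0/24")


def route_filter_upto(route: Route, block: ipaddress.IPv4Network, upto: int) -> bool:
    """Junos 'route-filter <block> upto /N': prefix lies inside <block> and its
    length is between the block's own length and N (inclusive)."""
    net = ipaddress.ip_network(route.prefix)
    return net.subnet_of(block) and block.prefixlen <= net.prefixlen <= upto


def import_policy(route: Route) -> bool:
    """PS-IMPORT-FROM-MAIN-TO-DDOS-CLEAN, evaluated term by term as written."""
    # term diverted: a master route carrying the divert community is rejected.
    # Note the term has no route-filter, so it matches any prefix length,
    # not only /32s as the config comment suggests.
    if route.instance == "master" and CM_DDOS_DIVERT in route.communities:
        return False
    # term ipv4: master routes inside 192.168.17.0/24, /24 through /32, accepted.
    if route.instance == "master" and route_filter_upto(route, CUSTOMER_BLOCK, 32):
        return True
    # term other: everything else rejected.
    return False


def build_rib(master_routes):
    """Routes that the policy imports into RI-DDOS-CLEAN.inet.0."""
    return [r for r in master_routes if import_policy(r)]


def lookup(rib, address: str):
    """Longest-prefix match confined to a single table; None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


# Constructed from the post's 'show route' output (inet.0 plus its default).
MASTER_ROUTES = [
    Route("192.168.17.154/32", "BGP", "10.10.102.2 via ge-2/0/9.0",
          communities=frozenset({CM_DDOS_DIVERT})),
    Route("192.168.17.0/24", "Direct", "via vlan.105"),
    Route("0.0.0.0/0", "Static", "discard"),  # outside the block: term other rejects it
]

if __name__ == "__main__":
    rib = build_rib(MASTER_ROUTES)
    print("imported into RI-DDOS-CLEAN.inet.0:", [r.prefix for r in rib])
    print("lookup in RI-DDOS-CLEAN.inet.0:", lookup(rib, "192.168.17.154"))
    print("lookup in inet.0:", lookup(MASTER_ROUTES, "192.168.17.154"))
```

Run as-is, the model keeps only 192.168.17.0/24 in the clean table, so a lookup there for 192.168.17.154 resolves to vlan.105, while the same lookup in inet.0 resolves to the diverted /32 towards ge-2/0/9.0. That matches the two show-route outputs in the post; the model covers route selection within one table only and says nothing about which table a packet arriving on ge-2/0/10 is actually looked up in.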