Managed container IP used for external communications?

We have an overlay network with Rancher IPSec. We have multiple environments for different types of containers and access between the environments goes through external LB and is controlled with an external firewall. All the hosts belonging to an environment are in a dedicated VLANs.

Everything is working but in the firewall we see a lot of dropped connections and the reason for the drops is that the source IP for the request is the container internal IP (in the subnet) and not the actual host IP. I expect that there should be source-natting and the requests coming out should only show the actual host IP instead of the private container IP?

It looks like there is some kind of failover mechanism, the first attempt is with the container IP as source and when this fails there is another request where source-natting has been performed? I assume we are taking a performance hit because of this and also triggering unnecessary alerts.

Is there a way to configure this behaviour or any good tricks to debug what the heck is exactly happening?

Thanks in advance!