Hybrid mail-flow fails from cloud to premises

September 16, 2014


Symptoms:

The Hybrid Configuration Wizard (HCW) completes successfully, but hybrid mail-flow doesn’t work from Exchange Online mailboxes to Exchange on-premises mailboxes.

The sender receives the following delivery notification failure in their Exchange Online mailbox:

Delivery has failed to these recipients or groups:
{Recipient}
The server has tried to deliver this message, without success, and has stopped trying. The recipient mail server may be temporarily offline or temporarily unable to accept messages. Please try sending this message again. For more tips to resolve this issue see DSN code 4.4.7 in Exchange Online . If the problem continues contact your help desk. 
Diagnostic information for administrators:
Generating server: AM3PR04MB418.eurprd04.prod.outlook.com
{Recipient email address}
Remote Server returned '< #4.4.7 smtp;550 4.4.7 QUEUE.Expired; message expired>'

Protocol logging in EOP shows the following error:

'450 4.7.0 Proxy session setup failed on Frontend with  ''451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed

Verbose logging was enabled on all receive connectors. The logs confirmed that no inbound hybrid mail-flow was reaching the ‘Inbound from Office 365’ receive connector; the traffic was arriving on the Default receive connector instead.


Resolution:

The customer was using a Juniper firewall. ‘Source Translation (DIP on)’ had been enabled (checked) in Advanced Policy Settings on the inbound SMTP rule for hybrid mail flow. This setting was disabled (by unticking the check-box in the management webpage) and hybrid mail-flow started working from Exchange Online to Exchange on-premises.
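Source translation replaces the sender's address with one owned by the firewall, and Exchange chooses among receive connectors on the same binding by the most specific remote IP range match, so translated sessions fall through to the Default connector. The following is an added example, not part of the original post, that checks this from receive protocol logs. The connector ranges, server name, addresses and log lines are constructed assumptions.

```python
import csv
import ipaddress
from collections import Counter

# Assumed scoping (constructed values): the hybrid connector accepts only the cloud
# service's range, here a documentation prefix; the default connector accepts anything.
CONNECTORS = {
    "Inbound from Office 365": ["203.0.113.0/24"],
    "Default EX01": ["0.0.0.0/0"],
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed on-premises address space
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed receive protocol log lines: two sessions seen while the firewall rewrote
# the source address to 10.0.0.1, one seen after the setting was turned off.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-09-16T09:00:01.000Z,EX01\Default EX01,08D19F0000000001,0,10.0.0.25:25,10.0.0.1:41022,+,,
2014-09-16T09:00:01.100Z,EX01\Default EX01,08D19F0000000001,1,10.0.0.25:25,10.0.0.1:41022,>,220 EX01 ready,
2014-09-16T09:05:12.000Z,EX01\Default EX01,08D19F0000000002,0,10.0.0.25:25,10.0.0.1:41377,+,,
2014-09-16T11:30:45.000Z,EX01\Inbound from Office 365,08D19F0000000003,0,10.0.0.25:25,203.0.113.10:52110,+,,
"""

def select_connector(source_ip, connectors=CONNECTORS):
    """Name of the connector whose remote range matches source_ip most specifically."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, name) for name, ranges in connectors.items()
               for net in map(ipaddress.ip_network, ranges) if ip in net]
    return max(matches)[1] if matches else None

def sessions_by_connector(log_text):
    """Count new sessions ('+' events) per (connector name, remote IP)."""
    lines = (l for l in log_text.splitlines() if l and not l.startswith("#"))
    counts = Counter()
    for row in csv.DictReader(lines, fieldnames=FIELDS):
        if row["event"] == "+":
            connector = row["connector-id"].split("\\", 1)[-1]  # drop "SERVER\" prefix
            counts[(connector, row["remote-endpoint"].rsplit(":", 1)[0])] += 1
    return counts

def translated_sources(log_text):
    """Remote IPs inside INTERNAL: the sender's real address was replaced upstream."""
    return sorted({ip for _, ip in sessions_by_connector(log_text)
                   if ipaddress.ip_address(ip) in INTERNAL})

if __name__ == "__main__":
    for (connector, ip), n in sessions_by_connector(SAMPLE_LOG).items():
        print(f"{n} session(s) from {ip} on '{connector}', scoping predicts '{select_connector(ip)}'")
    print("translated sources:", translated_sources(SAMPLE_LOG))
```

An internal address appearing as the remote endpoint of mail that should originate from the cloud service is the sign to look for on the firewall's inbound SMTP rule.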
