Not able to access IP in untrust zone from dmz zone

Hello all,

I have the problem that I am not able to access an IP in the untrust zone from the dmz zone.

Client 10.10.19.22 from cloud-dmz wants to access server 200.200.200.193. debug flow comes up with: outgoing wing prepared, not ready. My assumption is that the IP has no ARP entry because it is a VIP to an internal server. Access from the client DMZ to the internal server IP is not allowed.

get arp | include 200.200.200.193
-----------------------------------------------------------------------------------------
IP               Mac           VR/Interface          State  Age  Retry  PakQue  Sess_cnt
-----------------------------------------------------------------------------------------
200.200.200.193  000000000000  untrust1-vr/eth1/7.1  PND    0    2      2       0

Following configuration:

get interface:
Name       IP Address          Zone          MAC             VLAN  State  VSD
eth0/0     200.200.200.97/27   office        0010.dbaa.1200  -     U      0
eth0/1     192.168.100.100/24  admin         0010.dbaa.1250  -     D      0
eth0/2     0.0.0.0/0           HA            0021.5900.cc86  -     U      -
eth0/3     0.0.0.0/0           HA            0021.5900.cc87  -     U      -
eth1/0     0.0.0.0/0           Null          0010.dbaa.1280  -     U      0
eth1/0.1   200.200.208.126/25  cloud-dmz     0010.dbaa.1280  2100  U      0
eth1/0.2   200.200.208.254/25  cloud-dmz     0010.dbaa.1280  2101  U      0
eth1/0.3   10.10.16.62/26      cloud-mgmt    0010.dbaa.1280  2400  U      0
eth1/1     0.0.0.0/0           Null          0010.dbaa.1290  -     U      0
eth1/1.1   10.10.16.126/26     cloud-mgmt    0010.dbaa.1290  2401  U      0
eth1/1.2   10.10.16.190/26     cloud-mgmt    0010.dbaa.1290  2402  U      0
eth1/1.3   200.200.200.158/27  cloud-inf     0010.dbaa.1290  2404  U      0
eth1/1.4   192.168.2.1/24      untrust2-dmz  0010.dbaa.1290  2911  U      0
eth1/2     0.0.0.0/0           Null          0010.dbaa.12a0  -     U      0
eth1/2.1   10.10.30.62/26      cloud-mgmt    0010.dbaa.12a0  2410  U      0
eth1/2.2   10.10.30.126/26     cloud-mgmt    0010.dbaa.12a0  2411  U      0
eth1/2.3   10.10.30.190/26     cloud-mgmt    0010.dbaa.12a0  2412  U      0
eth1/3     0.0.0.0/0           Null          0010.dbaa.12b0  -     U      0
eth1/3.1   10.10.31.62/26      cloud-mgmt    0010.dbaa.12b0  2414  U      0
eth1/3.2   200.200.200.190/27  dmz           0010.dbaa.12b0  2800  U      0
eth1/3.3   10.10.17.62/26      dmz           0010.dbaa.12b0  2120  U      0
eth1/4     0.0.0.0/0           Null          0010.dbaa.12c0  -     U      0
eth1/4.1   10.10.29.254/25     cloud-mgmt    0010.dbaa.12c0  2914  U      0
eth1/4.2   10.10.24.254/24     cloud-mgmt    0010.dbaa.12c0  2102  U      0
eth1/4.3   10.10.22.62/26      cloud-dmz     0010.dbaa.12c0  2500  U      0
eth1/5     0.0.0.0/0           Null          0010.dbaa.12d0  -     U      0
eth1/5.2   10.10.19.254/23     cloud-dmz     0010.dbaa.12d0  2403  U      0
eth1/5.3   200.200.200.62/26   cloud-dmz     0010.dbaa.12d0  2840  U      0
eth1/5.4   200.200.200.254/27  cust-route~   0010.dbaa.12d0  2820  U      0
eth1/6     0.0.0.0/0           Null          0010.dbaa.12e0  -     U      0
eth1/6.1   199.199.199.124/29  untrust2      0010.dbaa.12e0  1901  U      0
eth1/7     0.0.0.0/0           Null          0010.dbaa.1150  -     U      0
eth1/7.1   200.200.200.219/27  untrust1      0010.dbaa.1150  1900  U      0

###########################################################

get zone:
ID   Name             Type     Attr    VR           Default-IF     VSYS
0    Null             Null     Shared  untrust-vr   null           Root
1    Untrust          Sec(L3)  Shared  trust-vr     null           Root
2    Trust            Sec(L3)          trust-vr     null           Root
3    DMZ              Sec(L3)          trust-vr     null           Root
4    Self             Func             trust-vr     self           Root
5    MGT              Func             trust-vr     null           Root
6    HA               Func             trust-vr     ethernet0/3    Root
10   Global           Sec(L3)          trust-vr     null           Root
11   V1-Untrust       Sec(L2)  Shared  trust-vr     v1-untrust     Root
12   V1-Trust         Sec(L2)  Shared  trust-vr     v1-trust       Root
13   V1-DMZ           Sec(L2)  Shared  trust-vr     v1-dmz         Root
14   VLAN             Func     Shared  trust-vr     vlan1          Root
15   V1-Null          Sec(L2)  Shared  trust-vr     l2v            Root
16   Untrust-Tun      Tun              trust-vr     hidden.1       Root
100  untrust1-ut      Sec(L3)          untrust1-vr  ethernet1/7.1  Root
101  untrust2-ut      Sec(L3)          untrust2-vr  ethernet1/6.1  Root
102  cloud-dmz        Sec(L3)          untrust1-vr  ethernet1/0.1  Root
103  cloud-mgmt       Sec(L3)          untrust1-vr  ethernet1/0.3  Root
104  cloud-inf        Sec(L3)          untrust1-vr  ethernet1/1.3  Root
105  dmz              Sec(L3)          untrust1-vr  ethernet1/3.2  Root
106  cust-router-dmz  Sec(L3)          untrust1-vr  ethernet1/5.4  Root
107  admin            Sec(L3)          trust-vr     ethernet0/1    Root
108  office           Sec(L3)          office-vr    ethernet0/0    Root
109  untrust2-dmz     Sec(L3)          untrust2-vr  ethernet1/1.4  Root
110  VPN              Sec(L3)          untrust1-vr  null           Root
######################################################

debug flow basic:

****** 34479095.0: <cloud-dmz/ethernet1/5.2> packet received [60]******
ipid = 8594(2192), @2d413914
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/5.2:10.10.19.22/4373->200.200.200.193/0,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/5.2>, out <N/A>
chose interface ethernet1/5.2 as incoming nat if.
flow_first_routing: in <ethernet1/5.2>, out <N/A>
search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
[ Dest] 37.route 200.200.200.193->200.200.200.193, to ethernet1/7.1
routed (x_dst_ip 200.200.200.193) from ethernet1/5.2 (ethernet1/5.2 in 0) to ethernet1/7.1
policy search from zone 102-> zone 100
policy_flow_search policy search nat_crt from zone 102-> zone 100
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 200.200.200.193, port 15431, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1172/0/0x9
Permitted by policy 1172
DST xlate: 200.200.200.193(0) to 200.200.200.193(0)
search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
[ Dest] 37.route 200.200.200.193->200.200.200.193, to ethernet1/7.1
routed (200.200.200.193) from ethernet1/5.2 (ethernet1/5.2 in 0) to ethernet1/7.1
No src xlate choose interface ethernet1/7.1 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/7.1
vsd 0 is active
no loop on ifp ethernet1/7.1.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/5.2>, out <ethernet1/7.1>
existing vector list 21-1bf64f94.
Session (id:24338) created for first pak 21
flow_first_install_session======>
route to 200.200.200.193
wait for arp rsp for 200.200.200.193
ifp2 ethernet1/7.1, out_ifp ethernet1/7.1, flag 00000804, tunnel ffffffff, rc 0
outgoing wing prepared, not ready
handle cleartext reverse route
search route to (ethernet1/7.1, 200.200.200.193->10.10.19.22) in vr untrust1-vr for vsd-0/flag-3000/ifp-ethernet1/5.2
[ Dest] 31.route 10.10.19.22->10.10.19.22, to ethernet1/5.2
route to 10.10.19.22
arp entry found for 10.10.19.22
ifp2 ethernet1/5.2, out_ifp ethernet1/5.2, flag 00800805, tunnel ffffffff, rc 1

##########################################################
Thanks in advance.
Regards,

Klemens
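What I would run over a trace like this, as an added example (not code from the post or from Juniper): a small Python triage script that pulls the egress decision, the matched policy and the pending ARP out of the `debug flow basic` output, joins it with the matching `get arp` row, and states in one line why the session never became usable. The sample inputs are constructed from the output above, trimmed to the lines the parser reads; my reading of `route A->B, to ifp` as destination, gateway and egress interface, and the finding codes, are assumptions of this script, not ScreenOS documentation.

```python
"""Triage a ScreenOS `debug flow basic` trace that stops at
"outgoing wing prepared, not ready".

Added example, not code from the original post or from Juniper. It parses
the message formats exactly as they appear in the post; other ScreenOS
releases may word some lines differently (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's trace, reduced to the lines the parser reads.
SAMPLE_DEBUG_FLOW = """\
****** 34479095.0: <cloud-dmz/ethernet1/5.2> packet received [60]******
ethernet1/5.2:10.10.19.22/4373->200.200.200.193/0,1(8/0)<Root>
no session found
search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
[ Dest] 37.route 200.200.200.193->200.200.200.193, to ethernet1/7.1
Permitted by policy 1172
flow_first_final_check: in <ethernet1/5.2>, out <ethernet1/7.1>
Session (id:24338) created for first pak 21
wait for arp rsp for 200.200.200.193
outgoing wing prepared, not ready
arp entry found for 10.10.19.22
"""

# Constructed sample: the poster's `get arp | include 200.200.200.193` output.
SAMPLE_ARP = """\
IP Mac VR/Interface State Age Retry PakQue Sess_cnt
200.200.200.193 000000000000 untrust1-vr/eth1/7.1 PND 0 2 2 0
"""

_IP = r"\d+(?:\.\d+){3}"
_PKT = re.compile(rf"^(\S+):({_IP})/\d+->({_IP})/\d+,(\d+)")   # in_ifp:src/sport->dst/dport,proto
_VR = re.compile(r" in vr (\S+) for ")
_ROUTE = re.compile(r"route (\S+)->(\S+), to (\S+)")             # assumed: dst->gateway, to ifp
_FINAL = re.compile(r"^flow_first_final_check: in <([^>]+)>, out <([^>]+)>")
_POLICY = re.compile(r"^Permitted by policy (\d+)")
_SESSION = re.compile(r"^Session \(id:(\d+)\) created")
_ARPWAIT = re.compile(r"^wait for arp rsp for (\S+)")


@dataclass
class FlowTrace:
    src: str = ""
    dst: str = ""
    proto: int = 0
    in_ifp: str = ""
    out_ifp: str = ""
    vr: str = ""
    route_dst: str = ""
    route_gw: str = ""
    policy: Optional[int] = None
    session_id: Optional[int] = None
    arp_wait: Optional[str] = None
    outgoing_not_ready: bool = False


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vr_if: str
    state: str


def parse_debug_flow(text: str) -> FlowTrace:
    """Pull the fields that decide the fate of a session's first packet."""
    t = FlowTrace()
    for line in text.splitlines():
        line = line.strip()
        m = _PKT.match(line)
        if m and not t.src:                      # first packet line only
            t.in_ifp, t.src, t.dst, t.proto = m[1], m[2], m[3], int(m[4])
        m = _VR.search(line)
        if m and not t.vr:
            t.vr = m[1]
        m = _ROUTE.search(line)
        if m and not t.route_dst:                # forward route; reverse comes later
            t.route_dst, t.route_gw = m[1], m[2]
        m = _FINAL.match(line)
        if m:
            t.in_ifp, t.out_ifp = m[1], m[2]
        m = _POLICY.match(line)
        if m:
            t.policy = int(m[1])
        m = _SESSION.match(line)
        if m:
            t.session_id = int(m[1])
        m = _ARPWAIT.match(line)
        if m:
            t.arp_wait = m[1]
        if line == "outgoing wing prepared, not ready":
            t.outgoing_not_ready = True
    return t


def parse_arp_table(text: str) -> Dict[str, ArpEntry]:
    """Index `get arp` rows by IP; header and dashed rule lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and re.fullmatch(_IP, cols[0]):
            entries[cols[0]] = ArpEntry(cols[0], cols[1], cols[2], cols[3])
    return entries


def diagnose(t: FlowTrace, arp: Dict[str, ArpEntry]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; the codes are this script's own."""
    if t.policy is None:
        return [("NOT_PERMITTED", "no 'Permitted by policy' line: fix policy before looking at ARP")]
    if not t.outgoing_not_ready:
        return [("FORWARD_READY", "outgoing wing was ready; the stall is not on the egress side")]
    nh = t.arp_wait
    if nh is None:
        return [("NOT_READY_UNKNOWN", "not ready but no 'wait for arp rsp' line; check out-interface state")]
    out: List[Tuple[str, str]] = []
    if t.route_dst == t.route_gw == nh:          # no gateway: destination treated as on-link
        out.append(("CONNECTED_ROUTE",
                    f"{nh} matched a route without a gateway (route {t.route_dst}->{t.route_gw}), "
                    f"so the firewall ARPs for the destination itself on {t.out_ifp}"))
    e = arp.get(nh)
    if e is None:
        out.append(("ARP_MISSING", f"no 'get arp' row for {nh}: capture it with 'get arp | include {nh}'"))
    elif e.state == "PND" or set(e.mac) <= {"0"}:
        out.append(("ARP_PENDING",
                    f"ARP for {nh} on {e.vr_if} is {e.state} with MAC {e.mac}: nothing on that segment "
                    f"answers for {nh}, so session {t.session_id} from {t.src} (policy {t.policy}) stays "
                    f"half-built; either {nh} must answer ARP on {t.out_ifp} or the route needs a gateway that does"))
    else:
        out.append(("ARP_RESOLVED", f"ARP for {nh} resolved to {e.mac} on {e.vr_if}; retry the trace"))
    return out


if __name__ == "__main__":
    trace = parse_debug_flow(SAMPLE_DEBUG_FLOW)
    for code, why in diagnose(trace, parse_arp_table(SAMPLE_ARP)):
        print(f"{code}: {why}")
```

Run as-is it reports the two findings for this trace; paste another trace and its `get arp` row into the two sample strings to triage a different session. The order of checks is deliberate: the policy lookup already succeeded (1172) and the packet was routed out ethernet1/7.1, so the `PND` row with an all-zero MAC on that interface is the thing to explain before touching policy or NAT.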