Channel: All ScreenOS Firewalls (NOT SRX) posts

is my packet going out of the firewall or not!?

Hi all

 

I need a bit of help with this one, because I am very new to NetScreen, so I am a bit confused by this debug trace that I took.

 

It seems to me that my packet is leaving the firewall, but at the same time I am not quite sure.

So A.A.A.A is my source, B.B.B.B is my destination. C.C.C.C is my default gw. 

 

The log seems to indicate that the packet is leaving the packet. I see the line that says routed to my gw C.C.C.C. 

 

but then there is the line asking for arp and I don't know why.

 

 

 route to C.C.C.C
 wait for arp rsp for C.C.C.C
 nsp2 wing prepared, not ready
 cache mac in the session
 make_nsp_ready_no_resolve()

 

 

And then there is the following line:

 

   search route to (ethernet1/2.1, B.B.B.B->A.A.A.A) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/2.9
[ Dest] 14.route A.A.A.A->A.A.A.A, to ethernet1/2.9
route to A.A.A.A

which seems to show that suddenly my dest is sending something back to my source. Which is weird because my filter is from source to destination only with debug flow basic. Exactly as per documentation here.

 

 

So if anyone could help me in clarifying what's going on here that would be great.

 

I have attached a picture of my network and a copy of the log. 

 

isMyPacketLeavingOrNot.jpg

****** 3059960.0: <Project/ethernet1/2.9> packet received [84]******
ethernet1/2.9:A.A.A.A/1->B.B.B.B/31574,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/2.9>, out <N/A>
chose interface ethernet1/2.9 as incoming nat if.
search route to (ethernet1/2.9, A.A.A.A->B.B.B.B) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 361.route B.B.B.B->C.C.C.C, to ethernet1/2.1
routed (x_dst_ip B.B.B.B) from ethernet1/2.9 (ethernet1/2.9 in 0) to ethernet1/2.1
policy search from zone 1005-> zone 1017
Permitted by policy 1111
No src xlate choose interface ethernet1/2.1 as outgoing phy if
flow_first_final_check: in <ethernet1/2.9>, out <ethernet1/2.1>
route to C.C.C.C
wait for arp rsp for C.C.C.C
nsp2 wing prepared, not ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet1/2.1, B.B.B.B->A.A.A.A) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/2.9
[ Dest] 14.route A.A.A.A->A.A.A.A, to ethernet1/2.9
route to A.A.A.A
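
An added example, not part of the original post: a small Python parser for the debug flow basic output quoted above. It pulls out the packet's addresses, the interfaces from flow_first_final_check, the policy id and any "wait for arp rsp" next hop, and labels each route lookup by whether its address pair matches the packet or is swapped. The dict field names are this example's own, and the sample trace is constructed from lines in the post.

```python
import re

# Constructed sample: lines taken from the trace in the post (A/B/C placeholders kept).
TRACE = """\
****** 3059960.0: <Project/ethernet1/2.9> packet received [84]******
ethernet1/2.9:A.A.A.A/1->B.B.B.B/31574,1(8/0)<Root>
no session found
search route to (ethernet1/2.9, A.A.A.A->B.B.B.B) in vr trust-vr for vsd-0/flag-0/ifp-null
Permitted by policy 1111
flow_first_final_check: in <ethernet1/2.9>, out <ethernet1/2.1>
route to C.C.C.C
wait for arp rsp for C.C.C.C
search route to (ethernet1/2.1, B.B.B.B->A.A.A.A) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1/2.9
route to A.A.A.A
"""

PKT = re.compile(r"^(\S+?):(\S+?)/\d+->(\S+?)/\d+,\d+")
LOOKUP = re.compile(r"search route to \((\S+), (\S+)->(\S+)\)")
FINAL = re.compile(r"flow_first_final_check: in <(\S+?)>, out <(\S+?)>")
POLICY = re.compile(r"Permitted by policy (\d+)")
ARP = re.compile(r"wait for arp rsp for (\S+)")

def summarize(trace):
    """Return one summary dict per 'packet received' block."""
    packets, cur = [], None
    for line in (l.strip() for l in trace.splitlines()):
        if "packet received" in line:
            cur = {"src": None, "dst": None, "in_if": None, "out_if": None,
                   "policy": None, "arp_wait": None, "lookups": []}
            packets.append(cur)
        elif cur is None:
            continue  # text before the first packet header
        elif cur["src"] is None and (m := PKT.match(line)):
            cur["src"], cur["dst"] = m.group(2), m.group(3)
        elif m := LOOKUP.search(line):
            pair = (m.group(2), m.group(3))
            # Label by address order only: same as the packet, or swapped.
            kind = ("same" if pair == (cur["src"], cur["dst"]) else
                    "swapped" if pair == (cur["dst"], cur["src"]) else "other")
            cur["lookups"].append((kind, m.group(1)))
        elif m := FINAL.search(line):
            cur["in_if"], cur["out_if"] = m.group(1), m.group(2)
        elif m := POLICY.search(line):
            cur["policy"] = int(m.group(1))
        elif m := ARP.search(line):
            cur["arp_wait"] = m.group(1)
    return packets

if __name__ == "__main__":
    for p in summarize(TRACE):
        print(p)
```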

 

 

