Thanks Marc; a well structured response, as usual 🙂
I have sorted out the highlighted issues; the primary problem still persists: I still cannot access protected resources on the network.
Latest config is attached.
The remote-protected-resources IP is set to 10.1.1.1/32. If I ping that IP I get a timeout; if, however, I ping 10.1.1.30 for example, I get a "general error"; so the packet is getting through, but it is being lost somewhere.
VPN IP: 10.10.10.2 (dmz zone)
Restricted resource: 10.1.1.1 (trust zone)
command: ping -S 10.10.10.2 10.1.1.1
flow debug output:
<10.10.10.2/434->10.1.1.1/1;1> matched filter dmz_to_trust:
packet [60] ipid = 187, @0x436a1dd0
---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x436a1b80, rtbl_idx = 0
in_ifp <junos-host:.local..0>
flow_process_pkt_exception: setting rtt in lpak to 0x680feed0
pkt out of tunnel.Proceed normally
ge-0/0/15.0:10.10.10.2->10.1.1.1, icmp, (8/0)
find flow: table 0x510e1138, hash 24339(0xffff), sa 10.10.10.2, da 10.1.1.1, sp 434, dp 1, proto 1, tok 20489
no session found, start first path. in_tunnel - 0x5d0f7f90, from_cp_flag - 0
flow_first_create_session
flow_first_in_dst_nat: in <ge-0/0/15.0>, out <N/A> dst_adr 10.1.1.1, sp 434, dp 1
chose interface N/A as incoming nat if.
flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.1.1.1(1)
flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 10.10.10.2, x_dst_ip 10.1.1.1, in ifp ge-0/0/15.0, out ifp N/A sp 434, dp 1, ip_proto 1, tos 0
Doing DESTINATION addr route-lookup
routed (x_dst_ip 10.1.1.1) from dmz (ge-0/0/15.0 in 0) to ge-0/0/15.0, Next-hop: 195.xx.xx.97
flow_first_policy_search: policy search from zone dmz-> zone dmz (0x0,0x1b20001,0x1)
Policy lkup: vsys 0 zone(9:dmz) -> zone(9:dmz) scope:0
10.10.10.2/2048 -> 10.1.1.1/19369 proto 1
app 0, timeout 60s, curr ageout 60s
permitted by policy default(4)
packet passed, Permitted by policy.
flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
dip id = 0/0, 10.10.10.2/434->10.10.10.2/434 protocol 0
choose interface ge-0/0/15.0 as outgoing phy if
is_loop_pak: No loop: on ifp: ge-0/0/15.0, addr: 10.1.1.1, rtt_idx:5
-jsf : Alloc sess plugin info for session 307386
[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
+++++++++++jsf_test_plugin_data_evh: 3
-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
[JSF]Plugins(0x0, count 0) enabled for session = 140069716, impli mask(0x0), post_nat cnt 307386 svc req(0x0)
-jsf : no plugin interested for session 307386, free sess plugin info
flow_first_service_lookup(): natp(0x5d14f390): app_id, 0(0).
service lookup identified service 0.
flow_first_final_check: in <ge-0/0/15.0>, out <ge-0/0/15.0>
flow_first_complete_session, pak_ptr: 0x50a2ee38, nsp: 0x5d14f390, in_tunnel: 0x5d0f7f90
construct v4 vector for nsp2
existing vector list 0x204-0x48c08dd0.
Session (id:307386) created for first pak 204
flow_first_install_session======> 0x5d14f390
nsp 0x5d14f390, nsp2 0x5d14f410
make_nsp_ready_no_resolve()
reverse route is optional
no need update ha
Installing s2c NP session wing
flow got session.
flow session id 307386
vector bits 0x204 vector 0x48c08dd0
skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
encap vector
no more encapping needed
mbuf 0x436a1b80, exit nh 0x100010
flow_process_pkt_exception: Freeing lpak 0x50a2ee38 associated with mbuf 0x436a1b80
----- flow_process_pkt rc 0x0 (fp rc 0)
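As an added example (not part of the post above and not a Juniper tool), here is a small Python triage script for a flow trace of this shape. It pulls the first-path lookup fields out of the trace (5-tuple, the `routed ... from <zone> (<ifp>) to <ifp>, Next-hop:` decision, the policy zone pair and verdict, the session id) and then flags the two things worth checking in the trace quoted above: the destination being placed in a zone other than the one the caller expected, and the egress interface being the same as the ingress interface. The sample trace embedded in the script is constructed from the lines in the post; the expected destination zone (`trust` here) is an assumption supplied by the caller, not something the trace itself states.

```python
"""Triage helper for Juniper SRX flow traceoptions output (added example, not vendor code)."""
import re

# Constructed sample: the routing/policy lines of the flow trace quoted in the post above.
SAMPLE_TRACE = """\
ge-0/0/15.0:10.10.10.2->10.1.1.1, icmp, (8/0)
find flow: table 0x510e1138, hash 24339(0xffff), sa 10.10.10.2, da 10.1.1.1, sp 434, dp 1, proto 1, tok 20489
no session found, start first path. in_tunnel - 0x5d0f7f90, from_cp_flag - 0
flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 10.10.10.2, x_dst_ip 10.1.1.1, in ifp ge-0/0/15.0, out ifp N/A sp 434, dp 1, ip_proto 1, tos 0
routed (x_dst_ip 10.1.1.1) from dmz (ge-0/0/15.0 in 0) to ge-0/0/15.0, Next-hop: 195.xx.xx.97
flow_first_policy_search: policy search from zone dmz-> zone dmz (0x0,0x1b20001,0x1)
permitted by policy default(4)
flow_first_final_check: in <ge-0/0/15.0>, out <ge-0/0/15.0>
Session (id:307386) created for first pak 204
"""

# One regex per trace line we care about; named groups are merged into a single dict.
_PATTERNS = [
    re.compile(r"sa (?P<sa>[^,\s]+), da (?P<da>[^,\s]+), sp (?P<sp>\d+), dp (?P<dp>\d+), proto (?P<proto>\d+)"),
    re.compile(r"routed \(x_dst_ip (?P<x_dst>[^)]+)\) from (?P<from_zone>\S+) \((?P<in_ifp>\S+) in \d+\) "
               r"to (?P<out_ifp>[^,\s]+), Next-hop: (?P<next_hop>\S+)"),
    re.compile(r"policy search from zone (?P<pol_from>\S+?)-> zone (?P<pol_to>\S+)"),
    re.compile(r"(?P<verdict>permitted|denied) by policy (?P<policy>\S+)"),
    re.compile(r"flow_first_final_check: in <(?P<fc_in>[^>]+)>, out <(?P<fc_out>[^>]+)>"),
    re.compile(r"Session \(id:(?P<session_id>\d+)\) created"),
]


def parse_flow_trace(text):
    """Extract the first-path lookup fields from one session's flow trace."""
    fields = {}
    for line in text.splitlines():
        for pat in _PATTERNS:
            m = pat.search(line)
            if m:
                fields.update(m.groupdict())
    return fields


def diagnose(fields, expected_dst_zone):
    """Return human-readable findings about where the first-path lookup diverged from expectation."""
    findings = []
    to_zone = fields.get("pol_to")
    if to_zone and to_zone != expected_dst_zone:
        # The route lookup decides the destination zone; a wrong zone means a wrong (or missing) route.
        findings.append(
            f"route lookup put {fields['x_dst']} in zone {to_zone} via {fields['out_ifp']} "
            f"(next-hop {fields['next_hop']}), not in the expected zone {expected_dst_zone}: "
            f"check the route to {fields['x_dst']} and the zone of its egress interface")
    if fields.get("in_ifp") and fields.get("in_ifp") == fields.get("out_ifp"):
        findings.append(
            f"hairpin: egress interface {fields['out_ifp']} equals the ingress interface, "
            f"so the packet is sent back out the way it came in")
    if fields.get("verdict") == "denied":
        findings.append(
            f"dropped by policy {fields['policy']} ({fields['pol_from']} -> {fields['pol_to']})")
    return findings


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    print(f"session {parsed['session_id']}: {parsed['sa']} -> {parsed['da']} proto {parsed['proto']}")
    for finding in diagnose(parsed, "trust"):  # 'trust' is the caller's assumption
        print(" -", finding)
```

Run against the sample, the script reports that 10.1.1.1 was routed out ge-0/0/15.0 toward 195.xx.xx.97 and evaluated as dmz -> dmz rather than against the trust zone, and that the egress interface equals the ingress interface; with `expected_dst_zone="dmz"` only the hairpin finding remains. The script only reads the trace; what to change in the configuration is still a decision for whoever owns the device.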