THIS HAS BEEN RESOLVED. SEE MY LATEST POST....
I've seen a lot on this issue regarding the MIP being on a different subnet than the UNTRUST interface, but not when the host IP is on a different subnet than the TRUST interface.
We have an SSG-520 with firmware 6.1.0r7. We are in the process of migrating our servers to a third-party datacenter connected via a private WAN/MPLS. One of those servers is our web server. For years we've had an existing MIP forwarding to the web server. We tested the migration of the server to another subnet over the weekend and updated the MIP host IP to reflect the new IP in the new subnet. The problem is that we cannot establish a connection to the web server through the SSG-520 MIP. Connection to the web server from 5 different subnets internally is fine, but for some reason it will not communicate from a public connection.
I see entries in the logs showing the creation of my HTTP connection, but after 21 or 22 seconds, a "Close Age-Out" log entry appears.
Working MIP Setup
Trust interface IP: 10.1.0.15/16
Host IP (web server): 10.1.0.126
Netmask: 255.255.255.255
Problematic MIP Setup
Trust Interface IP: 10.1.0.15/16 or /8
Host IP (web server): 10.0.0.126
Netmask: 255.255.255.255
There is already a destination entry for the 10.0.0.0/16 subnet. All other traffic between subnets is working fine (10.0.x.x, 10.1.x.x, 10.2.x.x, 10.3.x.x, 10.5.x.x, and 10.7.x.x).
We will be implementing a new dedicated firewall in the target subnet listed above (10.0.0.0) once all servers have been successfully migrated. But until that time, I need to get the MIP working.
Any help would be greatly appreciated.
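An added example, not the poster's configuration or any ScreenOS output: a longest-prefix-match lookup over a constructed route table modelled on the two setups above (the trust interface's connected subnet plus the existing 10.0.0.0/16 destination entry), to show which MIP host addresses the firewall treats as directly connected on trust and which it forwards via a route, and that widening the trust mask from /16 to /8 does not change that for the new host. Interface names and the next-hop address are placeholder assumptions, since the post does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # None means the prefix is directly connected

def build_table(trust_prefixlen: int) -> List[Route]:
    """Constructed route table for the scenario in the post.

    The trust interface is 10.1.0.15 with a /16 or /8 mask; the post also
    says a destination entry for 10.0.0.0/16 already exists. The interface
    names and the 10.1.0.1 next hop are placeholders, not values from the post.
    """
    trust_net = ipaddress.ip_network(f"10.1.0.15/{trust_prefixlen}", strict=False)
    return [
        Route(trust_net, "trust", None),
        Route(ipaddress.ip_network("10.0.0.0/16"), "wan-to-datacenter", "10.1.0.1"),
    ]

def lookup(table: List[Route], host: str) -> Optional[Route]:
    """Return the most specific route covering host (longest prefix wins)."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)

def classify_mip_host(trust_prefixlen: int, host: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify a MIP host as connected on an interface, routed via a gateway,
    or unreachable, given the trust interface mask in use."""
    route = lookup(build_table(trust_prefixlen), host)
    if route is None:
        return ("unreachable", None, None)
    if route.gateway is None:
        return ("connected", route.interface, None)
    return ("routed", route.interface, route.gateway)

if __name__ == "__main__":
    for mask, host in [(16, "10.1.0.126"), (16, "10.0.0.126"), (8, "10.0.0.126")]:
        print(f"trust /{mask}, MIP host {host}: {classify_mip_host(mask, host)}")
```

The old host lands on the trust interface's connected subnet, while the new host is matched by the 10.0.0.0/16 entry under both trust masks, because the /16 route is more specific than a /8 connected prefix.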