Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Two zones one for each ISP with failover ISP (Three ISP's)

    Posted 07-09-2013 07:16

    I know I'm missing something, but everything is working except for DNS on an SSG140.

    DNS and DHCP are being handled internally by Windows domain controllers, and the SSG is configured to use the internal DNS servers. I set up two zones: interfaces 0/2 (active) and 0/4 (failover) are in the untrust zone, with DNS working.

    The new zone (untrust2) has a new ISP on interface 0/3. All zones are using the same vsys, "root".

     

    PC1 (0/0)------------(NAT) Firewall --(untrust)--------- 0/2 (0/4)
                                        |
                                        (untrust2)-------- 0/3

     

    I tested the untrust2 zone by unplugging interfaces 0/2 and 0/4, disabling monitoring for 0/2, lowering the preference for the 0/3 gateway, and then powering the SSG off and on. I can access internal and external IPs, but DNS fails, showing "Closed - Age out" events, even with the untrust2 policy application set to "Ignore".

     

    Currently I've reset the 0/3 interface gateway preference, and DNS is now working.

     



  • 2.  RE: Two zones one for each ISP with failover ISP (Three ISP's)

    Posted 07-10-2013 02:36

    Below is the debug log, filtered on the source IP of my PC to the destination IP of the ISP's DNS, when the preference is lowered on the 0/3 interface gateway. Any help would be greatly appreciated.

     

    ****** 120038.0: <Trust/ethernet0/0> packet received [104]******
      ipid = 5246(147e), @1d5b6114
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:192.168.11.15/62031->64.222.84.243/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.11.15->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.11.15->64.222.84.243) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 33.route 64.222.84.243->71.181.5.57, to ethernet0/3
      routed (x_dst_ip 64.222.84.243) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/3
      policy search from zone 2-> zone 102
     policy_flow_search  policy search nat_crt from zone 2-> zone 102
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 64.222.84.243, port 53, proto 17)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 107/53/0x9
      Permitted by policy 107
      No src xlate   choose interface ethernet0/3 as outgoing phy if
      no loop on ifp ethernet0/3.
      session application type 78, name IGNORE, nas_id 0, timeout 300sec
     1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/3, 64.222.84.243->192.168.11.15) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
      [ Dest] 1.route 192.168.11.15->192.168.11.15, to ethernet0/0
      route to 192.168.11.15
      arp entry found for 192.168.11.15
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 43618
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
    ntry found for 192.168.11.15
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 43995
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
      flow_ip_send: 147e:192.168.11.15->64.222.84.243,17 => ethernet0/3(104) flag 0x20020, vlan 0
     pak has mac
      Send to ethernet0/3 (118)
      flow_ip_send: 44d2:192.168.21.206->192.168.11.50,6 => ethernet0/0(1390) flag 0x24000, vlan 0
     pak has mac
      Send to ethernet0/0 (1404)
    ****** 120040.0: <Trust/ethernet0/0> packet received [83]******
      ipid = 5268(1494), @1d5f3114
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:192.168.11.15/62213->64.222.84.243/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.11.15->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.11.15->64.222.84.243) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 33.route 64.222.84.243->71.181.5.57, to ethernet0/3
      routed (x_dst_ip 64.222.84.243) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/3
      policy search from zone 2-> zone 102
     policy_flow_search  policy search nat_crt from zone 2-> zone 102
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 64.222.84.243, port 53, proto 17)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 107/53/0x9
      Permitted by policy 107
      No src xlate   choose interface ethernet0/3 as outgoing phy if
      no loop on ifp ethernet0/3.
      session application type 78, name IGNORE, nas_id 0, timeout 300sec
    ALG vector is not attached
    1.15
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 45832
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
      flow_ip_send: 159e:192.168.11.15->64.222.84.243,17 => ethernet0/3(84) flag 0x20020, vlan 0
     pak has mac
      Send to ethernet0/3 (98)
      flow_ip_send: 39eb:192.168.21.206->192.168.11.50,6 => ethernet0/0(1390) flag 0x24000, vlan 0
     pak has mac
      Send to ethernet0/0 (1404)
      flow_ip_send: 3aeb:192.168.21.206->192.168.11.50,6 => ethernet0/0(1390) flag 0x24000, vlan 0
     pak has mac
      Send to ethernet0/0 (1404)
    ession id 46175
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
      flow_ip_send: 1494:192.168.11.15->64.222.84.243,17 => ethernet0/3(83) flag 0x20020, vlan 0
     pak has mac
      Send to ethernet0/3 (97)
      flow_ip_send: 79d3:192.168.21.206->192.168.11.50,6 => ethernet0/0(1390) flag 0x24000, vlan 0
     pak has mac
      Send to ethernet0/0 (1404)
      flow_ip_send: 7ad3:192.168.21.206->192.168.11.50,6 => ethernet0/0(1390) flag 0x24000, vlan 0
     pak has mac
      Send to ethernet0/0 (1404)
    ****** 120041.0: <Trust/ethernet0/0> packet received [68]******
      ipid = 5270(1496), @1d564914
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:192.168.11.15/63586->64.222.84.243/53,17<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 46838
      flow_main_body_vector in ifp ethernet0/0 out ifp N/A
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
    ****** 120042.0: <Trust/ethernet0/0> packet received [68]******
      ipid = 5271(1497), @1d5a8114
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:192.168.11.15/63322->64.222.84.243/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.11.15->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.11.15->64.222.84.243) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 33.route 64.222.84.243->71.181.5.57, to ethernet0/3
      routed (x_dst_ip 64.222.84.243) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/3
      policy search from zone 2-> zone 102
    fp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 46444
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.
    interface ethernet0/3 as outgoing phy if
      no loop on ifp ethernet0/3.
      session application type 78, name IGNORE, nas_id 0, timeout 300sec
    ALG vector is not attached
      service lookup identified service 0.
    /53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.11.15->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.11.15->64.222.84.243) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 33.route 64.222.84.243->71.181.5.57, to ethernet0/3
      routed (x_dst_ip 64.222.84.243) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/3
      policy search from zone 2-> zone 102
     policy_flow_search  policy search nat_crt from zone 2-> zone 102
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 64.222.84.243, port 53, proto 17)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 107/53/0x9
      Permitted by policy 107
      No src xlate   choose interface ethernet0/3 as outgoing phy if
      no loop on ifp ethernet0/3.
      session application type 78, name IGNORE, nas_id 0, timeout 300sec
    ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/0>, out <ethernet0/3>
      existing vector list 1-b6a5ee4.
      Session (id:44617) created for first pak 1
      flow_first_install_session======>
      route to 71.181.5.57
      arp entry found for 71.181.5.57
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/3, 64.222.84.243->192.168.11.15) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
      [ Dest] 1.route 192.168.11.15->192.168.11.15, to ethernet0/0
      route to 192.168.11.15
      arp entry found for 192.168.11.15
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 44617
      flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/3
      flow vector index 0x1, vector addr 0x1e3e2f4, orig vector 0x1e3e2f4
      post addr xlation: 192.168.11.15->64.222.84.243.
      send packet to traffic shaping queue.


     



  • 3.  RE: Two zones one for each ISP with failover ISP (Three ISP's)

    Posted 07-10-2013 04:49

    I think the issue is with the "Xlated Src IP" for the untrust2 zone. It is showing the internal network, when it should be showing the external network. Any ideas?

     

    ============================================================================================================
    Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID In Interface
    Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID       Out Interface
    ============================================================================================================
    2013-07-10 07:45:49    0:05:01 192.168.11.15   62847 64.222.84.243      53 DNS          45631    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62847 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:45:33    0:04:59 192.168.11.15   62885 64.222.84.243      53 DNS          47538    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62885 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:45:17    0:04:59 192.168.11.15   62766 64.222.84.243      53 DNS          45236    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62766 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:45:05    0:05:01 192.168.11.15   63031 64.222.84.243      53 DNS          45141    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63031 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:45:01    0:05:00 192.168.11.15   61635 64.222.84.243      53 DNS          45798    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   61635 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:49    0:05:01 192.168.11.15   63062 64.222.84.243      53 DNS          47863    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63062 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:35    0:05:01 192.168.11.15   62213 64.222.84.243      53 DNS          46509    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62213 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:17    0:04:59 192.168.11.15   63703 64.222.84.243      53 DNS          43955    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63703 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:11    0:05:00 192.168.11.15   62773 64.222.84.243      53 DNS          46377    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62773 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:09    0:05:00 192.168.11.15   61901 64.222.84.243      53 DNS          45037    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   61901 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:07    0:05:01 192.168.11.15   62008 64.222.84.243      53 DNS          46898    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62008 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:03    0:05:00 192.168.11.15   63174 64.222.84.243      53 DNS          47508    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63174 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:44:03    0:04:59 192.168.11.15   62855 64.222.84.243      53 DNS          44663    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62855 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:47    0:04:59 192.168.11.15   62631 64.222.84.243      53 DNS          46489    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62631 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:39    0:05:02 192.168.11.15   63401 64.222.84.243      53 DNS          45451    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63401 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:33    0:04:59 192.168.11.15   63669 64.222.84.243      53 DNS          44157    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63669 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:19    0:05:01 192.168.11.15   63179 64.222.84.243      53 DNS          46382    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63179 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:07    0:05:02 192.168.11.15   63359 64.222.84.243      53 DNS          46119    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63359 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:43:03    0:04:59 192.168.11.15   63364 64.222.84.243      53 DNS          44384    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63364 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:42:59    0:05:00 192.168.11.15   62488 64.222.84.243      53 DNS          46004    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   62488 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:42:49    0:05:01 192.168.11.15   61824 64.222.84.243      53 DNS          46642    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   61824 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:42:35    0:05:00 192.168.11.15   63606 64.222.84.243      53 DNS          44660    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63606 64.222.84.243      53              107    ethernet0/3
    2013-07-10 07:42:35    0:05:01 192.168.11.15   63319 64.222.84.243      53 DNS          46075    ethernet0/0
    Close - AGE OUT             17 192.168.11.15   63319 64.222.84.243      53              107    ethernet0/3



  • 4.  RE: Two zones one for each ISP with failover ISP (Three ISP's)
    Best Answer

    Posted 07-10-2013 05:54

    Take a look at policy 107 and make sure that, under the Advanced section, you have the NAT Source Translation box checked and have "None (Use Egress Interface IP)" selected, or are using the correct DIP that you want for this traffic.


      Permitted by policy 107
      No src xlate   choose interface ethernet0/3 as outgoing phy if
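    Added example, not part of the original thread and not the poster's own configuration: the ScreenOS CLI equivalent of the WebUI fix described above, showing policy 107 in the shape the debug output implies it had ("No src xlate", i.e. no source translation) beside the corrected policy, followed by the commands to confirm the change. Zone names "Trust" and "untrust2", policy ID 107, interface ethernet0/3 and the two IP addresses are taken from the thread; the real policy's source/destination/service objects are not shown on the page and are assumed here to be Any/Any/ANY. Lines beginning with "#" are annotations for the reader, not ScreenOS commands, and the "get session" filter keywords are written from memory and should be checked against "get session ?" on the box. The reason this matters beyond "DNS is broken": without source translation the query left ethernet0/3 with the private source 192.168.11.15, which the ISP's resolver cannot route a reply to, so every UDP/53 session sat untouched until the 300-second timeout shown in the debug ("timeout 300sec"), which is exactly the five-minute durations and "Close - AGE OUT" reason in the session log, and the policy "Ignore" application setting had nothing to do with it.

```screenos
# Assumed shape of policy 107 before the fix: a plain permit with no "nat src",
# which is why the flow debug printed "No src xlate" before choosing ethernet0/3.
# (Zone names and policy ID from the thread; Any/Any/ANY is an assumption.)
set policy id 107 from "Trust" to "untrust2" "Any" "Any" "ANY" permit log

# Corrected policy. "nat src" with no dip-id is the CLI form of the WebUI
# choice "None (Use Egress Interface IP)": outbound packets leave ethernet0/3
# sourced from that interface's own address instead of 192.168.11.x.
unset policy id 107
set policy id 107 from "Trust" to "untrust2" "Any" "Any" "ANY" nat src permit log
# If a specific public address is wanted instead of the interface IP, use a DIP
# pool defined on ethernet0/3 (assumed pool ID 4):
#   set interface ethernet0/3 dip 4 <first-public-ip> <last-public-ip>
#   set policy id 107 from "Trust" to "untrust2" "Any" "Any" "ANY" nat src dip-id 4 permit log
# Deleting and re-adding puts the policy at the end of the Trust->untrust2 list;
# restore its position if ordering matters, e.g.:
#   set policy move 107 before <other-policy-id>

# Confirm the policy now carries source NAT
get policy id 107

# Repeat the flow trace from post 2: the "No src xlate" line should be gone and
# "post addr xlation" should show the ethernet0/3 address as the new source.
clear dbuf
set ffilter src-ip 192.168.11.15 dst-ip 64.222.84.243 dst-port 53
debug flow basic
# ... trigger a DNS lookup from 192.168.11.15, then stop and read the buffer:
undebug all
get dbuf stream
unset ffilter

# Sessions should now be answered and closed normally rather than lingering for
# five minutes and closing with "Close - AGE OUT".
get session src-ip 192.168.11.15 dst-port 53
get log traffic
```

    Translation in the other direction (replies from 64.222.84.243 back to the DNS client) does not need a separate policy: ScreenOS records the translated address in the session's reverse wing ("handle cleartext reverse route" in the debug), so only the outbound policy has to change.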



  • 5.  RE: Two zones one for each ISP with failover ISP (Three ISP's)

    Posted 07-10-2013 07:15

    Thank you! That took care of the issue!