Screen OS

Greetings Everyone,

I've set up a new VR to isolate my VoIP network from my Data network as much as possible. I've created the VoIP-WAN (eth0/1) and VoIP-LAN (eth0/3) zones and added them to the VoIP-VR. On the Trust-VR I have the Trust (bgroup0/0) and Untrust (eth0/0) zones. The VoIP-WAN and Untrust zones each have a seperate internet connection.

Everything is working as intended with this setup for outbound, but not inbound connections. Specifically, if I try to create VIPs for VoIP-WAN (eth0/1), the traffic will come in eth0/0, will be allowed based on the policy I have created, but return traffic is routed out Untrust (eth0/0):

1.1.1.1 = Remote IP
2.2.2.2 = VoIP-WAN interface
3.3.3.3 = Untrust interface
2.2.2.254 = VoIP-WAN next hop gateway
3.3.3.254 = Untrust next hop gateway
10.0.91.0/24 = VoIP-LAN subnet

****** 436776.0: <VoIP-WAN/ethernet0/1> packet received [52]******
  ipid = 30315(766b), @03916418
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/1:1.1.1.1/56531->2.2.2.2/10000,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/1>, out <N/A>
  self check, not for us
  chose interface ethernet0/1 as incoming nat if.
  flow_first_routing: in <ethernet0/1>, out <N/A>
  search route to (ethernet0/1, 1.1.1.1->10.0.91.9) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 7 for 10.0.91.9
  [ Dest] 7.route 10.0.91.9->3.3.3.254, to ethernet0/0
  routed (x_dst_ip 10.0.91.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/0
  policy search from zone 100-> zone 1
 policy_flow_search  policy search nat_crt from zone 100-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 2.2.2.2, port 10000, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 12/12/0x9
  Permitted by policy 12
  dip id = 2, 1.1.1.1/56531->3.3.3.3/1028
  choose interface ethernet0/0 as outgoing phy if
  no loop on ifp ethernet0/0.
  session application type 0, name None, nas_id 0, timeout 1800sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/1>, out <ethernet0/0>
  existing vector list 103-42657fc.
  Session (id:7881) created for first pak 103
  flow_first_install_session======>
  route to 3.3.3.254
  bypass L2 prepare if, nsp ready.
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10002800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/0, 10.0.91.9->1.1.1.1) in vr VoIP-VR for vsd-0/flag-3000/ifp-ethernet0/1
  cached route 7 for 1.1.1.1
  [ Dest] 7.route 1.1.1.1->2.2.2.254, to ethernet0/1
  route to 2.2.2.254
  bypass L2 prepare if, nsp ready.
  ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00002801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 7881
  flow_main_body_vector in ifp ethernet0/1 out ifp ethernet0/0
  flow vector index 0x103, vector addr 0x42657fc, orig vector 0x42657fc
  adjust tcp mss.
  tcp seq check.
  Got syn, 1.1.1.1(56531)->2.2.2.2(10000), nspflag 0x3801, 0x10002800
  post addr xlation: 3.3.3.3->10.0.91.9.
  send out through normal path.
  flow_ip_send: 766b:3.3.3.3->10.0.91.9,6 => ethernet0/0(52) flag 0x0, vlan 0
  packet send out to 2ce412826963 through ethernet0/0

So I know enough to figure out what is causing the problem, but not enough to fix it. Any suggestions would be greatly appreciated.

Thanks,

semose

*facepalm* Figured it out instantly after posting. Just needed to add destination based route in Trust-VR for traffic destined for the 10.0.91.0/24 subnet to be routed to the VoIP-VR.

Almost deleted, but thought I'd leave it incase someone else has a similar issue.