Screen OS

  • 1.  Not able to access IP in untrust zone from dmz zone

    Posted 03-20-2020 02:35

    Hello together,

    I have the problem that I am not able to access an IP in the untrust zone from the dmz zone.

    Client 10.10.19.22 from cloud-dmz wants to access server 200.200.200.193. debug flow comes up with: "outgoing wing prepared, not ready". My assumption is that the IP has no ARP entry because it is a VIP to an internal server. Access from the client DMZ to the internal server IP is not allowed.

    get arp | include 200.200.200.193
    -----------------------------------------------------------------------------------------
    IP Mac VR/Interface State Age Retry PakQue Sess_cnt
    -----------------------------------------------------------------------------------------
    200.200.200.193 000000000000 untrust1-vr/eth1/7.1 PND 0 2 2 0

    Following configuration:

    get interface:
    Name IP Address Zone MAC VLAN State VSD
    eth0/0 200.200.200.97/27 office 0010.dbaa.1200 - U 0
    eth0/1 192.168.100.100/24 admin 0010.dbaa.1250 - D 0
    eth0/2 0.0.0.0/0 HA 0021.5900.cc86 - U -
    eth0/3 0.0.0.0/0 HA 0021.5900.cc87 - U -
    eth1/0 0.0.0.0/0 Null 0010.dbaa.1280 - U 0
    eth1/0.1 200.200.208.126/25 cloud-dmz 0010.dbaa.1280 2100 U 0
    eth1/0.2 200.200.208.254/25 cloud-dmz 0010.dbaa.1280 2101 U 0
    eth1/0.3 10.10.16.62/26 cloud-mgmt 0010.dbaa.1280 2400 U 0
    eth1/1 0.0.0.0/0 Null 0010.dbaa.1290 - U 0
    eth1/1.1 10.10.16.126/26 cloud-mgmt 0010.dbaa.1290 2401 U 0
    eth1/1.2 10.10.16.190/26 cloud-mgmt 0010.dbaa.1290 2402 U 0
    eth1/1.3 200.200.200.158/27 cloud-inf 0010.dbaa.1290 2404 U 0
    eth1/1.4 192.168.2.1/24 untrust2-dmz 0010.dbaa.1290 2911 U 0
    eth1/2 0.0.0.0/0 Null 0010.dbaa.12a0 - U 0
    eth1/2.1 10.10.30.62/26 cloud-mgmt 0010.dbaa.12a0 2410 U 0
    eth1/2.2 10.10.30.126/26 cloud-mgmt 0010.dbaa.12a0 2411 U 0
    eth1/2.3 10.10.30.190/26 cloud-mgmt 0010.dbaa.12a0 2412 U 0
    eth1/3 0.0.0.0/0 Null 0010.dbaa.12b0 - U 0
    eth1/3.1 10.10.31.62/26 cloud-mgmt 0010.dbaa.12b0 2414 U 0
    eth1/3.2 200.200.200.190/27 dmz 0010.dbaa.12b0 2800 U 0
    eth1/3.3 10.10.17.62/26 dmz 0010.dbaa.12b0 2120 U 0
    eth1/4 0.0.0.0/0 Null 0010.dbaa.12c0 - U 0
    eth1/4.1 10.10.29.254/25 cloud-mgmt 0010.dbaa.12c0 2914 U 0
    eth1/4.2 10.10.24.254/24 cloud-mgmt 0010.dbaa.12c0 2102 U 0
    eth1/4.3 10.10.22.62/26 cloud-dmz 0010.dbaa.12c0 2500 U 0
    eth1/5 0.0.0.0/0 Null 0010.dbaa.12d0 - U 0
    eth1/5.2 10.10.19.254/23 cloud-dmz 0010.dbaa.12d0 2403 U 0
    eth1/5.3 200.200.200.62/26 cloud-dmz 0010.dbaa.12d0 2840 U 0
    eth1/5.4 200.200.200.254/27 cust-route~ 0010.dbaa.12d0 2820 U 0
    eth1/6 0.0.0.0/0 Null 0010.dbaa.12e0 - U 0
    eth1/6.1 199.199.199.124/29 untrust2 0010.dbaa.12e0 1901 U 0
    eth1/7 0.0.0.0/0 Null 0010.dbaa.1150 - U 0
    eth1/7.1 200.200.200.219/27 untrust1 0010.dbaa.1150 1900 U 0

    ###########################################################

    get zone:
    ID Name Type Attr VR Default-IF VSYS
    0 Null Null Shared untrust-vr null Root
    1 Untrust Sec(L3) Shared trust-vr null Root
    2 Trust Sec(L3) trust-vr null Root
    3 DMZ Sec(L3) trust-vr null Root
    4 Self Func trust-vr self Root
    5 MGT Func trust-vr null Root
    6 HA Func trust-vr ethernet0/3 Root
    10 Global Sec(L3) trust-vr null Root
    11 V1-Untrust Sec(L2) Shared trust-vr v1-untrust Root
    12 V1-Trust Sec(L2) Shared trust-vr v1-trust Root
    13 V1-DMZ Sec(L2) Shared trust-vr v1-dmz Root
    14 VLAN Func Shared trust-vr vlan1 Root
    15 V1-Null Sec(L2) Shared trust-vr l2v Root
    16 Untrust-Tun Tun trust-vr hidden.1 Root
    100 untrust1-ut Sec(L3) untrust1-vr ethernet1/7.1 Root
    101 untrust2-ut Sec(L3) untrust2-vr ethernet1/6.1 Root
    102 cloud-dmz Sec(L3) untrust1-vr ethernet1/0.1 Root
    103 cloud-mgmt Sec(L3) untrust1-vr ethernet1/0.3 Root
    104 cloud-inf Sec(L3) untrust1-vr ethernet1/1.3 Root
    105 dmz Sec(L3) untrust1-vr ethernet1/3.2 Root
    106 cust-router-dmz Sec(L3) untrust1-vr ethernet1/5.4 Root
    107 admin Sec(L3) trust-vr ethernet0/1 Root
    108 office Sec(L3) office-vr ethernet0/0 Root
    109 untrust2-dmz Sec(L3) untrust2-vr ethernet1/1.4 Root
    110 VPN Sec(L3) untrust1-vr null Root
    ######################################################

    debug flow basic:

    ****** 34479095.0: <cloud-dmz/ethernet1/5.2> packet received [60]******
    ipid = 8594(2192), @2d413914
    packet passed sanity check.
    flow_decap_vector IPv4 process
    ethernet1/5.2:10.10.19.22/4373->200.200.200.193/0,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <ethernet1/5.2>, out <N/A>
    chose interface ethernet1/5.2 as incoming nat if.
    flow_first_routing: in <ethernet1/5.2>, out <N/A>
    search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
    [ Dest] 37.route 200.200.200.193->200.200.200.193, to ethernet1/7.1
    routed (x_dst_ip 200.200.200.193) from ethernet1/5.2 (ethernet1/5.2 in 0) to ethernet1/7.1
    policy search from zone 102-> zone 100
    policy_flow_search policy search nat_crt from zone 102-> zone 100
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 200.200.200.193, port 15431, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1172/0/0x9
    Permitted by policy 1172
    DST xlate: 200.200.200.193(0) to 200.200.200.193(0)
    search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
    [ Dest] 37.route 200.200.200.193->200.200.200.193, to ethernet1/7.1
    routed (200.200.200.193) from ethernet1/5.2 (ethernet1/5.2 in 0) to ethernet1/7.1
    No src xlate choose interface ethernet1/7.1 as outgoing phy if
    check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet1/7.1
    vsd 0 is active
    no loop on ifp ethernet1/7.1.
    session application type 0, name None, nas_id 0, timeout 60sec
    service lookup identified service 0.
    flow_first_final_check: in <ethernet1/5.2>, out <ethernet1/7.1>
    existing vector list 21-1bf64f94.
    Session (id:24338) created for first pak 21
    flow_first_install_session======>
    route to 200.200.200.193
    wait for arp rsp for 200.200.200.193
    ifp2 ethernet1/7.1, out_ifp ethernet1/7.1, flag 00000804, tunnel ffffffff, rc 0
    outgoing wing prepared, not ready
    handle cleartext reverse route
    search route to (ethernet1/7.1, 200.200.200.193->10.10.19.22) in vr untrust1-vr for vsd-0/flag-3000/ifp-ethernet1/5.2
    [ Dest] 31.route 10.10.19.22->10.10.19.22, to ethernet1/5.2
    route to 10.10.19.22
    arp entry found for 10.10.19.22
    ifp2 ethernet1/5.2, out_ifp ethernet1/5.2, flag 00800805, tunnel ffffffff, rc 1

    ##########################################################

    Thanks in advance.

    Regards,

    Klemens
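
The trace above is the usual place to get stuck when reading ScreenOS output: the session is created and permitted, yet the "outgoing wing" never becomes ready because the egress ARP for the destination stays pending. The following is an added example, not code from the thread or from Juniper: a small Python tool that parses a `debug flow basic` trace and a `get arp` listing, normalises the two interface naming styles (`ethernet1/7.1` versus `eth1/7.1`), and reports why the flow is stalled. The trace and ARP rows embedded in it are constructed from the post (trimmed, plus one made-up `VLD` row for contrast), and the `vip_addresses` parameter is a hypothetical input the operator supplies, since the trace itself does not reveal that an address is a VIP.

```python
"""Explain a ScreenOS flow stuck at "outgoing wing prepared, not ready".

Reads `debug flow basic` output and `get arp` output, correlates the egress
interface and pending ARP state, and prints findings.  Added example; the
sample data below is constructed from the forum post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the thread's debug flow trace, trimmed to relevant lines.
DEBUG_FLOW = """\
****** 34479095.0: <cloud-dmz/ethernet1/5.2> packet received [60]******
ethernet1/5.2:10.10.19.22/4373->200.200.200.193/0,1(8/0)<Root>
no session found
search route to (ethernet1/5.2, 10.10.19.22->200.200.200.193) in vr untrust1-vr for vsd-0/flag-0/ifp-null
routed (x_dst_ip 200.200.200.193) from ethernet1/5.2 (ethernet1/5.2 in 0) to ethernet1/7.1
policy search from zone 102-> zone 100
Permitted by policy 1172
DST xlate: 200.200.200.193(0) to 200.200.200.193(0)
Session (id:24338) created for first pak 21
wait for arp rsp for 200.200.200.193
outgoing wing prepared, not ready
arp entry found for 10.10.19.22
"""

# Constructed sample: the PND row from the post plus one made-up resolved row.
ARP_TABLE = """\
IP Mac VR/Interface State Age Retry PakQue Sess_cnt
200.200.200.193 000000000000 untrust1-vr/eth1/7.1 PND 0 2 2 0
10.10.19.22 0010dbaa1300 untrust1-vr/eth1/5.2 VLD 12 0 0 1
"""


@dataclass
class FlowSummary:
    in_ifp: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    out_ifp: Optional[str] = None
    from_zone: Optional[int] = None
    to_zone: Optional[int] = None
    policy_id: Optional[int] = None
    dst_xlated: Optional[str] = None
    session_id: Optional[int] = None
    arp_wait_ip: Optional[str] = None
    not_ready: bool = False


@dataclass
class ArpEntry:
    mac: str
    vr: str
    ifp: str
    state: str


IP = r"\d+(?:\.\d+){3}"
FLOW_RE = re.compile(rf"^(?P<ifp>\S+?):(?P<src>{IP})/\d+->(?P<dst>{IP})/\d+,\d+")
ROUTED_RE = re.compile(rf"^routed \((?:x_dst_ip )?(?P<ip>{IP})\) from (?P<in>\S+) \([^)]*\) to (?P<out>\S+)$")
POLICY_RE = re.compile(r"^policy search from zone (?P<from>\d+)-> zone (?P<to>\d+)")
PERMIT_RE = re.compile(r"^Permitted by policy (?P<id>\d+)")
XLATE_RE = re.compile(rf"^DST xlate: (?P<orig>{IP})\(\d+\) to (?P<xlated>{IP})\(\d+\)")
SESSION_RE = re.compile(r"^Session \(id:(?P<id>\d+)\) created")
WAIT_ARP_RE = re.compile(rf"^wait for arp rsp for (?P<ip>{IP})")
ARP_ROW_RE = re.compile(rf"^(?P<ip>{IP})\s+(?P<mac>[0-9a-fA-F]{{12}})\s+(?P<vr>[^\s/]+)/(?P<ifp>\S+)\s+(?P<state>\S+)")


def short_ifp(name: str) -> str:
    """`get arp` prints eth1/7.1 where debug flow prints ethernet1/7.1."""
    return name.replace("ethernet", "eth", 1)


def parse_debug_flow(text: str) -> FlowSummary:
    flow = FlowSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FLOW_RE.match(line)) and flow.in_ifp is None:
            flow.in_ifp, flow.src, flow.dst = m["ifp"], m["src"], m["dst"]
        elif m := ROUTED_RE.match(line):
            flow.out_ifp = m["out"]          # last route lookup wins (post-NAT)
        elif m := POLICY_RE.match(line):
            flow.from_zone, flow.to_zone = int(m["from"]), int(m["to"])
        elif m := PERMIT_RE.match(line):
            flow.policy_id = int(m["id"])
        elif m := XLATE_RE.match(line):
            flow.dst_xlated = m["xlated"]
        elif m := SESSION_RE.match(line):
            flow.session_id = int(m["id"])
        elif m := WAIT_ARP_RE.match(line):
            flow.arp_wait_ip = m["ip"]
        elif line == "outgoing wing prepared, not ready":
            flow.not_ready = True
    return flow


def parse_arp_table(text: str) -> Dict[str, ArpEntry]:
    entries: Dict[str, ArpEntry] = {}
    for raw in text.splitlines():
        if m := ARP_ROW_RE.match(raw.strip()):
            entries[m["ip"]] = ArpEntry(m["mac"], m["vr"], m["ifp"], m["state"])
    return entries


def diagnose(flow: FlowSummary, arp: Dict[str, ArpEntry],
             vip_addresses: Set[str] = frozenset()) -> List[str]:
    """Return human-readable findings; empty list means the wing was ready."""
    findings: List[str] = []
    if not flow.not_ready:
        return findings
    ip = flow.arp_wait_ip or flow.dst_xlated or flow.dst
    entry = arp.get(ip)
    unresolved = entry is None or entry.state != "VLD" or set(entry.mac) == {"0"}
    if unresolved:
        state = entry.state if entry else "absent"
        findings.append(
            f"session {flow.session_id} permitted by policy {flow.policy_id} "
            f"(zone {flow.from_zone}->{flow.to_zone}) but egress ARP for {ip} "
            f"on {flow.out_ifp} is {state}; the outgoing wing stays incomplete")
        if entry and flow.out_ifp and short_ifp(flow.out_ifp) != entry.ifp:
            findings.append(f"ARP entry lives on {entry.ifp}, not on the routed egress {flow.out_ifp}")
        if ip in vip_addresses:
            findings.append(
                f"{ip} is a VIP owned by this firewall on {flow.out_ifp}: no neighbour will answer "
                "the ARP and proxy ARP is refused for VIP addresses, so the inter-zone policy "
                "needs policy-based destination NAT to the real server address instead")
    return findings


if __name__ == "__main__":
    summary = parse_debug_flow(DEBUG_FLOW)
    for finding in diagnose(summary, parse_arp_table(ARP_TABLE), {"200.200.200.193"}):
        print("-", finding)
```

Run it against a real trace by replacing the two constants with the output of `debug flow basic` and `get arp`; the ARP state names it checks (`PND`, `VLD`) are the ones ScreenOS prints, and the all-zero MAC is the second tell that the neighbour never answered.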



  • 2.  RE: Not able to access IP in untrust zone from dmz zone

    Posted 03-20-2020 03:09

    Since the address is a VIP on the interface it sounds like you need to add that address to the proxy ARP list there.

    network > interfaces

    open the physical interface

    Proxy ARP tab


  • 3.  RE: Not able to access IP in untrust zone from dmz zone

    Posted 03-20-2020 03:30

    Hello Steve, 

    Thanks for your fast reply, I tried to configure proxy ARP on the interface but failed with the following message:

    ###Error, one IP in range [200.200.200.193 - 200.200.200.193] is used by mip/dip/vip!

    What do you think about adding a static ARP entry like https://kb.juniper.net/InfoCenter/index?page=content&id=KB26321&cat=SSG_5&actp=LIST ?



  • 4.  RE: Not able to access IP in untrust zone from dmz zone
    Best Answer

    Posted 03-21-2020 05:08

    I'm thinking now that the direction of the flow between the two dmz is the issue as the current configuration assumes inbound from untrust.

    Perhaps this could be overcome by adding dst NAT to the policy between the two DMZ zones. Picking up the public address on the policy and translating it there to the internal address instead of letting it hit the VIP/DIP process.



  • 5.  RE: Not able to access IP in untrust zone from dmz zone

    Posted 03-23-2020 03:15

    Hello Steve,

    Perfect! That worked like a charm. Nice to see people like you around helping others!

    Have a nice day, wish you all the best.

    Regards,

    Klemens