Antispoofing error message

[rn4it]

I've recently added 2 sites of a business partner to the allow access list for internal users. I've also added these to sites to our DMZ anti-spoof group. For whatever reason these 2 sites are receiving the standard anti-spoof error msg. there are a number of other sites wich are configured to be apart of this group and are working. So why don't these 2, I've checked their IPs, and confirmed a few times that whey were in the group.

any ideas
thanks
John

[gavvys]

Hi
What logs do you see at the gateway when a request comes from that source.Might be some NAT ip will be coming that is not added in the antispoofing group.Kindly check the logs adn let me know what do u see there for there request.

Regards
Ranjit

[rn4it]

HI
It's an outgoing request from internal to DMZ, we send it in it's origional state the business partner then NAT's it. We see it being accepted then below it a message stating antispoofing. The weird thing is the rule is set up as follows:

internal net =>businesspartnet(group) allowed service accept log

This rule is working all i should have had to do is add the 2 new hosts into the group. None of these hosts connect into us, it's just us into them.

I'll check the other objects in that group just to see.

thanks

[MarioL]

I'd check what interface is generating the logs, maybe the packets aren't being routed properly.

[rn4it]

Thanks, but traceroutes show they're getting onto the DMZ switch. However, I still check what the logs show.

Any other thoughts if it's not that?
thanks

[rn4it]

routing is correct and it's the DMZ interface that's reporting the anti-spoofing msg.

Any other ideas? Any way of debuging it? It's CP NG-AI R54 build 243 on an IPSO 3.7 IP530.

thanks

[rn4it]

This has been resolved, there was a typo on a static route of the DMZ switch, so the traffic was bouncing back to the firewall.

thanks for you assistance.