What makes you think this is a firewall related issue?
Have you try to enable log and check if such connection is visible within list of dropped connection?
This:
Oct 30 11:14:46 jmbgw kernel: [514160.659574] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=[removed] SRC=10.30.20.10 DST=10.200.200.2 LEN=172 TOS=0x00 PREC=0x00 TTL=62 ID=57030 DF PROTO=TCP SPT=49520 DPT=444 WINDOW=115 RES=0x00 ACK PSH URGP=0
Interestingly, connection to any other IP in the object containing the 10.200.200.2, will work just fine. It is only this one.
I have removed MAC from the object too, just in case something happened there, I removed it all together from the object, saved and re-added it.
The same goes for connecting from any other IP in the network, it blocks access to this address. There are two more addresses acting like this, for no apparent reason. I do not have them added to any other rules different to other IPs within the object, why I can not see why Zentyal chose to single out these IPs as unaccessible.
I deactivated IDS too.
Still no-go.
BUT--- Access from the outer world, WAN, via port-forward, will work without a problem to any of the IPs in question.
Very interesting little issue this.