A remote IP (X.X.X.X/32) in the untrust zone was not reachable from our network. The customer wanted to know which router had the problem, so they asked us to enable the traceroute function between the trust and untrust zones, and also between the local and untrust zones.
We checked all the interzone ACL configuration and everything was OK. We even tried allowing all IP traffic with "rule 100 permit ip" in the trust-untrust and local-untrust interzone ACLs, but traceroute still did not work.
Later we realised that we had enabled the defend tracert function with "firewall defend tracert enable", which was not allowing traceroute between different zones.