Hi everyone, I just experienced a very strange issue. We have a pair of ISG2000s with IDP modules in an Active/Passive NSRP configuration. A few policies have IDP processing enabled in Inline Tap mode. We're running 6.1.0r3.0-IDP.
For no obvious cause (no one updated the config at all), sessions through the firewalls began dropping approximately 10-20% of all final ACK packets in the three-way TCP handshake. No messages were logged. Flow debugging indicated that SM_RULEs were successful and that session installation was completed. Pushing policy to disable Inline Tap processing on the four or five policies with it enabled fixed the problem instantly.

Qualitatively, it looked as if the IDP module was inline and out of TCP reassembly buffers... except that the modules were in tap mode. Almost all of the IDP module bugs I've seen include no logging of action taken. But I don't know what to think about the fact that the modules were in tap mode.

Has anyone seen anything similar?

-- 
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp