Dear Nicholas,

Thanks a lot for sharing this with everybody.

Regards
Farrukh

On Fri, Sep 2, 2011 at 3:29 PM, Nicholas Oas <nicholas....@gmail.com> wrote:
> An update, this issue is officially PR 677385. JTAC is working on a fix.
>
> Since I last posted we have observed the bug on an additional ISG-1000. To
> date, we have observed this in 6.3.0r7, 6.3.0r8, and 6.2.0r9.
>
> We were able to get packet captures of both the V1-Untrust and V1-Trust
> interface, in addition to numerous debug outputs as requested by JTAC.
>
> Analysis of the packet captures reveals that the ISG-1000 is actually
> sending response traffic when it erroneously activates TCP Proxy. The
> conversation looks like this:
>
> Packet 1:
> 10.0.2.4:56742 10.0.1.10:80 SYN
> (Correct src-mac) (Correct dst-mac)
>
> Packet 2:
> 10.0.1.10:80 10.0.2.4:56742 SYN-ACK
> (src-mac: 00:00:00:00:00:00) (dst-mac: 00:00:00:00:00:00)
>
> The full packet capture shows some other oddities with sequence numbers sent
> by the ISG, but the above is enough to prove the point.
>
> To summarize, this bug can be experienced if the following conditions are
> true:
> 1. ISG platform
> 2. ScreenOS 6.2 or 6.3
> 3. Transparent / Layer-2 mode
> 4. Undelivered TCP packets
> 5. UDP and ICMP packets delivered without issue
> 6. debug flow basic shows 'tcp proxy processing'
>
> ex:
> get ff
> (make sure no FF are set, if so use unset ff )
> clear db
> debug flow basic
> get db str | include "tcp proxy processing"
>
> I hope this helps if anyone else ever experiences this issue.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
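The signature Nicholas describes, a client SYN answered by a SYN-ACK whose Ethernet source and destination are both 00:00:00:00:00:00 (the ISG answering on its own in transparent mode), can be checked mechanically across a whole capture rather than by eyeballing two packets. The Python below is an added example, not code from the original thread or from Juniper. It works on a constructed plain-text summary of packets in the same layout as the post; the non-zero MACs of packet 1 and the second, healthy flow are made up for contrast. It also greps a constructed stand-in for `get db str` output for the 'tcp proxy processing' marker, which is the only part of that text taken from the post.

```python
"""Flag the TCP Proxy signature from the thread: a SYN-ACK that answers a
client SYN but carries all-zero source and destination MACs.

Added example, not code from the original post or from Juniper. The packet
lines below are a constructed text summary; the non-zero MACs and the second
(clean) flow are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ZERO_MAC = "00:00:00:00:00:00"
PROXY_MARKER = "tcp proxy processing"   # string the post says to look for in debug output

# Constructed packet summary: "src_ip:port dst_ip:port FLAGS src_mac dst_mac".
# Flow 56742 reproduces the post's two packets; flow 56743 is a constructed
# healthy handshake for contrast.
SAMPLE_CAPTURE = """
# constructed, not a real capture
10.0.2.4:56742 10.0.1.10:80 SYN     00:50:56:aa:bb:01 00:50:56:aa:bb:02
10.0.1.10:80 10.0.2.4:56742 SYN-ACK 00:00:00:00:00:00 00:00:00:00:00:00
10.0.2.4:56743 10.0.1.10:80 SYN     00:50:56:aa:bb:01 00:50:56:aa:bb:02
10.0.1.10:80 10.0.2.4:56743 SYN-ACK 00:50:56:aa:bb:02 00:50:56:aa:bb:01
"""

# Constructed stand-in for 'get db str' output; only the marker substring is
# taken from the post, the surrounding text is placeholder and does not
# imitate real ScreenOS debug format.
SAMPLE_DEBUG = """
placeholder line: packet received on v1-trust
placeholder line: tcp proxy processing
placeholder line: packet dropped
"""


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str
    src_mac: str
    dst_mac: str


Flow = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


def parse_line(line: str) -> Pkt:
    """Parse one summary line; MACs are normalised to lower case."""
    src, dst, flags, smac, dmac = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Pkt(sip, int(sport), dip, int(dport), flags.upper(), smac.lower(), dmac.lower())


def find_proxy_synacks(lines: Iterable[str]) -> List[Tuple[Pkt, Pkt]]:
    """Return (SYN, SYN-ACK) pairs where the SYN-ACK has both MACs zeroed.

    A SYN-ACK is only counted when a SYN for the reversed 4-tuple was seen
    earlier, so stray packets are not mistaken for the signature.
    """
    pending: Dict[Flow, Pkt] = {}
    hits: List[Tuple[Pkt, Pkt]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        p = parse_line(raw)
        if p.flags == "SYN":
            pending[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = p
        elif p.flags == "SYN-ACK":
            syn = pending.pop((p.dst_ip, p.dst_port, p.src_ip, p.src_port), None)
            if syn is not None and p.src_mac == ZERO_MAC and p.dst_mac == ZERO_MAC:
                hits.append((syn, p))
    return hits


def proxy_debug_lines(debug_output: str) -> List[str]:
    """Lines of debug output containing the marker (case-insensitive), the
    offline equivalent of the post's 'get db str | include ...' step."""
    return [l for l in debug_output.splitlines() if PROXY_MARKER in l.lower()]


def matches_signature(capture_lines: Iterable[str], debug_output: str) -> bool:
    """True only when both checks from the post fire: a zero-MAC SYN-ACK in
    the capture and the marker in the debug output."""
    return bool(find_proxy_synacks(capture_lines)) and bool(proxy_debug_lines(debug_output))


if __name__ == "__main__":
    for syn, synack in find_proxy_synacks(SAMPLE_CAPTURE.splitlines()):
        print(f"zero-MAC SYN-ACK answering {syn.src_ip}:{syn.src_port} -> {syn.dst_ip}:{syn.dst_port}")
    print("debug marker present:", bool(proxy_debug_lines(SAMPLE_DEBUG)))
```

The parser deliberately takes a plain-text summary rather than a pcap, so the matching logic stays independent of whichever capture tool produced the trace; on a real investigation you would emit one line per TCP packet in this layout from your capture of the V1-Trust and V1-Untrust interfaces and run both checks against it.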