On 09/20/2011 04:06 AM, Stefan Fouant wrote:
'unset flow tcp-syn-check' is what you want but unfortunately it is a global 
setting, so all or nothing...

Are you sure? I don't think that's what he wants; as suggested by the name, this relaxes the requirement for the 1st packet to be a syn/syn+ack pair, but the firewall will still expect to see both sides of the flow IIRC; in a previous iteration of our network, we were prone to asymmetric routing causing our firewalls problems, and we've run with "unset flow tcp-syn-" from day one.

It is possible I am mis-remembering it of course...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
