On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote:

'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing...

Are you sure? I don't think that's what he wants; as suggested by the
name, this relaxes the requirement for the 1st packet to be a
syn/syn+ack pair, but the firewall will still expect to see both sides
of the flow IIRC; in a previous iteration of our network, we were
prone to asymmetric routing causing our firewalls problems, and we've
run with "unset flow tcp-syn-" from day one.

We had this (unset flow tcp-syn-check) running on a large cluster the other day and once we turned the flow feature on, some dual-homed hosts stopped working due to incorrect routing tables. Up to that point our cluster only saw one side of the connection, without any problems. That was ScreenOS 5.4 (back in the day). Don't know if this has changed in the 6.x line, we haven't turned it off since :)

best regards,
Stephan
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
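The thread turns on what the ScreenOS tcp-syn-check setting actually gates. The following toy flow-table model is an added example, not code from the thread or from Juniper: it implements only the first-packet rule (session creation requires a SYN when the check is on, any packet creates a session when it is off) and ignores handshake tracking, timeouts and the cluster aspects discussed above. The packet scenarios, host names and flag labels are constructed for illustration. It shows why a device that only ever sees the reply half of an asymmetric flow passes traffic with the check off and drops it with the check on.

```python
from dataclasses import dataclass, field

# TCP flag labels for the toy packets (constructed, not real captures).
SYN, SYN_ACK, ACK, DATA = "SYN", "SYN+ACK", "ACK", "DATA"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str


@dataclass
class FlowFirewall:
    """Minimal stateful flow table: a packet is forwarded only if it
    matches an existing session or is allowed to create one."""
    syn_check: bool = True                       # models 'set'/'unset flow tcp-syn-check'
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    @staticmethod
    def _key(pkt: Packet) -> frozenset:
        # Sessions are bidirectional: the same key matches both directions.
        return frozenset({pkt.src, pkt.dst})

    def forward(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if key in self.sessions:
            return True                          # belongs to a known session
        if self.syn_check and pkt.flags != SYN:
            self.dropped.append(pkt)             # first packet must be a SYN
            return False
        self.sessions.add(key)                   # create the session
        return True


def simulate(syn_check: bool, packets: list) -> list:
    """Replay packets through a fresh firewall; return per-packet verdicts."""
    fw = FlowFirewall(syn_check=syn_check)
    return [fw.forward(p) for p in packets]


# Constructed scenario: both halves of the flow pass this firewall.
SYMMETRIC = [
    Packet("client", "server", SYN),
    Packet("server", "client", SYN_ACK),
    Packet("client", "server", ACK),
    Packet("client", "server", DATA),
]

# Constructed scenario: the client->server half takes another path, so this
# firewall only ever sees the server's replies (first packet seen is SYN+ACK).
REPLY_SIDE_ONLY = [
    Packet("server", "client", SYN_ACK),
    Packet("server", "client", DATA),
]

if __name__ == "__main__":
    for name, pkts in (("symmetric", SYMMETRIC), ("reply side only", REPLY_SIDE_ONLY)):
        for check in (True, False):
            print(f"{name:16s} syn_check={check!s:5s} -> {simulate(check, pkts)}")
```

With the check on, the reply-only scenario drops every packet because the first one seen is not a SYN; with it off, the first packet creates the session and the rest follow. This is the behaviour Stephan's dual-homed hosts hit, and it says nothing about whether the device also expects the other direction to appear later, which is the separate point Phil raises.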
