Hi there. Removing this option seems to have solved our issue.
Thanks, Josh.

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, 20 September 2011 19:32
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

On 09/20/2011 04:06 AM, Stefan Fouant wrote:
> 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing...

Are you sure? I don't think that's what he wants; as suggested by the name, this relaxes the requirement for the 1st packet to be a syn/syn+ack pair, but the firewall will still expect to see both sides of the flow IIRC; in a previous iteration of our network, we were prone to asymmetric routing causing our firewalls problems, and we've run with "unset flow tcp-syn-" from day one.

It is possible I am mis-remembering it of course...

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp