Regarding out-of-sequence tcp packet drops: I have read the KB articles surrounding this, and the following two were somewhat useful in verifying what's happening:
http://kb.juniper.net/index?page=content&id=KB5814
http://kb.juniper.net/index?page=content&id=KB6116&cat=TECHNOLOGY&actp=LIST
Flow counters for the relevant interface:
tcp out of seq 90976 | mac relearn 0 | no frag sess 0
That said, I'd like to log these drops somehow. I have several high-volume proxies and a load balancer behind this particular firewall, and I need to profile ONLY the traffic getting dropped by "unset flow no-tcp-seq-check" (i.e., sequence number checking) before I blindly disable it. Note that capturing all traffic through this firewall is simply not possible with the hardware on-hand.
Likewise, I'd like to log these same-interface drops:
auth fail 0 | loopback drop 15067 | big bkstr 0
Can that be done with a typical last-line-deny-log policy? There IS a same-interface policy in place there, so I suspect this is a protocol that doesn't match the existing list.
I.e., "from <same.zone> to <same.zone> any any any deny log count" at the end of that section?
Thanks!
#seq
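Before disabling sequence checking, one thing a defender can do without a full packet capture is poll the flow counters quoted above at an interval and compute how fast "tcp out of seq" and "loopback drop" are actually growing. The script below is an added example written for this thread, not code from Juniper or from the original poster: it parses the `name value | name value | ...` layout shown in the post and reports per-counter deltas and rates between two polls. The two snapshots are constructed sample data (the second poll's values are invented), and the assumption that every cell in the output follows the same `name value` layout as the two lines quoted is mine.

```python
from typing import Dict, Tuple

# Constructed sample snapshots in the layout quoted in the post
# ("get counter flow" style cells separated by '|'). The T0 values come
# from the post; the T1 values are invented to show counters growing.
SNAPSHOT_T0 = """\
tcp out of seq 90976 | mac relearn 0 | no frag sess 0
auth fail 0 | loopback drop 15067 | big bkstr 0
"""

SNAPSHOT_T1 = """\
tcp out of seq 91400 | mac relearn 0 | no frag sess 0
auth fail 0 | loopback drop 15100 | big bkstr 0
"""

# The two counters the post wants to profile before changing policy.
WATCHED = ("tcp out of seq", "loopback drop")


def parse_flow_counters(text: str) -> Dict[str, int]:
    """Turn 'name value | name value' lines into {name: value}.

    Each cell is split on its last space: everything before it is the
    counter name (names may contain spaces), the trailing token is the
    integer value. Cells that do not end in an integer are skipped.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for cell in line.split("|"):
            name, _, value = cell.strip().rpartition(" ")
            if not name or not value.isdigit():
                continue
            counters[name.strip()] = int(value)
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth between two polls.

    A negative delta means the counter was cleared or wrapped between
    polls; it is reported as-is so the caller can see it rather than
    silently treating it as zero growth.
    """
    return {name: after[name] - before[name] for name in before if name in after}


def watched_rates(deltas: Dict[str, int], interval_s: float) -> Dict[str, Tuple[int, float]]:
    """For the watched counters, return (delta, events per second)."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return {name: (deltas[name], deltas[name] / interval_s)
            for name in WATCHED if name in deltas}


def summarize(before_text: str, after_text: str, interval_s: float) -> Dict[str, Tuple[int, float]]:
    """Parse two raw polls and report growth of the watched drop counters."""
    before = parse_flow_counters(before_text)
    after = parse_flow_counters(after_text)
    return watched_rates(counter_deltas(before, after), interval_s)


if __name__ == "__main__":
    # Example: two polls taken 60 seconds apart.
    for name, (delta, rate) in summarize(SNAPSHOT_T0, SNAPSHOT_T1, 60.0).items():
        print(f"{name:16s} +{delta:<6d} {rate:.2f}/s")
```

A growth rate of a few per second on a busy proxy path is a different decision from thousands per second, and polling the counters per interface also tells you which interface's sequence-check drops matter; the "deny log count" policy question is separate, since the counter only says how many sessions were hit, not which ones.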