ScreenOS Firewalls (NOT SRX)
TCP Sequence Check

‎01-07-2011 04:20 AM

Hi,

I have a question about the TCP Sequence Check Flow option.

We have two IP-based PBX systems in different locations, connected with two NS5400 via the Internet. A backup connection for Signaling Survivability exists, if the main connection fails. The TCP Signaling connection roams seamlessly between the main and the backup path during lack of connection.

The problem is that if the Signaling TCP session jumps back to the main connection (through the firewalls), the session gets dropped due to sequence mismatches...

It works without any problems if the seq-check flow option is globally deactivated. Is there a way to switch off the seq-check only for specific TCP ports within a policy?

Thanks

Michael

Re: TCP Sequence Check

‎01-15-2011 08:26 AM

Hi... does nobody have any idea?

Are any of the CLI flow options configurable within a vsys system, or is it a global option?

How can I handle such TCP sessions?

Thanks Michael

Re: TCP Sequence Check

‎01-16-2011 02:20 PM

Hi Michael,

There is a way to turn it off:

set flow no-tcp-seq-check

Unfortunately, this is not filter/rule specific but a global change.

I hope it helps.

Jude

Re: TCP Sequence Check

‎01-17-2011 01:37 AM

Hi Jude,

Yes, that's the way I've got it working. But I don't want to switch off the seq-check globally, because it's an essential security feature.

Is it possible to have a dedicated vsys for the VoIP environment, to switch off the flow options only within the vsys?

Thanks

Michael