08-02-2012 11:34 PM
Hello,
Our WAAS appliance doesn't work correctly with the Check Point firewall. It seems that the firewall has problems with the packets modified by WAAS. The Check Point is not between the two WAEs, but nevertheless the problem appears.
The Check Point log says that these two rules are dropping the packets: "TCP SYN Modified Retransmission" and "TCP Segment Limit Enforcement".
In the attached file you can see our topology. With the ASA firewall there are no problems.
Do you think disabling the two Check Point IPS rules would help us get WAAS working?
Regards,
Simon
08-03-2012 10:21 AM
What exactly is going on with WAAS? (Are you having trouble with a specific application? If that is the case, can you get one testing PC and collect outputs from its connection to see what WAAS is doing to the traffic?)
I would disable WAAS for a specific testing connection to make sure whether the Check Point really does not like the traffic coming from the WAE device.
regards,
08-06-2012 12:30 AM
- In a first step we disabled the WAE at the remote office. But this didn't resolve the problems.
One active WAE at the data center was enough to cause problems at the Check Point firewall.
- Then we disabled the WAE at the data center. After this the problems were solved.
-> So it seems that the Check Point firewall has problems with the packets marked by the WAEs. And the packets marked for auto-discovery seem to be enough to get into trouble.
08-06-2012 07:53 AM
OK, as I understand your topology the firewall is on the LAN side of WAAS, and it should not be a problem for WAAS discovery methods. I must be missing something... Anyway, I did some research and found the following post helpful; can you review it?
https://supportforums.cisco.com/thread/2002326
Also firewalls should not block SYN/SYN,ACK with tcp option 0x21
Regards,
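To make the thread's point concrete, here is an added example (not part of the original posts, and not Cisco or Check Point code) that parses the options area of a TCP SYN header and reports whether it carries TCP option kind 0x21, the kind the reply above says WAAS auto-discovery adds. It also shows why an inline inspection device that remembers the first SYN can flag a second SYN with the same ports and sequence number but different options as a "modified retransmission". The two SYN headers are constructed inline; the payload bytes placed after the 0x21 kind byte are an assumption for illustration, since the page only states the option kind.

```python
import struct

# TCP option kind the thread associates with WAAS auto-discovery (from the post above)
WAAS_OPTION_KIND = 0x21


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, value) tuples from the options area of a raw TCP header.

    Follows the standard TCP option encoding: kind 0 (EOL) ends the list,
    kind 1 (NOP) has no length byte, every other kind is kind/length/value.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts = tcp_header[20:data_offset]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # No-operation padding
            result.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def build_syn(src_port: int, dst_port: int, seq: int, options: bytes) -> bytes:
    """Construct a raw TCP SYN header (checksum left at zero) with the given options."""
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 4-byte boundary with EOL
    data_offset_words = (20 + len(options)) // 4
    flags = 0x02  # SYN
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                        data_offset_words << 4, flags, 65535, 0, 0)
    return fixed + options


def waas_marked(tcp_header: bytes) -> bool:
    """True if the header carries the 0x21 option, i.e. it was marked by a WAE."""
    return any(kind == WAAS_OPTION_KIND for kind, _ in parse_tcp_options(tcp_header))


def syn_changed_in_flight(first_syn: bytes, later_syn: bytes) -> bool:
    """Mimic a stateful firewall check: same 4-tuple ports and sequence number,
    but the option set differs, so the retransmission looks modified."""
    ports_seq = "!HHI"
    if struct.unpack_from(ports_seq, first_syn) != struct.unpack_from(ports_seq, later_syn):
        return False  # not the same connection attempt at all
    return parse_tcp_options(first_syn) != parse_tcp_options(later_syn)


# Constructed sample headers: a plain SYN with only an MSS option, and the same SYN
# after a (hypothetical) WAE inserted a NOP plus a 6-byte kind-0x21 option.
PLAIN_SYN = build_syn(40000, 443, 1000, b"\x02\x04\x05\xb4")
MARKED_SYN = build_syn(40000, 443, 1000,
                       b"\x02\x04\x05\xb4" + b"\x01" + bytes([WAAS_OPTION_KIND, 6]) + b"\x00\x01\x02\x03")

if __name__ == "__main__":
    print("plain options :", parse_tcp_options(PLAIN_SYN))
    print("marked options:", parse_tcp_options(MARKED_SYN))
    print("marked by WAE :", waas_marked(MARKED_SYN))
    print("looks modified:", syn_changed_in_flight(PLAIN_SYN, MARKED_SYN))
```

Running it against a capture is the check the second reply asks for: feed the TCP header bytes of a SYN taken on each side of the Check Point into `waas_marked`, and if a SYN that carries the 0x21 option is seen once and then again without it (or vice versa), `syn_changed_in_flight` reproduces exactly the condition that the "TCP SYN Modified Retransmission" protection is built to catch.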