Cisco WAAS and Check Point Firewall

Aug 2nd, 2012

Hello,


our WAAS appliance doesn't work correctly with a Check Point firewall. It seems that the firewall has problems with the packets modified by WAAS. The Check Point is not between the two WAEs, but the problem appears nonetheless.

The Check Point log says that these two rules are dropping the packets: "TCP SYN Modified Retransmission" and "TCP Segment Limit Enforcement".

In the attached file you can see our topology. With the ASA firewall there are no problems.

Do you think disabling the two Check Point IPS rules would help us to get WAAS working?


Regards,

Simon

metzgersimon Mon, 08/06/2012 - 00:30

- In a first step we disabled the WAE at the remote office. But this didn't resolve the problems.

One active WAE at the data center was enough to cause problems at the Check Point firewall.

- Then we disabled the WAE at the data center. After this the problems were solved.

-> So it seems that the Check Point firewall has problems with the packets marked by the WAEs. And the marked packets for auto-discovery seem to be enough to get into trouble.

Felix Arrieta (Cisco Employee) Mon, 08/06/2012 - 07:53

OK, as I understand your topology, the firewall is on the LAN side of WAAS and it should not be a problem for the WAAS discovery methods; I must be missing something. Anyway, I did some research and found the following post helpful. Can you review it?

https://supportforums.cisco.com/thread/2002326

Also, firewalls should not block SYN/SYN,ACK with TCP option 0x21.


Regards,
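
What the firewall actually sees when a WAE marks a SYN, as an added example that is not part of this thread and is not Cisco or Check Point code. It parses the TCP option list of a raw segment, flags a SYN or SYN/ACK that carries option kind 0x21, and models a "modified SYN retransmission" check as a comparison of two SYNs that share the same ports and sequence number but differ in their options. The packet bytes are constructed inline; the contents of the 0x21 option are made up, and the assumption that the IPS protection compares option lists across retransmitted SYNs is an assumption, not something the thread states.

```python
"""Inspect TCP SYN options for the WAAS auto-discovery option (kind 0x21).

Added example, not from the forum thread, Cisco or Check Point.
Assumptions (not confirmed by the thread): the WAE inserts TCP option
kind 0x21 into the SYN and SYN/ACK of a new connection, and a firewall
that compares a retransmitted SYN with the first SYN it saw will flag a
SYN whose option list changed. All packet bytes below are constructed.
"""
import struct
from typing import Dict, List, Tuple

WAAS_AUTODISCOVERY_OPTION = 0x21  # TCP option kind mentioned in the thread
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP option list: kind 0 ends it, kind 1 is a one-byte NOP,
    every other kind is followed by a total-length byte (RFC 793)."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length for kind %d" % kind)
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> Dict:
    """Parse the fixed TCP header and the option list of a raw TCP segment
    (no IP header in front of it)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "options": parse_tcp_options(segment[20:data_offset])}


def has_waas_autodiscovery(segment: bytes) -> bool:
    """True for a SYN or SYN/ACK that carries TCP option kind 0x21."""
    hdr = parse_tcp_header(segment)
    if not hdr["flags"] & TCP_SYN:
        return False
    return any(kind == WAAS_AUTODISCOVERY_OPTION for kind, _ in hdr["options"])


def syn_modified(first: bytes, retransmit: bytes) -> bool:
    """Model of a 'modified SYN retransmission' check (assumed behaviour):
    same ports and sequence number, but a different option list."""
    a, b = parse_tcp_header(first), parse_tcp_header(retransmit)
    same_conn = (a["sport"], a["dport"], a["seq"]) == (b["sport"], b["dport"], b["seq"])
    return same_conn and a["options"] != b["options"]


def build_syn(sport: int, dport: int, seq: int, options: bytes, flags: int = TCP_SYN) -> bytes:
    """Construct a TCP segment with the given options, NOP-padded to a
    4-byte boundary; checksum and urgent pointer are left at zero."""
    options += b"\x01" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (data_offset << 12) | flags, 65535, 0, 0) + options


# Constructed samples: a plain client SYN with MSS 1460, and the "same" SYN
# after a WAE appended option 0x21 (payload bytes are illustrative only).
MSS_OPTION = b"\x02\x04\x05\xb4"
WAAS_OPTION = b"\x21\x08" + b"\x00\x01\x00\x02\x00\x03"

CLIENT_SYN = build_syn(50000, 445, 0x1000, MSS_OPTION)
WAE_SYN = build_syn(50000, 445, 0x1000, MSS_OPTION + WAAS_OPTION)
WAE_SYNACK = build_syn(445, 50000, 0x2000, MSS_OPTION + WAAS_OPTION, TCP_SYN | TCP_ACK)

if __name__ == "__main__":
    for name, pkt in (("client SYN", CLIENT_SYN), ("SYN after WAE", WAE_SYN)):
        kinds = [hex(k) for k, _ in parse_tcp_header(pkt)["options"]]
        print(name, "option kinds:", kinds, "WAAS auto-discovery:", has_waas_autodiscovery(pkt))
    print("modified SYN retransmission:", syn_modified(CLIENT_SYN, WAE_SYN))
```

Running it shows the point Felix makes: the marked SYN differs from the original only by an extra, well-formed option, so a firewall that wants to tolerate WAAS auto-discovery has to accept option kind 0x21 on SYN and SYN/ACK rather than treating the changed option list as a tampered retransmission.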

Felix Arrieta (Cisco Employee) Fri, 08/03/2012 - 10:21

What exactly is going on with WAAS? (Are you having trouble with a specific application? If that is the case, can you get one test PC for collecting outputs from its connection, to see what WAAS is doing to the traffic?)

I would disable WAAS for a specific test connection to make sure whether the Check Point really does not like the traffic coming from the WAE device.


regards,
