03-26-2009 01:44 PM - edited 03-11-2019 08:10 AM
Hello
So far I know that WAAS sets TCP options, 0x21 if I'm not mistaken, and upon neighbor discovery it adds 2 billion to the sequence number of the traffic that is meant to be accelerated.
Since I'm running an early release I was trying to manually overcome the absence of the "inspect waas". Is it possible? So far, this is what I've got:
!
class-map WAE-TCPopt
match access-list WAE-TCPopt
!
class-map inspection_default
match default-inspection-traffic
!
tcp-map WAE
tcp-options range 6 7 allow
tcp-options range 9 255 allow
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect tftp
inspect netbios
inspect mgcp
class WAE-TCPopt
set connection random-sequence-number disable
set connection advanced-options WAE
class VoIP
priority
!
As you can imagine, it's not yet working.
Is there an alternative to the inspect? I would really want to keep the current release for a number of reasons. Any advice?
Thanks a lot
Guido
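The question turns on whether the tcp-map above lets the WAAS option through. The following is an added example, not code from the original post or from Cisco: it parses the TCP options of a SYN and checks each option kind against the inclusive ranges in the poster's tcp-map (6-7 and 9-255). The option kind 0x21 (33) is taken from the post; the sample SYN is constructed here, and treating kinds 2, 3, 4 and 8 (MSS, window scale, SACK-permitted, timestamp) as handled by other tcp-map keywords rather than by `tcp-options range` is an assumption of the model.

```python
"""Parse the TCP options of a SYN and check them against the tcp-map
ranges quoted in the post (6-7 and 9-255 allowed).

Added example, not code from the original thread or from Cisco.
Assumptions: the WAAS option kind 0x21 (33) is taken from the post;
the sample packet is constructed here; kinds 2, 3, 4 and 8 are treated
as handled by other tcp-map keywords and skipped by the range check.
"""
import struct

EOL, NOP = 0, 1                 # single-byte option kinds (RFC 793)
WAAS_OPTION_KIND = 0x21         # option the post says WAAS adds (33 decimal)
KEYWORD_KINDS = {2, 3, 4, 8}    # MSS, window scale, SACK-permitted, timestamp
                                # (assumed handled outside "tcp-options range")

# Inclusive ranges from the poster's tcp-map:
#   tcp-options range 6 7 allow
#   tcp-options range 9 255 allow
TCP_MAP_ALLOW = [(6, 7), (9, 255)]


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, data) tuples from a raw TCP header.

    Options occupy bytes 20 .. data_offset*4 - 1 of the header.
    """
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:                 # end of option list (also padding)
            break
        if kind == NOP:                 # one-byte option, no length field
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d missing length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def kind_allowed(kind, allow=TCP_MAP_ALLOW):
    """True if the option kind falls inside one of the inclusive allow ranges."""
    return any(lo <= kind <= hi for lo, hi in allow)


def check_options(tcp_header: bytes, allow=TCP_MAP_ALLOW):
    """Return (has_waas_option, [kinds not covered by the allow ranges])."""
    kinds = [k for k, _ in parse_tcp_options(tcp_header)]
    not_allowed = [k for k in kinds
                   if k not in (EOL, NOP) and k not in KEYWORD_KINDS
                   and not kind_allowed(k, allow)]
    return WAAS_OPTION_KIND in kinds, not_allowed


def build_syn(src_port, dst_port, seq, options: bytes):
    """Construct a TCP SYN header carrying the given option bytes (padded to 4)."""
    options = options + b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)   # 0x02 = SYN
    return hdr + options


# Constructed sample: MSS (kind 2), a NOP, then a 4-byte option of kind 0x21
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, NOP, WAAS_OPTION_KIND, 4, 0x00, 0x00])
SAMPLE_SYN = build_syn(40000, 80, 1000, SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(parse_tcp_options(SAMPLE_SYN))
    print(check_options(SAMPLE_SYN))
```

With the poster's two ranges, kind 33 is inside 9-255, so the range statements themselves do not reject the option; the check reports it as present and lists nothing as outside the allow ranges.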
04-01-2009 12:55 PM
You may try using the following command:
set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}
no set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}
random-seq# - Enable or disable TCP sequence number randomization. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the security appliance and the eBGP peers are using MD5, randomization breaks the MD5 checksum.
• You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.
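The eBGP/MD5 bullet above can be shown concretely. The TCP MD5 signature option (RFC 2385) is computed over the pseudo-header, the fixed TCP header (checksum taken as zero, options excluded), the data and the shared key, so the sequence number is part of the signed input and a firewall that rewrites the ISN invalidates the peer's signature. The following is an added example, not code from the reply or from Cisco: it builds a segment carrying the MD5 option, signs and verifies it, and models ISN randomization as adding an offset to the sequence number. The addresses, ports, key and payload are constructed here, and the fixed position of the option inside the header is an assumption of this builder, not of the RFC.

```python
"""TCP MD5 signature (RFC 2385) versus ISN rewriting.

Added example, not code from the original thread or from Cisco.
Constructed values: the IP addresses, ports, key and payload below.
Assumption: build_segment() always places the MD5 option (kind 19)
first, so the digest sits at a fixed offset in the header.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19          # TCP MD5 Signature Option
MD5_OPTION_LEN = 18           # kind + length + 16-byte digest
DIGEST_SLICE = slice(22, 38)  # 20-byte fixed header, kind, length, then digest

SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"   # constructed (documentation range)
KEY = b"bgp-secret"                         # constructed shared key


def build_segment(src_port, dst_port, seq, ack, flags, payload,
                  digest=b"\x00" * 16):
    """Fixed header + MD5 option padded to 20 bytes + payload."""
    options = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x00\x00"
    data_offset = 5 + len(options) // 4          # 10 words = 40-byte header
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset << 4, flags, 16384, 0, 0)
    return hdr + options + payload


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with zero checksum
    and options excluded, then the data, then the key."""
    data_offset = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                   # checksum assumed zero
    payload = segment[data_offset:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def sign_segment(src_ip, dst_ip, segment, key):
    """Fill the MD5 option with the digest of the segment."""
    d = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return segment[:DIGEST_SLICE.start] + d + segment[DIGEST_SLICE.stop:]


def verify_segment(src_ip, dst_ip, segment, key):
    """Recompute the digest and compare it with the one carried in the option."""
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(segment[DIGEST_SLICE], expected)


def rewrite_isn(segment, offset):
    """Model a firewall randomizing the ISN: add an offset to the sequence
    number (mod 2^32) without touching anything else."""
    seq = struct.unpack("!I", segment[4:8])[0]
    new_seq = (seq + offset) & 0xFFFFFFFF
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


def demo(offset=123456789):
    """Return (verifies as sent, verifies after the ISN was rewritten)."""
    seg = build_segment(179, 40001, 1000, 5000, 0x18, b"OPEN")   # 0x18 = PSH|ACK
    signed = sign_segment(SRC_IP, DST_IP, seg, KEY)
    return (verify_segment(SRC_IP, DST_IP, signed, KEY),
            verify_segment(SRC_IP, DST_IP, rewrite_isn(signed, offset), KEY))


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the WAAS case in the third bullet: any device that relies on the sequence numbers it sees matching what the end hosts sent is affected when the appliance rewrites them in between.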