Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2854
Views
0
Helpful
3
Replies

Cisco WAAS and Check Point Firewall

metzgersimon
Level 1
Level 1

‎08-02-2012 11:34 PM

Hello,

our WAAS-Appliance doesnt work correctly with Check Point Firewall. It seems that the Firewall has problems with the packets modified by WAAS. The Check Point is not between the two WAEs, but however the problem appears.

The Check Point log says that this two rules are dropping the packets: "TCP SYN Modified Retransmission" and "TCP Segment Limit Enforcement".

At the attached file you can see our topology. With the ASA-Firewall there are no problems.

Do you think disabling the two Check Point IPS rules would help us to get WAAS working?

Regards,

Simon

Preview file
24 KB
0 Helpful
3 Replies 3

Felix Arrieta
Cisco Employee
Cisco Employee

‎08-03-2012 10:21 AM

What is exactly going on with WAAS?   ( are you having trouble with an specific application ? if that is the case can you get one testing pc for getting outputs from it's connection  to see what is WAAS doing to the traffic?)

I  would  disable WAAS for an specfic testing connection to make sure if the Check Point really  does not like the traffic coming from the WAE device.

regards,

0 Helpful

metzgersimon
Level 1
Level 1
In response to Felix Arrieta

‎08-06-2012 12:30 AM

- In a first step we disabled the WAE at the remote office. But this didnt resolve the problems.

One active WAE at the data center was enough to cause problems at the Check Point Firewall.

- Then we disabled the WAE at the data center. After this the problems were solved.

-> So it seems that the Check Point Firewall has problems with the packets marked by the WAEs. And the marked packets for Autodiscovery seem to be enough to get in troubles.

0 Helpful

Felix Arrieta
Cisco Employee
Cisco Employee
In response to metzgersimon

‎08-06-2012 07:53 AM

ok, as I understand your topology  the firewall is on the LAN site of WAAS and it should not be a problem for WAAS discovery methods, I must be missing something ... anyways I did some research  I found the following  post helpful can you review it?

https://supportforums.cisco.com/thread/2002326

Also firewalls should not block SYN/SYN,ACK with tcp option 0x21

Regards,

0 Helpful
Customers Also Viewed These Support Documents