Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco WAAS and Check Point Firewall

Hello,

our WAAS-Appliance doesnt work correctly with Check Point Firewall. It seems that the Firewall has problems with the packets modified by WAAS. The Check Point is not between the two WAEs, but however the problem appears.

The Check Point log says that this two rules are dropping the packets: "TCP SYN Modified Retransmission" and "TCP Segment Limit Enforcement".

At the attached file you can see our topology. With the ASA-Firewall there are no problems.

Do you think disabling the two Check Point IPS rules would help us to get WAAS working?

Regards,

Simon

Everyone's tags (4)
3 REPLIES
Cisco Employee

Re: Cisco WAAS and Check Point Firewall

What is exactly going on with WAAS?   ( are you having trouble with an specific application ? if that is the case can you get one testing pc for getting outputs from it's connection  to see what is WAAS doing to the traffic?)

I  would  disable WAAS for an specfic testing connection to make sure if the Check Point really  does not like the traffic coming from the WAE device.

regards,

Community Member

Cisco WAAS and Check Point Firewall

- In a first step we disabled the WAE at the remote office. But this didnt resolve the problems.

One active WAE at the data center was enough to cause problems at the Check Point Firewall.

- Then we disabled the WAE at the data center. After this the problems were solved.

-> So it seems that the Check Point Firewall has problems with the packets marked by the WAEs. And the marked packets for Autodiscovery seem to be enough to get in troubles.

Cisco Employee

Re: Cisco WAAS and Check Point Firewall

ok, as I understand your topology  the firewall is on the LAN site of WAAS and it should not be a problem for WAAS discovery methods, I must be missing something ... anyways I did some research  I found the following  post helpful can you review it?

https://supportforums.cisco.com/thread/2002326

Also firewalls should not block SYN/SYN,ACK with tcp option 0x21

Regards,

1773
Views
0
Helpful
3
Replies
CreatePlease to create content