[cisco-voip] checkpoint firewall-1 with cm612?
Wes Sisk
wsisk at cisco.com
Fri Dec 19 11:36:42 EST 2008
Anyone using a checkpoint firewall-1 and doing sccp inspection with
cm612? Were any updates required to go from cm413 to cm612?
2 key differences we know exist between the cm versions:
1. customized windows tcp stack to redhat enterprise linux tcp stack
2. sccp version 6 to sccp version 15
Everything appears fine when cm413 is the active cm version. When we
make cm612 the active cm version we observe 2 problems:
1. incomplete tcp handshake - cm receives tcp syn, responds with tcp syn
ack. The endpoint (across the firewalls) never responds with tcp ack.
Either cm's (syn,ack) is not reaching the device or the device's ack is
not reaching cm. Packet captures were taken from a span port of cm, so
we know what packets were and were not on the wire. We see this signature
for both tcp 2000 (sccp) and tcp 2428 (mgcp backhaul).
2. complete traffic filtering and tcp session aborts - devices are
registered with tcp sessions established. CM is accepting ~10 new
inbound tcp sessions per second. Suddenly all inbound tcp sessions
stop, and no new tcp sessions are received. Then established tcp sessions
begin receiving TCP RST (resets), which abort the session and cause
device unregistrations. TCP sessions for sccp (2000) and mgcp (2428) are
affected. The devices that have tcp sessions aborted with RST are
quickly able to establish new TCP sessions and re-register.
All of the network signatures indicate to me that a device performing
stateful inspection must be at play and is likely at fault. Are any
updates to checkpoint required to get support for new versions of SCCP?
What checkpoint versions support sccp version 15?
Any thoughts greatly appreciated.
/Wes
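An added example, not part of Wes's post, that sorts the sessions seen on a CM span-port capture into the two signatures he describes (half-open handshakes and established sessions aborted by RST) per signaling port. The CM address, endpoint addresses and the packet list are constructed for illustration.

```python
"""Classify TCP sessions from a CM span-port capture into the two signatures
in the post: half-open handshakes and RST-aborted established sessions."""
from collections import defaultdict

CM_IP = "10.0.0.10"                       # constructed CM address
SIGNALING_PORTS = {2000: "sccp", 2428: "mgcp-backhaul"}

# Constructed packet records: (time, src, sport, dst, dport, tcp_flags)
PACKETS = [
    (0.00, "10.1.1.21", 50001, CM_IP, 2000, "S"),
    (0.01, CM_IP, 2000, "10.1.1.21", 50001, "SA"),   # endpoint never ACKs
    (0.50, "10.1.1.22", 50002, CM_IP, 2428, "S"),
    (0.51, CM_IP, 2428, "10.1.1.22", 50002, "SA"),
    (0.52, "10.1.1.22", 50002, CM_IP, 2428, "A"),    # handshake completes
    (9.00, "10.1.1.22", 50002, CM_IP, 2428, "PA"),
    (9.10, "10.1.1.22", 50002, CM_IP, 2428, "R"),    # established, then reset
    (9.20, "10.1.1.23", 50003, CM_IP, 2000, "S"),
    (9.21, CM_IP, 2000, "10.1.1.23", 50003, "SA"),
    (9.22, "10.1.1.23", 50003, CM_IP, 2000, "A"),
    (9.23, "10.1.1.23", 50003, CM_IP, 2000, "PA"),   # healthy session
]

def classify_sessions(packets, cm_ip=CM_IP):
    """Return {port_name: {"half_open": [...], "rst_aborted": [...], "healthy": n}}.
    A session is keyed by (endpoint ip, endpoint port, CM port); direction is
    derived from which side holds the CM address."""
    state = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "rst": False})
    for _t, src, sport, dst, dport, flags in packets:
        if dst == cm_ip and dport in SIGNALING_PORTS:
            key, from_cm = (src, sport, dport), False
        elif src == cm_ip and sport in SIGNALING_PORTS:
            key, from_cm = (dst, dport, sport), True
        else:
            continue                                   # not CM signaling traffic
        s = state[key]
        if "S" in flags and "A" not in flags and not from_cm:
            s["syn"] = True                            # pure SYN from endpoint
        elif flags == "SA" and from_cm:
            s["synack"] = True                         # CM answered the SYN
        elif "A" in flags and not from_cm and s["synack"]:
            s["ack"] = True                            # third leg seen on wire
        if "R" in flags:
            s["rst"] = True                            # RST from either side aborts
    report = {n: {"half_open": [], "rst_aborted": [], "healthy": 0} for n in SIGNALING_PORTS.values()}
    for (ip, port, cm_port), s in state.items():
        bucket = report[SIGNALING_PORTS[cm_port]]
        if s["syn"] and s["synack"] and not s["ack"]:
            bucket["half_open"].append((ip, port))     # signature 1 in the post
        elif s["ack"] and s["rst"]:
            bucket["rst_aborted"].append((ip, port))   # signature 2 in the post
        elif s["ack"]:
            bucket["healthy"] += 1
    return report
```

Half-open sessions on both ports with the SYN-ACK visible on the CM side, plus RSTs landing on sessions that completed normally, point at a stateful middlebox rather than the CM stack.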