[j-nsp] ISG IDP modules dropping traffic in tap mode

Ross Vandegrift ross at kallisti.us
Fri Apr 3 14:36:23 EDT 2009

Hi everyone,

I just experienced a very strange issue.  We have a pair of ISG2000s
with IDP modules in an Active/Passive NSRP configuration.  A few
policies have IDP processing enabled in Inline Tap mode.  We're
running 6.1.0r3.0-IDP.

For no obvious cause (no one updated the config at all), sessions
through the firewalls began dropping approximately 10-20% of all final
ACK packets in the three-way TCP handshake.  No messages were logged.
Flow debugging indicated that SM_RULEs were successful and that session
installation was completed.

Pushing policy to disable Inline Tap processing on the four or five
policies with it enabled fixed the problem instantly.  Qualitatively,
it looked as if the IDP module was inline and out of TCP reassembly
buffers.... except that the modules were in tap mode.

Almost all of the IDP module bugs I've seen include no logging of
action taken.  But I don't know what to think about the fact that the
modules were in tap mode.

Has anyone seen anything similar?

Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
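A way to put numbers on the symptom described above (final handshake ACKs vanishing with nothing logged): compare packet records taken on the trust side and the untrust side of the firewall and count handshakes whose third packet is seen entering but never leaving. This is an added example, not code from the poster or from Juniper; the packet records, addresses and the two capture "sides" are constructed, and it assumes the simplified case where the client's handshake ACK is a pure ACK.

```python
"""Estimate silently dropped third-handshake ACKs from two capture points."""
from collections import namedtuple

# Constructed record: side is "in" (trust side, before the firewall)
# or "out" (untrust side, after it); flags is a TCP flag string.
Pkt = namedtuple("Pkt", "side src sport dst dport flags")


def handshake_ack_loss(packets):
    """Return (handshakes, lost_final_acks, loss_ratio).

    A handshake is a client 4-tuple for which a SYN, a matching SYN-ACK and a
    pure ACK were all seen on the ingress side. The final ACK counts as lost
    when no pure ACK for that 4-tuple ever appears on the egress side.
    """
    syn, synack, ack_in, ack_out = set(), set(), set(), set()
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S" and p.side == "in":
            syn.add(key)
        elif p.flags == "SA" and p.side == "in":
            synack.add((p.dst, p.dport, p.src, p.sport))  # back to client key
        elif p.flags == "A":
            (ack_in if p.side == "in" else ack_out).add(key)
    handshakes = syn & synack & ack_in
    lost = handshakes - ack_out
    ratio = len(lost) / len(handshakes) if handshakes else 0.0
    return len(handshakes), len(lost), ratio


def exceeds_threshold(packets, threshold=0.05):
    """True when the measured loss ratio is above a tolerable baseline."""
    return handshake_ack_loss(packets)[2] > threshold


def handshake(client, sport, server, dport, ack_forwarded=True):
    """Build one constructed handshake as seen from both capture points."""
    c2s, s2c = (client, sport, server, dport), (server, dport, client, sport)
    pkts = [Pkt("in", *c2s, "S"), Pkt("out", *c2s, "S"),
            Pkt("out", *s2c, "SA"), Pkt("in", *s2c, "SA"),
            Pkt("in", *c2s, "A")]
    if ack_forwarded:
        pkts.append(Pkt("out", *c2s, "A"))
    return pkts


# Constructed sample: five handshakes, one with its final ACK dropped.
SAMPLE = sum((handshake("10.1.1.10", 40000 + i, "192.0.2.10", 80,
                        ack_forwarded=(i != 3)) for i in range(5)), [])

if __name__ == "__main__":
    print(handshake_ack_loss(SAMPLE), exceeds_threshold(SAMPLE))
```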
