[j-nsp] completely disable session (flow) in netscreen

Tim Eberhard xmin0s at gmail.com
Sun Mar 7 02:11:08 EST 2010


To deal with asymmetric routing problems you can disable tcp-syn-checking.
That will disable the stateful enforcement (and greatly weaken security of
the box). I'd also ensure you disable syn-checking in the tunnel (since
you're using ipsec tunnels).

Beyond that, write your policy bi-directionally ensuring any side can create
the session and that should fit your needs. Even if the session times out
with syn-checking disabled and it's permitted by policy it will be instantly
recreated with the next packet.

Hope this helps,
-Tim Eberhard

On Sat, Mar 6, 2010 at 3:34 AM, Michel de Nostredame <d.nostra at gmail.com> wrote:

> Hi,
>
> The problem I encountered is that I am doing many route-based tunnels
> on many NetScreen boxes, and sometimes there will be asymmetric routes
> over tunnels and physical interfaces.
>
> Asymmetric paths in traditional routers / L3-switches will not be a
> problem, but in NetScreen that will cause session drops and/or
> traceroute timeouts, in my case.
>
> I am wondering if there is any way to *completely* disable the
> concepts of session (or flow ...) in a NetScreen to make it act like
> a "router".
>
> Thanks in advance.
> --
> Michel~
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
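Tim's three steps written out as ScreenOS CLI, as an added example that is not from either message in this thread: the zone names Trust and Untrust, the address names and subnets, and policy ids 10/11 are assumed placeholders, and the `#` lines are reader comments, not ScreenOS syntax.

```screenos
# Added example, not from the thread. Assumes a route-based tunnel whose
# tunnel interface is bound to the Untrust zone; Trust/Untrust, the
# hq-lan/branch-lan addresses and policy ids 10/11 are placeholders.

# 1. Allow a non-SYN packet (e.g. a reply that comes back over the tunnel
#    for a session that left via the physical interface) to create a session.
#    The in-tunnel variant is a separate setting and is on by default.
unset flow tcp-syn-check
unset flow tcp-syn-check-in-tunnel

# 2. Permit both directions so whichever side sees the first packet can
#    create the session. With SYN checking off, policy is the only check
#    left on that first packet, so scope the address books, not any/any.
set address "Trust"   "hq-lan"     10.1.0.0 255.255.0.0
set address "Untrust" "branch-lan" 10.2.0.0 255.255.0.0
set policy id 10 from "Trust"   to "Untrust" "hq-lan"     "branch-lan" "ANY" permit
set policy id 11 from "Untrust" to "Trust"   "branch-lan" "hq-lan"     "ANY" permit

# 3. Confirm the flow settings and the policy pair took effect.
get flow
get policy
```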

