Disable TCP session inspection NS5GT
copacetic
I have a scenario where an NS5GT (ScreenOS 5.4.0r8.0) will have to pass packets belonging to a TCP session that has already been established via a different route (i.e. disable stateful inspection and just pass the packets). Background: a Terminal RDP session should continue after a backup route has become active. The session will already have been established via the primary route, but its packets will need to be forwarded through a NetScreen on the backup route.
I have disabled screening between the relevant zones and TCP SYN checking on the device (see the “get flow” output below). Is there anything else that needs to be done or configured for it to work?
ns5gt-> get flow
flow action flag: 1075
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for vpn packets = 1392
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check unknown mac flooding : YES
Skip sequence number check in stateful inspection : YES
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
high watermark = 100 (2064 sessions)
low watermark = 100 (2064 sessions)
early ageout = 2
RST seq. chk OFF
MAC cache for management traffic: OFF
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
Would be grateful for any advice!
marty
Try the command below.
unset flow tcp-syn-check
Unfortunately, there is no option to disable stateful inspection on ScreenOS.
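As an added illustration (not part of either post above, and not ScreenOS code): a deliberately simplified Python model of the two flow settings shown in the “get flow” output, “Check TCP SYN bit before create session” and “Skip sequence number check in stateful inspection”. It shows why a mid-stream RDP segment arriving over the backup route is dropped while SYN checking is on and forwarded once it is off, and the caveat that comes with that change: a lone ACK probe to an unrelated port now creates a session entry too. Addresses, ports and sequence numbers are constructed; the window size and the session-table semantics are assumptions of the toy, not ScreenOS internals.

```python
"""Toy stateful-inspection model for TCP. Added example only; NOT ScreenOS code.

Models a flow table keyed on the client->server 4-tuple with two knobs that
correspond to lines in the 'get flow' output:
  tcp_syn_check  -> "Check TCP SYN bit before create session"
  tcp_seq_check  -> the opposite of "Skip sequence number check in stateful inspection"
Only the client->server direction is tracked, which is enough to show the
behaviour of the first packet seen on the backup path.
"""
from dataclasses import dataclass, field

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    length: int = 0                        # payload bytes


@dataclass
class Session:
    next_seq: int                          # next expected sequence number
    window: int = 65535                    # assumed tolerance for the seq check


@dataclass
class Firewall:
    tcp_syn_check: bool = True
    tcp_seq_check: bool = True
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def process(self, p: Packet) -> str:
        """Return 'forward' or 'drop' for one packet, updating the table."""
        key = (p.src, p.sport, p.dst, p.dport)
        sess = self.sessions.get(key)
        if sess is None:
            if self.tcp_syn_check and not (p.flags & SYN):
                self.log.append(f"drop {key}: no session and SYN not set")
                return "drop"
            # With SYN checking off, whatever packet arrives first creates
            # the session: this is the mid-stream pickup the question needs.
            consumed = p.length + (1 if p.flags & SYN else 0)
            self.sessions[key] = Session(next_seq=p.seq + consumed)
            self.log.append(f"create {key} from flags=0x{p.flags:02x}")
            return "forward"
        if self.tcp_seq_check:
            lo, hi = sess.next_seq - sess.window, sess.next_seq + sess.window
            if not lo <= p.seq <= hi:
                self.log.append(f"drop {key}: seq {p.seq} outside [{lo}, {hi}]")
                return "drop"
        sess.next_seq = p.seq + p.length
        return "forward"


def mid_stream_rdp(syn_check: bool) -> str:
    """Constructed ACK+data segment of an RDP session (dst port 3389) that was
    set up via the primary route and now reaches the backup firewall."""
    fw = Firewall(tcp_syn_check=syn_check)
    pkt = Packet("10.1.1.20", 49152, "10.2.2.5", 3389, ACK, seq=0x1A2B3C4D, length=120)
    return fw.process(pkt)


def ack_probe_creates_session(syn_check: bool) -> int:
    """Caveat: with SYN checking off, a bare ACK probe (nmap -sA style) to an
    unrelated port also populates the session table. Returns table size."""
    fw = Firewall(tcp_syn_check=syn_check)
    fw.process(Packet("198.51.100.9", 40000, "10.2.2.5", 445, ACK, seq=1))
    return len(fw.sessions)


def out_of_window(seq_check: bool) -> str:
    """After a mid-stream session is created, a later segment far outside the
    window is dropped only if sequence checking is enabled."""
    fw = Firewall(tcp_syn_check=False, tcp_seq_check=seq_check)
    fw.process(Packet("10.1.1.20", 49152, "10.2.2.5", 3389, ACK, seq=1000, length=100))
    stray = Packet("10.1.1.20", 49152, "10.2.2.5", 3389, ACK, seq=5_000_000, length=10)
    return fw.process(stray)


if __name__ == "__main__":
    for sc in (True, False):
        print(f"syn_check={sc}: rdp mid-stream -> {mid_stream_rdp(sc)}, "
              f"ack-probe sessions -> {ack_probe_creates_session(sc)}")
    for qc in (True, False):
        print(f"seq_check={qc}: out-of-window segment -> {out_of_window(qc)}")
```

The model makes the trade-off explicit: turning SYN checking off is what lets the already-established session survive the route change, but it also means any non-SYN packet can allocate a session entry, so the zone policy and screening settings become the only thing standing between the backup path and the internal hosts.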