Re: Riverbed and firewalls

aype · 03-10-2010

OK,

thanks

cgeary · 06-28-2010

This is sufficiently complex that I would recommend opening a new support case. Please send in a sysdump from both Steelheads, the SMC and the mobile client.

--------------------------------------------
Chris Geary - Riverbed Support
--------------------------------------------
If this answered your question, please click "Accept as Solution" ------->

aype · 03-10-2010

Hello,

I am dealing with packets sending and coming from Riverbed in-path interfaces to the mobile client (in branch mode or coming from the Internet through a VPN). The customer uses full address transparency with reset and OOB transparency full. This configuration is enabled for the steelhead appliances and the SMC.

For this kind of configuration, are the in-path interfaces still in used ?

It seems that Yes it is still in used as we see in the firewall logs some drops packets:

Type:              Log
Action:            Drop
Service:          Svc_Riverbed_tcp7800 (7800)
Source Port:   3740
Source:            host IP address (in the lan subnet hosted in the datacenter)
Destination:    local steelhead appliance (or also remote steelheade appliance).InPath0_0 (X.X.X.X)
Protocol:         tcp
Information:    TCP packet out of state: First packet isn't SYN
                       tcp_flags: RST

The path is :

mobile client in the datacenter lan ----> juniper FW -----> steelhead appliance -----> Checkpoint FW -----> VPN

-----> VPN -------> remote Checkpoint FW -----> remote steelhead appliance -------> cisco L3 device ------> LAN

How to solve this issue ?

We noticed that the packet coming from the mobile client to the steelhead appliance hosted in the datacenter should not be seen by the Checkpoint FW. It appears that simplified routing dest-only is not working ...

thanks for your help.

Steelhead Mobile

Re: Riverbed and firewalls

Re: Riverbed and firewalls

Riverbed and firewalls