
Why is some traffic dropped by the "tcp seqnr check" feature?



Article ID: KB9080 | KB Last Updated: 11 Aug 2010 | Version: 3.0
If the host does not comply with the TCP sliding window principle, do not use the TCP sequence check feature in the firewall.
Some types of traffic may not work properly when the TCP sequence number check is enabled (unset flow no-tcp-seq-check), yet work correctly when the feature is disabled (set flow no-tcp-seq-check).

This problem mainly occurs in file transfers in combination with packet loss. During the file transfer, the session stops and times out.
The issue is due to the host not complying with the TCP sliding window principle and sending out more traffic than fits in the TCP sliding window.

This can cause problems when there is packet loss. When the sliding window is overfilled because the sender did not limit itself to the window size indicated by the receiver, retransmissions will be dropped by the firewall. This causes the TCP session to time out. The retransmitted packet is dropped because its sequence number is smaller than the sequence number of the last sent packet minus the window size.

If a host acts in this (non-standard) way, we advise against using the TCP sequence number check feature.
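The drop rule described above can be reproduced with a small model, which shows why a window-respecting sender survives packet loss and an overfilling sender does not. This is an added example, not Juniper code: SeqCheck, retransmit_passes and all numeric values are constructed for illustration, and the model assumes a fixed window and no sequence number wraparound.

```python
"""Simplified model of the drop rule described above (not ScreenOS code)."""
from dataclasses import dataclass


@dataclass
class SeqCheck:
    """Tracks one direction of a TCP flow the way the article describes it."""
    window: int           # window size advertised by the receiver, in bytes
    highest_seq: int = 0  # sequence number of the last (highest) segment seen

    def accept(self, seq: int) -> bool:
        """Return False when a segment starting at `seq` would be dropped."""
        # Drop rule from the article: seq < last sent seq - window size.
        if seq < self.highest_seq - self.window:
            return False
        self.highest_seq = max(self.highest_seq, seq)
        return True


def retransmit_passes(window: int, mss: int, in_flight: int, lost_seq: int) -> bool:
    """Replay a transfer in which the segment at `lost_seq` is lost.

    `in_flight` is how many unacknowledged bytes the sender allows itself.
    A compliant sender uses in_flight <= window; the host in the article
    does not. Returns True if the retransmission gets through the check.
    """
    fw = SeqCheck(window)
    seq = 0
    # The receiver's cumulative ACK stays at lost_seq, so the sender keeps
    # transmitting until lost_seq + in_flight bytes have been sent.
    while seq + mss <= lost_seq + in_flight:
        fw.accept(seq)  # in-order segments always pass the check
        seq += mss
    # The sender now retransmits the lost segment.
    return fw.accept(lost_seq)


if __name__ == "__main__":
    # Constructed values: 8 KiB window, 1 KiB segments, loss at byte 4096.
    for label, in_flight in (("compliant", 8192), ("overfilling", 32768)):
        ok = retransmit_passes(window=8192, mss=1024, in_flight=in_flight, lost_seq=4096)
        print(f"{label:12s} sender: retransmission {'passes' if ok else 'dropped'}")
```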