ISG Firewall has IDP Security Modules installed in the chassis.  There are no IDP policies configured, so it should not interfere with any traffic flow.  However, in some applications, like FTP and HTTP, these applications fail to pass through the firewall

Some applications, like FTP and HTTP,  fail to pass through the firewall when the ISG has an IDP Security Module installed in the chassis.

If IDP is installed, but not configured, and an application cannot pass traffic through the firewall, run a packet trace on the client sending the traffic.  Make sure there is no checksum errors in the TCP header.  If there is an incorrect TCP checksum, the IDP Security Module (SM) will silently drop this packet.

Example:  The following is a sniffer trace of a single frame that exhibits an incorrect checksum:

No.     Time        Source                Destination           Protocol Info
     13 0.000115    10.166.251.140       10.157.45.226        FTP      Request: USER del5fr06

Frame 13 (81 bytes on wire, 81 bytes captured)
    Arrival Time: Mar 19, 2007 22:55:45.886299000
    Time delta from previous packet: 0.000115000 seconds
    Time since reference or first frame: 0.091972000 seconds
    Frame Number: 13
    Packet Length: 81 bytes
    Capture Length: 81 bytes
    Protocols in frame: eth:ip:tcp:ftp
Ethernet II, Src: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e), Dst: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Destination: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Source: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e)
    Type: IP (0x0800)
Internet Protocol, Src: 10.166.251.140 (10.166.251.140), Dst: 10.157.45.226 (10.157.45.226)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 67
    Identification: 0x9d7a (40314)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x6888 [correct]
        Good: True
        Bad : False
    Source: 10.166.251.140 (10.166.251.140)
    Destination: 10.157.45.226 (10.157.45.226)
Transmission Control Protocol, Src Port: 33126 (33126), Dst Port: ftp (21), Seq: 7, Ack: 109, Len: 15
    Source port: 33126 (33126)
    Destination port: ftp (21)
    Sequence number: 7    (relative sequence number)
    Next sequence number: 22    (relative sequence number)
    Acknowledgement number: 109    (relative ack number)
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840 (scaled)
    Checksum: 0x34e8 [incorrect, should be 0x6005]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3625582596, tsecr 2976191555
File Transfer Protocol (FTP)
    USER del5fr06\r\n
        Request command: USER
        Request arg: del5fr06


Check the client to make sure there are no driver incompatibilities with the PC's NIC; also verify the NIC is in good operational condition.  There have been some instances where a bad NIC can cause incorrect TCP checksum errors.