For an SMB, it is common for the servers to be located in the head office while the clients in branch offices need to access them for daily work. By subscribing to a WAN link, two routers connect the two networks together, and normally there should be no problem. However, sometimes problems do happen.

Below is a network diagram showing a typical setup for an SMB. Indeed, many of our customers are set up like this.

(Network diagram: tcp_syn_check)

On the right-hand side, where the head office is, are the servers. The default gateway of the servers points to the firewall, which is 192.168.2.254. The firewall, in turn, has a static route for 192.168.1.0 with next hop 192.168.2.250 configured.

On the left-hand side, where the clients are located, the default gateway is configured to be 192.168.1.250, which is the WAN router.

Whether it works perfectly well depends on what kind of firewall you are using.

First of all, we need to know the path the data packets take. When a client initiates a connection, the packets are routed through the two routers and then to the server. When the server replies, the packets are routed first to the firewall, then through the two routers and then to the client. That means the paths of the outgoing and returning packets are asymmetric: the firewall only ever receives packets from the servers to the clients, never from the clients to the servers.

We have come across cases where, if it is a Juniper firewall, it drops the connections. This is because the firewall checks the TCP SYN bit before creating a session: if the TCP packet is not a 'SYN' packet, the firewall drops it.

There are several methods to overcome this:

1. Add a static route entry on the servers for the IP subnet of the other offices.

2. Disable the TCP SYN check on the Juniper firewall. For details on how to do this, refer to the link below:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4444&actp=LIST

3. Better still, implement a layer 3 switch on the right-hand side network to make the routing decisions.

There is no such case with other brands of firewall, or at least no such case has been reported to us.
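To make the asymmetric path and the two first fixes concrete, here is a small added Python model of the topology in the diagram; it is example code written for this page, not the authors' or Juniper's. It uses the addresses the post gives (branch gateway 192.168.1.250, head-office router 192.168.2.250, firewall 192.168.2.254, and the firewall's static route for 192.168.1.0/24 via 192.168.2.250) and assumes the rest: a client at 192.168.1.10, a server at 192.168.2.10, a WAN link addressed 10.0.0.1/10.0.0.2, and server port 1433. The firewall model's reading of the SYN check, that a packet matching no existing session is accepted only if it is an initial SYN (SYN set, ACK clear), is also an assumption of the model. Each handshake step is traced on its own so the path of both directions is visible, which is why the client's final ACK still shows as delivered after the SYN-ACK was dropped.

```python
"""Model of the asymmetric-routing problem: constructed example, not the post's code.
Addresses from the post: 192.168.1.250, 192.168.2.250, 192.168.2.254 and the
firewall's route 192.168.1.0/24 -> 192.168.2.250. Assumed: client 192.168.1.10,
server 192.168.2.10, WAN link 10.0.0.1/10.0.0.2, server port 1433."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


class Node:
    """A host or router: a set of addresses and a routing table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = set(addrs)
        # (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if ip in n]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins

    def forward(self, pkt):
        return True  # plain routers forward everything


class Firewall(Node):
    """Stateful firewall. With syn_check on, a packet that matches no session is
    accepted only if it is an initial SYN (SYN set, ACK clear); this is the
    model's assumed reading of the check described in the post."""

    def __init__(self, name, addrs, routes, syn_check=True):
        super().__init__(name, addrs, routes)
        self.syn_check = syn_check
        self.sessions = set()
        self.drops = []

    def forward(self, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.sessions:
            return True
        if self.syn_check and not (pkt.syn and not pkt.ack):
            self.drops.append(pkt)  # no session and not an initial SYN
            return False
        self.sessions.add(key)
        return True


class Network:
    def __init__(self, nodes):
        self.by_addr = {a: n for n in nodes for a in n.addrs}

    def trace(self, pkt):
        """Follow pkt hop by hop; returns (path, delivered)."""
        node = self.by_addr[pkt.src]
        path = [node.name]
        while pkt.dst not in node.addrs:
            if not node.forward(pkt):
                return path, False
            nh = node.next_hop(pkt.dst)
            node = self.by_addr[pkt.dst if nh is None else nh]
            path.append(node.name)
        return path, True


def build(server_static_route=False, syn_check=True):
    """Topology from the post; the two flags correspond to fixes 1 and 2."""
    server_routes = [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.254")]
    if server_static_route:  # fix 1: the server routes the branch subnet itself
        server_routes.append(("192.168.1.0/24", "192.168.2.250"))
    return Network([
        Node("client", ["192.168.1.10"],
             [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.250")]),
        Node("branch-router", ["192.168.1.250", "10.0.0.1"],
             [("192.168.1.0/24", None), ("0.0.0.0/0", "10.0.0.2")]),
        Node("ho-router", ["192.168.2.250", "10.0.0.2"],
             [("192.168.2.0/24", None), ("192.168.1.0/24", "10.0.0.1")]),
        Firewall("firewall", ["192.168.2.254"],
                 [("192.168.2.0/24", None), ("192.168.1.0/24", "192.168.2.250")],
                 syn_check=syn_check),  # fix 2: syn_check=False
        Node("server", ["192.168.2.10"], server_routes),
    ])


def handshake(net):
    """Trace each step of the three-way handshake; returns {step: (path, delivered)}."""
    c, s = ("192.168.1.10", 40000), ("192.168.2.10", 1433)
    steps = {
        "SYN": Packet(*c, *s, syn=True, ack=False),
        "SYN-ACK": Packet(*s, *c, syn=True, ack=True),
        "ACK": Packet(*c, *s, syn=False, ack=True),
    }
    return {name: net.trace(p) for name, p in steps.items()}


if __name__ == "__main__":
    for label, net in [("default", build()),
                       ("fix 1: server static route", build(server_static_route=True)),
                       ("fix 2: SYN check off", build(syn_check=False))]:
        print(label)
        for step, (path, ok) in handshake(net).items():
            print(f"  {step:8} {'delivered' if ok else 'DROPPED  '} {' -> '.join(path)}")
```

Running it shows the client's SYN reaching the server through the two routers while the server's SYN-ACK goes to the firewall, which has no session and drops it; with the server's static route the SYN-ACK bypasses the firewall entirely, and with the SYN check off the firewall creates a session from the SYN-ACK and forwards it. Note that in the first fix the firewall then sees none of this traffic in either direction, which is the trade-off the third option (a layer 3 switch doing the routing) avoids deciding at the firewall at all.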