https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-Routing-causing-network-slow-and-MTA-issue/m-p/64783#M13315 <P>Hi CheckMates,</P><P>Condition-based on topology (Single TE1000X, with 4-Port Bypass Interface &amp; 1 LACP MTA port), please refer to below images :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Topology.jpeg" style="width: 256px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2735iA530465C29D0504C/image-size/medium?v=v2&amp;px=400" role="button" title="Topology.jpeg" alt="Topology.jpeg" /></span><BR />1. All 3 switches are in L3 mode with OSPF equal cost, meaning traffic will be asymmetric. Cannot using link bonding.<BR />2. Position of Anti Spam in DMZ, and mail server in DC.</P><P><BR />I have 2 problems:<BR />1. Regarding condition 1 above, when we put TE as bridging we found 3 (Three) log that we suspect causing network slow.<BR />- TCP packet out of state First packet isn't Sync<BR />- TCP segment out of maximum allowed sequenced. Packet dropped.<BR />- ICMP reply does not match a previous request</P><P>2. Traffic from anti-spam to mail server already inspected by bridged interfaces instead of MTA.</P><P>Action :<BR />1. I already disabled TCP packet out of state First packet isn't Sync on Global Properties and expert mode. Log already not show anymore after that.</P><P>2. I already allow TCP segment out of maximum allowed sequenced on inspection setting. But log still shows these messages.</P><P>3. We also already disabled ICMP reply does not match a previous request on Global Setting and expert mode but log still shows these messages too.</P><P>Could anybody please give me suggestion for :</P><P>1. How to deploy this TE with bridge mode with this condition?<BR />2. How to bypass SMTP traffic from anti-spam to mail server on bridged mode because when there is double-checking Threat Emulation traffic will be drop. Or any best practice for this condition?</P><P>Thank you CheckMates.</P> Fri, 11 Oct 2019 06:41:59 GMT yudha_spt 2019-10-11T06:41:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-Routing-causing-network-slow-and-MTA-issue/m-p/64783#M13315 <P>Hi CheckMates,</P><P>Condition-based on topology (Single TE1000X, with 4-Port Bypass Interface &amp; 1 LACP MTA port), please refer to below images :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Topology.jpeg" style="width: 256px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2735iA530465C29D0504C/image-size/medium?v=v2&amp;px=400" role="button" title="Topology.jpeg" alt="Topology.jpeg" /></span><BR />1. All 3 switches are in L3 mode with OSPF equal cost, meaning traffic will be asymmetric. Cannot using link bonding.<BR />2. Position of Anti Spam in DMZ, and mail server in DC.</P><P><BR />I have 2 problems:<BR />1. Regarding condition 1 above, when we put TE as bridging we found 3 (Three) log that we suspect causing network slow.<BR />- TCP packet out of state First packet isn't Sync<BR />- TCP segment out of maximum allowed sequenced. Packet dropped.<BR />- ICMP reply does not match a previous request</P><P>2. Traffic from anti-spam to mail server already inspected by bridged interfaces instead of MTA.</P><P>Action :<BR />1. I already disabled TCP packet out of state First packet isn't Sync on Global Properties and expert mode. Log already not show anymore after that.</P><P>2. I already allow TCP segment out of maximum allowed sequenced on inspection setting. But log still shows these messages.</P><P>3. We also already disabled ICMP reply does not match a previous request on Global Setting and expert mode but log still shows these messages too.</P><P>Could anybody please give me suggestion for :</P><P>1. How to deploy this TE with bridge mode with this condition?<BR />2. How to bypass SMTP traffic from anti-spam to mail server on bridged mode because when there is double-checking Threat Emulation traffic will be drop. Or any best practice for this condition?</P><P>Thank you CheckMates.</P> Fri, 11 Oct 2019 06:41:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-Routing-causing-network-slow-and-MTA-issue/m-p/64783#M13315 yudha_spt 2019-10-11T06:41:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-Routing-causing-network-slow-and-MTA-issue/m-p/64861#M13316 The fact you are seeing TCP Packet Out of State and the other errors suggest you have asymmetric traffic flows.<BR />That is going to cause these and other kinds of issues.<BR /><BR />To prevent double inspection, you should be able to add a bypass rule in your Threat Prevention policy to not inspect traffic originating from your DMZ mail server to your internal mail servers. Fri, 11 Oct 2019 23:21:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-Routing-causing-network-slow-and-MTA-issue/m-p/64861#M13316 PhoneBoy 2019-10-11T23:21:50Z