5.11. Firewalls in the path

From a network point of view, firewalls are routers with a stricter set of policies than normal routers. Based on their configured policies, they can interfere with the WAN optimization.

5.11.1. Stripping of TCP options

The TCP auto-discovery option and the TCP transparency option are not TCP options officially registered with the IANA (see http://www.iana.org/assignments/tcp-parameters/tcp-parameters.txt), and therefore firewalls can choose not to trust them by default and remove them from the TCP header.

When the firewall disallows the auto-discovery TCP option and strips it from the SYN+ packet, the auto-discovery fails, but an unoptimized TCP session is set up as normal.

When the firewall disallows the WAN visibility TCP option and strips it away, the setup of the inner channel fails and, after the third TCP SYN packet from the client, an unoptimized TCP session is set up as normal.

When the TCP SYN packet carrying the auto-discovery probe is blocked, an unoptimized TCP session is set up as normal after the third TCP SYN packet from the client.

Figure 5.57. The TCP session goes into pass-through after the third SYN from the client

SH kernel: [intercept.NOTICE] nat_check: SYN packet for already natted connection 10.0.1.1 \
    :56923 -> 192.168.1.1:80 ==> 10.0.1.1:56923 -> 10.0.1.5:7801
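The option-stripping behaviour described above, as an added example that is not code from this page, from Riverbed or from tcpdump: a small parser for the TCP options field, a function that forwards only an allow-list of option kinds the way a strict firewall would, and a check whether the auto-discovery probe survived the firewall. The option bytes are constructed to mirror the SYN+ of Figure 5.58, the trusted set is an assumed firewall policy, and the kind values 76 (rvbd-probe) and 78 (rvbd-trans) are the ones tcpdump's decoder uses for these options; verify them against your own capture.

```python
"""Simulate a firewall that strips unregistered TCP options from a SYN+.

Added example, not from the original page. The option kind numbers for
rvbd-probe (76) and rvbd-trans (78) are taken from tcpdump's decoder and
should be treated as an assumption to check against a real capture.
"""
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_WSCALE = 3
TCPOPT_SACKOK = 4
TCPOPT_TIMESTAMP = 8
TCPOPT_RVBD_PROBE = 76   # "rvbd-probe" in tcpdump output (assumed kind value)
TCPOPT_RVBD_TRANS = 78   # "rvbd-trans" in tcpdump output (assumed kind value)

# Assumed firewall policy: only IANA-registered kinds it knows are forwarded.
TRUSTED_KINDS = {TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE,
                 TCPOPT_SACKOK, TCPOPT_TIMESTAMP}


def parse_options(raw: bytes):
    """Parse a TCP options field into (kind, data) tuples.

    EOL and NOP are single-byte kinds; every other kind is kind, length, data,
    where length counts the kind and length bytes themselves."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:
            opts.append((kind, b""))
            break
        if kind == TCPOPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_options(opts):
    """Serialise options and pad with EOL to the 4-byte boundary the header needs."""
    out = bytearray()
    for kind, data in opts:
        if kind in (TCPOPT_EOL, TCPOPT_NOP):
            out.append(kind)
        else:
            out += bytes([kind, len(data) + 2]) + data
    while len(out) % 4:
        out.append(TCPOPT_EOL)
    return bytes(out)


def strip_untrusted(raw: bytes, trusted=TRUSTED_KINDS):
    """What an option-stripping firewall forwards: (new options, stripped kinds)."""
    kept, stripped = [], []
    for kind, data in parse_options(raw):
        if kind in trusted:
            kept.append((kind, data))
        else:
            stripped.append(kind)
    return build_options(kept), stripped


def probe_survived(raw: bytes) -> bool:
    """True if the auto-discovery probe is still present in the options field."""
    return any(kind == TCPOPT_RVBD_PROBE for kind, _ in parse_options(raw))


# Constructed SYN+ options modelled on Figure 5.58: mss 1460, nop, wscale 6,
# sackOK, TS, then the two rvbd-probe options with the payloads shown there.
SYN_PLUS_OPTIONS = build_options([
    (TCPOPT_MSS, struct.pack("!H", 1460)),
    (TCPOPT_NOP, b""),
    (TCPOPT_WSCALE, b"\x06"),
    (TCPOPT_SACKOK, b""),
    (TCPOPT_TIMESTAMP, struct.pack("!II", 3240829280, 0)),
    (TCPOPT_RVBD_PROBE, bytes.fromhex("01010a0001060005")),   # AD CSH:10.0.1.6
    (TCPOPT_RVBD_PROBE, bytes.fromhex("0c01")),               # EAD
])

if __name__ == "__main__":
    forwarded, stripped = strip_untrusted(SYN_PLUS_OPTIONS)
    print("stripped option kinds:", stripped)
    print("probe before firewall:", probe_survived(SYN_PLUS_OPTIONS))
    print("probe after firewall: ", probe_survived(forwarded))
```

Run as a script it shows both rvbd-probe options removed while the remaining options stay well-formed and 4-byte aligned: the SYN still reaches the server, which is why the session falls back to an unoptimized pass-through rather than failing outright.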

5.11.2. Stateful firewalls

A firewall might track the state of the TCP session. The auto-discovery of an optimized TCP session consists of a SYN+ and one or more SYN/ACK+ packets, but no final ACK is seen. Because of this missing final TCP ACK, the firewall might send a TCP RST packet after a timeout to reset the TCP connection on the client and the server.

The sequence numbers of the TCP SYN packets seen during the auto-discovery and during the setup of the inner channel with the Full Transparency WAN visibility differ: first the firewall sees the SYN+ packet with sequence number X; a moment later it sees a TCP SYN packet with the same IP addresses and TCP ports, but now carrying the transparency options and sequence number Y. A firewall might block that packet or reset the TCP session. The way around this is to use the Full Transparency with Firewall Reset WAN visibility.

In this example, the auto-discovery happens in the first three packets, then the client-side Steelhead sends the TCP RST in packet 4, and after that the inner channel is set up in packet 5:

Figure 5.58. Setup of an inner channel with Full Transparency with Firewall Reset WAN visibility

22:37:34.613669 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [S], seq 1402966182, win 65535,  \
    options [mss 1460,nop,wscale 6,sackOK,TS val 3240829280 ecr 0,rvbd-probe AD CSH:10.0.1 \
    .6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
22:37:34.913093 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 20020520, ack 14029661 \
    83, win 65535, options [rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
22:37:34.918955 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 20020520, ack 14029661 \
    83, win 65535, options [rvbd-probe AD CSH:10.0.1.6 SSH:192.168.1.6:7800 11110a000106c0 \
    a801061e78,rvbd-probe EAD 0e3d,nop,eol], length 0
22:37:34.920476 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [R], seq 1402966183, win 5840, o \
    ptions [rvbd-trans Transp sSH:10.0.1.6:40296 dSH:192.168.1.6:7800 01000a000106c0a80106 \
    9d681e78,nop,nop,nop,eol], length 0
22:37:34.920582 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [S], seq 1335892636, win 5840, o \
    ptions [mss 1460,sackOK,TS val 3241303025 ecr 0,nop,wscale 2,rvbd-trans Transp sSH:10. \
    0.1.6:40296 dSH:192.168.1.6:7800 00000a000106c0a801069d681e78], length 0
22:37:35.223347 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 1345286799, ack 133589 \
    2637, win 5792, options [mss 1460,sackOK,TS val 3241350970 ecr 3241303025,nop,wscale 2 \
    ,rvbd-trans Transp sSH:192.168.1.6:7800 dSH:10.0.1.6:40296 0000c0a801060a0001061e789d6 \
    8], length 0
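A check for the two points made in 5.11.2 (the probe handshake that never gets its final ACK, and the second SYN on the same addresses and ports with a different sequence number), as an added example that is not code from this page or from Riverbed. It parses the tcpdump text of Figure 5.58, embedded below as constructed input with the figure's own backslash line wrapping, and reports what a stateful firewall would notice, including whether the client's RST that distinguishes Full Transparency with Firewall Reset from plain Full Transparency is present. The record format it expects is the one shown in the figure; other tcpdump output formats are out of scope.

```python
"""Classify the Figure 5.58 handshake the way a stateful firewall sees it.

Added example, not part of the original page. CAPTURE is the figure's
tcpdump output, embedded verbatim (constructed input) including the
trailing-backslash line wrapping, so the unwrap step is exercised too.
"""
import re

CAPTURE = r"""22:37:34.613669 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [S], seq 1402966182, win 65535,  \
    options [mss 1460,nop,wscale 6,sackOK,TS val 3240829280 ecr 0,rvbd-probe AD CSH:10.0.1 \
    .6 01010a0001060005,rvbd-probe EAD 0c01,nop,eol], length 0
22:37:34.913093 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 20020520, ack 14029661 \
    83, win 65535, options [rvbd-probe EAD 0c01,nop,nop,nop,eol], length 0
22:37:34.918955 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 20020520, ack 14029661 \
    83, win 65535, options [rvbd-probe AD CSH:10.0.1.6 SSH:192.168.1.6:7800 11110a000106c0 \
    a801061e78,rvbd-probe EAD 0e3d,nop,eol], length 0
22:37:34.920476 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [R], seq 1402966183, win 5840, o \
    ptions [rvbd-trans Transp sSH:10.0.1.6:40296 dSH:192.168.1.6:7800 01000a000106c0a80106 \
    9d681e78,nop,nop,nop,eol], length 0
22:37:34.920582 IP 10.0.1.1.23090 > 192.168.1.1.80: Flags [S], seq 1335892636, win 5840, o \
    ptions [mss 1460,sackOK,TS val 3241303025 ecr 0,nop,wscale 2,rvbd-trans Transp sSH:10. \
    0.1.6:40296 dSH:192.168.1.6:7800 00000a000106c0a801069d681e78], length 0
22:37:35.223347 IP 192.168.1.1.80 > 10.0.1.1.23090: Flags [S.], seq 1345286799, ack 133589 \
    2637, win 5792, options [mss 1460,sackOK,TS val 3241350970 ecr 3241303025,nop,wscale 2 \
    ,rvbd-trans Transp sSH:192.168.1.6:7800 dSH:10.0.1.6:40296 0000c0a801060a0001061e789d6 \
    8], length 0"""

# One tcpdump record as printed in the figure: timestamp, endpoints, flags,
# seq, optional ack, window, option list and payload length.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?, win \d+, +options \[(?P<opts>.*)\], length \d+$"
)


def unwrap(text):
    """Re-join records that the figure wrapped with a trailing ' \\'."""
    records, buf = [], ""
    for line in text.splitlines():
        piece = line if not buf else line.lstrip()
        if piece.endswith(" \\"):
            buf += piece[:-2]          # drop the wrap marker, keep the content
        else:
            records.append(buf + piece)
            buf = ""
    return records


def parse_packet(record):
    """Turn one unwrapped record into a dict; option names only, no values."""
    m = PKT_RE.match(record)
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % record)
    return {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"], "flags": m["flags"],
        "seq": int(m["seq"]),
        "ack": int(m["ack"]) if m["ack"] else None,
        "options": [o.split()[0] for o in m["opts"].split(",") if o],
    }


def parse_capture(text):
    return [parse_packet(r) for r in unwrap(text)]


def analyse(pkts):
    """Report what a stateful firewall would notice about the session setup."""
    client = pkts[0]["src"]
    i_probe = next(i for i, p in enumerate(pkts)
                   if p["flags"] == "S" and "rvbd-probe" in p["options"])
    i_inner = next(i for i, p in enumerate(pkts)
                   if p["flags"] == "S" and "rvbd-trans" in p["options"])
    between = pkts[i_probe:i_inner]
    reset_between = any(p["flags"] == "R" and p["src"] == client for p in between)
    probe_acked = any(p["flags"] == "." and p["src"] == client for p in between)
    return {
        # every packet belongs to the same pair of address:port endpoints
        "single_4tuple": len({frozenset((p["src"], p["dst"])) for p in pkts}) == 1,
        "probe_seq": pkts[i_probe]["seq"],      # sequence number X of the SYN+
        "inner_seq": pkts[i_inner]["seq"],      # sequence number Y of the inner SYN
        "probe_acked": probe_acked,             # final ACK of the probe handshake seen?
        "reset_between": reset_between,         # client RST before the inner SYN?
        "wan_visibility": ("Full Transparency with Firewall Reset"
                           if reset_between else "Full Transparency"),
    }


if __name__ == "__main__":
    for key, value in analyse(parse_capture(CAPTURE)).items():
        print("%-16s %s" % (key, value))
```

The report shows the situation the text describes: one 4-tuple, no ACK completing the probe handshake, a second SYN with a different sequence number, and, in this capture, the client RST in between that tells a stateful firewall to forget the first attempt before the inner channel SYN arrives. Feeding the same packets without the RST classifies the capture as plain Full Transparency, which is the variant a stateful firewall may block or reset.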

5.11.3. Deep Packet Inspection

Deep packet inspection is a problem for inner channels with the Port Transparency or Full Transparency WAN visibility. When a DPI engine determines the protocol from the TCP port number of the server and expects that protocol to be followed, but instead sees the content of the inner channel, which does not make sense to it, it might block or reset the TCP connection.

5.11.4. Packet direction

Firewalls can have a policy that an IP packet which comes in via a certain network interface must not be forwarded back out via that same interface. If an in-path interface of a Steelhead appliance has its default gateway set to such a firewall and there are multiple IP subnets behind the Steelhead appliance, the appliance sends the traffic for those subnets to the firewall, which would have to forward it back out the interface it came in on, and so the firewall blocks traffic to these IP subnets. The way around this is to set the default gateway to a routing host on the LAN side and use Simplified Routing.