Disabling stateful inspection on hubs
When ADVPN is used, a session can switch from one overlay to another mid-session. For example, a change in link health can trigger a switchover, so an established TCP session might move from an ADVPN shortcut to the Spoke-to-Hub tunnel. Because the Hub never saw the TCP handshake for that session, its stateful inspection drops the traffic, which is not desired. Therefore, when ADVPN is in use and session switchover must be supported, disable stateful inspection on the Hubs for Spoke-to-Spoke traffic. This is done as follows:
To disable stateful inspection on hub devices:
- Globally enable TCP sessions without SYN:
    config system settings
        set tcp-session-without-syn enable
    end
- Go to Policy & Objects > Policy Packages, and select the policy package for hubs.
- Double-click the Branch to Branch policy to open it for editing.
- Expand the Advanced Options, and set the following options:
- Toggle anti-replay to OFF (this disables TCP sequence number validation).
- Set tcp-session-without-syn to all.
- Click OK to save the changes.
There is no reason to worry: the Spokes still provide stateful inspection for all Spoke-to-Spoke traffic, and the Hubs still provide it for all other traffic, because stateful inspection has only been disabled on this one firewall policy.
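The CLI equivalent of the steps above, as an added example that is not from the original page or from Fortinet's documentation: it shows the relaxation scoped to the single Branch to Branch policy on the hub, so every other policy keeps full stateful inspection. The policy ID, interface names and address object are assumed placeholders.

```text
# Added example (not from the original page). Run on the hub.
# Policy ID 10, the interface names and the address object are assumed placeholders.

# 1. Per-VDOM: make the per-policy tcp-session-without-syn option available (step 1 above)
config system settings
    set tcp-session-without-syn enable
end

# 2. Relax stateful inspection on the Branch to Branch policy only
config firewall policy
    edit 10                                  # ID of the "Branch to Branch" policy (assumed)
        set name "Branch to Branch"
        set srcintf "spoke-tunnels"          # assumed: the hub's spoke-facing tunnel interfaces
        set dstintf "spoke-tunnels"
        set srcaddr "Branch-Subnets"         # assumed address object covering the branch LANs
        set dstaddr "Branch-Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set anti-replay disable              # no TCP sequence-number validation on switched-over sessions
        set tcp-session-without-syn all      # accept a non-SYN first packet, on this policy only
    next
end

# 3. Review the result: only policy 10 should carry the two relaxed settings
show firewall policy 10
```

Any policy other than the Branch to Branch one should still show anti-replay enabled and tcp-session-without-syn disabled when reviewed the same way.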