Amer Networks E5Web GUI User Manual
Page 728

Default: DropLog
TCP Sequence Numbers
Determines if the sequence number range occupied by a TCP segment will be compared to the
receive window announced by the receiving peer before the segment is forwarded.
TCP sequence number validation is only possible on connections tracked by the state-engine
(not on packets forwarded using a FwdFast rule).
Possible values are:
Ignore - Do not validate. Means that sequence number validation is completely turned off.
ValidateSilent - Validate and pass on.
ValidateLogBad - Validate and pass on, log if bad.
ValidateReopen - Validate reopen attempt like normal traffic; validate and pass on.
ValidateReopenLog - Validate reopen attempts like normal traffic; validate, log if bad.
ReopenValidate - Do not validate reopen attempts at all; validate and pass on.
ReopenValidLog - Do not validate reopen attempts at all; validate, log if bad.
Default: ValidateLogBad
Notes on the TCPSequenceNumbers setting
The default ValidateLogBad (or the alternative ValidateSilent) will allow the de-facto behavior of
TCP re-open attempts, meaning that they will reject re-open attempts with a previously used
sequence number.
ValidateReopen and ValidReopenLog are special settings giving the default behavior found in
older cOS Core versions where only re-open attempts using a sequence number falling inside the
current (or last used) TCP window will be allowed. This is more restrictive than
ValidateLogBad/ValidateSilent, and will block some valid TCP re-open attempts. The most
significant impact of this will be that common web-surfing traffic (short but complete
transactions requested from a relatively small set of clients, randomly occurring with an interval
of a few seconds) will slow down considerably, while most "normal" TCP traffic will continue to
work as usual.
Using either ValidateReopen or ValidateReopenLog is, however, not recommended since the same
effect can be achieved by disallowing TCP re-open attempts altogether. These settings exist
mostly for backwards compatibility.
ReopenValidate and ReopenValidLog are less restrictive variants than ValidateLogBad or
ValidateSilent. Certain clients and/or operating systems might attempt to use a randomized
sequence number when re-opening an old TCP connection (usually out of a concern for security)
and this may not work well with these settings. Again, web-surfing traffic is most likely to be
affected, although the impact is likely to occur randomly. Using these values instead of the
default setting will completely disable sequence number validation for TCP re-open attempts.
Once the connection has been established, normal TCP sequence number validation will be
Allow TCP Reopen
Allow clients to re-open TCP connections that are in the closed state.
Default: Disabled
Chapter 12: Advanced Settings