- Our system is running a T1040 with kernel 3.12.9.x with ASF enabled
- Our WAN ethernet ports can have VLANs on them. At one point, this feature worked with ASF. Recently, we found that WAN VLANs no longer work reliably because most packets are being dropped. We've traced the source of the error. The large phase II code drop to support ASF seems to have introduced the problem. With the phase II code, SSH and FTP through our router/firewall no longer work. ICMP works which is expected since ICMP isn't offloaded to the fastpath/ASF.
- We've dug into the phase II patch for ASF and have found the code that prevents the sessions from being set up. When we backed out these few lines of changes, we were able to establish sessions. However, it appears that maintaining sessions is still a problem.
- With our changes to allow session setup, we are seeing:
1. ICMP works properly
2. SSH works properly (longer sessions not tested)
3. FTP login ok, but no more command response after that (e.g., FEAT command...)
4. HTTP a web page is ok but a large file get fails (15MB and 50MB, tcp data transfer)
I've attached the diff we have applied to the ASF code. We appreciate feedback on patch and suggestions for fixes to maintain sessions.
Original Attachment has been moved to: asf_wan_vlan.diff.zip