Some time ago I had a Juniper SSG 140 issue whereby certain connections, in particular RDP connections, could not be made from other networks within the WAN; HTTP and ping, however, would work fine.
It turned out that for some reason no SYN packet was reaching the SSG firewall, so it was doing the right thing and dropping the packet. I discovered this from the diag console, and a quick Google search also showed that other people had the same issue.
See here: http://forums.juniper.net
Running “unset flow tcp-syn-check” fixed the problem, and once we had changed all the default routing so that the data centre router handled routing the way it should, we turned tcp-syn-check back on with “set flow tcp-syn-check”.
Juniper Knowledge Base ID: KB4444 explains the details and commands.
The ScreenOS Cookbook talks about it in Chapter 9 page 306.
In short, it’s a bad idea to unset this; you should only use it as a last resort, or to get something resolved, and then research the main problem and fix it correctly.
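To make the failure concrete, here is an added Python simulation (not Juniper's code, and not a full model of ScreenOS) of what tcp-syn-check does: a session is only created by a packet carrying a bare SYN, so when asymmetric routing sends the SYN around the firewall, everything the SSG does see is dropped, and turning the check off lets any stray mid-stream packet open a session. The addresses, ports and packets below are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags, e.g. "S", "SA", "A", "PA"

@dataclass
class Firewall:
    """Toy stateful firewall modelling ScreenOS tcp-syn-check (not Juniper code)."""
    syn_check: bool = True
    sessions: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        # Direction-independent 4-tuple so the reply matches the same session.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p):
        key = self._key(p)
        if key in self.sessions:
            return "forward"            # existing session
        if p.flags == "S":
            self.sessions.add(key)
            return "forward"            # new connection opened with a SYN
        if self.syn_check:
            return "drop"               # no session and no SYN: the RDP symptom
        self.sessions.add(key)          # syn-check off: any packet builds a session
        return "forward"

def run(syn_check, packets):
    """Return the firewall's verdict for each packet it sees, in order."""
    fw = Firewall(syn_check=syn_check)
    return [fw.handle(p) for p in packets]

# Constructed sample traffic (not a capture). In the asymmetric case the client's
# SYN took another route and never crossed the firewall, which first sees the SYN-ACK.
CLIENT, SERVER = "10.0.1.20", "10.0.2.10"
SYN = Packet(CLIENT, SERVER, 51000, 3389, "S")
SYNACK = Packet(SERVER, CLIENT, 3389, 51000, "SA")
ACK = Packet(CLIENT, SERVER, 51000, 3389, "A")
DATA = Packet(CLIENT, SERVER, 51000, 3389, "PA")
SYMMETRIC = [SYN, SYNACK, ACK, DATA]    # run(True, SYMMETRIC) forwards everything
ASYMMETRIC = [SYNACK, ACK, DATA]        # run(True, ASYMMETRIC) drops everything
```

With the check on, the symmetric flow is forwarded in full while the asymmetric one is dropped packet by packet; with the check off the asymmetric flow passes, but so would any other non-SYN packet arriving without a session, which is why fixing the routing is the real answer.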
Here are some quotes from Google searches to back this up:
___________________________________________________________________
This is another reason why turning off syn checking to try to fix poor applications is a BAD idea because it’s a nasty slope to try to get things to work.
I think you need to really look at why the session is timing out. Why is the application going idle for so long? Can you enable keep alives on that application?
“unset flow tcp-syn-check” should only be used as last resort, it turns off … well, SYN-checking
You should resolve your routing issues, not turn off security features of your firewall.
___________________________________________________________________