We have tested this many times with a very simple config.
This is the result of the stress test:
http://www.filedropper.com/my-capturebuyuk2 - please download the pcap file and check whether the SYN -> SYN-ACK mechanism works or not. Our config is given below, and we tested the same config on 6+ different firmware versions.
If we have made a mistake, could somebody please tell me where I am wrong?
## Last changed: 2016-09-22 22:37:13 UTC
# Junos SRX configuration posted as the exhibit for a SYN-flood screen stress test.
# Statements are unchanged; only line breaks, indentation and review comments were added.
version 12.1X47-D40.1;
groups {
    jweb-security-logging {
        system {
            syslog {
                file mylog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    time-zone UTC;
    # Empty in the post; presumably the credential was removed before publishing.
    root-authentication {
    }
    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    services {
        ssh;
        # NOTE(review): telnet carries credentials in clear text; ssh is already enabled above.
        telnet;
        web-management {
            # NOTE(review): J-Web is served over plain http, and two of the three listed
            # interfaces (xe-1/0/0.0, xe-1/0/1.0) are members of the untrust zone below.
            http {
                interface [ xe-1/0/0.0 xe-1/0/1.0 ae1.0 ];
            }
        }
    }
    syslog {
        file messages {
            any any;
            # NOTE(review): only lines matching this pattern are written to "messages".
            # Screen events are normally tagged in upper case (e.g. RT_SCREEN_TCP);
            # confirm that this mixed-case pattern actually matches them.
            match RT_Screen;
        }
        file mylog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    # ge-0/0/0 through ge-0/0/3 are member links of the ae1 LACP bundle.
    ge-0/0/0 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/2 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/3 {
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 37.123.98.137/29;
            }
        }
    }
    # xe-1/0/0 holds the subnet of the default-route next hop (178.20.225.17).
    xe-1/0/0 {
        unit 0 {
            family inet {
                address 178.20.225.18/29;
            }
        }
    }
    xe-1/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.9/30;
            }
        }
    }
    xe-4/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.17/30;
            }
        }
    }
    ae1 {
        description DownStream;
        aggregated-ether-options {
            minimum-links 1;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 10.10.10.21/30;
            }
        }
    }
    lo0 {
        unit 1 {
            family inet {
                address 192.168.1.82/32;
            }
        }
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    # NOTE(review): the community string is published here and no client restriction
    # is configured under it; treat it as disclosed.
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 178.20.225.17;
    }
}
policy-options {
    policy-statement send-direct {
        term 1 {
            from protocol direct;
            then accept;
        }
    }
}
security {
    log {
        mode event;
    }
    # Every ALG is disabled except sip and ike-esp-nat.
    alg {
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sip;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        allow-dns-reply;
        # SYN cookie is the response used once the syn-flood attack-threshold
        # in the screen below has been crossed.
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            # NOTE(review): both watermarks are 100 (percent of the session table), so
            # aggressive aging would only begin when the table is completely full - confirm intent.
            low-watermark 100;
            high-watermark 100;
        }
    }
    screen {
        # Screen profile; it is attached only to the untrust zone (see "zones" below).
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                # Thresholds are SYN rates per second; timeout is in seconds.
                # NOTE(review): when reading the capture, keep the three mechanisms apart:
                #  - below attack-threshold (20/s) SYNs are forwarded normally, with no cookie;
                #  - above source-threshold (50/s from one source IP) excess SYNs are dropped,
                #    so a single-source test is expected to show drops rather than SYN-ACKs;
                #  - destination-threshold (1000/s) likewise drops rather than answers.
                # alarm-threshold (25) is above attack-threshold (20), so the cookie response
                # can be active before any alarm is logged.
                syn-flood {
                    alarm-threshold 25;
                    attack-threshold 20;
                    source-threshold 50;
                    destination-threshold 1000;
                    timeout 20;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            # Caps concurrent sessions per source IP at 200, independently of the SYN thresholds.
            limit-session {
                source-ip-based 200;
            }
        }
        # NOTE(review): tracing every screen event adds load under a flood and can
        # itself affect stress-test results; presumably a temporary debugging aid.
        traceoptions {
            file screen.log;
            flag all;
        }
    }
    forwarding-process {
        application-services {
            session-distribution-mode hash-based;
        }
    }
    # Every zone pair below permits any source, destination and application, and the
    # default policy is permit-all, so the policy layer filters nothing; only the
    # screen on the untrust zone stands between the test traffic and its targets.
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy icnetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy DisNetwork {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    # Packet capture at NP ingress and egress for every source prefix (0.0.0.0/0).
    # NOTE(review): capturing all traffic during a flood adds processing overhead and
    # the 5 x 10m capture files wrap quickly; presumably enabled only for this test.
    datapath-debug {
        capture-file my-capture format pcap size 10m files 5;
        maximum-capture-size 1500;
        action-profile {
            do-capture {
                event np-egress {
                    packet-dump;
                }
                event np-ingress {
                    packet-dump;
                }
            }
        }
        packet-filter my-filter {
            action-profile do-capture;
            source-prefix 0.0.0.0/0;
        }
    }
    zones {
        # No "screen" statement here: traffic entering on xe-4/0/0.0, ae1.0 or
        # ge-0/0/7.0 is not checked by untrust-screen. ge-0/0/7 carries a
        # non-RFC1918 address (37.123.98.137/29) - confirm the test traffic
        # does not enter through it.
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-4/0/0.0;
                ae1.0;
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            # NOTE(review): all system services and protocols are accepted on the untrust
            # interfaces, which exposes the ssh, telnet and http services enabled under
            # "system services" to that side.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }
            application-tracking;
        }
    }
}