https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584415#M116738 <P>Hello,</P> <P>Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.</P> <P>Regards,</P> Sun, 21 Apr 2024 16:55:58 GMT OtakarKlier 2024-04-21T16:55:58Z https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584409#M116737 <P>Hoping that someone can help me to understand my asymmetric path issue (out of sync). I have a single virtual firewall with 2 virtual routers. </P> <P>&nbsp;</P> <P><STRONG>Interfaces:</STRONG></P> <UL> <LI><U>Client</U> (in zone 'client'). Is gateway for subnet.</LI> <LI><U>VPN</U> (in zone 'vpn'). Is gateway for subnet.</LI> </UL> <P><STRONG>Machines:</STRONG></P> <UL> <LI><U>Client-01</U> - (192.168.1.3) 1 interface in 'client' zone.</LI> <LI><U>VPN-01</U> - 2 interfaces, (192.168.2.2) interface in 'vpn' zone. (192.168.1.2) interface in 'client' zone. <UL> <LI>Runs IPTables to forward traffic from 192.168.1.0/24 to 192.168.2.2 interface, SNAT to 192.168.2.2.</LI> </UL> </LI> </UL> <P><STRONG>Virtual Routers:</STRONG></P> <UL> <LI><U>default</U> - <UL> <LI>has route to WAN (single ISP).</LI> <LI>has route to 'untrusted' (192.168.1.0/24 via VR 'untrusted')</LI> </UL> </LI> <LI><U>untrusted</U> - <UL> <LI>default route to IP of VPN (default route via '192.168.1.2')</LI> </UL> </LI> </UL> <P>I found that this works for ICMP (presumably UDP). However after running tcpdumps on both the vpn and client as well as the PA, I found that traffic was being dropped. Specifically TCP traffic. I found an old Palo article from what appears to be a similar situation (<A href="https://live.paloaltonetworks.com/t5/general-topics/routing-between-virtual-routers-in-same-firewall/td-p/40320" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/routing-between-virtual-routers-in-same-firewall/td-p/40320</A>). Which led me to find that I am dropping packets, I set 'asymmetric path' to 'bypass', which resolves the issue. However, I'm not understanding where the problematic route is. Most issues I'm finding online involve 2 or more ISP providers, which doesn't apply to my scenario. </P> <P>&nbsp;</P> <P><STRONG>Scenario : client-01 to WAN</STRONG></P> <P>All traffic from&nbsp; 'client-01' to WAN will forward to 'vpn-01' and get NAT'd with a source IP of 192.168.2.2. The Palo will then NAT it to the public IP on the firewall and return traffic will hit the WAN interface on the FW, it will be sent back to 192.168.2.2, which will then be sent back to 'client-01'. I have tried removing the route on the default VR '192.168.1.0/24 via VR untrusted', but this didn't change anything.&nbsp;</P> <P>&nbsp;</P> <P>This works fine for stateless traffic, but I have dropped packets unless 'asymmetric path' is set to 'bypass' for TCP traffic. Can anyone help me understand what am I missing that would cause packets to arrive out of order? Thanks for any assistance provided. </P> <P>&nbsp;</P> <P>Network topology:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot from 2024-04-21 09-14-11.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59172iB3A9F5535D8D265C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot from 2024-04-21 09-14-11.png" alt="Screenshot from 2024-04-21 09-14-11.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 21 Apr 2024 13:44:19 GMT https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584409#M116737 shyrus 2024-04-21T13:44:19Z https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584415#M116738 <P>Hello,</P> <P>Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.</P> <P>Regards,</P> Sun, 21 Apr 2024 16:55:58 GMT https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584415#M116738 OtakarKlier 2024-04-21T16:55:58Z https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584567#M116761 <P>Int. Client won't see the syn-ack in what you've described. vpn-01 and client-01 are on the same subnet so return traffic just forwards, the firewall won't see it.&nbsp;</P> Mon, 22 Apr 2024 23:34:30 GMT https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584567#M116761 rmfalconer 2024-04-22T23:34:30Z https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584576#M116762 <P>Thanks for the replies.</P> Mon, 22 Apr 2024 23:58:53 GMT https://live.paloaltonetworks.com/t5/general-topics/help-understanding-asymmetric-path-issue/m-p/584576#M116762 shyrus 2024-04-22T23:58:53Z