https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65379#M39048 <P>To identify the asymmetric routing issue one of the possible way is to do a ping from a host and then check if the s2c byte are 0 or not if the s2c are 0 and ping is sucessful then reply is not comint through firewall<BR /><BR /><BR />Refer to following document for non syn packets<BR /><BR /><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewall-to-Allow-non-Syn/ta-p/62868" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewall-to-Allow-non-Syn/ta-p/62868</A></P> Thu, 01 Oct 2015 22:37:55 GMT pankaku 2015-10-01T22:37:55Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65363#M39039 <P>Hello Community,</P><P>&nbsp;</P><P>I need your help to how to identify the asymetric routing in my PA-3020? and what are the best way to allow or bypass these traffic until solve the routing issue the third party device?.</P><P>&nbsp;</P><P>Best Regards</P><P>Andres Padilla</P> Thu, 01 Oct 2015 16:12:34 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65363#M39039 Apadilla 2015-10-01T16:12:34Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65365#M39041 <P>Depending on what assimetric routing the firewall is seeing, the most agressive/global is&nbsp;</P><P>set session tcp-reject-non-syn no</P><P>&nbsp;</P><P>You can also add a a Zone protection profile in this one select&nbsp;"packet based attack protection", uncheck mismatched overlapping TCP segment, reject non-syn tcp: no, asymetric path: bypass. And attach it to the zone where the assimetric traffic is arriving.</P><P>&nbsp;</P><P>regards,</P><P>Gerardo</P> Thu, 01 Oct 2015 16:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65365#M39041 glastra1 2015-10-01T16:57:53Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65367#M39042 <P>I set up a protection zone the following way.</P><P>&nbsp;</P><P>And assinged to untrust zone.</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/536i11DE65C0441644FD/image-size/original?v=mpbl-1&amp;px=-1" alt="issue asymetric routing.JPG" title="issue asymetric routing.JPG" border="0" /></P><P>&nbsp;</P><P>After performed this change I see the</P><P>the numer 51303508 not changed.</P><P>flow_tcp_non_syn_drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 51303508&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session&nbsp;&nbsp; Packets dropped: non-SYN TCP without session match</P><P>&nbsp;</P><P>But this number always increase 51316034.</P><P>flow_tcp_non_syn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 51316034&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4 info&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session&nbsp;&nbsp; Non-SYN TCP packets without session match</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 01 Oct 2015 17:10:04 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65367#M39042 Apadilla 2015-10-01T17:10:04Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65379#M39048 <P>To identify the asymmetric routing issue one of the possible way is to do a ping from a host and then check if the s2c byte are 0 or not if the s2c are 0 and ping is sucessful then reply is not comint through firewall<BR /><BR /><BR />Refer to following document for non syn packets<BR /><BR /><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewall-to-Allow-non-Syn/ta-p/62868" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewall-to-Allow-non-Syn/ta-p/62868</A></P> Thu, 01 Oct 2015 22:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65379#M39048 pankaku 2015-10-01T22:37:55Z https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65384#M39053 <P>the numer 51303508 not changed.</P><P>flow_tcp_non_syn_drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 51303508&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session&nbsp;&nbsp; Packets dropped: non-SYN TCP without session match</P><P>&nbsp;</P><P>But this number always increase 51316034.</P><P>flow_tcp_non_syn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 51316034&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4 info&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session&nbsp;&nbsp; Non-SYN TCP packets without session match</P><P>&nbsp;</P><P>&nbsp;</P><P>That means you are no longer dropping asymmetric TCP sessions, but there are still such sessions happening. Now you have to resolve your routing and when both counters stop increasing you know you don't have any asymmetric routing any longer. Then start dropping non-SYN sessions again.</P> Fri, 02 Oct 2015 07:12:33 GMT https://live.paloaltonetworks.com/t5/general-topics/issues-with-asymetric-routing/m-p/65384#M39053 santonic 2015-10-02T07:12:33Z