SYN-ACK Issues with Asymmetric Routing
Issues
Common issues for asymmetric routing are:
- Websites loading only partially
- Applications not working
Cause
By default, the TCP reject non-SYN setting (tcp-reject-non-syn) is set to yes. This means that a connection's first packet must be a SYN and that the whole connection must pass through the same firewall for application data to be allowed. If the SYN packet enters through one firewall and the SYN/ACK packet returns through another firewall, the second firewall has no session for the connection and rejects the SYN/ACK, because the connection's first packet was seen by a different firewall.
Check the flow_tcp_non_syn_drop global counter, which counts dropped non-SYN TCP packets that match no existing session:
> show counter global | match drop
name value rate severity category aspect description
-----------------------------------------------------------------------------------
flow_rcv_err 1705 0 drop flow parse Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err 7053 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 7053 0 drop flow parse Packets dropped: invalid interface
flow_ipv6_disabled 20459 0 drop flow parse Packets dropped: IPv6 disabled on interface
flow_tcp_non_syn_drop 156 0 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 14263 0 drop flow forward Packets dropped: no route for IP multicast
flow_parse_l4_cksm 1 0 drop flow parse Packets dropped: TCP/UDP checksum failure
flow_host_decap_err 31 0 drop flow mgmt Packets dropped: decapsulation error from control plane
flow_host_service_deny 90906 0 drop flow mgmt Device management session denied
flow_lion_rcv_err 1700 0 drop flow offload Packets dropped: receive error from offload processor
Run the show counter global | match drop command multiple times to see whether the drop counters (value field) are incrementing.
To verify the current setting:
> show session info
-------------------------------------------------------------------------------
number of sessions supported: 262143
number of active sessions: 1
number of active TCP sessions: 0
number of active UDP sessions: 0
number of active ICMP sessions: 0
number of active BCAST sessions: 0
number of active MCAST sessions: 0
number of predict sessions: 0
session table utilization: 0%
number of sessions created since system bootup: 7337
Packet rate: 8/s
Throughput: 3 Kbps
-------------------------------------------------------------------------------
session timeout
TCP default timeout: 3600 seconds
TCP session timeout before 3-way handshaking: 5 seconds
TCP session timeout after FIN/RST: 30 seconds
UDP default timeout: 30 seconds
ICMP default timeout: 6 seconds
other IP default timeout: 30 seconds
Session timeout in discard state:
TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds
-------------------------------------------------------------------------------
session accelerated aging: enabled
accelerated aging threshold: 80% of utilization
scaling factor: 2 X
-------------------------------------------------------------------------------
session setup
TCP - reject non-SYN first packet: yes
hardware session offloading: yes
IPv6 firewalling: no
-------------------------------------------------------------------------------
application trickling scan parameters:
timeout to determine application trickling: 10 seconds
resource utilization threshold to start scan: 80%
scan scaling factor over regular aging: 8
-------------------------------------------------------------------------------
Resolution
There are two workarounds for this issue:
- Change the network architecture to eliminate asymmetric routing, so that all return traffic passes through the same firewall through which the traffic originated
- Turn off the option (tcp-reject-non-syn) that rejects connections whose first packet was not a SYN packet
Run the following command to disable TCP reject non-SYN temporarily (until reboot):
> set session tcp-reject-non-syn no
Run the following commands to disable the option permanently:
> configure
# set deviceconfig setting session tcp-reject-non-syn no
# commit
Run the following command to confirm that the firewall will now establish sessions for non-SYN TCP packets:
> show session info
. . . .
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: False
Hardware session offloading: True
IPv6 firewalling: True
owner: panagent
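As an added example (not part of the original article), a small Python helper that parses two samples of the show counter global | match drop output to report which drop counters incremented between them, and reads the reject-non-SYN setting from show session info output in either its yes/no or True/False form. The sample counter values and the second sample are constructed for this example.

```python
import re

# Constructed samples of `show counter global | match drop`, captured two
# intervals apart; the values are made up for this example.
SAMPLE_T0 = """\
name value rate severity category aspect description
-----------------------------------------------------------------------------------
flow_rcv_err 1705 0 drop flow parse Packets dropped: flow stage receive error
flow_tcp_non_syn_drop 156 0 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 14263 0 drop flow forward Packets dropped: no route for IP multicast
"""
# Second sample: only the non-SYN and multicast drop counters have moved.
SAMPLE_T1 = SAMPLE_T0.replace(" 156 ", " 203 ").replace(" 14263 ", " 14270 ")

# Columns: name value rate severity category aspect description
COUNTER_RE = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s+\w+\s+\w+\s+\w+\s+(.*)$")


def parse_counters(text):
    """Map counter name -> value; the header and separator lines do not match."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before, after):
    """Counters whose value grew between the two samples, with the increase."""
    return {name: val - before.get(name, 0)
            for name, val in after.items() if val > before.get(name, 0)}


def non_syn_drops_increasing(before, after):
    """True when flow_tcp_non_syn_drop is still climbing, the symptom the
    article ties to asymmetric routing with tcp-reject-non-syn enabled."""
    return counter_deltas(before, after).get("flow_tcp_non_syn_drop", 0) > 0


def reject_non_syn_enabled(session_info):
    """Read the 'TCP - reject non-SYN first packet' line of `show session info`.
    Older output prints yes/no, newer prints True/False; None if the line is absent."""
    m = re.search(r"reject non-SYN first packet:\s*(\w+)", session_info, re.I)
    if not m:
        return None
    return m.group(1).lower() in ("yes", "true")


if __name__ == "__main__":
    t0, t1 = parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1)
    print(counter_deltas(t0, t1))  # {'flow_tcp_non_syn_drop': 47, 'flow_fwd_l3_mcast_drop': 7}
    print(non_syn_drops_increasing(t0, t1))  # True
```

Feed it two captures of the real CLI output taken a few seconds apart; a growing flow_tcp_non_syn_drop together with reject_non_syn_enabled() returning True is the combination the article describes.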