Asymmetric routing with the same interface


L0 Member

I have to deploy a WAN firewall which has 2 WAN links. The requirement was that egress traffic from the firewall to the WAN will be sent to Link A, but the response traffic will ingress from Link B.

If I've set both of these interfaces in the same zone, the untrust zone, will the firewall drop the traffic because of asymmetric routing? Or will the firewall inspect traffic as usual because it returns in the same zone, on a different interface but in the same zone?


Cyber Elite

@Sahaswetch,

That's ... a very odd way of doing things. Sessions are aware of the ingress and egress interface and session match expects this to always be true. I wouldn't expect the firewall to drop the traffic, but it would create a new session for all return traffic as it no longer matches the established session. Your security policies would then need to account for this.

I'm honestly more wondering how your service provider is handling this; they would run into the same issues as you are going to be presented with, and it just seems like a really odd way to configure things.

The zones are more important than the interface from a session perspective, so you shouldn't see issues of multiple sessions or dropped packets.

 

I do wonder if your ISP doesn't have a nicer means to solve this than to present you with this challenge 😉

Is there no way for them to aggregate the lines onto a single device so at least from your perspective you're communicating with just one host?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
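
As an added illustration (not part of the thread and not PAN-OS code), this toy session table shows why the lookup key matters for the setup in the question: return traffic arriving on Link B either matches the session created via Link A or starts a new one, depending on whether sessions are matched by interface or by zone. The interface names, zone mapping and addresses are constructed assumptions.

```python
# Toy model of a stateful session table (constructed; not PAN-OS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the route lookup selects

# Constructed mapping: both WAN links sit in the same untrust zone.
ZONES = {"lan": "trust", "linkA": "untrust", "linkB": "untrust"}

class SessionTable:
    def __init__(self, match_on):
        assert match_on in ("interface", "zone")
        self.match_on = match_on
        self.sessions = set()

    def _locus(self, ifname):
        # What the session records for ingress/egress: the interface or its zone.
        return ifname if self.match_on == "interface" else ZONES[ifname]

    def _key(self, p, reverse=False):
        # Sessions are stored client-to-server; a return packet is looked up
        # with its endpoints and its ingress/egress swapped.
        if reverse:
            return (p.dst, p.src, p.dport, p.sport,
                    self._locus(p.out_if), self._locus(p.in_if))
        return (p.src, p.dst, p.sport, p.dport,
                self._locus(p.in_if), self._locus(p.out_if))

    def process(self, p):
        if self._key(p) in self.sessions or self._key(p, True) in self.sessions:
            return "existing-session"
        self.sessions.add(self._key(p))
        return "new-session"  # would need its own security policy match

def run(match_on):
    table = SessionTable(match_on)
    out = Packet("10.0.0.5", "203.0.113.9", 40000, 443, "lan", "linkA")
    back = Packet("203.0.113.9", "10.0.0.5", 443, 40000, "linkB", "lan")
    return table.process(out), table.process(back)

if __name__ == "__main__":
    for mode in ("interface", "zone"):
        print(mode, run(mode))
```

In this model, whenever the return packet comes back as `new-session`, the rulebase must explicitly allow untrust-to-trust replies, which is a policy a stateful firewall normally does not need.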