With A/A you can have assymetrical flows. But they do need to maintain the zone relationship that match the session for the flow. So make sure the policy that permits the traffic has the zone to zone setup needed for the communication across the two devices.
Easiest way to troubleshoot this kind of flow is to do the trace route from both devices and then map the interfaces hit by the packets in the flow on the two PA devices. Then lookup the zone assignments and confirm the policy is in place in the correct direction by initiator of the traffic.
Thanks for the response.
We have all interfaces in the same zone and have a policy to permit any any (testing right now). I did move interfaces around in different zones, making sure both FW's matched. We still had the same results.
Doing a show counters global, I didn't see any hits on the stat: flow_tcp_non_syn_drop. Reading up, and appears that would be an indication of the FWs dropping traffic due to asynchronous routing. However, I did notice these two stats get hit constantly (only traffic going through these guys is protocol traffic (BGP) and pings:
Been playing aroudnd with subinterfaces and what not, and still no go. Everything works as is, but when I introduce asynchronous routing, routes to an opposing side break.
Are you certain that both directions of the flow cross the A/A firewall pair?
Based on your description, there should be no asymmetrical flow drops on the firewall. Unless there is a path that can bypass BOTH firewalls in the commuications flow in question.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!