This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Help understanding Asymmetric Path issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Help understanding Asymmetric Path issue

Go to solution
shyrus
L0 Member

‎04-21-2024 06:44 AM

Hoping that someone can help me to understand my asymmetric path issue (out of sync). I have a single virtual firewall with 2 virtual routers.

 

Interfaces:

  • Client (in zone 'client'). Is gateway for subnet.
  • VPN (in zone 'vpn'). Is gateway for subnet.

Machines:

  • Client-01 - (192.168.1.3) 1 interface in 'client' zone.
  • VPN-01 - 2 interfaces, (192.168.2.2) interface in 'vpn' zone. (192.168.1.2) interface in 'client' zone.
    • Runs IPTables to forward traffic from 192.168.1.0/24 to 192.168.2.2 interface, SNAT to 192.168.2.2.

Virtual Routers:

  • default -
    • has route to WAN (single ISP).
    • has route to 'untrusted' (192.168.1.0/24 via VR 'untrusted')
  • untrusted -
    • default route to IP of VPN (default route via '192.168.1.2')

I found that this works for ICMP (presumably UDP). However after running tcpdumps on both the vpn and client as well as the PA, I found that traffic was being dropped. Specifically TCP traffic. I found an old Palo article from what appears to be a similar situation (https://live.paloaltonetworks.com/t5/general-topics/routing-between-virtual-routers-in-same-firewall...). Which led me to find that I am dropping packets, I set 'asymmetric path' to 'bypass', which resolves the issue. However, I'm not understanding where the problematic route is. Most issues I'm finding online involve 2 or more ISP providers, which doesn't apply to my scenario.

 

Scenario : client-01 to WAN

All traffic from  'client-01' to WAN will forward to 'vpn-01' and get NAT'd with a source IP of 192.168.2.2. The Palo will then NAT it to the public IP on the firewall and return traffic will hit the WAN interface on the FW, it will be sent back to 192.168.2.2, which will then be sent back to 'client-01'. I have tried removing the route on the default VR '192.168.1.0/24 via VR untrusted', but this didn't change anything. 

 

This works fine for stateless traffic, but I have dropped packets unless 'asymmetric path' is set to 'bypass' for TCP traffic. Can anyone help me understand what am I missing that would cause packets to arrive out of order? Thanks for any assistance provided.

 

Network topology:
Screenshot from 2024-04-21 09-14-11.png

 

 

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-21-2024 09:55 AM

Hello,

Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.

Regards,

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-21-2024 09:55 AM

Hello,

Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.

Regards,

0 Likes Likes

Go to solution
rmfalconer
L5 Sessionator

‎04-22-2024 04:34 PM

Int. Client won't see the syn-ack in what you've described. vpn-01 and client-01 are on the same subnet so return traffic just forwards, the firewall won't see it. 

0 Likes Likes

Go to solution
shyrus
L0 Member

‎04-22-2024 04:58 PM

Thanks for the replies.

0 Likes Likes
  • 1 accepted solution
  • 896 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks