Help understanding Asymmetric Path issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Help understanding Asymmetric Path issue

L0 Member

Hoping that someone can help me to understand my asymmetric path issue (out of sync). I have a single virtual firewall with 2 virtual routers.

 

Interfaces:

  • Client (in zone 'client'). Is gateway for subnet.
  • VPN (in zone 'vpn'). Is gateway for subnet.

Machines:

  • Client-01 - (192.168.1.3) 1 interface in 'client' zone.
  • VPN-01 - 2 interfaces, (192.168.2.2) interface in 'vpn' zone. (192.168.1.2) interface in 'client' zone.
    • Runs IPTables to forward traffic from 192.168.1.0/24 to 192.168.2.2 interface, SNAT to 192.168.2.2.

Virtual Routers:

  • default -
    • has route to WAN (single ISP).
    • has route to 'untrusted' (192.168.1.0/24 via VR 'untrusted')
  • untrusted -
    • default route to IP of VPN (default route via '192.168.1.2')

I found that this works for ICMP (presumably UDP). However after running tcpdumps on both the vpn and client as well as the PA, I found that traffic was being dropped. Specifically TCP traffic. I found an old Palo article from what appears to be a similar situation (https://live.paloaltonetworks.com/t5/general-topics/routing-between-virtual-routers-in-same-firewall...). Which led me to find that I am dropping packets, I set 'asymmetric path' to 'bypass', which resolves the issue. However, I'm not understanding where the problematic route is. Most issues I'm finding online involve 2 or more ISP providers, which doesn't apply to my scenario.

 

Scenario : client-01 to WAN

All traffic from  'client-01' to WAN will forward to 'vpn-01' and get NAT'd with a source IP of 192.168.2.2. The Palo will then NAT it to the public IP on the firewall and return traffic will hit the WAN interface on the FW, it will be sent back to 192.168.2.2, which will then be sent back to 'client-01'. I have tried removing the route on the default VR '192.168.1.0/24 via VR untrusted', but this didn't change anything. 

 

This works fine for stateless traffic, but I have dropped packets unless 'asymmetric path' is set to 'bypass' for TCP traffic. Can anyone help me understand what am I missing that would cause packets to arrive out of order? Thanks for any assistance provided.

 

Network topology:
Screenshot from 2024-04-21 09-14-11.png

 

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.

Regards,

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Anytime you have more than one possible path from one node to another, you might get asymmetrical routing. Its a pain, but can be controlled. I know it doesn't really answer your questions, just a fact in any product/routing network.

Regards,

L5 Sessionator

Int. Client won't see the syn-ack in what you've described. vpn-01 and client-01 are on the same subnet so return traffic just forwards, the firewall won't see it. 

L0 Member

Thanks for the replies.

  • 1 accepted solution
  • 597 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!