Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Issues with Asymetric Routing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issues with Asymetric Routing

L3 Networker

Hello Community,

 

I need your help to how to identify the asymetric routing in my PA-3020? and what are the best way to allow or bypass these traffic until solve the routing issue the third party device?.

 

Best Regards

Andres Padilla

Best Regards
1 accepted solution

Accepted Solutions

L4 Transporter

Depending on what assimetric routing the firewall is seeing, the most agressive/global is 

set session tcp-reject-non-syn no

 

You can also add a a Zone protection profile in this one select "packet based attack protection", uncheck mismatched overlapping TCP segment, reject non-syn tcp: no, asymetric path: bypass. And attach it to the zone where the assimetric traffic is arriving.

 

regards,

Gerardo

View solution in original post

4 REPLIES 4

L4 Transporter

Depending on what assimetric routing the firewall is seeing, the most agressive/global is 

set session tcp-reject-non-syn no

 

You can also add a a Zone protection profile in this one select "packet based attack protection", uncheck mismatched overlapping TCP segment, reject non-syn tcp: no, asymetric path: bypass. And attach it to the zone where the assimetric traffic is arriving.

 

regards,

Gerardo

I set up a protection zone the following way.

 

And assinged to untrust zone.

 

issue asymetric routing.JPG

 

After performed this change I see the

the numer 51303508 not changed.

flow_tcp_non_syn_drop               51303508        0 drop      flow      session   Packets dropped: non-SYN TCP without session match

 

But this number always increase 51316034.

flow_tcp_non_syn                    51316034        4 info      flow      session   Non-SYN TCP packets without session match

 

 

Best Regards

To identify the asymmetric routing issue one of the possible way is to do a ping from a host and then check if the s2c byte are 0 or not if the s2c are 0 and ping is sucessful then reply is not comint through firewall


Refer to following document for non syn packets

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewa...

the numer 51303508 not changed.

flow_tcp_non_syn_drop               51303508        0 drop      flow      session   Packets dropped: non-SYN TCP without session match

 

But this number always increase 51316034.

flow_tcp_non_syn                    51316034        4 info      flow      session   Non-SYN TCP packets without session match

 

 

That means you are no longer dropping asymmetric TCP sessions, but there are still such sessions happening. Now you have to resolve your routing and when both counters stop increasing you know you don't have any asymmetric routing any longer. Then start dropping non-SYN sessions again.

  • 1 accepted solution
  • 16200 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!