
Re-creating a specific routing configuration.


Hello folks,


I am trying to reproduce a configuration from work where we use a Metro Line to connect our two sites.  It's working at my job, but not at home.  It seems like a simple setup and I think I am close, but having an issue.  Checking if anyone may have a comment?


My test is trying to connect to my ESXi server from the vSphere client, but I am unable to connect.  However, ping works everywhere.  Other traffic like web does not work either, just ping at the moment.

metrof.jpg


I've created static routes on the PA devices to handle traffic like it is at work.

PA 200 #1

metroc.jpg

PA 200 #2

metrob.jpg


Security Rule on PA 200 #2

metrod.jpg


Part of my troubleshooting.  The traffic log on PA 200 #2 does register traffic to the appropriate security rule, but says incomplete.  The pings are successful.  This example was me trying to access the ESXi server IP via browser.

metroe.jpg

Hi @OMatlock,


I wonder if you have asynchronous routing caused by switch 1. Can you try running a packet capture on the interface circled to see if the return traffic is coming back to the wrong interface?  As I understand it, you want the traffic to be coming back to ethernet1/3 on the PA-200 #2.


interface.png


If this is the issue then I would think you can resolve it with a NAT rule.


hope this helps,

Ben

Thanks for responding bmorris1.

I did have IP routing enabled on switch 1, but have now disabled it.  Still the same issue.


I ran a capture on PA 200 #2 using filters for these two specific IPs and ingress interface 1/2.  You can see the pings are successful, but attempting to browse the web page of this server does not work.  It works fine when the client is on the same subnet.

If you have any other comments, let me know!  🙂  I will be focusing on it during my t-giving break.


metrog.jpg


I was thinking that the ingress and egress indications from the traffic log are correct.  When pinging (or attempting to access) from 192.168.32.25 to 192.168.33.143, it seems correct for egress to be 1/3 and ingress to be 1/2.  Sound/look right?

metroh.jpg

Your traffic is asymmetric.

TCP SYN traffic arrives on PA2 with a destination of the ESX server. ESX server responds with SYN ACK which goes to PA1 since that's the gateway. PA1 didn't see the initial SYN so it won't work. Ping doesn't have this problem since it doesn't need the handshake. Generally, if you see ping working but nothing else, it's asymmetry of some kind.

Any firewalls that the traffic traverses need to see the three-way handshake.
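The failure mode described in the accepted answer, and the source-NAT workaround bmorris1 suggested earlier in the thread, are easy to reason about with a small simulation. The following is an added example and not code from the thread or from Palo Alto Networks: it models two simplified stateful firewalls, the static forward path through PA2, and the server's default gateway pointing at PA1. The client and server addresses are the ones shown in the thread; the address 192.168.33.2 for PA2's ethernet1/3, the permit-everything policy on both firewalls, and the port numbers are assumptions. The model keeps the two behaviours that matter here: a TCP flow may only be opened by a SYN (PAN-OS "reject non-SYN TCP"), while an ICMP echo reply with no session is simply evaluated against policy as a new flow.

```python
from dataclasses import dataclass, replace

# Addresses from the thread. PA2's address on the server-side subnet
# (ethernet1/3) is an assumption, used only for the source-NAT variant.
CLIENT = "192.168.32.25"
SERVER = "192.168.33.143"
PA2_ETH3 = "192.168.33.2"
SERVER_NET = "192.168.33."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""   # SYN, SYN-ACK, ACK, ECHO, ECHO-REPLY


class StatefulFirewall:
    """Simplified stateful firewall: sessions are tracked per 5-tuple, a TCP
    session may only be opened by a SYN, and ICMP has no handshake, so an
    echo reply with no session is just a new flow checked against policy."""

    def __init__(self, name, policy_allows, snat=None):
        self.name = name
        self.policy_allows = policy_allows   # callable(Packet) -> bool
        self.snat = snat                     # (original_src, translated_src) or None
        self.sessions = set()
        self.log = []

    def _key(self, p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)   # direction-insensitive

    def _pre_nat(self, p):
        # Return traffic is addressed to the translated address; map it back
        # so it matches the session the client opened.
        if self.snat and p.dst == self.snat[1]:
            return replace(p, dst=self.snat[0])
        return p

    def process(self, p):
        q = self._pre_nat(p)
        key = self._key(q)
        if key in self.sessions:
            action = "allow (existing session)"
        elif q.proto == "tcp" and q.flags != "SYN":
            action = "drop (non-SYN TCP, no session)"
        elif not self.policy_allows(q):
            action = "deny (policy)"
        else:
            self.sessions.add(key)
            action = "allow (new session)"
        self.log.append((self.name, q.flags, action))
        if not action.startswith("allow"):
            return None
        if self.snat and q.src == self.snat[0]:
            return replace(q, src=self.snat[1])   # outbound: translate source
        return q


def route(p, pa1, pa2):
    """Which firewall a packet traverses. The client's traffic is statically
    routed through PA2. The server's default gateway is PA1, so its replies to
    off-subnet destinations go via PA1; a destination on its own subnet
    (PA2's ethernet1/3 in the NAT case) is reached directly."""
    if p.src == CLIENT:
        return pa2
    return pa2 if p.dst.startswith(SERVER_NET) else pa1


def deliver(p, pa1, pa2):
    return route(p, pa1, pa2).process(p)


def tcp_handshake(pa1, pa2):
    syn = Packet(CLIENT, SERVER, "tcp", 51000, 443, "SYN")
    fwd = deliver(syn, pa1, pa2)
    if fwd is None:
        return "incomplete"
    # The server answers whatever source address it saw in the SYN.
    synack = Packet(SERVER, fwd.src, "tcp", 443, fwd.sport, "SYN-ACK")
    if deliver(synack, pa1, pa2) is None:
        return "incomplete"
    ack = Packet(CLIENT, SERVER, "tcp", 51000, 443, "ACK")
    return "established" if deliver(ack, pa1, pa2) else "incomplete"


def ping(pa1, pa2):
    echo = Packet(CLIENT, SERVER, "icmp", flags="ECHO")
    fwd = deliver(echo, pa1, pa2)
    if fwd is None:
        return "timeout"
    reply = Packet(SERVER, fwd.src, "icmp", flags="ECHO-REPLY")
    return "reply received" if deliver(reply, pa1, pa2) else "timeout"


def run_scenario(source_nat):
    """Both firewalls permit the inter-site traffic (assumed). With
    source_nat=True, PA2 translates the client to its ethernet1/3 address."""
    allow_all = lambda p: True
    pa1 = StatefulFirewall("PA1", allow_all)
    pa2 = StatefulFirewall("PA2", allow_all,
                           snat=(CLIENT, PA2_ETH3) if source_nat else None)
    result = {"ping": ping(pa1, pa2), "tcp": tcp_handshake(pa1, pa2)}
    return result, pa1.log + pa2.log


if __name__ == "__main__":
    for nat in (False, True):
        result, log = run_scenario(nat)
        print(f"source NAT on PA2: {nat} -> {result}")
        for fw, flags, action in log:
            print(f"  {fw}: {flags:10} {action}")
```

Without NAT the SYN-ACK reaches PA1, which has no session for it and drops it as a non-SYN first packet, exactly the "incomplete" the traffic log showed, while the echo reply is accepted as a fresh flow. With source NAT on PA2 the server sees a source on its own subnet, replies directly to PA2, and both halves of the handshake pass through the firewall that opened the session. The same effect could be had by fixing the routing so the server's return path is PA2 rather than PA1; the point is that whichever firewall sees the SYN must also see the SYN-ACK.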

Thank you for responding rmfalconer.

I am now reading more about asymmetric networking and will try to figure this out by comparing with our network at my job.  Folks that configured it originally are gone and I am trying to catch up...


I will do some more research and respond to this thread this week.  I will close it if I can't resolve it and keep updating as I make progress.
