04-10-2012 05:33 PM
Does anyone else have a multi-site network with asymmetric routing? I'm having some issues getting from site to site.
Here's what's going on:
We have two datacenters -- one for the eastern US, the other for the western US. Each datacenter has a PA-2020. Our satellite offices use PA-500s, ASA 5505s, and ASA 5520s. There is an IPSec tunnel from each site to both datacenters.
Our IP scheme is such that western sites use one subnet (including the DC), and the eastern sites use another subnet. Each of those is broken down into smaller subnets for the individual sites. Each site subnet is broken down further for production, DMZ, and local VPN pools.
The problem I'm having is that, for example, traffic from a site on the west is not able to reach resources on the east. Every site can access either datacenter with no trouble at all. Both datacenters can access any site without problems as well. It's only site-to-site where we see problems.
The tunnel routing is such that, from the site, outbound traffic is routed to whichever datacenter is "home" to the destination site. For instance, a site in California would send traffic through its tunnel to the east datacenter to hit a site in Florida. This becomes an issue when the Florida site replies, as it will reply back to the western datacenter to get back to California. As such, the datacenter firewalls will likely not see the entire session.
All of the routing is static right now, and fairly simple. Each DC has routes to the other DC, and to every site's supernet via its local IPSec tunnel. The sites' routing is east supernet to east DC, west supernet to west DC, and the default gateway for local Internet.
I've followed the advice in this article (https://live.paloaltonetworks.com/docs/DOC-1260) to turn off TCP SYN checking. The connection is initially established, but it will frequently time out while loading a web page. ICMP seems to work fine. SSH seems OK too.
To make things even more confusing, we have Blue Coat proxy appliances at each site, and at each datacenter. They do content filtering at the site level, and deduplication between sites and DCs. They're all configured as transparent in-line proxies.
At this point, there are so many variables that I just don't know where to start troubleshooting. I talked to one support rep at PA, who told me that asymmetric routing will cause problems, plain and simple. Then I found the article about the SYN flags, and that helped... but not completely. So, I'm wondering if anyone else is doing anything similar, and if so, is it working for you?
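A small model of the static routing described above, as an added example (not from the original post and not a vendor tool); the prefixes, site names and the set of stateful devices are constructed assumptions. It computes the forward and return path for a site-to-site flow and reports which datacenter firewall sees only one direction of the session.

```python
import ipaddress

# Constructed illustrative addressing; the post gives no real prefixes.
CONNECTED = {                      # prefix each node delivers to directly
    "california": "10.1.10.0/24",  # a west-coast site
    "florida":    "10.2.20.0/24",  # an east-coast site
    "west-dc":    "10.1.0.0/24",
    "east-dc":    "10.2.0.0/24",
}
# Static routes as the post describes: sites send each supernet to its
# "home" DC; each DC has a tunnel route to every site and to the other DC.
ROUTES = {
    "california": [("10.1.0.0/16", "west-dc"), ("10.2.0.0/16", "east-dc")],
    "florida":    [("10.1.0.0/16", "west-dc"), ("10.2.0.0/16", "east-dc")],
    "west-dc":    [("10.1.10.0/24", "california"), ("10.2.20.0/24", "florida"),
                   ("10.2.0.0/16", "east-dc")],
    "east-dc":    [("10.1.10.0/24", "california"), ("10.2.20.0/24", "florida"),
                   ("10.1.0.0/16", "west-dc")],
}
STATEFUL = {"west-dc", "east-dc"}  # session-tracking devices (the DC firewalls)

def next_hop(node, dst):
    """Longest-prefix-match lookup in node's table; None when delivered locally."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(CONNECTED[node]):
        return None
    matches = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in ROUTES[node]
               if ip in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"{node}: no route to {dst}")
    return max(matches)[1]

def trace(src_node, dst):
    """Return the list of nodes a packet from src_node traverses to reach dst."""
    path = [src_node]
    while (nh := next_hop(path[-1], dst)) is not None:
        if len(path) > 16:
            raise RuntimeError("routing loop")
        path.append(nh)
    return path

def half_session_firewalls(src_node, src_ip, dst_node, dst_ip):
    """Stateful devices that see only one direction of the flow (asymmetric)."""
    fwd, rev = set(trace(src_node, dst_ip)), set(trace(dst_node, src_ip))
    return {fw for fw in STATEFUL if (fw in fwd) != (fw in rev)}

if __name__ == "__main__":
    print(trace("california", "10.2.20.5"))   # via east-dc
    print(trace("florida", "10.1.10.5"))      # reply returns via west-dc
    print(half_session_firewalls("california", "10.1.10.5", "florida", "10.2.20.5"))
```

Site-to-DC flows come back empty because both directions cross the same firewall, which matches the behaviour reported in the post.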