cancel
Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

Asymmetric routing

Not applicable

Does anyone else have a multi-site network with asymmetric routing?  I'm having some issues getting from site to site.

Here's what's going on:

We have two datacenters -- one for the eastern US, the other for the western US.  Each datacenter has a PA-2020.  Our satellite offices use PA-500s, ASA 5505s, and ASA 5520s.  There is an IPSec tunnel from each site to both datacenters.

Our IP scheme is such that western sites use one subnet (including the DC), and the eastern sites use another subnet.  Each of those is broken down into smaller subnets for the individual sites.  Each site subnet is broken down further for production, DMZ, and local VPN pools.

The problem I'm having is that, for example, traffic from a site on the west is not able to reach resources on the east.  Every site can access either datacenter with no trouble at all.  Both datacenters can access any site without problems as well.  It's only site-to-site where we see problems.

The tunnel routing is such that, from the site, outbound traffic is routed to whichever datacenter is "home" to the destination site.  For instance, a site in California would send traffic through its tunnel to the east datacenter to hit a site in Florida.  This becomes an issue when the Florida site replies, as it will reply back to the western datacenter to get back to California.  As such, the datacenter firewalls will likely not see the entire session.

All of the routing is static right now, and fairly simple.  Each DC has routes to the other DC, and to every site's supernet via its local IPSec tunnel.  The sites' routing is east supernet to east DC, west supernet to west DC, and the default gateway for local Internet.

I've followed the advice in this article (https://live.paloaltonetworks.com/docs/DOC-1260) to turn off TCP SYN checking.  The connection is initially established, but it will frequently time out while loading a web page.  ICMP seems to work fine.  SSH seems OK too.

To make things even more confusing, we have Blue Coat proxy appliances at each site, and at each datacenter.  They do content filtering at the site level, and deduplication between sites and DCs.  They're all configured as transparent in-line proxies.

At this point, there are so many variables that I just don't know where to start troubleshooting.  I talked to one support rep at PA, who told me that asymmetric routing will cause problems, plain and simple.  Then I found the article about the SYN flags, and that helped... but not completely.  So, I'm wondering if anyone else is doing anything similar, and if so, is it working for you?

Who Me Too'd this topic