
Asymmetric routing on USG6600

Publication Date:  2016-10-30 Views:  148 Downloads:  0
Issue Description

The firewall is dropping the connection because of asymmetric routing: the return path is different from the outgoing path.

Software: USG6600 V100R001C30SPC600
ESN: 210235G7G410G3000042

Topology is below:

A client 192.168.1.1 sends an HTTP request to the server 10.10.0.2.
The server may reply to the client via 20.20.0.1, because it load-balances across both of its network interface cards.

By default, the firewall drops the return traffic because it arrives on a different interface.

How to make it work?



Solution

We have to disable stateful inspection.

Stateful inspection checks the legitimacy of TCP connections. If the forward and return paths of a flow differ, the device may not see the first packet of the connection and therefore cannot establish a session for legitimate traffic. In this case, stateful inspection must be disabled.

<sysname> system-view
[sysname] undo firewall session link-state check

Note that this operation might cripple the security function of the firewall. Be careful.
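To make the drop and its trade-off concrete, the following is an added, simplified model of session tracking (illustration only, not the USG6600 implementation). It reproduces the topology above: the SYN enters on one interface, the SYN-ACK comes back on another, and a constructed unsolicited packet from 203.0.113.9 shows what the check otherwise blocks. Interface names are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "ACK"
    ingress: str    # interface the packet arrived on


class SessionTable:
    """Simplified stateful session table; link_state_check mirrors the
    'firewall session link-state check' switch in spirit, not in detail."""

    def __init__(self, link_state_check: bool = True):
        self.link_state_check = link_state_check
        self.sessions = {}   # forward 5-tuple -> interface the reply is expected on

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet, egress: str) -> str:
        """Return 'forward' or 'drop'; egress is the interface routing picked for p."""
        if p.flags == "SYN":
            self.sessions[self._fwd(p)] = egress   # first packet creates the session
            return "forward"
        expected = self.sessions.get(self._rev(p))
        if expected is not None:                    # reply to a known session
            if self.link_state_check and p.ingress != expected:
                return "drop"                       # came back on a different interface
            return "forward"
        if self._fwd(p) in self.sessions:
            return "forward"                        # more client -> server traffic
        if self.link_state_check:
            return "drop"                           # mid-stream packet, no session
        self.sessions[self._fwd(p)] = egress        # check disabled: any packet creates state
        return "forward"


def demo(link_state_check: bool) -> dict:
    fw = SessionTable(link_state_check)
    syn = Packet("192.168.1.1", 40000, "10.10.0.2", 80, "SYN", "GE1/0/0")
    synack = Packet("10.10.0.2", 80, "192.168.1.1", 40000, "SYN-ACK", "GE1/0/2")  # via 20.20.0.1
    stray = Packet("203.0.113.9", 4444, "192.168.1.1", 40001, "ACK", "GE1/0/2")   # constructed, unsolicited
    return {"syn": fw.handle(syn, "GE1/0/1"),
            "synack": fw.handle(synack, "GE1/0/0"),
            "stray": fw.handle(stray, "GE1/0/0")}
```

With the check enabled the SYN-ACK is dropped, which is the fault described above; with it disabled the SYN-ACK passes, but so does the unsolicited packet, which is the security cost the note warns about.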
