
Asymmetric routing on USG6600

Publication Date:  2016-10-30  |   Views:  712  |   Downloads:  0  |   Author:  b00745015  |   Document ID:  EKB1000345545


Issue Description

The firewall is dropping the connection because of asymmetric routing: the return path is different from the outgoing path.

Software: USG6600 V100R001C30SPC600
ESN: 210235G7G410G3000042

Topology is below:

A client sends an HTTP request to the server.
The server may respond to the client via a different interface, because the server is doing load balancing in order to make full use of both network interface cards.

By default, the firewall drops the return traffic because it arrives via a different interface.

How to make it work?


We have to disable stateful inspection.

Stateful inspection detects the legitimacy of TCP connections. If the forward and return paths of packets are different, the device may not receive the first packet and therefore cannot establish a session for legitimate traffic. In this case, we must disable stateful inspection.

<sysname> system-view
[sysname] undo firewall session link-state check

Note that this operation might cripple the security function of the firewall. Be careful.
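
The behaviour described above, as an added example that is not part of the original article and is not Huawei code: a simplified Python model of a TCP link-state check in which only a SYN may create a session while the check is on. The Packet and Firewall classes, the addresses and the packet sequences are constructed for illustration, and security policy matching is left out.

```python
# Simplified model of a TCP link-state check (illustration only, not device code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

    def flow_key(self):
        # Direction-independent key so both legs of a connection match one session.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

@dataclass
class Firewall:
    link_state_check: bool = True
    sessions: set = field(default_factory=set)

    def process(self, pkt):
        key = pkt.flow_key()
        if key in self.sessions:
            return "forward"        # matches an existing session
        if pkt.flags == "S" or not self.link_state_check:
            self.sessions.add(key)  # first packet seen creates the session
            return "forward"
        return "drop"               # non-SYN packet with no session

def run(fw, packets):
    return [fw.process(p) for p in packets]

# Constructed sample traffic using documentation address ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SYN = Packet(CLIENT, SERVER, 40000, 80, "S")
SYN_ACK = Packet(SERVER, CLIENT, 80, 40000, "SA")
ACK = Packet(CLIENT, SERVER, 40000, 80, "A")
STRAY_ACK = Packet("203.0.113.5", SERVER, 50000, 80, "A")  # no handshake behind it

def scenarios():
    return {
        "symmetric, check on": run(Firewall(True), [SYN, SYN_ACK, ACK]),
        "return leg only, check on": run(Firewall(True), [SYN_ACK]),
        "return leg only, check off": run(Firewall(False), [SYN_ACK]),
        "stray ACK, check on": run(Firewall(True), [STRAY_ACK]),
        "stray ACK, check off": run(Firewall(False), [STRAY_ACK]),
    }

if __name__ == "__main__":
    for name, verdicts in scenarios().items():
        print(f"{name:28} {verdicts}")
```

The last two scenarios show the trade-off the note above warns about: with the check off, a non-SYN packet that belongs to no handshake also opens a session.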