Publication Date: 2016-10-30 | Views: 712 | Downloads: 0 | Author: b00745015 | Document ID: EKB1000345545
firewall is dropping the connection because of asymmetric routing, the return path is different that outgoing path.
Software: USG6600 V100R001C30SPC600
Topology is below:
We have a client 192.168.1.1 sending an http request to the Server 10.10.0.2.
Server may respond back to the client but via 126.96.36.199 as the server is doing load balancing in order to get full use of both network interface cards.
By default firewall will drop the return traffic, because it is coming via a different interface.
How to make it work?
We have to disable stateful inspection.
Stateful inspection detects the legitimacy of TCP connections. If the forward and return paths of packets are different, the device may not receive the first packet and therefore cannot establish a session for legitimate traffic. In this case, we must disable stateful inspection.
[sysname] undo firewall session link-state check
Note that this operation might cripple the security function of the firewall. Be careful.