Redundant Paths to a single FW
Has anyone successfully set up a scenario with multiple paths from the user side to a DMZ behind a firewall without running into issues with asymmetric routing?  Here is the network.  Users are in a VRRP-connected VLAN to two core routers.  Each core has a routed link to a firewall.  The OSPF path cost back to the user is equal.  With asymmetric routing on the return session the users intermittently lose connectivity to the servers.  Is this a common problem with all firewalls?  The firewall does not send traffic back through the same physical port that originated it.  I haven't tried forcing traffic back on one link by increasing the path cost of the other, but that will defeat the load sharing of links for the return traffic.

Thanks in advance

RE: Redundant Paths to a single FW

Without knowing the full network architecture I cannot give you a full answer.  If the firewalls are separate entities, i.e. not in a cluster and not sharing session tables, then I guess your main problem is that each firewall will not know about current sessions on the other firewall for the reply packets.  You could source NAT on the firewall to ensure that the session that was created on the firewall goes back through the correct firewall, but as mentioned I need to know more details.  Other questions pop into my head, such as: are the sessions load balanced on the routers (equal-cost paths) per packet or per destination, etc.?



RE: Redundant Paths to a single FW

This is a single PaloAlto firewall.  Two routed links in and one DMZ link.  With VRRP at the user VLAN each user is directed to one of two core routers as their gateway.  The firewall has one routed link to each core router.  So the user will always enter the firewall on a known inbound port.  What we see is that the returning session from the server behind the firewall will not always come back out the same port it went in on.  Hence the asymmetric route.  Users fail intermittently with loss of connections.  In general the consensus I've heard is that firewalls don't handle this kind of network topology very well.  Two firewalls with one in standby is the answer.  I am trying to see if this is the only answer or does someone have this working.
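Added example (not from the thread or from any vendor): a small simulation of the link-selection policies the replies touch on, run over constructed user-to-DMZ sessions. Two equal-cost links join the core pair to the single firewall; for each session the core picks a link toward the firewall and the firewall picks a link back toward the cores. The example compares per-packet sharing, ordinary per-flow 5-tuple hashing, a symmetric (endpoint-canonicalised) hash, and the "raise the OSPF cost on one link" fallback, and counts how many sessions end up with their reply direction on a different link than their request direction. The addresses, the SHA-256 stand-in for a router's hashing polynomial, and the assumption that both ends hash with the same policy are all assumptions of the example; whether a given firewall drops such sessions is a product question the thread does not settle, so the code only reports the asymmetry.

```python
"""Simulate ECMP link selection on two core<->firewall links and count
sessions whose reply direction does not retrace the request direction.
Constructed example data; not the topology or firewall from the thread."""
import hashlib
import ipaddress
from collections import Counter

# Constructed: the two routed links between the core pair and the firewall.
LINKS = ("core1-fw", "core2-fw")


def _digest(*parts) -> int:
    """Stable stand-in for a router's hardware hash (assumption: real devices
    use a vendor-specific polynomial, but the property shown is the same)."""
    raw = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")


def per_flow_link(src_ip, src_port, dst_ip, dst_port, proto=6):
    """Per-flow (per-destination style) hashing on the plain 5-tuple.
    Deterministic for one direction, but A->B and B->A hash independently."""
    return LINKS[_digest(src_ip, src_port, dst_ip, dst_port, proto) % len(LINKS)]


def symmetric_flow_link(src_ip, src_port, dst_ip, dst_port, proto=6):
    """Same idea with the endpoints canonicalised (lower endpoint first), so the
    reply direction hashes to the same link as the request direction."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return LINKS[_digest(lo, hi, proto) % len(LINKS)]


def per_packet_link(packet_index):
    """Per-packet load sharing: round robin regardless of flow."""
    return LINKS[packet_index % len(LINKS)]


def pinned_link(*_ignored):
    """What raising the OSPF cost on one link does: every packet uses one link."""
    return LINKS[0]


def make_flows(n=64):
    """Constructed user->DMZ sessions: users in 10.1.0.0/24 to one DMZ server."""
    users = ipaddress.ip_network("10.1.0.0/24")
    server = "192.0.2.10"  # constructed DMZ address (documentation range)
    return [(str(host), 40000 + i, server, 443)
            for i, host in enumerate(list(users.hosts())[:n])]


def asymmetric_sessions(link_fn, flows):
    """Flows whose reply direction lands on a different link than the request.
    Forward: the core hashes the client->server tuple toward the firewall.
    Reverse: the firewall hashes the server->client tuple toward the cores."""
    bad = []
    for src, sport, dst, dport in flows:
        fwd = link_fn(src, sport, dst, dport)
        rev = link_fn(dst, dport, src, sport)
        if fwd != rev:
            bad.append((src, sport, dst, dport))
    return bad


def link_usage(link_fn, flows):
    """How the request direction of the flows spreads over the two links."""
    return Counter(link_fn(src, sport, dst, dport) for src, sport, dst, dport in flows)


def per_packet_session_spread(n_packets=10):
    """Links touched by the packets of ONE session under per-packet sharing."""
    return {per_packet_link(i) for i in range(n_packets)}


if __name__ == "__main__":
    flows = make_flows()
    policies = (("5-tuple hash", per_flow_link),
                ("symmetric hash", symmetric_flow_link),
                ("pinned link", pinned_link))
    for name, fn in policies:
        bad = asymmetric_sessions(fn, flows)
        print(f"{name:15s} asymmetric={len(bad):2d}/{len(flows)} "
              f"usage={dict(link_usage(fn, flows))}")
    print("per-packet: one session is spread over", per_packet_session_spread())
```

Reading the output: plain 5-tuple hashing keeps each direction on one link but roughly half the sessions come back on the other link; the symmetric hash reports zero asymmetric sessions while still spreading load over both links; pinning by path cost also reports zero but uses one link only, which is the load-sharing trade-off the original post mentions; per-packet sharing spreads even a single session across both links, which is the case the first reply asks about.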

