
Redundant Paths to a single FW


vnt90 (IS-IT--Management), Jun 21, 2011
Has anyone successfully set up a scenario with multiple paths from the user side to a DMZ behind a firewall without running into issues with asymmetric routing? Here is the network. Users are in a VRRP-connected VLAN to two core routers. Each core has a routed link to a firewall. The OSPF path cost back to the users is equal. With asymmetric routing on the return session the users intermittently lose connectivity to the servers. Is this a common problem with all firewalls? The firewall does not send traffic back through the same physical port that originated it. I haven't tried forcing traffic back on one link by increasing the path cost of the other, but that will defeat the load sharing of links for the return traffic.

Thanks in advance
vnt90
 
Without knowing the full network architecture I cannot give you a full answer. If the firewalls are separate entities, i.e. not in a cluster and not sharing session tables, then I guess your main problem is that each firewall will not know about the current sessions of the other firewall for the reply packets. You could source NAT on the firewall to ensure that the reply traffic for a session goes back through the firewall it was created on, but as mentioned I need to know more details. Other questions pop into my head, such as: are the sessions load balanced on the routers (equal-cost paths) per packet or per destination, etc.?

Lee.

LEEroy
CCNP,CCIP
 
This is a single Palo Alto firewall. Two routed links in and one DMZ link. With VRRP at the user VLAN, each user is directed to one of two core routers as their gateway. The firewall has one routed link to each core router, so the user will always enter the firewall on a known inbound port. What we see is that the returning session from the server behind the firewall will not always come back out the same port it went in on, hence the asymmetric route. Users fail intermittently with loss of connections. In general, the consensus I've heard is that firewalls don't handle this kind of network topology very well. Two firewalls with one in standby is the answer. I am trying to see if this is the only answer, or whether someone has this working.

Thanks
vnt90
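The topology in the thread (users on a VRRP VLAN behind two core routers, one routed link from each core into a single firewall, a DMZ server behind it) modelled as a small simulation. This is an added example, not code from any of the posters or from Palo Alto; the SHA-256 per-flow hash, the odd/even VRRP homing of users, the addresses, and the "session" return mode (a firewall that records the ingress uplink in its session entry and sends the reply back out of it) are all assumptions made for illustration. It counts a session as asymmetric when the reply leaves the firewall on a different uplink than the request entered on, and compares three return behaviours: per-flow ECMP (the intermittent mismatch the poster sees), forcing one link by raising OSPF cost on the other (the option the poster considered), and a session-aware return.

```python
"""Constructed model of the thread's topology (added example, not the
posters' code): user VLAN -> two VRRP core routers -> one routed link each
into a single firewall -> DMZ server.  The forward direction is fixed by the
user's VRRP gateway; the return direction is whatever the firewall chooses."""
import hashlib
from collections import Counter

LINKS = ("coreA", "coreB")      # the firewall's two routed uplinks

def ecmp_link(src_ip, dst_ip, src_port, dst_port, proto="tcp"):
    """Per-flow equal-cost load sharing: a hash of the 5-tuple selects an
    uplink.  SHA-256 stands in for whatever hash a real router or firewall
    uses; the point is only that it is deterministic per flow, and that the
    reply's 5-tuple is a different flow from the request's."""
    key = f"{proto}|{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    return LINKS[hashlib.sha256(key).digest()[0] % len(LINKS)]

def vrrp_gateway(user_ip):
    """Core router a user is homed on.  Assumption: two VRRP groups with
    alternating masters, so odd and even hosts use different cores."""
    return LINKS[int(user_ip.rsplit(".", 1)[1]) % 2]

def make_flows(n, server="10.9.9.10", dport=443):
    """Constructed sample: n users on 10.1.1.0/24 opening one TCP session each."""
    return [(f"10.1.1.{i}", server, 40000 + i, dport) for i in range(1, n + 1)]

def session_paths(flows, mode="ecmp", forced_link="coreA"):
    """Return [(ingress_link, return_link)] per flow for three firewall
    return behaviours:
      ecmp    - firewall hashes the reply 5-tuple over both uplinks
      forced  - OSPF cost raised on one link, so every reply uses forced_link
      session - hypothetical session-aware return: the firewall remembers the
                ingress uplink in its session entry and replies out of it"""
    out = []
    for src, dst, sport, dport in flows:
        ingress = vrrp_gateway(src)
        if mode == "ecmp":
            ret = ecmp_link(dst, src, dport, sport)   # reply tuple is reversed
        elif mode == "forced":
            ret = forced_link
        elif mode == "session":
            ret = ingress
        else:
            raise ValueError(f"unknown mode {mode!r}")
        out.append((ingress, ret))
    return out

def asymmetric_count(paths):
    """Sessions whose reply leaves the firewall on a different uplink than it entered."""
    return sum(1 for ingress, ret in paths if ingress != ret)

def return_link_usage(paths):
    """How the return traffic is spread across the two uplinks."""
    return dict(Counter(ret for _, ret in paths))

if __name__ == "__main__":
    flows = make_flows(200)
    for mode in ("ecmp", "forced", "session"):
        paths = session_paths(flows, mode)
        print(f"{mode:8s} asymmetric={asymmetric_count(paths):3d} "
              f"return usage={return_link_usage(paths)}")
```

Running it shows what each option costs. With per-flow ECMP roughly half the sessions come back on the other uplink, and which ones depends on the hash of the ephemeral port, which is exactly the intermittent behaviour the poster describes. Forcing one link makes the mismatch deterministic rather than removing it (every user homed on the other core still enters on one uplink and is answered on the other) and puts all return traffic on a single link, as the poster expected. Only a return decision that is tied to the session itself keeps both load sharing and ingress/egress symmetry in this model.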
 