SRX

Expand all | Collapse all

HOW IS ASYMMETRIC ROUTING reflected in log session-end message

Jump to Best Answer
  • 1.  HOW IS ASYMMETRIC ROUTING reflected in log session-end message

    Posted 05-11-2017 10:40

    we have from time to time communication problems via SRXdue to asymetric routing, the return traffic does use different way not touching the firewall at all.

    I know how to handle that situation (interface nat or static route)

     

    but due to specific cloud solutions we often do neither know sourceaddress, or destination adress or port, so detection is difficult

     

    so my question: is there a specific searchable info in the security log written at session-end which helps us find such flows ? (where typically the return flow has 0 packets or any specific close-state)

     

    thanks in advanc for help

    Alexander


    #syslog
    #asymetricflow
    #SRX


  • 2.  RE: HOW IS ASYMMETRIC ROUTING reflected in log session-end message

    Posted 05-12-2017 11:46

    Hi,

     

    There could be 2 scenarios in an asymmetric alow :-

    Source A ------   SRX ------- Destination B

     

    1) Traffic from A to B traverses through the SRX. Session would be created, no reply packets would be seen as the replies are taking a different path.

    2) A to B does not traverse the SRX, however, the replies from B to A reach the SRX. For TCP  traffic, the packets would be dropped saying "First packet not sync".

     

    I do not think that security logs would be helpful to identify this as this can be seen in security flow traceoptions.

     

    Regards,

    Sahil Sharma

    Please mark my response as Solution if it Helps, Kudos are Appreciated as well.



  • 3.  RE: HOW IS ASYMMETRIC ROUTING reflected in log session-end message
    Best Answer

    Posted 04-26-2018 01:04

    If in a-sync traffic the syn in seen but the syn-ack is not because of a direct path, two things will hapen:

     

    A) The session is created  with a intial time-out of 20 sec. 

     

    B) When the the syn-ack is not seen with this timeframe the session is closed with reason age-out. 

     

    So when you see  sessions in your log with close reason age-out and a duration between 19 and 21 seconds (the 20 is not allways exact) you can savely assume you have async routing somewhere.  Think second router on same subnet, think loadbalancer doing "half-nat".