we have from time to time communication problems via SRXdue to asymetric routing, the return traffic does use different way not touching the firewall at all.
I know how to handle that situation (interface nat or static route)
but due to specific cloud solutions we often do neither know sourceaddress, or destination adress or port, so detection is difficult
so my question: is there a specific searchable info in the security log written at session-end which helps us find such flows ? (where typically the return flow has 0 packets or any specific close-state)
thanks in advanc for help
There could be 2 scenarios in an asymmetric alow :-
Source A ------ SRX ------- Destination B
1) Traffic from A to B traverses through the SRX. Session would be created, no reply packets would be seen as the replies are taking a different path.
2) A to B does not traverse the SRX, however, the replies from B to A reach the SRX. For TCP traffic, the packets would be dropped saying "First packet not sync".
I do not think that security logs would be helpful to identify this as this can be seen in security flow traceoptions.
Please mark my response as Solution if it Helps, Kudos are Appreciated as well.
If in a-sync traffic the syn in seen but the syn-ack is not because of a direct path, two things will hapen:
A) The session is created with a intial time-out of 20 sec.
B) When the the syn-ack is not seen with this timeframe the session is closed with reason age-out.
So when you see sessions in your log with close reason age-out and a duration between 19 and 21 seconds (the 20 is not allways exact) you can savely assume you have async routing somewhere. Think second router on same subnet, think loadbalancer doing "half-nat".