SYN-ACK Issues with Asymmetric Routing

75089
Created On 09/25/18 17:19 PM - Last Modified 04/20/20 21:49 PM


Resolution

Issues

Common symptoms of asymmetric routing through the firewall are:

  • Websites loading only partially
  • Applications not working

Cause

By default, the TCP reject non-SYN setting (tcp-reject-non-syn) is set to yes. The firewall then creates a TCP session only when the first packet it sees for a flow is a SYN, so for a connection to be allowed both directions of it must pass through the same firewall. With asymmetric routing the client's SYN leaves through one firewall and the server's SYN/ACK comes back through another: the second firewall has no session for that flow, the first packet it sees is a SYN/ACK rather than a SYN, and it drops the packet. The client never completes the handshake, which is why pages load partially (some connections happen to take the symmetric path) or applications fail outright.

Each such drop increments the flow_tcp_non_syn_drop global counter ("non-SYN TCP without session match"):

> show counter global | match drop

name                    value  rate severity  category  aspect   description
-----------------------------------------------------------------------------------
flow_rcv_err             1705     0 drop      flow      parse    Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err   7053     0 drop      flow      parse    Packets dropped: 802.1q tag not configured
flow_no_interface        7053     0 drop      flow      parse    Packets dropped: invalid interface
flow_ipv6_disabled      20459     0 drop      flow      parse    Packets dropped: IPv6 disabled on interface
flow_tcp_non_syn_drop     156     0 drop      flow      session  Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop  14263     0 drop      flow      forward  Packets dropped: no route for IP multicast
flow_parse_l4_cksm          1     0 drop      flow      parse    Packets dropped: TCP/UDP checksum failure
flow_host_decap_err        31     0 drop      flow      mgmt     Packets dropped: decapsulation error from control plane
flow_host_service_deny  90906     0 drop      flow      mgmt     Device management session denied
flow_lion_rcv_err        1700     0 drop      flow      offload  Packets dropped: receive error from offload processor

Run show counter global | match drop several times, a few seconds apart, while the affected application is retried, and watch the value column for flow_tcp_non_syn_drop: a count that keeps rising during the retries is the signature of this problem. A counter that is non-zero but static only records past drops. On a busy firewall, show counter global filter delta yes severity drop is easier to read, since it lists only the drop counters that changed since the previous run.

To verify the current setting, look for the "TCP - reject non-SYN first packet" line under "session setup":

> show session info
-------------------------------------------------------------------------------
number of sessions supported:                   262143
number of active sessions:                      1
number of active TCP sessions:                  0
number of active UDP sessions:                  0
number of active ICMP sessions:                 0
number of active BCAST sessions:                0
number of active MCAST sessions:                0
number of predict sessions:                     0
session table utilization:                      0%
number of sessions created since system bootup: 7337
Packet rate:                                    8/s
Throughput:                                     3 Kbps
-------------------------------------------------------------------------------
session timeout
  TCP default timeout:                          3600 seconds
  TCP session timeout before 3-way handshaking: 5 seconds
  TCP session timeout after FIN/RST:            30 seconds
  UDP default timeout:                          30 seconds
  ICMP default timeout:                         6 seconds
  other IP default timeout:                     30 seconds
  Session timeout in discard state:
    TCP: 90 seconds, UDP: 60 seconds, other IP protocols: 60 seconds
-------------------------------------------------------------------------------
session accelerated aging:                      enabled
  accelerated aging threshold:                  80% of utilization
  scaling factor:                               2 X
-------------------------------------------------------------------------------
session setup
  TCP - reject non-SYN first packet:            yes
  hardware session offloading:                  yes
  IPv6 firewalling:                             no
-------------------------------------------------------------------------------
application trickling scan parameters:
  timeout to determine application trickling:   10 seconds
  resource utilization threshold to start scan: 80%
  scan scaling factor over regular aging:       8
-------------------------------------------------------------------------------

Resolution

There are two ways to address this:

  • Change the network design so that the routing is symmetric, that is, the return traffic for every connection passes through the same firewall that saw the client's SYN. This is the correct fix: a firewall that sees only one direction of a connection can inspect only that direction.
  • Turn off the option (tcp-reject-non-syn) so that the firewall also creates sessions for TCP flows whose first packet is not a SYN.

Disabling the check is a firewall-wide change: every zone then accepts mid-stream TCP packets without the firewall having seen the handshake, which weakens the session validation the default provides. If only some zones carry asymmetric paths, set the same option per zone instead, in a Zone Protection profile (Packet Based Attack Protection > TCP Drop > Reject Non-SYN TCP, which overrides the global value for that zone), and leave the global default at yes.

Run the following operational-mode command to disable TCP reject non-SYN for the running firewall only; it is not saved to the configuration and reverts at the next reboot:

> set session tcp-reject-non-syn no

Run the following commands to disable the option permanently (the # prompt indicates configuration mode):

> configure

# set deviceconfig setting session tcp-reject-non-syn no

# commit

Run the following command to confirm that the firewall will now create sessions for TCP flows whose first packet is not a SYN. Depending on the PAN-OS release, the session setup fields print as yes/no or as True/False:

> show session info
. . . .
--------------------------------------------------------------------------------
Session setup
  TCP - reject non-SYN first packet:            False
  Hardware session offloading:                  True
  IPv6 firewalling:                             True
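The two checks on this page, watching flow_tcp_non_syn_drop across repeated runs of show counter global | match drop and reading the "TCP - reject non-SYN first packet" line from show session info, can be scripted against saved CLI output. The following Python is an added example, not part of the original article and not PAN-OS code: it parses constructed sample output in the formats shown above (two counter snapshots a few seconds apart, and the setting line in both the yes/no and True/False spellings), reports which drop counters moved, and states whether the asymmetric-routing signature is present. The function names, the values in the second counter snapshot and the verdict strings are the example's own assumptions.

```python
"""Added example: script the two checks from the article against saved CLI output.

All samples below are constructed to match the formats shown on this page; the
second counter snapshot and its values are invented for the illustration.
"""
import re

# Constructed: 'show counter global | match drop' captured twice, a few seconds apart.
COUNTERS_BEFORE = """\
name                    value  rate severity  category  aspect   description
-----------------------------------------------------------------------------------
flow_rcv_err             1705     0 drop      flow      parse    Packets dropped: flow stage receive error
flow_tcp_non_syn_drop     156     0 drop      flow      session  Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop  14263     0 drop      flow      forward  Packets dropped: no route for IP multicast
"""

COUNTERS_AFTER = """\
name                    value  rate severity  category  aspect   description
-----------------------------------------------------------------------------------
flow_rcv_err             1705     0 drop      flow      parse    Packets dropped: flow stage receive error
flow_tcp_non_syn_drop     203     4 drop      flow      session  Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop  14263     0 drop      flow      forward  Packets dropped: no route for IP multicast
"""

# Constructed: the relevant 'show session info' lines in both spellings PAN-OS prints.
SESSION_INFO_DEFAULT = """\
session setup
  TCP - reject non-SYN first packet:            yes
  hardware session offloading:                  yes
"""

SESSION_INFO_DISABLED = """\
Session setup
  TCP - reject non-SYN first packet:            False
  Hardware session offloading:                  True
"""

# Columns: name value rate severity category aspect description.
# The header row and the dashed separator do not match and are skipped.
COUNTER_LINE = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)$")
REJECT_LINE = re.compile(r"TCP - reject non-SYN first packet:\s*(\S+)", re.IGNORECASE)


def parse_counters(text):
    """Return {counter_name: {value, rate, severity, category, aspect, description}}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if not m:
            continue
        name, value, rate, severity, category, aspect, description = m.groups()
        counters[name] = {
            "value": int(value), "rate": int(rate), "severity": severity,
            "category": category, "aspect": aspect, "description": description.strip(),
        }
    return counters


def counter_deltas(before, after):
    """Counters whose value changed between two snapshots, as {name: increase}."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n]["value"] - b[n]["value"]
            for n in a if n in b and a[n]["value"] != b[n]["value"]}


def reject_non_syn_enabled(session_info):
    """True when 'show session info' reports the reject-non-SYN setting as yes/True."""
    m = REJECT_LINE.search(session_info)
    if m is None:
        raise ValueError("'TCP - reject non-SYN first packet' not found in output")
    return m.group(1).lower() in ("yes", "true")


def diagnose(before, after, session_info):
    """Combine both checks into one verdict string (wording is this example's own)."""
    rising = counter_deltas(before, after).get("flow_tcp_non_syn_drop", 0) > 0
    enabled = reject_non_syn_enabled(session_info)
    if rising and enabled:
        return "flow_tcp_non_syn_drop rising with reject-non-syn on: asymmetric path likely"
    if rising:
        return "flow_tcp_non_syn_drop rising while reject-non-syn reads off: investigate further"
    return "flow_tcp_non_syn_drop stable: asymmetric path not indicated"


if __name__ == "__main__":
    for name, delta in sorted(counter_deltas(COUNTERS_BEFORE, COUNTERS_AFTER).items()):
        print(f"{name:<24} +{delta}")
    print(diagnose(COUNTERS_BEFORE, COUNTERS_AFTER, SESSION_INFO_DEFAULT))
```

In practice the two snapshots come from pasting the CLI output, or from the same commands issued through the XML API, into the two strings; the delta on flow_tcp_non_syn_drop, not its absolute value, is what indicates a live problem.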


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEwCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail