Asymmetric Routing Between IPSec tunnels
27726
Created On 07/17/20 22:28 PM - Last Modified 08/20/20 08:50 AM
Symptom
- In asymmetric environments where traffic routes out one IPsec tunnel but returns through another, the firewall drops the returning traffic.
- The usual asymmetric-routing workaround (the TCP asymmetric-path bypass setting) does not resolve the issue, because the drop is not a TCP state-check failure.
- Global counters for the filtered traffic show a session installation error (session_install_error_s2c) together with a hash insert failure (session_hash_insert_duplicate).
- In this case, the server-to-client (s2c) traffic is returning through a different tunnel than the one the client-to-server (c2s) traffic left on.
Environment
- Dual IPsec tunnel environments
- All versions of PAN-OS
- IPsec on Palo Alto NGFW hardware and VM-series
- Asymmetric routing environments
Cause
This is caused by a session hash-insert failure. The first (c2s) packet installs a session whose expected return (s2c) flow is keyed to the ingress zone of the tunnel the return traffic is expected on. Because the session flow lookup key includes the ingress zone, a reply that arrives through the second tunnel in a different zone does not match the installed s2c flow; the firewall treats it as a new session, the hash insert collides with the existing entry, and the packet is dropped.

To confirm, set a packet filter on the affected traffic and collect delta counters with `show counter global filter packet-filter yes delta yes`. The counters show session_install_error_s2c and session_hash_insert_duplicate incrementing for the filtered traffic:

Global counters:
Elapsed time since last sampling: 12.70 seconds

name                           value  rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_sent                           1     0 info     packet   pktproc  Packets transmitted
session_allocated                  2     0 info     session  resource Sessions allocated
session_freed                      1     0 info     session  resource Sessions freed
session_installed                  1     0 info     session  resource Sessions installed
session_install_error              1     0 warn     session  pktproc  Sessions installation error
session_install_error_s2c          1     0 warn     session  pktproc  Sessions installation error s2c
session_hash_insert_duplicate      1     0 warn     session  pktproc  Session setup: hash insert failure due to duplicate entry
Resolution
To resolve this issue, place both tunnel interfaces in the same security zone. The return packet then matches the existing session's flow key whichever tunnel it arrives on, so no second session setup (and no duplicate hash insert) is attempted.

After the change, the same packet filter and `show counter global filter packet-filter yes delta yes` show every allocated session being installed, with no session_install_error or session_hash_insert_duplicate counters:

Global counters:
Elapsed time since last sampling: 12.659 seconds

name                           value  rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_recv                           1     0 info     packet   pktproc  Packets received
pkt_sent                           1     0 info     packet   pktproc  Packets transmitted
pkt_sent_host                      1     0 info     packet   pktproc  Packets successfully transmitted to host interface
session_allocated                 13     1 info     session  resource Sessions allocated
session_freed                      4     0 info     session  resource Sessions freed
session_installed                 13     1 info     session  resource Sessions installed
flow_fwd_mtu_exceeded             10     0 info     flow     forward  Packets lengths exceeded MTU
flow_ipfrag_frag                  20     1 info     flow     ipfrag   IP fragments transmitted
flow_host_pkt_xmt                393    31 info     flow     mgmt     Packets transmitted to control plane
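The two counter outputs above are what you compare by hand during troubleshooting. The following is an added example (it is not part of this article and not a Palo Alto Networks tool) that parses the plain-text counter table as printed by `show counter global filter packet-filter yes delta yes` and flags the signature from the Cause section: session_install_error_s2c and session_hash_insert_duplicate both non-zero. The sample inputs are transcribed from this article's before-fix and after-fix outputs; the function names are the example's own.

```python
"""Triage 'show counter global' output for the asymmetric-tunnel signature.

Added example for this KB article, not a PAN-OS tool. Parses the counter
table printed by 'show counter global filter packet-filter yes delta yes'
and reports whether the s2c install error / hash-insert-duplicate pattern
described in the Cause section is present.
"""
import re
from typing import Dict, List

# Seen together, these point at the return (s2c) flow arriving through a
# different tunnel (and zone) than the one the session was installed on.
ASYMMETRIC_SIGNATURE = ("session_install_error_s2c", "session_hash_insert_duplicate")

# One counter row: name value rate severity category aspect description
_ROW = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>[a-z]+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.+)$"
)


def parse_counters(text: str) -> Dict[str, dict]:
    """Return {counter_name: {value, rate, severity, category, aspect, description}}.

    The 'Global counters:', 'Elapsed time', header and separator lines do not
    match the row pattern (no integer in the value column) and are skipped.
    """
    counters: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            counters[m["name"]] = {
                "value": int(m["value"]),
                "rate": int(m["rate"]),
                "severity": m["severity"],
                "category": m["category"],
                "aspect": m["aspect"],
                "description": m["desc"].strip(),
            }
    return counters


def warn_counters(counters: Dict[str, dict]) -> List[str]:
    """Sorted names of counters reported at severity 'warn'."""
    return sorted(n for n, c in counters.items() if c["severity"] == "warn")


def asymmetric_tunnel_suspected(counters: Dict[str, dict]) -> bool:
    """True when every signature counter is present with a non-zero value."""
    return all(counters.get(n, {}).get("value", 0) > 0 for n in ASYMMETRIC_SIGNATURE)


def install_success_ratio(counters: Dict[str, dict]) -> float:
    """session_installed / session_allocated; 1.0 means every allocated session installed."""
    allocated = counters.get("session_allocated", {}).get("value", 0)
    installed = counters.get("session_installed", {}).get("value", 0)
    return installed / allocated if allocated else 0.0


def triage(text: str) -> dict:
    """Summarise one counter snapshot for the asymmetric-tunnel question."""
    counters = parse_counters(text)
    return {
        "counters": len(counters),
        "warn": warn_counters(counters),
        "asymmetric_tunnel_suspected": asymmetric_tunnel_suspected(counters),
        "install_success_ratio": install_success_ratio(counters),
    }


# Sample input transcribed from the article's counter output before the fix.
BEFORE_FIX = """\
Global counters:
Elapsed time since last sampling: 12.70 seconds
name                           value  rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_sent                           1     0 info     packet   pktproc  Packets transmitted
session_allocated                  2     0 info     session  resource Sessions allocated
session_freed                      1     0 info     session  resource Sessions freed
session_installed                  1     0 info     session  resource Sessions installed
session_install_error              1     0 warn     session  pktproc  Sessions installation error
session_install_error_s2c          1     0 warn     session  pktproc  Sessions installation error s2c
session_hash_insert_duplicate      1     0 warn     session  pktproc  Session setup: hash insert failure due to duplicate entry
"""

# Sample input transcribed from the article's counter output after the fix.
AFTER_FIX = """\
Global counters:
Elapsed time since last sampling: 12.659 seconds
name                           value  rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_recv                           1     0 info     packet   pktproc  Packets received
pkt_sent                           1     0 info     packet   pktproc  Packets transmitted
pkt_sent_host                      1     0 info     packet   pktproc  Packets successfully transmitted to host interface
session_allocated                 13     1 info     session  resource Sessions allocated
session_freed                      4     0 info     session  resource Sessions freed
session_installed                 13     1 info     session  resource Sessions installed
flow_fwd_mtu_exceeded             10     0 info     flow     forward  Packets lengths exceeded MTU
flow_ipfrag_frag                  20     1 info     flow     ipfrag   IP fragments transmitted
flow_host_pkt_xmt                393    31 info     flow     mgmt     Packets transmitted to control plane
"""

if __name__ == "__main__":
    for label, snapshot in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, triage(snapshot))
```

Run it against a pasted counter snapshot: the before-fix sample is flagged as suspected (both signature counters non-zero, one of two allocated sessions installed), the after-fix sample is not (no warn counters, 13 of 13 sessions installed). Set the packet filter first; without it the global counters include every session on the box and the ratio is meaningless.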
Additional Information
- Ideally, fix the asymmetric routing itself, or enforce a symmetric return path for the inbound tunnel traffic with a policy-based forwarding (PBF) rule using Enforce Symmetric Return.
- If neither option is desirable, placing both tunnel interfaces in the same security zone is the recommended alternative.