Applicable to Version: 10.00 onwards
Asymmetric routing is an unwanted situation in an IP network: the packets of a single flow, for example one TCP connection, travel different routes in the two directions.
Asymmetric routing occurs when a packet takes one path from source host A across the network to destination host B, but the return packet takes a different path from host B back to host A. For ordinary data this is not a problem, but in some special cases, such as traffic passing through a stateful-inspection firewall, this routing behaviour causes issues.
This document describes the procedure to overcome asymmetric routing in Cyberoam.
Consider a hypothetical example as given below
In the figure above, Client B, behind Router A within the subnet 10.1.1.0/24, is trying to access the server 192.168.1.2 within the subnet 192.168.1.0/24. When Client B sends a TCP SYN segment to server 192.168.1.2, the server replies with a SYN/ACK and sends it to its default gateway, which is 192.168.1.1 (Cyberoam), since Client B and the server are in different subnets.
Being a stateful inspection firewall, Cyberoam drops this packet since it has no related state or previous record for it. Hence the TCP handshake never completes and Client B never gets access to the server.
Client A (192.168.1.3), however, does not face this issue, as the TCP SYN/ACK segment is never sent to Cyberoam (as depicted in the diagram above), because Client A is in the same subnet as the server.
Enabling source NAT on either of the routers would also overcome the asymmetric routing issue, but the client would then have to give up identity-based firewall rules.
To instead bypass the two networks from Cyberoam stateful inspection, refer to the Solution section.
Follow the below mentioned steps to overcome asymmetric routing in Cyberoam.
The entire configuration is to be done from CLI console.
- Log on to CLI Console (Telnet or SSH)
- Choose option 4 – Cyberoam Console and press Enter
Execute the commands below to bypass the subnets from Cyberoam stateful inspection.
console> set advanced-firewall bypass-stateful-firewall-config add source_network 10.1.1.0 source_netmask 255.255.255.0 dest_network 192.168.1.0 dest_netmask 255.255.255.0
console> set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.1.0 source_netmask 255.255.255.0 dest_network 10.1.1.0 dest_netmask 255.255.255.0
Once this is executed, the SYN/ACK segment from the server replying to Client B is routed to Router A by Cyberoam.
- It is assumed that Cyberoam has all the routing information required to reach the remote subnet 10.1.1.0/24.
- If you bypass a specific network from the advanced firewall, scanning and NATing will not apply to that network's traffic.
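The following added example (not Cyberoam code) models why the SYN/ACK in the scenario above is dropped by stateful inspection and why the two bypass entries let it through. Client B's address 10.1.1.10 and the port numbers are constructed for the illustration.

```python
# Minimal model of stateful inspection with bypass-stateful-firewall entries.
# Hosts, ports and the packet sequence below are constructed for the example.
from ipaddress import ip_address, ip_network


class StatefulFirewall:
    """Tracks TCP connections; bypass entries exempt a (source, destination) network pair."""

    def __init__(self):
        self.state = set()   # (src_ip, src_port, dst_ip, dst_port) of SYNs seen
        self.bypass = []     # list of (source_network, dest_network)

    def add_bypass(self, source_network, dest_network):
        # Mirrors one "bypass-stateful-firewall-config add ..." CLI entry.
        self.bypass.append((ip_network(source_network), ip_network(dest_network)))

    def _bypassed(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def handle(self, src, sport, dst, dport, flags):
        """Return 'forward' or 'drop' for one TCP segment."""
        if self._bypassed(src, dst):
            return "forward"   # no state lookup; note: scanning/NAT also skipped
        if flags == "SYN":
            self.state.add((src, sport, dst, dport))
            return "forward"
        # SYN/ACK or data must match a connection seen in either direction.
        if (dst, dport, src, sport) in self.state or (src, sport, dst, dport) in self.state:
            return "forward"
        return "drop"          # no related state / previous record


def asymmetric_handshake(bypass_configured):
    """Client B (10.1.1.10, constructed) -> server 192.168.1.2. The SYN travels via
    Router A and never reaches Cyberoam; only the server's SYN/ACK does."""
    fw = StatefulFirewall()
    if bypass_configured:
        fw.add_bypass("10.1.1.0/24", "192.168.1.0/24")
        fw.add_bypass("192.168.1.0/24", "10.1.1.0/24")
    return fw.handle("192.168.1.2", 80, "10.1.1.10", 40000, "SYN/ACK")


def symmetric_handshake():
    """Both directions pass the firewall: the SYN creates state, so the SYN/ACK is allowed."""
    fw = StatefulFirewall()
    fw.handle("172.16.5.7", 51000, "192.168.1.2", 80, "SYN")
    return fw.handle("192.168.1.2", 80, "172.16.5.7", 51000, "SYN/ACK")
```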
Document Version: – 1.0 – 09/08/2011