Clarity on Symmetric and Asymmetric Routing ?!

Question

Hi,This question is tied to this issue I had earlier. Solved: Connectivity Issue Between 2 Fortigate ?! - Fortinet Community I have the below network, the 192.168.9.181/182 is a 1Gbps physical link, and the 192.168.10.181/182 is a 10Gbps physical link. The 1Gbps physical link is for Management traffic, and the 10Gbps link is for Storage, and vMotion. Not all VLANs are shown here.  BGP is setup as below. FW1Routing table for VRF=0 C 10.11.30.0/24 is directly connected, VLAN30 C 10.11.40.0/24 is directly connected, VLAN40 B 10.21.30.0/24 [20/0] via 192.168.9.182 (recursive is directly connected, port1), 00:18:07, [1/0] B 10.21.40.0/24 [20/0] via 192.168.10.182 (recursive is directly connected, port2), 00:17:40, [1/0] C 192.168.9.0/24 is directly connected, port1 C 192.168.10.0/24 is directly connected, port2 FW2Routing table for VRF=0 B 10.11.30.0/24 [20/0] via 192.168.9.181 (recursive is directly connected, port1), 00:18:47, [1/0] B 10.11.40.0/24 [20/0] via 192.168.10.181 (recursive is directly connected, port2), 00:18:15, [1/0] C 10.21.30.0/24 is directly connected, VLAN2130 C 10.21.40.0/24 is directly connected, VLAN2140 C 192.168.9.0/24 is directly connected, port1 C 192.168.10.0/24 is directly connected, port2 The initial issue was that VM behind FW1 with IP 10.11.30.200 would not ping VM with IP 10.21.40.200 behind FW2. After much reading I got to know about Symmetric and Asymmetric routing, and that this issue seems to be due to Asymmetric routing. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Differences-between-asymmetric-routing-and/ta-p/194040 If I enable Asymmetric setting in Fortigate VMs can talk to each other without issues, but Fortigate says the below in the link above. If this solves the blocked traffic issue, asymmetric routing is the cause.However, allowing asymmetric routing is not an ideal solution because it reduces the security of the network.For a long-term or permanent solution, it is recommended to change the routing configuration or change how the FortiGate connects to the network. Can someone advise how to overcome this issue, what routing configuration needs to be changed, or how to setup Fortigate correctly to connect to the network to make it work without enabling asymmetric Routing.

sanjayputhalath_FTNT · Answer

Hi,

Based on the routing output, I assume the issue is an RPF (reverse path forwarding) failure. The IP 10.11.30.200 behind FW1 is reaching FW2 via Port2; however, for FW2, the best path to reach the source IP is via Port1. Consequently, the RPF check fails, and the packet is dropped.

There are different ways to solve this issue. Since you are using EBGP neighborship between the firewalls, one of the easiest solutions is enabling ebgp-multipath in the BGP configuration. This will help install both interfaces for the same destination (assuming that both routes are advertised over both links but only one link is selected as the best path)

config router bgp     set ebgp-multipath enable 
end

However this will do a load-balance of the traffic therefore traffic may flow through any interface. If you need to route traffic over spesific interface then you may need to use a PBR (assuming that you don't have SDWAN, otherwise SDWAN rules are fine).

https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementation-and/ta-p/194382

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded