ECMP OSPF - will stateful firewall drop Asymmetric response?

Question

I am wondering if someone could help me with this solution.

I have an FG Cluster and I want to configure 2 x point-to-point OSPF links (OSPF-LINK-1 and OSPF-LINK-2) on the FG CLuster to 2 different upstream Cisco switches (OSPF-LINK-1 --> CISCO-SW1 and OSPF-LINK-2 --> CISCO-SW2) .

In addition I want to run ECMP across the OSPF links from the FG to the upstream switches.

I have enabled the ECMP capability on the FG Cluster:

config system settings set ecmp-max-paths 2 end

ECMP is configured throughout the upstream network and also on the return path downstream to the FG Cluster so I expect that there will be an asymmetric condition whereby traffic egressing out OSPF-LINK-1 port on the FG could be ingressing back via OSPF-LINK-2 port and visa versa.

The topology and scenario is quiet similar to that shown here, however I am using OSPF with ECMP load-balancing to the upstream devices:

http://kb.fortinet.com/kb....do?externalID=FD30895

As such I am wondering will I have to enable asymmetric routing on the VDOM as follows:

config system settings set asymroute enable end

Initially I thought that I would have to enable asymmetric routing due to the RPF (Anti-Spoofing) feature however from reading all of the documentation that I could find it states:

The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet to be forwarded if its Source IP does not either:

[ul]

belong to a locally attached subnet (local interface), or

be in the routing of the FortiGate from another source (static route, RIP, OSPF, BGP)[/ul] If those conditions are not met, the FortiGate will silently drop the packet. In my topology, both OSPF Routing ports OSPF-LINK-1 and OSPF-LINK-2 on the FG are in the same OSPF Area and would be learning the exact same routing table over both ports on the FG (although with different next-hop address to each of the Cisco Switches for each of the learned subnets). So my question is, does that now satisfy the RPF check and allow egress traffic on each of the OSPF ports on the FG cluster regardless of which port it ingressed from or will I still have to enable asymmetric routing in the VDOM to allow this traffic? Also I was wondering is there any other issue with the FG being Stateful and dropping packets that might ingress and egress on the different OSPF ports on the FG as per above scenario. Many thanks in advance for any assistance you could give me.

Jzhang_FTNT · Answer

Hi,

Enable NAT in firewall policy is good practice to avoid asymroute happening.

In your case, no need to enable asymroute. if ECMP happen, that means routes to source address of reply traffic exist on both links, so no RPF drop. But the session may not offload to NPU.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded