Created on 04-12-2023 06:24 AM | Edited on 05-11-2023 05:06 AM | By Stephen_G
Description | This article describes the behavior of FortiOS when auxiliary sessions or asymmetric routing co-exist with policy-based routing in certain environments. |
Scope | FortiGate v6.4.10, v7.0.1, v7.2.0 and v7.4.0. |
Solution |
The main purpose of auxiliary sessions is to control the return traffic path.
More information regarding this setting can be found in the following public documentation:
There are certain environments where network administrators need to enable auxiliary sessions in combination with policy-based routing (PBR).
Policy-based routing behaves differently depending on whether the auxiliary session setting is switched on, and there are two possible states:
1) When 'auxiliary-session' is set to 'disabled', the return traffic always follows the originating interface. If PBR uses a different interface, the PBR is ignored.
2) When the 'auxiliary-session' is set to 'enabled', the return traffic will always respect PBR.
Similar behavior can also be observed when asymmetric routing is used in conjunction with policy-based routing.
More information regarding the asymmetric routing feature can be found in the following article:
3) When asymmetric routing is enabled, the return traffic will always respect PBR.
4) When asymmetric routing is disabled, the behavior is the same as in 1. |
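The four states above can be checked against a configuration backup. The following is an added example, not code from the article or from Fortinet: it reads FortiOS config text and reports how return traffic will treat PBR. It assumes a single-VDOM backup, that both settings default to `disable` when they are absent from the backup, and that either setting being enabled is sufficient; the sample config and its interface names are constructed.

```python
import re

# Constructed sample config (not from the article); interface names are invented.
SAMPLE = """\
config system settings
    set auxiliary-session enable
end
config router policy
    edit 1
        set input-device "port2"
        set output-device "port3"
    next
end
"""

def parse_config(text):
    """Pull both settings and the policy-route count out of FortiOS config text."""
    # Assumption: both settings default to 'disable' when absent from a backup.
    found = {"auxiliary-session": "disable", "asymroute": "disable", "policy_routes": 0}
    stack = []  # currently open 'config ...' blocks, outermost first
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system settings":
            m = re.match(r"set (auxiliary-session|asymroute) (enable|disable)$", line)
            if m:
                found[m.group(1)] = m.group(2)
        elif stack and stack[-1] == "router policy" and line.startswith("edit "):
            found["policy_routes"] += 1
    return found

def return_path(text):
    """Classify return-traffic behaviour using the four states in the article."""
    found = parse_config(text)
    if found["policy_routes"] == 0:
        return "no-pbr"
    # Assumption: either setting being enabled is enough (states 2 and 3).
    if "enable" in (found["auxiliary-session"], found["asymroute"]):
        return "respects-pbr"
    return "originating-interface"  # states 1 and 4: PBR ignored on return

if __name__ == "__main__":
    print(return_path(SAMPLE))
```

A result of `originating-interface` on a device that has policy routes marks the case where the return path will not match what the PBR rules suggest.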