Article Id 194040

This article describes the differences between asymmetric routing and auxiliary sessions.

Asymmetric Routing.

If hosts on one network are unable to reach hosts on other networks, one possibility is that the request and response packets follow different paths through the network.
If the FortiGate sees the response packets but never saw the requests that created the session, it drops the responses as invalid.
Likewise, if the FortiGate sees the same packets arriving on multiple interfaces, it drops the session as a potential attack.

This is asymmetric routing. By default, a FortiGate blocks packets or drops the session when this happens.
FortiGate can be configured to permit asymmetric routing by using the following CLI commands.


config system settings
    set asymroute enable
end


If VDOMs are enabled, this command needs to be enabled per VDOM. This is not a global setting.


config vdom
    edit <vdom_name>
        config system settings
            set asymroute enable
        end
    next
end



If this solves the blocked traffic issue, asymmetric routing is the cause.
However, allowing asymmetric routing is not an ideal solution because it reduces the security of the network.
For a long-term or permanent solution, it is recommended to change the routing configuration or change how the FortiGate connects to the network.

Note that if asymmetric routing is enabled, antivirus and intrusion prevention will no longer be effective.
The FortiGate stops tracking connections and treats each packet individually in the CPU.
It consequently behaves as a stateless firewall, and hardware offloading of the traffic is not possible.
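Before enabling asymroute, confirm that an asymmetric path is really what is dropping the traffic. The following CLI sequence is an added example and is not part of the original article: it uses the FortiOS debug flow tracer to watch one client's traffic, then checks the routing table for the return path, and only then tries asymroute as a short-lived test. The addresses 10.1.1.10 and 203.0.113.5, the interfaces port1 and port3, the VDOM name root and the sample trace lines are constructed for illustration; lines starting with `#` are annotations. If VDOMs are not enabled, skip the `config vdom` / `edit root` / `next` / `end` lines.

```fortios
# Added example (not from the original article). Addresses, interfaces and the
# sample trace output are constructed; adjust the filter to the client you test.
config vdom
    edit root
        # Trace only the affected client's traffic so the output stays readable.
        diagnose debug reset
        diagnose debug flow filter addr 10.1.1.10
        diagnose debug flow show function-name enable
        diagnose debug console timestamp enable
        diagnose debug enable
        diagnose debug flow trace start 100
        # ... reproduce the failing connection from 10.1.1.10 now ...
        diagnose debug flow trace stop
        diagnose debug disable

        # Constructed sample of what an asymmetric path can look like in the trace:
        # the client's SYN (via port1) is never seen, only the server's SYN/ACK
        # arrives on port3, so the FortiGate allocates a fresh session for it and
        # the packet fails the reverse path check. The exact drop message depends
        # on the release and on which check fails first.
        #
        # id=20085 trace_id=7 func=print_pkt_detail line=5639 msg="vd-root:0 received a
        #   packet(proto=6, 203.0.113.5:443->10.1.1.10:51234) from port3. flag [S.], ..."
        # id=20085 trace_id=7 func=init_ip_session_common line=5810 msg="allocate a new session-0000a1b2"
        # id=20085 trace_id=7 func=ip_route_input_slow line=2190 msg="reverse path check fail, drop"

        # Find out why the reply is expected on another interface: the route back
        # towards each endpoint decides where the FortiGate accepts its packets.
        get router info routing-table details 203.0.113.5
        get router info routing-table details 10.1.1.10
        get router info routing-table all

        # Short-term test only: permit asymmetric traffic, re-test the connection.
        # This disables stateful inspection, AV/IPS and offloading for the VDOM.
        config system settings
            set asymroute enable
        end
        show system settings | grep asymroute

        # Revert once the routing (or the FortiGate's placement) has been fixed.
        config system settings
            set asymroute disable
        end
    next
end
```

If the connection succeeds only while asymroute is enabled, the routing-table output above shows which path has to change: either the upstream devices must return traffic through the interface it entered on, or the FortiGate must be connected so that it sees both directions.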

Auxiliary Session.

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces.
To allow this traffic to pass through, FortiOS creates auxiliary sessions.
Allow the creation of auxiliary sessions with the following command:


config system settings
    set auxiliary-session {disable | enable}
end


By default, the auxiliary-session option is disabled.

With ECMP in use, this can cause some TCP traffic to be dropped when the reply packets arrive on a different interface from the one the session was created on.

If this occurs, enabling auxiliary-session resolves the problem. Unlike asymroute, the traffic is still tracked as a session.
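The following CLI sequence is an added example, not part of the original article. It first confirms that ECMP is actually in effect (two equal-cost routes leaving through different interfaces), then enables auxiliary-session in the affected VDOM and verifies the setting, with asymroute shown alongside only as the option to avoid. The VDOM name root, the interfaces port2 and port3, the next hops and the sample routing-table lines are constructed for illustration; lines starting with `#` are annotations. Without VDOMs, omit the `config vdom` / `edit root` / `next` / `end` lines.

```fortios
# Added example (not from the original article). Interfaces, next hops and the
# sample routing-table output are constructed.
config vdom
    edit root
        # Confirm ECMP is in play: the same destination reachable at equal cost
        # through two interfaces. Constructed sample of the relevant output:
        #   S*      0.0.0.0/0 [10/0] via 198.51.100.1, port2, [1/0]
        #                     [10/0] via 192.0.2.1, port3, [1/0]
        get router info routing-table all

        # Preferred fix for ECMP-induced TCP drops: let FortiOS create an
        # auxiliary session for the second interface while keeping the
        # traffic tracked as a session.
        config system settings
            set auxiliary-session enable
        end
        show system settings | grep auxiliary-session

        # Not the first resort: asymroute also lets the traffic through, but turns
        # the VDOM into a stateless firewall with no AV/IPS and no offloading.
        # Leave it at its default unless the routing really is asymmetric.
        # config system settings
        #     set asymroute enable
        # end
        show system settings | grep asymroute
    next
end
```

`show system settings` lists only values that differ from the default, so an empty result for the `asymroute` grep means asymmetric routing is still disabled, which is the intended state once auxiliary sessions handle the ECMP case.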
