huud
New Contributor III

Clarity on Symmetric and Asymmetric Routing ?!

Hi,

This question is tied to this issue I had earlier:

Solved: Connectivity Issue Between 2 Fortigate ?! - Fortinet Community

I have the below network, the 192.168.9.181/182 is a 1Gbps physical link, and the 192.168.10.181/182 is a 10Gbps physical link. The 1Gbps physical link is for Management traffic, and the 10Gbps link is for Storage, and vMotion. Not all VLANs are shown here.


[Image: Network.png, network diagram]


BGP is set up as below.

FW1

Routing table for VRF=0
C 10.11.30.0/24 is directly connected, VLAN30
C 10.11.40.0/24 is directly connected, VLAN40
B 10.21.30.0/24 [20/0] via 192.168.9.182 (recursive is directly connected, port1), 00:18:07, [1/0]
B 10.21.40.0/24 [20/0] via 192.168.10.182 (recursive is directly connected, port2), 00:17:40, [1/0]
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2
FW2

Routing table for VRF=0
B 10.11.30.0/24 [20/0] via 192.168.9.181 (recursive is directly connected, port1), 00:18:47, [1/0]
B 10.11.40.0/24 [20/0] via 192.168.10.181 (recursive is directly connected, port2), 00:18:15, [1/0]
C 10.21.30.0/24 is directly connected, VLAN2130
C 10.21.40.0/24 is directly connected, VLAN2140
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2
The initial issue was that VM behind FW1 with IP 10.11.30.200 would not ping VM with IP 10.21.40.200 behind FW2. After much reading I got to know about Symmetric and Asymmetric routing, and that this issue seems to be due to Asymmetric routing.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Differences-between-asymmetric-routing-and...

If I enable Asymmetric setting in Fortigate VMs can talk to each other without issues, but Fortigate says the below in the link above.

If this solves the blocked traffic issue, asymmetric routing is the cause.
However, allowing asymmetric routing is not an ideal solution because it reduces the security of the network.

For a long-term or permanent solution, it is recommended to change the routing configuration or change how the FortiGate connects to the network.
Can someone advise how to overcome this issue, what routing configuration needs to be changed, or how to setup Fortigate correctly to connect to the network to make it work without enabling asymmetric Routing.

wormenhi
New Contributor

Yes, perfectly normal. Think about it this way. You might be ingress to Google via Cox, but the best route back to you from Google might be via another ISP. Symmetric paths on the internet are VERY rare in multi-homed environments.

huud
New Contributor III

Thanks @wormenhi

I got to know of an alternate solution to this issue, BGP AS Path Prepending. I'm understanding how it works, and how it can be used.

sanjayputhalath_FTNT

Hi,

Based on the routing output, I assume the issue is an RPF (reverse path forwarding) failure. The IP 10.11.30.200 behind FW1 is reaching FW2 via Port2; however, for FW2, the best path to reach the source IP is via Port1. Consequently, the RPF check fails, and the packet is dropped.

There are different ways to solve this issue. Since you are using EBGP neighborship between the firewalls, one of the easiest solutions is enabling ebgp-multipath in the BGP configuration. This will help install both interfaces for the same destination (assuming that both routes are advertised over both links but only one link is selected as the best path)

config router bgp
    set ebgp-multipath enable 
end

However, this will load-balance the traffic, therefore traffic may flow through any interface. If you need to route traffic over a specific interface then you may need to use a PBR (assuming that you don't have SD-WAN, otherwise SD-WAN rules are fine).

https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementatio...

Sanjay
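To make the RPF failure Sanjay describes concrete, here is a small Python model of the forwarding and reverse-path checks, using the FW1 and FW2 routing tables posted in the question. It is an added illustration written for this thread, not FortiOS code. It forwards a packet from 10.11.30.200 to 10.21.40.200 out of FW1, looks at which port it lands on at FW2, and asks whether FW2 has a route back to the source through that port. The "loose" and "strict" modes are simplified assumptions (loose passes if any installed route to the source exits the ingress interface, strict only if a best route does), and the second FW2 table assumes, as Sanjay's answer does, that both 10.11.x.0/24 prefixes are advertised over both links so that ebgp-multipath installs an equal-cost entry for the second port.

```python
"""Toy model of the reverse-path-forwarding (RPF) check in this thread.

Added illustration, not FortiOS code. FW1/FW2 tables are the ones posted
in the question. 'loose' and 'strict' are simplified assumptions: loose
passes when ANY installed route to the source exits the ingress interface,
strict only when a BEST route (longest prefix, then lowest distance; ties
are treated as ECMP) does.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int  # 0 = connected, 20 = eBGP (FortiGate defaults)


def r(prefix, iface, distance=20):
    return Route(ipaddress.ip_network(prefix), iface, distance)


# FW1 as posted: 10.21.30/24 learned via port1, 10.21.40/24 via port2.
FW1 = [
    r("10.11.30.0/24", "VLAN30", 0), r("10.11.40.0/24", "VLAN40", 0),
    r("10.21.30.0/24", "port1"), r("10.21.40.0/24", "port2"),
    r("192.168.9.0/24", "port1", 0), r("192.168.10.0/24", "port2", 0),
]

# FW2 as posted: one best path per prefix.
FW2_SINGLE_PATH = [
    r("10.11.30.0/24", "port1"), r("10.11.40.0/24", "port2"),
    r("10.21.30.0/24", "VLAN2130", 0), r("10.21.40.0/24", "VLAN2140", 0),
    r("192.168.9.0/24", "port1", 0), r("192.168.10.0/24", "port2", 0),
]

# FW2 after `set ebgp-multipath enable`, ASSUMING FW1 advertises both
# 10.11.x.0/24 prefixes to both neighbors: an equal-cost entry for the
# other port is installed next to the existing one.
FW2_MULTIPATH = FW2_SINGLE_PATH + [
    r("10.11.30.0/24", "port2"), r("10.11.40.0/24", "port1"),
]


def lookup(table, addr):
    """Routes covering addr, best first: longest prefix, then lowest distance."""
    ip = ipaddress.ip_address(addr)
    hits = [x for x in table if ip in x.prefix]
    return sorted(hits, key=lambda x: (-x.prefix.prefixlen, x.distance))


def egress_interface(table, dst):
    """Forwarding decision: interface of the best route, or None if no route."""
    hits = lookup(table, dst)
    return hits[0].interface if hits else None


def rpf_check(table, src, ingress, mode="loose"):
    """True if a packet from src arriving on ingress passes the RPF check."""
    hits = lookup(table, src)
    if not hits:
        return False  # no route back to the source at all
    if mode == "strict":
        best_key = (hits[0].prefix.prefixlen, hits[0].distance)
        hits = [x for x in hits if (x.prefix.prefixlen, x.distance) == best_key]
    return any(x.interface == ingress for x in hits)


def trace(src, dst, fw2_table, mode="loose"):
    """Forward a packet FW1 -> FW2 and report FW2's RPF verdict.

    Assumes port1<->port1 (192.168.9.0/24) and port2<->port2
    (192.168.10.0/24) are the two back-to-back links, so FW1's egress
    port name is also FW2's ingress port name.
    """
    out = egress_interface(FW1, dst)
    return {"fw1_egress": out,
            "fw2_ingress": out,
            "fw2_rpf_pass": rpf_check(fw2_table, src, out, mode)}


if __name__ == "__main__":
    for name, table in (("single-path", FW2_SINGLE_PATH),
                        ("ebgp-multipath", FW2_MULTIPATH)):
        for mode in ("loose", "strict"):
            print(name, mode, trace("10.11.30.200", "10.21.40.200", table, mode))
```

Running it shows the asymmetry directly: FW1 sends the 10.21.40.200-bound packet out of port2, and with the posted single-path table FW2's only route back to 10.11.30.0/24 is via port1, so the RPF check fails in both modes; the same trace to 10.21.30.200 leaves FW1 on port1 and passes, which is why only one of the two VLAN pairs broke. With the multipath table the check passes on either port.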
huud

Thanks @sanjayputhalath_FTNT

I have not configured ebgp-multipath. I will need to check this, and Policy Based Routing as well.

Toshi_Esumi

I don't recommend PBR but do recommend SD-WAN. PBR defeats the purpose of having a routing protocol/BGP for redundancy. If the link goes down but a PBR is pointing the traffic to the down link, the traffic dies there. It never reroutes to the other link even if the routes are there.

Toshi
