This is a Palo Alto FW. So all we wanted to do is create two paths to the firewall with a deterministic path to and from a user subnet to the server DMZ, with failover handled by OSPF on the routed side and VRRP on the user side. I guess it's a pipe dream without introducing a lot of additional configuration.

Does anyone know: if I take the FW out of the OSPF equation by creating static routes in the cores to the networks behind the firewall, would the firewall then adhere to placing the outbound user session on the inbound port that originated it? I know a single default route would then have to be named in the FW for any sessions originating from behind the firewall, but those are few and far between.

thanks again,
walt
>>> "D'Estienne, Michael" <Michael.D'[email protected]> 6/21/2011 7:23 PM >>>

hey walt,

1) the fw by default will look at its routing table to determine where to send the packet, regardless of which interface the conversation entered the fw on.
2) you can't force this via ospf.
3) try to see if policy based routing is supported in your fw; this may work for you.

i don't know which vendor's fw you're using, but ecmp over multiple interfaces usually isn't supported in a fw, probably due to what you're experiencing, among other things. typically, what is supported is multiple next hops for a subnet via the same physical interface.

Michael d' Estienne
IT Specialist, Enterprise Operations
Office of the Chief Information Officer
U.S. Immigration and Customs Enforcement
Department of Homeland Security
Tel: (202) 732-2329
mobile: (202) 507-1733
[email protected]
ICE Service Desk: (888) 347-7762 or via web https://servicedesk.ice.dhs.gov

________________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Walter Witkowski
Sent: Tuesday, June 21, 2011 11:11 AM
To: Enterasys Customer Mailing List
Subject: [enterasys] Asymmetric Routing

Hi all,

Have a question. We have a firewall that is participating in OSPF with two cores (S4's). The firewall has a DMZ port C; port A is connected to a port on Core1, port B is connected to Core2. The user VLAN is connected to both cores with VRRP running. When initiating an SSH session to a DMZ server we see the SSH request come into port A of the firewall, which is the shortest path from user to server. The response intermittently will come out of port B of the firewall. The path cost from the server back to the user is equal cost. We are experiencing intermittent connectivity issues to these servers behind the firewall, not only SSH. Nowhere else on the network are we having issues when the errors occur. So far today, with port B of the firewall disconnected, we have not seen an issue.
If we elevate the path cost on one link then all returning traffic will use that exit port, but then we will lose our attempt to load balance by creating multiple return paths.

My question(s):
1) Shouldn't the fw send the response out the same port (A) that the request came in on?
2) Eventually we wanted to use VRRP to load balance traffic across the cores, which would mean that server requests would come into both port A and B of the firewall. We would like the firewall to adhere to that load balancing by returning traffic back on the same link. Is there a way to force this using OSPF?
3) Is there another answer for doing this?

thanks in advance,
walt

---
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys
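The following is an added example, not part of the thread and not Palo Alto's or Enterasys's code. It is a small Python model of the behaviour Michael describes in his point 1 (the firewall forwards by route lookup, ingress interface ignored) and of the two alternatives the thread raises: a policy-based "symmetric return" rule that sends the reply back out the interface the request entered on, and walt's idea in his last mail of taking the FW out of OSPF and giving it a single default route. Everything in it is constructed: the port names A/B/C, the addresses, the assumption that equal-cost next hops are chosen by a per-flow hash (ECMP), and the `symmetric_return` switch, which stands in for whatever a vendor's PBR feature actually does. The thread does not say where the packets were dropped, so the model only covers which port each reply leaves on.

```python
"""Asymmetric-return model (added example, constructed scenario).

Port A -> Core1, port B -> Core2, port C -> DMZ.  The user VLAN
10.10.0.0/24 is reachable from the firewall via either core at equal
cost; the DMZ server is 172.16.50.22.  All names/addresses are assumed.
"""
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The reply direction of this flow (e.g. the server's SSH response)."""
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class RoutingTable:
    """Longest-prefix match; a prefix may carry several equal-cost next hops
    as (interface, gateway), the way OSPF installs them when two paths tie."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): tuple(nhs) for p, nhs in routes.items()}

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

    def egress_for(self, flow):
        """Route-based forwarding: the ingress interface plays no part.
        With several equal-cost next hops a per-flow hash picks one
        (assumed ECMP behaviour), so each reply flow lands on A or B
        independently of where its request came in."""
        next_hops = self.lookup(flow.dst)
        digest = hashlib.sha256(repr(flow.key()).encode()).digest()
        iface, _gateway = next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]
        return iface


class Firewall:
    """Stateful firewall: the first packet creates a session and records the
    interface it entered on.  With symmetric_return=True the reply goes back
    out that interface (what a policy-based 'symmetric return' rule would do);
    otherwise every packet is forwarded by plain route lookup."""

    def __init__(self, table, symmetric_return=False):
        self.table = table
        self.symmetric_return = symmetric_return
        self.sessions = {}  # forward-flow key -> ingress interface

    def forward(self, flow, ingress):
        """Return the egress interface chosen for this packet."""
        rev = flow.reverse().key()
        if rev in self.sessions:  # this packet is a reply to a known session
            return self.sessions[rev] if self.symmetric_return else self.table.egress_for(flow)
        self.sessions.setdefault(flow.key(), ingress)
        return self.table.egress_for(flow)


# Constructed routing tables (assumptions, not the thread's real config).
OSPF_ROUTES = {
    "10.10.0.0/24": [("A", "10.1.1.1"), ("B", "10.1.2.1")],  # user VLAN, equal cost via both cores
    "172.16.50.0/24": [("C", "172.16.50.1")],                # DMZ
}
# walt's last-mail idea: FW out of OSPF, a single default route towards Core1.
STATIC_ROUTES = {
    "0.0.0.0/0": [("A", "10.1.1.1")],
    "172.16.50.0/24": [("C", "172.16.50.1")],
}


def reply_egress(routes, ingress, symmetric_return):
    """One SSH session whose request enters on `ingress`; return the port
    the server's reply leaves on."""
    fw = Firewall(RoutingTable(routes), symmetric_return)
    req = Flow("10.10.0.25", "172.16.50.22", 51515, 22)
    fw.forward(req, ingress)             # request towards the DMZ (port C)
    return fw.forward(req.reverse(), "C")


def reply_split(routes, n_sessions, symmetric_return):
    """n SSH sessions, all entering on port A (the shortest path, as in the
    thread); count which port carries each reply."""
    fw = Firewall(RoutingTable(routes), symmetric_return)
    split = Counter()
    for i in range(n_sessions):
        req = Flow(f"10.10.0.{10 + i % 200}", "172.16.50.22", 40000 + i, 22)
        fw.forward(req, "A")
        split[fw.forward(req.reverse(), "C")] += 1
    return split


if __name__ == "__main__":
    print("OSPF, route-based       :", dict(reply_split(OSPF_ROUTES, 200, False)))
    print("OSPF, symmetric return  :", dict(reply_split(OSPF_ROUTES, 200, True)))
    print("single default route, request in on B -> reply out on",
          reply_egress(STATIC_ROUTES, "B", False))
```

Run stand-alone, the route-based mode splits the 200 replies between A and B even though every request entered on A, which is the intermittent port-B exit walt observed; symmetric return pins all 200 to A. With the single default route every reply leaves on A even when the request came in on B: taking the FW out of OSPF buys a deterministic return port, not a return on the ingress port, which is the distinction Michael's point 1 makes.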
