https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194171#M36117 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;.</P><P>Thanks for the information, I will try disabling acceleration if that solves it.</P> Tue, 03 Oct 2023 18:13:21 GMT Kebin23 2023-10-03T18:13:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/193933#M36052 <P>Hello checkpoint community.</P><P>I am experiencing an asymmetric traffic problem in my lab when I try to use ECMP to advertise a server to 2 IPs from different ISPs at the same time.</P><P>I have configured the following default route for my two gateways from each ISP.</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="route.png" style="width: 754px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22626i59616717D17A0CDD/image-dimensions/754x66?v=v2" width="754" height="66" role="button" title="route.png" alt="route.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Leave the ECMP configuration by default at GAIA.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ECMP.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22627i9E235DD7303DEC14/image-size/medium?v=v2&amp;px=400" role="button" title="ECMP.png" alt="ECMP.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When both ISP links are UP, I reach the IP with which the server is published on ISP2 through port eth03 but the response returns through eth0, as shown in the following image.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Checkpoint_LAB_2.png" style="width: 664px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22628i6FB912B9FD730BB5/image-dimensions/664x310?v=v2" width="664" height="310" role="button" title="Checkpoint_LAB_2.png" alt="Checkpoint_LAB_2.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When I run the fw monitor, I see that it sends it through eth0, because that is the default route and that route also uses the public segment of my site 1 from where I am doing the test, I show the image of the fw monitor.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="FW_monitor_1.png" style="width: 440px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22629i72B83E82E52A59F3/image-dimensions/440x363?v=v2" width="440" height="363" role="button" title="FW_monitor_1.png" alt="FW_monitor_1.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When I download eth0, the default route that the firewall is considering for all traffic, the traffic is no longer asymmetric since my new default route goes through ISP2 where my server is published. I attach the image of the fw monitor.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="FW_monitor_2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22630iEA4D5BDA57874956/image-size/medium?v=v2&amp;px=400" role="button" title="FW_monitor_2.png" alt="FW_monitor_2.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>What remaining configuration in the firewall or ECMP am I missing so that the queries to the published server with an IP from ISP2 are symmetrical?</P><P>Laboratory topology</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Checkpoint_LAB.png" style="width: 712px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22631i69B38B3E36DCF8AA/image-dimensions/712x333?v=v2" width="712" height="333" role="button" title="Checkpoint_LAB.png" alt="Checkpoint_LAB.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 01 Oct 2023 06:46:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/193933#M36052 Kebin23 2023-10-01T06:46:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/193992#M36066 <P>Why not consult TAC for this isssue ?</P> Mon, 02 Oct 2023 07:18:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/193992#M36066 G_W_Albrecht 2023-10-02T07:18:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194035#M36076 <P>This "feels" like a SecureXL issue.<BR />You can somewhat test this theory by temporarily disabling templating with fwaccel off.<BR />Note this may not stop accelerating the traffic:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk162492" target="_blank">https://support.checkpoint.com/results/sk/sk162492</A><BR />Either way, I strongly suggest consulting with the TAC: <A href="https://help.checkpoint.com" target="_self">https://help.checkpoint.com</A></P> Mon, 02 Oct 2023 13:17:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194035#M36076 PhoneBoy 2023-10-02T13:17:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194171#M36117 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;.</P><P>Thanks for the information, I will try disabling acceleration if that solves it.</P> Tue, 03 Oct 2023 18:13:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194171#M36117 Kebin23 2023-10-03T18:13:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194185#M36123 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;.</P><P>Disable the acceleration and the problem with that link is solved, but the asymmetry now occurs in eth0, which previously worked correctly. In short, the problem continues, only now on the side of ISP1.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="SecureXL_off.png" style="width: 529px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22684i63D95B7357FE61C9/image-dimensions/529x226?v=v2" width="529" height="226" role="button" title="SecureXL_off.png" alt="SecureXL_off.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Asimetria_eth0_ISP1.png" style="width: 450px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22685i4D820AC1FB544285/image-dimensions/450x349?v=v2" width="450" height="349" role="button" title="Asimetria_eth0_ISP1.png" alt="Asimetria_eth0_ISP1.png" /></span></P><P>&nbsp;</P> Tue, 03 Oct 2023 21:03:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194185#M36123 Kebin23 2023-10-03T21:03:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194193#M36124 <P>As suggested previously, a TAC case will likely be necessary to resolve the issue.</P> Tue, 03 Oct 2023 22:23:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Asymmetric-traffic-using-ECMP-with-static-routes/m-p/194193#M36124 PhoneBoy 2023-10-03T22:23:56Z