Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kebin23
Participant

Asymmetric traffic using ECMP with static routes

Hello checkpoint community.

I am experiencing an asymmetric traffic problem in my lab when I try to use ECMP to advertise a server to 2 IPs from different ISPs at the same time.

I have configured the following default route for my two gateways from each ISP.

 

route.png

 

 

Leave the ECMP configuration by default at GAIA.

ECMP.png

 

 

 

 

 

 

 

 

 

 

 

When both ISP links are UP, I reach the IP with which the server is published on ISP2 through port eth03 but the response returns through eth0, as shown in the following image.

Checkpoint_LAB_2.png

 

 

 

 

 

 

 

 

 

When I run the fw monitor, I see that it sends it through eth0, because that is the default route and that route also uses the public segment of my site 1 from where I am doing the test, I show the image of the fw monitor.

FW_monitor_1.png

 

 

 

 

 

 

 

 

 

 

 

When I download eth0, the default route that the firewall is considering for all traffic, the traffic is no longer asymmetric since my new default route goes through ISP2 where my server is published. I attach the image of the fw monitor.

FW_monitor_2.png

 

 

 

 

 

 

 

 

 

 

What remaining configuration in the firewall or ECMP am I missing so that the queries to the published server with an IP from ISP2 are symmetrical?

Laboratory topology

Checkpoint_LAB.png

 

 

 

 

 

 

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend

Why not consult TAC for this isssue ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin

This "feels" like a SecureXL issue.
You can somewhat test this theory by temporarily disabling templating with fwaccel off.
Note this may not stop accelerating the traffic: https://support.checkpoint.com/results/sk/sk162492
Either way, I strongly suggest consulting with the TAC: https://help.checkpoint.com

Kebin23
Participant

Hi @PhoneBoy .

Thanks for the information, I will try disabling acceleration if that solves it.

0 Kudos
Kebin23
Participant

Hi @PhoneBoy .

Disable the acceleration and the problem with that link is solved, but the asymmetry now occurs in eth0, which previously worked correctly. In short, the problem continues, only now on the side of ISP1.

SecureXL_off.png

 

 

 

 

 

 

Asimetria_eth0_ISP1.png

 

0 Kudos
PhoneBoy
Admin
Admin

As suggested previously, a TAC case will likely be necessary to resolve the issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events