
    What’s Asymmetric Routing?

    Let’s start at the beginning. Asymmetric routing happens when network packets sent from a source to a destination take one path through your network firewall, but the response traffic takes a totally different way back. Imagine sending someone a letter, but instead of them writing back to your home address, they reply to your office. You’d probably miss the response, right? That’s essentially what your firewall “feels” when asymmetric routing occurs.


    Why Firewalls Don’t Like Asymmetric Routing

    Firewalls, especially next-gen solutions like Palo Alto, are designed to keep a keen eye on every packet in both directions. They love symmetry. When traffic from a session (say, a TCP connection) comes in via one interface or VR, they expect the return traffic to follow the same route back. Why? It’s all about stateful inspection. Firewalls track each connection, ensuring packets are legit and nothing sneaky is happening.

    When asymmetric routing throws things out of whack, the firewall might:

    • Drop returning packets because it didn’t see the start of the session.
    • Miss critical parts of the handshake (imagine a TCP SYN coming through one path and the SYN/ACK coming back through another).
    • Flag sessions as incomplete or invalid.

    An Analogy

    Think of your firewall as a club bouncer. When you enter through the front door, your name is on the guest list. If you try to exit through a secret side door the bouncer doesn’t monitor, security could freak out thinking someone’s sneaking in or out. That’s how asymmetric routing looks to a firewall — suspicious and untracked.



    When Does Asymmetric Routing Occur?

    This problem usually crops up in more complex networks, such as:

    • Organizations with multiple internet connections or ISPs.
    • Networks housing several virtual routers (VRs) or interfaces.
    • Environments using redundant links for failover.
    • Hybrid cloud and on-premises setups.
    • Data centers with both internal and external segments traversing separate paths.

    A classic scenario is where outbound traffic leaves via one ISP, but the response comes in through another because of how routing tables and VRs are configured. Or, in Palo Alto setups, when you have a single firewall but multiple VRs trying to steer traffic across various links.


    How to Spot Asymmetric Routing Problems on Palo Alto

    Troubleshooting asymmetric routing doesn’t have to be a nightmare. Here’s a step-by-step approach:

    1. Identify Asymmetric Paths

    Use Packet Captures

    Start with the built-in packet captures. A capture filter matches on addresses, ports and the ingress interface, and the four capture stages (receive, transmit, drop, firewall) record where a packet entered, where it was forwarded, and whether it was discarded. Capture the same session from both ends to see whether the two directions take different paths.

    How-to:

    • Go to the firewall GUI: Monitor > Packet Capture.
    • Add a filter for the client and server addresses, and repeat it for each interface you suspect is involved (e.g., your WAN and internal links).
    • Enable the receive, transmit and drop stages, start the capture, reproduce the connection, then check whether requests and responses line up on mirrored interfaces.

    TIP:
    If you see the SYN on one interface and the SYN/ACK or ACKs arriving on another, that’s your first clue. Packets landing in the drop stage with no matching session are the second.



    2. Check Session Logs & Counters

    Review the traffic logs under Monitor > Logs > Traffic and the system logs. Look for:

    • Sessions whose application shows as “incomplete” (the three-way handshake never completed through the firewall) or that end as “aged-out” instead of with a normal FIN.

    • Sessions whose Inbound Interface and Outbound Interface columns differ from the path you expected the flow to take.

    • TCP state anomalies (SYNs that are never acknowledged, RST flags, sessions that appear to start mid-stream).

    • Global counters that reveal asymmetric traffic. After setting a packet filter on the flow, read them from the CLI with show counter global, taking a delta between runs; the two that matter most are:

    • flow_tcp_non_syn (non-SYN TCP packets that matched no existing session, i.e. the return half of a flow arriving without the SYN having been seen)

    • flow_tcp_non_syn_drop (those packets dropped because Reject Non-SYN TCP is enabled, which it is by default)

    Some non-SYN packets are normal background noise (late packets for sessions that already aged out), so look for a sustained climb that tracks the affected flow rather than a handful of hits.
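    The following script is an added example, not code from the original post or from Palo Alto Networks. It replays packet records the way a stateful firewall does and flags the two clues from steps 1 and 2: a reply arriving on an interface pair that is not the mirror of the request (the SYN-on-one-interface, SYN/ACK-on-another pattern), and a flow whose first packet carried no bare SYN (the non-SYN-without-session case the drop list in “Why Firewalls Don’t Like Asymmetric Routing” describes). The interface names, addresses and packet records are constructed; on a real box you would export the capture as pcap and reduce each packet to the same ingress/egress tuple, or read the Inbound Interface and Outbound Interface columns of the traffic log.

```python
"""Replay per-interface packet records like a stateful firewall and flag the
asymmetric-routing clues a Palo Alto troubleshooter looks for.

Added example, not code from the original post or from Palo Alto Networks.
Interface names, addresses and the packet records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ingress: str   # interface the firewall received the packet on
    egress: str    # interface the routing lookup forwards it out of
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA", "R"


def flow_key(p):
    """Order the two endpoints so both directions of a connection share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def find_problems(packets):
    """Return {flow_key: [reasons]} for flows a stateful firewall would object to.

    'non-syn-first'   : the first packet seen was not a bare SYN, so the firewall
                        has no session for it (what flow_tcp_non_syn_drop counts
                        while Reject Non-SYN TCP is left at its default).
    'asymmetric-path' : a reply used an interface pair that is not the mirror of
                        the request's pair, or one direction used two pairs.
    """
    first_flags = {}
    paths = defaultdict(lambda: defaultdict(set))  # key -> direction -> {(in, out)}
    for p in packets:                               # capture order matters
        k = flow_key(p)
        first_flags.setdefault(k, p.flags)
        paths[k][((p.src, p.sport), (p.dst, p.dport))].add((p.ingress, p.egress))

    problems = {}
    for k, by_dir in paths.items():
        reasons = []
        if first_flags[k] != "S":
            reasons.append("non-syn-first")
        dirs = list(by_dir.values())
        asym = any(len(d) > 1 for d in dirs)        # same direction, two paths
        if len(dirs) == 2:
            fwd, rev = dirs
            mirrored = {(out, inn) for (inn, out) in fwd}
            asym = asym or not rev <= mirrored       # reply must retrace request
        if asym:
            reasons.append("asymmetric-path")
        if reasons:
            problems[k] = reasons
    return problems


def describe(key):
    (a, ap), (b, bp) = key
    return f"{a}:{ap} <-> {b}:{bp}"


# Constructed names: one inside interface and two ISP uplinks.
INSIDE, ISP_A, ISP_B = "ethernet1/2", "ethernet1/1", "ethernet1/3"

# Constructed capture: a clean session, a session whose SYN/ACK came back via
# ISP_B although the SYN left via ISP_A, and a flow first seen mid-stream.
SAMPLE = [
    Pkt(INSIDE, ISP_A, "10.1.1.10", 51000, "203.0.113.10", 443, "S"),
    Pkt(ISP_A, INSIDE, "203.0.113.10", 443, "10.1.1.10", 51000, "SA"),
    Pkt(INSIDE, ISP_A, "10.1.1.10", 51000, "203.0.113.10", 443, "A"),
    Pkt(INSIDE, ISP_A, "10.1.1.20", 51001, "203.0.113.20", 443, "S"),
    Pkt(ISP_B, INSIDE, "203.0.113.20", 443, "10.1.1.20", 51001, "SA"),  # wrong way back
    Pkt(ISP_B, INSIDE, "203.0.113.30", 443, "10.1.1.30", 51002, "PA"),  # no SYN ever seen
]

if __name__ == "__main__":
    for key, reasons in find_problems(SAMPLE).items():
        print(describe(key), ", ".join(reasons))
```

    Run against the constructed capture, the first session is clean, the second is reported as asymmetric-path and the third as non-syn-first, which is the same split you see between the packet capture clue in step 1 and the non-SYN counters in step 2.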


    3. Review Routing Tables and VRs

    Routing is at the heart of these issues. Double-check:

    • All static routes in each VR.
    • Default gateways (ensure only one default exists unless you’re deliberately multi-homing).
    • Connections between VRs (inter-VR routes) that might unintentionally steer traffic along different paths.

    Common Pitfall:
    Multiple VRs might overlap coverage for the same IP spaces or lack clear default routes, causing return traffic to take a less predictable way back.


    4. Examine NAT Policies

    Especially in networks with NAT, double-check:

    • Which VR/interface is assigned to your public or translated IPs.
    • If a session is initiated through a NAT-mapped interface, the return path must traverse the same NAT mapping for the firewall to recognize it.

    5. Adjust the Asymmetric Path Setting

    Palo Alto firewalls have a configurable option for asymmetric traffic. The default, drop, discards TCP packets whose sequence numbers are out of window or whose ACKs are out of sync with the session the firewall has tracked, which is exactly what the halves of a split flow look like. The related Reject Non-SYN TCP setting (also enabled by default) drops TCP packets that arrive with no matching session and are not a bare SYN.

    To adjust:

    • Set "Asymmetric Path" to "bypass" (not recommended as a permanent fix, but helpful for troubleshooting). Bypass lets those packets through but skips content inspection on them.

    • On the CLI (configure mode, followed by a commit):
      set deviceconfig setting tcp asymmetric-path bypass

    • In the web interface:
      Device > Setup > Session > Session Settings > Asymmetric Path

    • Scoped alternative: the same Asymmetric Path and Reject Non-SYN TCP knobs exist per zone under Network > Network Profiles > Zone Protection > Packet Based Attack Protection > TCP Drop, so you can relax them for the one zone with the multi-path problem instead of the whole firewall.

    Warning:
    While this lets traffic flow, the firewall no longer enforces TCP state on those packets and does not scan them, so anything riding in the unsynchronised half of a session passes unseen. Treat it as a diagnostic, not a design.


    6. Implement Policy-Based Forwarding or BGP Tuning

    If your design calls for multiple ISPs or redundant links:

    • Use Policy-Based Forwarding (PBF) to pin flows through specific interfaces.
    • If using BGP, use local preference, MED or AS-path prepending to define clear primary and backup paths, so that both directions of a flow prefer the same link.

    Best Practice:
    Keep all packets in a single session on the same path!


    7. Redesign Network Topology if Needed

    In some persistent cases, consider network redesign, such as:

    • Restructuring VRs so all in/out traffic for a zone passes through a single VR and path.
    • Placing your firewall at a single choke point, not between multiple VRs with overlapping routes.
    • Reducing the number of egress points or at least ensuring each connection’s return stays on the same path.



    Quick Pros and Cons of Palo Alto’s Approach to Asymmetric Routing

    Pros:
    • Strong stateful inspection blocks tricky attack vectors
    • Flexible routing (multiple VRs, PBF, BGP support)
    • Detailed troubleshooting tools (logs, packet captures, global counters)
    • Supports granular policies and NAT with VR interaction

    Cons:
    • Can unintentionally block legitimate multi-path traffic
    • Setting “bypass” disables state inspection for those flows
    • Complex to configure in large, multi-path topologies
    • Difficult to track traffic if routes/NAT overlap

    Best Practices to Avoid & Fix Asymmetric Routing

    • Design with simplicity: Try to keep your default routes and NAT mappings clean and predictable.
    • Limit VRs: Use the minimum number necessary and establish clear boundaries for each.
    • Stick to a single egress: Where possible, send all traffic through one outbound link/firewall or use PBF/BGP to avoid split flows.
    • Regularly review routes: Audit your static and dynamic routes after any change in topology.
    • Leverage session logs: Make it a habit to check log counters and session status for signs of trouble.
    • Only use "Bypass" as a last resort: If you must, document where and why, and tighten policies elsewhere.

    For more deep-dive guides, check out our resources at NetSec Technologies. If asymmetric routing is giving you a headache, our team’s real-world experience can help design, audit, or fix your setup for maximum uptime and security.


    Trouble with asymmetric routing? You're not alone, but with the right tools and practices, your Palo Alto firewalls can operate at full force—no dropped packets, no confusion, just smooth and secure connections.
