Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
654
Views
0
Helpful
4
Replies

ECMP through Transparent Firewall

webmastadj
Level 1
Level 1

‎07-18-2014 12:45 PM - edited ‎03-11-2019 09:29 PM

I have an interesting question.  We are going to try and run equal-cost multi-pathing through a transparent firewall.  There will be two routers on one side and two on the other running eigrp between them.  The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?

 

I can explain more if needed.

Labels:
0 Helpful
4 Replies 4

nkarthikeyan
Level 7
Level 7

‎07-19-2014 07:18 AM

Hi,

 

When you run Equal cost multi path in ASA, you will not get a return packet on a different port. It will not do round robin fashion. Below mentioned excerpt from cisco document will clarify your doubt.

 

This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.
 

Regards

Karthik

0 Helpful

webmastadj
Level 1
Level 1
In response to nkarthikeyan

‎08-06-2014 08:31 AM

That is true with a firewall in Routed mode.  This firewall is in transparent mode therefore no routing is taking place on the firewall it self.  The SYN would come in and leave on one set of interfaces (bridge group) but the SYN-ACK would return on another set of interfaces (different bridge group).

I have built this in the lab and confirmed the ASA will drop the packet breaking the connection.

I would like to know if there is any way around this?

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to webmastadj

‎08-06-2014 10:21 AM

I wonder how do you do ECMP in a FW transparent?

 

Regards

Karthik

0 Helpful

webmastadj
Level 1
Level 1

‎08-06-2014 04:17 PM

I have found the answer.  You must enable tcp state bypass.  This just doesn't work for transparent only but also routed.  (documentation here)

I will post my scenario with Visio once completed.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card