Cisco Support Community
New Member

Return traffic

Does the return traffic take the same route path that the forward traffic traversed? Or will the destination end router change the path if there is a specific route entry in its routing table that directs the packet to another path? Both ends are using Cisco routers with static routes set.

7 REPLIES
Silver

Re: Return traffic

Forward and return traffic are 2 independent processes (mutually independent). The return packets can come along any path, and it depends on the routing tables of the routers along the path. If you want symmetrical routing (for security reasons), there is something known as Unicast RPF.

New Member

Re: Return traffic

Thanks for the reply, because I got confused.

I made changes to the routing table of my end router, which will direct the packet to a path other than the previous one. So the remote site's packets will come in on path A, but my packets go there on path B.

I ended up unable to access remote site services, e.g. Lotus Notes, but I can ping with inconsistent replies.

Could anyone enlighten me whether this is a so-called 'out of state' packet?

Silver

Re: Return traffic

What do you mean by an out of state packet? Are you sure the routing is fine along the other path? No bandwidth choking or route flapping, etc.? We do a lot of asymmetrical routing and it works fine. Can you paste your config if possible?

New Member

Re: Return traffic

Thanks again for the reply :). I can only access the router at my end but not other sites, so I don't think pasting the configuration here will be meaningful.

And I am sure the other path works just fine.

Because the scenario above gave me 'out of state packet' and it was therefore blocked by my Check Point firewall (stateful), and only after I removed the specific route entry in my routing table, so that packets destined for the remote site follow the same path the remote site uses to reach my site, did it go back to normal.

Any issue with asymmetric routing and firewalls?

Silver

Re: Return traffic

If I have a firewall, I would always prefer a symmetric path, simply because unlike a router, which looks at the routing table, a firewall looks at state (flow). So I wouldn't take any risks. I think it would be worth a try. Let me know the results if you do try it.

New Member

Re: Return traffic

Yes, the result is known. The destination end firewall will block the traffic and give the reason 'TCP packet out of state:xxxx', possibly because the TCP SYN and SYN-ACK were not received in order.

This is a feature to prevent DoS-pattern attacks.

Silver

Re: Return traffic

Cool. This is like RPF on a router to block DoS attacks. Thanks a lot.
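
The stateful-firewall behaviour discussed in this thread, as an added example that is not part of any post: a simplified TCP handshake tracker in which the firewall sits on path A only, so it can be run with symmetric and asymmetric routing. This is a constructed model, not Check Point's inspection logic; `StatefulFirewall`, `run`, the host names and the path labels are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

DROP = "drop: TCP packet out of state"
# Constructed three-way handshake: (source, destination, TCP flags)
HANDSHAKE = [("client", "server", "SYN"),
             ("server", "client", "SYN-ACK"),
             ("client", "server", "ACK")]

@dataclass
class StatefulFirewall:
    # flow key -> (state, initiator); the key ignores direction so both
    # halves of a connection map to the same state-table entry
    table: dict = field(default_factory=dict)

    def inspect(self, src, dst, flags):
        key = frozenset((src, dst))
        state, initiator = self.table.get(key, (None, None))
        if flags == "SYN" and state is None:
            self.table[key] = ("SYN_SEEN", src)
        elif flags == "SYN-ACK" and state == "SYN_SEEN" and dst == initiator:
            self.table[key] = ("SYNACK_SEEN", initiator)
        elif flags == "ACK" and state == "SYNACK_SEEN" and src == initiator:
            self.table[key] = ("ESTABLISHED", initiator)
        elif not (flags == "ACK" and state == "ESTABLISHED"):
            # Packet does not match the next expected step of the flow
            return DROP
        return "accept"

def run(forward_path, return_path, fw_path="A"):
    """Replay the handshake; only packets routed over fw_path reach the firewall."""
    fw, verdicts = StatefulFirewall(), []
    for src, dst, flags in HANDSHAKE:
        path = forward_path if src == "client" else return_path
        verdict = fw.inspect(src, dst, flags) if path == fw_path else "bypassed firewall"
        verdicts.append((flags, verdict))
        if verdict == DROP:
            break  # handshake cannot complete once a segment is dropped
    return verdicts

if __name__ == "__main__":
    for fwd, ret in [("A", "A"), ("B", "A"), ("A", "B")]:
        print(f"forward={fwd} return={ret}: {run(fwd, ret)}")
```

With both directions on path A the handshake is accepted; with either direction moved to path B the firewall sees a segment it has no matching state for and drops it.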
