Allow Asymmetrical Route not working

PeterUK
PeterUK Posts: 2,656  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited April 2021 in Security

So I was do some testing and testing new setup and I think I found that Allow Asymmetrical Route with my setup don't work. On top of that there are two new ideas I have one is a check box per Policy Control rule to allow Asymmetrical Route. TCP Symmetrical Route works well and I don't want fixing Asymmetrical Route to break TCP Symmetrical Route what I call TCP on SYN which was broken when the USG40 came out and flagged that up and was fixed.

So here is the setup

https://us.v-cdn.net/6029482/uploads/editor/47/fyu7ipp2kmkj.png


In short Symmetrical Route cares for TCP handshake and Asymmetrical Route should not care about  TCP handshake.

Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @PeterUK  

    The Asymmetrical route function for TCP traffic is only support when incoming and outgoing traffic are belonging to same interface.

    But in your scenario, the traffic already separate to 2 devices.

     

    Packet direction of three handshake:

    SYN:                PC -> ZyWALL110 -> USG40 -> Server

    SYN, ACK:     Server -> USG40 -> PC

    ACK:              PC -> ZyWALL110 -> USG40 -> Server

    The TCP session will only generate after three handshake progress is completely.

    But it doesn’t complete on ZyWALL110, so session did not created on ZyWALL110.

    So the data is unable pass to ZyWALL110 continually.

    And it is the reason that ICMP/ UDP traffic without routing issue.

  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2020

    Hi @PeterUK  

    The Asymmetrical route function for TCP traffic is only support when incoming and outgoing traffic are belonging to same interface.

    Symmetrical route supports any interface so packets go out USG 40 OPT come in on USG 40 wan1 bridge for the handshake to complete.

    True Asymmetrical route should not need the handshake and if you turn off the firewall on ZyWALL 110 TCP works but it should work when Allow Asymmetrical Route is enabled. 

    Or to put another way how do I keep ZyWALL110 firewall on and make TCP work in this setup if not its not Asymmetrical route ?


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2020

    Hi @PeterUK
    Asymmetrical route will not take effect when the TCP session does not exist.

    We will add it into idea section and evaluate for future enhancement.

    Thanks for your suggestion.  :+1:

Security Highlight