Another fun topic, asymmetric routing. One thing to keep in mind when it comes to Palo Alto firewalls is that they session match on Zone and not Interface. This means if you have two interfaces in the same Zone, it will session match, and your traffic will not get dropped. Just remember you can have multiple paths and have traffic sent on Path-A, received on Path-B, and have no issues routing traffic as long as the Palo Alto FW is sending and/or receiving in the same Zone. Fun fact, there’s asymmetric routing going on right now on the internet and it’s working fine.
Now let’s say you do have asymmetric routing going on but now it’s an issue on the Palo Alto side because you’re NOT passing through the same Zone. Typically, this happens in vWire environments where you have dynamic routing protocols controlling the traffic with redundant paths. I’ve already blogged about this here:
The thing to remember is how a TCP connection starts, and that’s with a 3-way handshake, SYN, SYN-ACK, ACK. If Palo Alto doesn’t get an SYN for the first packet for some reason, it will discard it. That’s why you need to change the settings NOT to reject non-SYN and bypass the asymmetric path on all Zones in the path.