Asymmetrical Routing Support
For better performance and reliability, you may have the network set up with redundant connections to the same Internet Service Provider (ISP) or two different ISPs as shown in Figure 3-11. This poses a problem for PIX, as the ISP may receive traffic from one PIX but might return traffic back to the other PIX. This is because these two PIX firewall units (or pairs) do not share session information. Therefore, while the return packet is allowed by the PIX that allowed the initial connection, it is denied by the other PIX. This is also how it works in Failover mode when it is deployed with Active/Standby Mode.
Figure 3-11. Asymmetric Routing Support with Active/Active FO Setup
The same problem can occur when running active/active failover. A unit may receive a packet that belongs to its peer. If this happens, the receiving unit will forward the packet back to its peer for processing. Stateful failover must be enabled to support asymmetric routing.
Figure 3-11 shows two units running Active/Active failover, where Unit 1 has context ctx1 active and Unit 2 has context ctx2 active. An inside host initiates a connection through context ctx1 of Unit 1 (solid line). Context ctx1 creates the connection, replicates the connection to Unit 2, and then forwards the packet. If the return packet is routed through context ctx2 of Unit 2, connection information already exists in Unit 2's connection table. But, because context ctx1 is not active in Unit 2, it forwards the packet back to Unit 1 (arrows).
Following are some of the restrictions and cautions you should remember when configuring asymmetric routing in Active/Active Failover mode.
-
Remember that multiple context PIX does not support VPN, IPS, and other features.
-
Shared interface setup requires NAT.
-
Under the asymmetric routing A/A FO, packets are forwarded by Layer 2.
-
The supported scenario is for outbound traffic being routed through one unit and inbound traffic being routed to a different unit for a given connection. The scenario where traffic traveling in the same direction for a connection gets routed to different units should not happen if routing is configured properly. The upstream or downstream router should set up the load-balancing policy such that routers are not performing per packet load balancing to the High Availability (HA) cluster.
To configure asymmetric routing support, you need to use asr-group command under the interfaces of contexts. Asymmetric routing support is needed for the outside interface only; you need to have the following commands configured on both ctx1 and ctx2:
PIX/ctx1(config)# interface Ethernet 0.30
PIX/ctx1(config-if)# asr-group 1
PIX/ctx2(config)# interface Ethernet 0.40
PIX/ctx2(config-if)# asr-group 1