The problems with asymmetric routing

Happy Saturday to all of you!

I made some thoughts about the topic asymmetric routing. When I make network audits to new customers I often see multiple gateways in a single subnet (for example for site2site VPNs). They tell me about some weird problems with some intercommunications between those subnets. To better understand the wrong topology I made a drawing in Microsoft Visio for you:

asynchronous-routing-1

 

On the left side we have a server with IP address 192.168.1.23 using the default gateway 192.168.1.1. When the server wants to communicate to the branch office server 192.168.2.78, the send packets have the destination mac address of 192.168.1.1 and the destination IP address 192.168.2.78. Once packets are coming in to the router 192.168.1.1, a route will let him change the destination mac address to that one for 192.168.1.8 (the gateway where subnet 192.168.2.0 /24 is located via VPN). The problem is that the packets are send out of the same network where they are coming. Packets which will be answered by 192.168.2.78 are not going the same way back because the second router 192.168.1.8 sends the packets to 192.168.1.23 which is directly attached to network 192.168.1.0 /24. So the server 192.168.1.23 is getting answered packets from a mac address which he doesn’t send to. This is a problem with many protocols like secured connections (HTTPS tcp 443, LDAP SSL tcp 636, LDAP GC SSL tcp 326, etc.) because those systems and also local firewalls recognized those grievances as something like a man-in-the-middle attack like ARP spoofing. Past weeks ago, a customer had problems with running a synchronized domain-membership with this topology. My colleague Frank documented this here.

To solve this problem you have two options. Option #1 is the fastest (and maybe cheapest) way. Just add a permanent route (blue letters) to the server which has more than one gateway on its subnet:

asynchronous-routing-2

Because you have more than only one server 🙂 or devices which can’t have routes added (like printers) there is a way better method for this which I recommend. Put a small subnet between the main gateway and the VPN gateway with a subnetmask 255.255.255.252 (two usable hosts) and configure static routes on this gateways like this:

asynchronous-routing-3_new

When your main-gateway has an additional and free interface it also doesn’t cost additional money 🙂

Feel free to comment and suggest additional ideas!

 

9 thoughts on “The problems with asymmetric routing”

  1. Hello,

    Thank you for a good article.

    I have some problems in implementing what I have read. I cannot have Internet access from 192.168.2.78.
    Can you please tell me if router 10.20.30.2 from your diagram has to be one with two WAN ports ( RV042G for example ) or it will work only with one WAN.

    Thank you

    • I think I didn’t understand your requirement. What do you want exactly? You just need an additional interface and so you can do routing between it. It doesn’t need to be a “WAN” interface or so

      • Hello Michel,

        The main router in a RV042G ( connected to Internet ). I need to create a VPN connection to a second site ( connected directly by fiber, not over the Internet ). I had began with the first version. VPN is working well but I cannot have Internet acces from second site. Then I have tried the third solution. I had the same results. All routers are RV042G.
        – Computer from both sites can see each other.
        – Computers from site 1 have Internet access
        – Computer from site 2 cannot acces Internet ( ping to google by name or by IP it’s not working)

        Thank you

        • Hi Nimca,

          every hop (router) needs to have the default route. So if we look at the third picture: 192.168.2.1 needs to configure default-route pointed to 192.168.1.8, 192.168.1.8 needs a default route to 192.168.1.1.

          From the second site: Do a “tracert 8.8.8.8” where did the traceroute end?

  2. Thanks for the great article. In the second diagram, shouldn’t the 192.168.1.8 ip on the vpn gateway be deleted? That device will only have a 10.20.30.2 address and a vpn address right?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.