[MX] Solving ICMP asymmetric traffic drops by IPSec tunnels on MX routers equipped with MS-MPC

  [KB33836]


This article describes how to stop asymmetric Internet Control Message Protocol (ICMP) traffic from being dropped by IPSec tunnels on MX routers that are equipped with MS-MPC service cards.



In the following setup, two IPSec tunnels terminate on one router (R03). Traffic through them is asymmetric: traffic from Destination A to Destination B moves through the R01-R03 tunnel, and the reverse traffic moves through the R02-R03 tunnel. In this case, the reverse traffic arriving through the R02-R03 tunnel is dropped, because the service card sees a reply for which it has no matching request in that tunnel's session state. See PR1059940.



The default behavior of IPSec tunnels on MX routers that are equipped with MS-MPC is to drop reply packets that do not return through the same tunnel from which the request packets came. For ICMP this means an echo reply that leaves through a different tunnel than the one the echo request arrived on is discarded (ICMP asymmetric traffic).



To allow ICMP traffic over an asymmetric path, where for example the ICMP echo request arrives through one IPSec tunnel and the ICMP echo reply leaves through another, the enable-asymmetric-traffic-processing knob must be configured under service-set-options. Configure it on all configured service-sets, not only on the one carrying the reply; a service-set without the knob keeps the default drop behavior.

set services service-set sset-name service-set-options enable-asymmetric-traffic-processing   << This knob allows ICMP asymmetric traffic.
set services service-set sset-name next-hop-service inside-service-interface ms-1/1/0.1
set services service-set sset-name next-hop-service outside-service-interface ms-1/1/0.2
set services service-set sset-name ipsec-vpn-options local-gateway <ip-address>
set services service-set sset-name ipsec-vpn-rules sset-rule
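Because the knob has to be present on every configured service-set, a quick way to verify a router is to audit the output of show configuration services | display set. The script below is an added example, not Juniper code or part of this article: it parses set-format lines, reports each service-set as ok or missing the knob, and emits the set commands needed to fix the ones that lack it. The service-set names (sset-r01, sset-r02, sset-nat), interface units, rule names and 192.0.2.x gateway addresses in the constructed sample are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of "show configuration services | display set" output
# (assumed, not taken from the article): the R01-R03 and R02-R03 tunnels
# each terminate in their own service-set on ms-1/1/0; only sset-r01 has the
# knob. sset-nat is a third service-set that does not carry IPSec at all.
SAMPLE_SET_CONFIG = """\
set services service-set sset-r01 service-set-options enable-asymmetric-traffic-processing
set services service-set sset-r01 next-hop-service inside-service-interface ms-1/1/0.1
set services service-set sset-r01 next-hop-service outside-service-interface ms-1/1/0.2
set services service-set sset-r01 ipsec-vpn-options local-gateway 192.0.2.1
set services service-set sset-r01 ipsec-vpn-rules rule-r01
set services service-set sset-r02 next-hop-service inside-service-interface ms-1/1/0.3
set services service-set sset-r02 next-hop-service outside-service-interface ms-1/1/0.4
set services service-set sset-r02 ipsec-vpn-options local-gateway 192.0.2.2
set services service-set sset-r02 ipsec-vpn-rules rule-r02
set services service-set sset-nat nat-rules nat-r1
"""

KNOB = "service-set-options enable-asymmetric-traffic-processing"
SET_RE = re.compile(r"^set services service-set (\S+) (.*)$")


def parse_service_sets(config: str) -> Dict[str, List[str]]:
    """Group the statements of each 'set services service-set <name> ...' line by name."""
    sets: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # not a service-set statement; ignore
        sets.setdefault(m.group(1), []).append(m.group(2))
    return sets


def audit_asymmetric_processing(config: str) -> Dict[str, str]:
    """Map every configured service-set to 'ok' or 'missing knob'.

    The article requires the knob on all configured service-sets, so every
    service-set is checked, whether or not it carries ipsec-vpn-rules.
    """
    return {
        name: ("ok" if KNOB in stmts else "missing knob")
        for name, stmts in parse_service_sets(config).items()
    }


def terminates_ipsec(config: str, name: str) -> bool:
    """True if the named service-set has ipsec-vpn-rules attached."""
    stmts = parse_service_sets(config).get(name, [])
    return any(s.startswith("ipsec-vpn-rules ") for s in stmts)


def remediation_commands(config: str) -> List[str]:
    """Set commands that add the knob to every service-set lacking it."""
    return [
        f"set services service-set {name} {KNOB}"
        for name, status in sorted(audit_asymmetric_processing(config).items())
        if status == "missing knob"
    ]


if __name__ == "__main__":
    for name, status in audit_asymmetric_processing(SAMPLE_SET_CONFIG).items():
        ipsec = "ipsec" if terminates_ipsec(SAMPLE_SET_CONFIG, name) else "no ipsec"
        print(f"{name}: {status} ({ipsec})")
    for cmd in remediation_commands(SAMPLE_SET_CONFIG):
        print(cmd)
```

On the sample, sset-r01 passes while sset-r02 (the tunnel carrying the reply path) and sset-nat are flagged, and two remediation set commands are produced. The audit deliberately flags non-IPSec service-sets too, because the article asks for the knob on all configured service-sets; if you only care about the tunnels, filter the result with terminates_ipsec.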

