Issues of Asymmetrical Traffic:

  1. Application identification will not work, and policies based on application (app-qos, sd-wan, firewall policies, etc.) will not work.
  2. Some UTM functionalities will not work because traffic is seen in only one direction.
  3. The TCP state check machine may get bypassed because asymmetric routing requires the TCP SYN check to be disabled.
  4. Sessions are not closed as soon as the client/server closes the connection. Sessions are closed after the default idle timeout instead.
    1. This causes an increased session count on Hubs or devices where there are a lot of sessions.
    2. This causes high memory usage on Hubs or devices where there are a lot of sessions.


Note that 4.i and 4.ii above are not a problem with asymmetrical traffic as long as the number of sessions is less than the number of sessions supported by the deployed hardware.


Solution:

Follow the symmetrical path and remove any asymmetrical path in the network.

  1. Enable SD-WAN Policy to Enable Symmetric Forwarding (Enforce) on all nodes.
  2. Enable per-session load-balancing and routing policies on customer routers behind Versa Hubs so that return traffic comes back to the same Hub that sent the traffic toward the customer routers.


Refer to this document for horizontal scale-out of SD-WAN devices at Hubs and DCs while keeping traffic flows symmetrical: https://academy.versa-networks.com/docs/horizontal-scale-out-of-versa-sd-wan-appliance-at-dc-hub-site/


What is considered an Asymmetrical path:

A path is considered asymmetrical when a Versa device sees a session's traffic in only one direction instead of seeing both directions on the same device. Traffic is considered asymmetric if the TCP SYN check knob needs to be disabled for the traffic to work.


What is not considered Asymmetrical traffic:

Any traffic going over the SD-WAN overlay using any underlay is not considered asymmetrical routing as long as the same device sees the traffic in both directions. Load-balancing sessions across multiple devices/Hubs/Spokes is also not considered asymmetrical routing as long as a given session goes via the same device in both the forward and reverse directions.
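
The two definitions above can be checked against per-device packet or flow records. The following is an added example, not Versa code or tooling: the record layout, device names and addresses are constructed assumptions. It flags a device only when it saw one direction of a session whose other direction was seen on a different device, so sessions load-balanced to a single Hub are not flagged.

```python
from collections import defaultdict

# Constructed sample: (device, proto, src_ip, src_port, dst_ip, dst_port).
# Device names and addresses are invented for illustration.
PACKETS = [
    # Session A: both directions cross hub1 -> symmetric
    ("hub1", "tcp", "10.1.1.10", 40001, "10.9.0.5", 443),
    ("hub1", "tcp", "10.9.0.5", 443, "10.1.1.10", 40001),
    # Session B: load-balanced to hub2, both directions on hub2 -> symmetric
    ("hub2", "tcp", "10.1.1.11", 40002, "10.9.0.5", 443),
    ("hub2", "tcp", "10.9.0.5", 443, "10.1.1.11", 40002),
    # Session C: forward via hub1, return via hub2 -> asymmetric on both
    ("hub1", "tcp", "10.1.1.12", 40003, "10.9.0.5", 443),
    ("hub2", "tcp", "10.9.0.5", 443, "10.1.1.12", 40003),
]

def session_key(proto, src, sport, dst, dport):
    """Return a direction-independent session key plus a direction bit."""
    a, b = (src, sport), (dst, dport)
    return (proto, min(a, b), max(a, b)), (0 if a <= b else 1)

def find_asymmetric(packets):
    """Return sorted (device, session) pairs where a device saw one direction
    of a session whose other direction was seen on a different device."""
    seen = defaultdict(lambda: defaultdict(set))  # session -> device -> {dirs}
    for device, proto, src, sport, dst, dport in packets:
        key, direction = session_key(proto, src, sport, dst, dport)
        seen[key][device].add(direction)
    findings = []
    for key, per_device in seen.items():
        all_dirs = set().union(*per_device.values())
        if len(all_dirs) < 2:
            continue  # one-way flow everywhere; no evidence of a split path
        for device, dirs in per_device.items():
            if len(dirs) == 1:
                findings.append((device, key))
    return sorted(findings)

if __name__ == "__main__":
    for device, (proto, a, b) in find_asymmetric(PACKETS):
        print(f"{device}: one-way {proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```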