SD-WAN Symmetric Packet Return

Example SD-WAN Topology

An SD-WAN Security Gateway is connected to two ISPs:
- Interface eth2 connects to ISP #1.
  
  The default route on the SD-WAN Security Gateway is through the interface eth2 (ISP #1).
- Interface eth4 connects to ISP #2.
Two internal servers connect to the SD-WAN Security Gateway:
- FTP Server connects to the interface eth1.
- Web Server connects to the interface eth3.

Traffic Flow Through an SD-WAN Security Gateway Without Symmetric Packet Return

Note - The asymmetric packet return is the default behavior in these Security Gateway versions:

R81.20 Jumbo Hotfix Accumulator, Take 76 and lower
R81.20 without the R81.20 Jumbo Hotfix Accumulator
Quantum Spark Gateway from R81.10.05 to R81.10.10

A request traffic "Client-to-Server" ("C2S") arrives from a Client (through an ISP) to the SD-WAN Security Gateway (in our example, at either interface eth2 or interface eth4).
The SD-WAN Security Gateway passes the request traffic (if the Security Policy allows it) to the internal Server (in our example, through either interface eth1 or interface eth3).
A response traffic "Server-to-Client" ("S2C") from an internal Server arrives at the SD-WAN Security Gateway (in our example, at either interface eth1 or interface eth3).
The SD-WAN Security Gateway passes the response traffic (if the Security Policy allows it) to the Next Hop Gateway.

By default, the SD-WAN Security Gateway always passes the response traffic to the Next Hop Gateway based on the configured default route (in our example, through the interface eth2).

Based on our example:
- If a request traffic arrived through ISP #1 at the interface eth2, then the Security Gateway sends response traffic through the same interface eth2.
- If a request traffic arrived through ISP #2 at the interface eth4, then the Security Gateway also sends response traffic through the interface eth2.
As a result, these issue occur:
- A stateful Firewall at an ISP that did not pass the original request traffic, may drop this response traffic.
- Traffic distribution through the Security Gateway interfaces is not optimal, because it sends all outbound traffic through the same interface.
Possible workarounds:
- Configure Policy Based Routing (PBR) rules based on the internal source IP address for the return (that is the original destination of the inbound traffic).
  
  See the Gaia Advanced Routing Administration Guide for your version.
- Configure the default route in which the next hop gateway is the ISP, from which the inbound traffic arrives and through which the traffic should return.
  
  For static routes, see the Gaia Administration Guide for your version.
  
  For dynamic routes, see the Gaia Advanced Routing Administration Guide for your version.

Traffic Flow Through an SD-WAN Security Gateway With Symmetric Packet Return

Note - The symmetric packet return is available in these Security Gateway versions:

R82 and higher
R81.20 Jumbo Hotfix Accumulator Take 79 and higher
Quantum Spark R81.10.15 and higher

When you enable the Symmetric Packet Return on the SD-WAN Security Gateway:

A request traffic "Client-to-Server" ("C2S") arrives from a Client (through an ISP) to the SD-WAN Security Gateway (in our example, at either interface eth2 or interface eth4).
The SD-WAN Security Gateway passes the request traffic (if the Security Policy allows it) to the internal Server (in our example, through either interface eth1 or interface eth3).
A response traffic "Server-to-Client" ("S2C") from an internal Server arrives at the SD-WAN Security Gateway (in our example, at either interface eth1 or interface eth3).
The SD-WAN Security Gateway passes the response traffic (if the Security Policy allows it) to the Next Hop Gateway.

By default, the SD-WAN Security Gateway always passes the response traffic to the Next Hop Gateway of the original ISP that sent the request traffic.

Based on our example:
- If a request traffic arrived through ISP #1 at the interface eth2, then the Security Gateway sends response traffic through the same interface eth2.
- If a request traffic arrived through ISP #2 at the interface eth4, then the Security Gateway sends response traffic through the same interface eth4.

Follow these steps to enable the Symmetric Packet Return:

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Connect to the command line on the Security Gateway / each Cluster Member.
Log in.

If your default shell is Gaia Clish, then go to the Expert mode:

expert

Modify the $FWDIR/conf/sdwan/sdwan_steering_params.json file:

If the file $FWDIR/conf/sdwan/sdwan_steering_params.json exists, create a backup copy.

Otherwise, create this file.

Run this long command:

if [ -f $FWDIR/conf/sdwan/sdwan_steering_params.json ] ; then echo "Creating the backup ..." ; cp -v $FWDIR/conf/sdwan/sdwan_steering_params.json{,BKP} ; else echo "Creating the file ..." ; touch $FWDIR/conf/sdwan/sdwan_steering_params.json ; stat $FWDIR/conf/sdwan/sdwan_steering_params.json ; fi

Edit the $FWDIR/conf/sdwan/sdwan_steering_params.json file:

vi $FWDIR/conf/sdwan/sdwan_steering_params.json

If this file is empty, then add all these lines.

If this file already contains other configuration parameters, then add this configuration parameter on a new line:

{
    "sdw_default_symmetric_return_value" : true
}

This configuration parameter enables the Symmetric Return feature in the SD-WAN Policy.

Save the changes in the file and exit the editor.

Make sure the value of the kernel parameter "sdw_symmetric_return_enabled" is "1" (this is the default value).

This kernel parameter enables the Symmetric Return feature on the Security Gateway.

Get the current value of the kernel parameter:

fw ctl get int sdw_symmetric_return_enabled

Expected output:

sdw_symmetric_return_enabled = 1

If the current value of the kernel parameter is "1", then go to the next step.

If the current value of the kernel parameter is "0", then configure the value "1" and get the value again:

fw ctl set -f int sdw_symmetric_return_enabled 1

fw ctl get int sdw_symmetric_return_enabled

Restart the SD-WAN Steering process:

sdwan_steering_stop ; sdwan_steering_start

Notes:

Symmetric Packet Return supports SD-WAN interfaces for ISP lines of type Private (for example, MPLS) and of type Public.
Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible directly with a Public IP address (without NAT).
Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible with a Private IP address behind NAT - a device in front of the Security Gateway performs this NAT.
Symmetric Packet Return supports inbound traffic, also when the Security Gateway performs Inbound HTTPS Inspection for that connection.
Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible with a Private IP address behind NAT - the Security Gateway performs this NAT.

The NAT IP address can be one of these:
- The IP address of the external Security Gateway interface - configure the required Static NAT rules.
- An IP address from a NAT Pool that contains IP addresses from a different subnet than the external Security Gateway interface.
  
  The Next Hop Gateway device will need to route this NAT Pool towards the point-to-point Security Gateway interface.
- An IP address from a NAT Pool that contains IP addresses from the same subnet as the external Security Gateway interface.
  
  You must configure:
  - Static NAT rules.
  - Proxy ARP on the Security Gateway:
    - If you configure Manual NAT, then you must follow sk30197 (for Security Gateway) / sk114531 (for Quantum Spark).
    - If you configure Automatic NAT, the Security Gateway performs Proxy ARP automatically.

Limitations in Symmetric Packet Return:

Symmetric Packet Return does not support enabling / disabling of this feature for specific SD-WAN interfaces (on roadmap).
Symmetric Packet Return does not support inbound traffic sent to the Security Gateway itself (and not through the Security Gateway) - HTTPS, SSH, Remote Access VPN (on roadmap).

For such inbound requests, the Security Gateway sends its response based on its routing table.

Possible workaround on the Security Gateway:
1. Configure the IP Reachability Detection feature.
  
  See the Gaia Advanced Routing Administration Guide for your version > Chapter "IP Reachability Detection".
2. Select the configured Monitored IP address in the static default route.
  
  In the route's Gateway, configure such a priority value that:
  1. Users connect first to the Security Gateway through the public IP address of the main ISP (best priority).
  2. If this connection fails, the users connect to the Security Gateway through the public IP address of the another ISP.
  Note - The lower the priority value, the higher the preference.
  
  See the Gaia Administration Guide for your version > Chapter "Network Management" > Section "IPv4 Static Routes".
Symmetric Packet Return supports inbound traffic only in these cases:
- The inbound traffic did not match any SD-WAN rule.
- The inbound traffic matches an SD-WAN rule with the Steering Behavior of type "Overlay - VPN" ("Local Breakout" is not supported).
Symmetric Packet Return does not support traffic that arrives as already encrypted over the Site to Site VPN tunnel.