asymmetric routes/security concerns/Fortinet

John Kristoff jtk at cymru.com
Fri Jan 7 12:15:09 CST 2011


On Fri, 7 Jan 2011 12:40:32 -0500
Greg Whynott <Greg.Whynott at oicr.on.ca> wrote:

> We have multiple internet connections of which one is a research
> network where many medical institutions and universities are also
> connected to throughout the country. This research network (ORION)
> also has internet access but is not meant to be used as a primary
> path to the internet by its customers. Connected to the ORION
> network are many sites we exchange email with daily who also have
> multiple internet connections. One of these sites is not reachable
> by us. After investigating, it was discovered this site is
> dropping our connections as the path back to us would use a
> different interface on the firewall (a Fortinet device) than that
> which it arrived upon.

Correct me if I'm wrong, I'm not very familiar with ORION, but if it's
built like some of the research networks in the U.S. have been in the
past, ORION is a dedicated high-speed, low-latency network that
interconnects research institutions together.  The way these are often
used is that you localpref routes you learn from ORION participants so
that traffic between each of you goes over the research network.  You'd
typically want this since the performance is good and there is plenty of
capacity available, but it is also paid for, probably through some
research grant, helping to reduce the use and expense of your commercial
transit.

You should be sending your traffic to them via ORION and they
likewise.  However, if that path is down, then it would make sense for
it to go via another route.  Hence, asymmetry may happen.

Are you not sending the traffic via ORION?  If so, then I'd suggest you
both have something to fix.  :-)

John
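
An added illustration, not part of the original message: a small Python model of the situation in this thread, where a firewall doing a strict reverse-path check drops packets that arrive on a link other than the one its best route back to the source uses, and where local-pref on each side decides which link that is. The prefixes, addresses, interface names and local-pref values are constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes and made-up interface names.
SITE_A_PREFIX = "192.0.2.0/24"      # sender's prefix (assumption)
SITE_B_PREFIX = "198.51.100.0/24"   # prefix behind the firewall (assumption)

def rib(prefix, orion_pref=None, transit_pref=None):
    """Build routes to `prefix`; a pref of None means no route is learned on that link."""
    links = (("orion", orion_pref), ("transit", transit_pref))
    return [{"prefix": ipaddress.ip_network(prefix), "iface": i, "local_pref": p}
            for i, p in links if p is not None]

def best_iface(routes, addr):
    """Longest-prefix match, then highest local-pref; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["prefix"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["prefix"].prefixlen, r["local_pref"]))["iface"]

def strict_rpf_accepts(routes, src, in_iface):
    """Strict check: the best route back to src must leave via the arrival interface."""
    return best_iface(routes, src) == in_iface

def loose_rpf_accepts(routes, src):
    """Loose check: any route back to src is enough."""
    return best_iface(routes, src) is not None

def delivered(a_routes, b_routes, src="192.0.2.10", dst="198.51.100.25", strict=True):
    """Send src -> dst out A's best link; B's firewall checks the reverse path."""
    link = best_iface(a_routes, dst)   # link A chooses; the packet arrives at B on it
    if link is None:
        return False
    if strict:
        return strict_rpf_accepts(b_routes, src, link)
    return loose_rpf_accepts(b_routes, src)

if __name__ == "__main__":
    # B's routes back to A: ORION preferred over commercial transit.
    b_prefers_orion = rib(SITE_A_PREFIX, orion_pref=200, transit_pref=100)
    a_via_transit = rib(SITE_B_PREFIX, orion_pref=100, transit_pref=200)
    a_via_orion = rib(SITE_B_PREFIX, orion_pref=200, transit_pref=100)
    print("A via transit, B prefers ORION:", delivered(a_via_transit, b_prefers_orion))
    print("both prefer ORION:             ", delivered(a_via_orion, b_prefers_orion))
```

The same model shows the failover case: if only one side loses its ORION route, that side falls back to transit while the other still prefers ORION, and the strict check drops the traffic until both sides converge on the same link.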



