ASA's Asymmetric Routing

박영재 · March 18, 2025

Asymmetric Routing

Asymmetric routing occurs when the path that a packet takes to its destination is different from the return path.

In network security devices like Cisco ASA firewalls, this can cause issues because stateful firewalls track sessions based on bidirectional traffic.

If the return packet arrives through a different interface, the firewall might drop it because it does not recognize it as part of an existing session.

Routing tables

[Routing tables for ASA, R1 and R2 were shown as images in the original post]

Scenario

The ASA transmits an ICMP echo request out of Gi0/0.

R1 forwards it to R2 via the access port.

R2 sends the ICMP echo reply back to Gi0/0.

The ASA's Gi0/1 has no record of an echo request but receives the echo reply, so the ASA simply drops the reply from R2.
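To make the drop concrete, here is an added Python model of the stateful session check described above; it is not code from the original post or from Cisco, the interface names follow the scenario, and the IP addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    """ICMP echo packet; icmp_type 8 = echo request, 0 = echo reply."""
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


class StatefulFirewall:
    """Toy model (constructed here) of ASA-style stateful inspection for ICMP:
    a reply is permitted only if it matches a recorded request on the same
    interface the request was tracked on."""

    def __init__(self) -> None:
        self.sessions: dict[tuple, str] = {}  # request key -> tracked interface
        self.log: list[str] = []

    def send_request(self, pkt: Icmp, out_iface: str) -> None:
        assert pkt.icmp_type == 8
        self.sessions[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = out_iface
        self.log.append(f"{out_iface}: recorded echo request id={pkt.ident} seq={pkt.seq}")

    def receive(self, pkt: Icmp, in_iface: str) -> bool:
        if pkt.icmp_type != 0:
            return False
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reversed addresses of the request
        expected = self.sessions.get(key)
        if expected == in_iface:
            del self.sessions[key]
            self.log.append(f"{in_iface}: echo reply matched session, permitted")
            return True
        reason = "no session" if expected is None else f"session tracked on {expected}"
        self.log.append(f"{in_iface}: echo reply dropped ({reason})")
        return False


ASA_IP, R2_IP = "10.0.0.1", "10.0.2.1"  # constructed addresses


def run_scenario(reply_iface: str) -> tuple[bool, list[str]]:
    """ASA pings R2 out of Gi0/0; the return path decides which interface sees the reply."""
    fw = StatefulFirewall()
    fw.send_request(Icmp(ASA_IP, R2_IP, 8, ident=1, seq=1), "Gi0/0")
    permitted = fw.receive(Icmp(R2_IP, ASA_IP, 0, ident=1, seq=1), reply_iface)
    return permitted, fw.log


if __name__ == "__main__":
    for iface in ("Gi0/1", "Gi0/0"):  # asymmetric return path, then symmetric
        ok, log = run_scenario(iface)
        print(f"reply via {iface}: {'permitted' if ok else 'dropped'}")
        for line in log:
            print("  " + line)
```

Running it shows the reply arriving on Gi0/1 being dropped while the same reply on Gi0/0 is permitted, which is the whole difference between the asymmetric and symmetric cases.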
