One‑Way Traffic across an Established BOVPN Tunnel
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
In a typical Branch Office VPN (BOVPN) configuration, the IPSec tunnel establishes and passes traffic in both directions between the connected networks. In some cases, the tunnel establishes successfully, but traffic flows in only one direction. This occurs when routing paths, firewall policies, or downstream device configuration prevent return traffic from reaching the source network through the tunnel. Although the IPSec tunnel remains up, the asymmetric path means that replies never return to the source through the tunnel, so sessions cannot complete.
Symptoms
When one‑way traffic occurs across an established BOVPN tunnel, you might observe these symptoms:
- Ping or traffic succeeds in one direction but fails in the reverse direction.
- Applications fail to establish or maintain sessions.
- Session table entries appear incomplete or time out.
- The BOVPN tunnel status shows as connected, but traffic does not pass successfully.
- The tunnel byte counters increase in only one direction (sent or received).
- Traffic does not reach the destination network.
Diagnostic Steps
To diagnose one‑way traffic across a BOVPN tunnel, perform these steps:
- On the local Firebox, use the packet capture tool to verify that traffic routes correctly into the BOVPN virtual interface.
- On the remote endpoint, use the packet capture tool to capture traffic on the internal interface and confirm that the traffic reaches the destination network.
- Review traffic from the remote network back to the local network and confirm whether return traffic enters the BOVPN virtual interface.
- Verify routing tables and firewall policies on the remote endpoint and any downstream routers or firewalls to make sure there is a valid return path through the BOVPN tunnel.
- On the Firebox, run diagnostic tasks to learn more about the log messages for the tunnel traffic. For more information, go to:
- Locally-Managed: Run Diagnostic Tasks to Learn More About Log Messages
- Cloud-Managed: Run Network Diagnostic Tasks in Fireware Web UI
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| Return path routing on the remote network is missing or incorrectly configured. | Add or update static or policy routes on the remote endpoint or downstream router so that return traffic goes back through the BOVPN tunnel. For more information, go to: Locally-Managed: Routes and Routing; Cloud-Managed: About Static Routes and Dynamic Routing |
| A downstream firewall, NAT, or security policy blocks return traffic. | Update downstream firewall policies, ACLs, or NAT rules to allow bidirectional traffic between the tunnel networks and prevent asymmetric routing. For more information about NAT, go to: Locally-Managed: NAT (Network Address Translation); Cloud-Managed: About Network Address Translation (NAT) |
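The diagnostic steps above compare captures on both ends of the tunnel, and the first row of the table explains why a missing return route produces that pattern. The script below is an added example, not WatchGuard code or part of this article: it parses tcpdump-style capture text exported from the local tunnel-side capture and from the remote endpoint's internal interface, reports flows that are answered on the remote side but seen in only one direction locally, and then checks a remote routing table for a return route to the source address. The capture lines, the routing table, and the interface name `bvpn1` are all constructed for the example.

```python
"""Find one-way BOVPN flows in two packet captures and check the return route.

Added example, not WatchGuard code. Assumes tcpdump-style text lines
(constructed below) and a remote routing table of (prefix, egress) pairs.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: capture on the local Firebox's BOVPN virtual interface.
# ICMP echo requests leave, but no replies come back; the TCP flow is fine.
LOCAL_CAPTURE = """\
10:00:01.001 IP 10.0.1.25 > 192.168.50.10: ICMP echo request, id 7, seq 1, length 64
10:00:02.001 IP 10.0.1.25 > 192.168.50.10: ICMP echo request, id 7, seq 2, length 64
10:00:03.120 IP 10.0.1.40.51522 > 192.168.50.20.443: Flags [S], seq 1, length 0
10:00:03.135 IP 192.168.50.20.443 > 10.0.1.40.51522: Flags [S.], seq 9, ack 2, length 0
"""
# Constructed sample: capture on the remote endpoint's internal interface.
# The remote host answers every request, so the replies are lost on the way back.
REMOTE_CAPTURE = """\
10:00:01.004 IP 10.0.1.25 > 192.168.50.10: ICMP echo request, id 7, seq 1, length 64
10:00:01.005 IP 192.168.50.10 > 10.0.1.25: ICMP echo reply, id 7, seq 1, length 64
10:00:02.004 IP 10.0.1.25 > 192.168.50.10: ICMP echo request, id 7, seq 2, length 64
10:00:02.005 IP 192.168.50.10 > 10.0.1.25: ICMP echo reply, id 7, seq 2, length 64
10:00:03.122 IP 10.0.1.40.51522 > 192.168.50.20.443: Flags [S], seq 1, length 0
10:00:03.130 IP 192.168.50.20.443 > 10.0.1.40.51522: Flags [S.], seq 9, ack 2, length 0
"""
# Constructed remote routing table: (destination prefix, egress interface).
# There is no route for 10.0.1.0/24 via the tunnel, so replies to that
# network follow the default route out eth0 instead of into the BOVPN.
REMOTE_ROUTES = [
    ("192.168.50.0/24", "eth1"),
    ("10.0.2.0/24", "bvpn1"),
    ("0.0.0.0/0", "eth0"),
]
TUNNEL_IFACES = {"bvpn1"}  # assumed name of the BOVPN virtual interface

PKT_RE = re.compile(r" IP (\S+) > (\S+): (\w+)")


def _split_host(token):
    """tcpdump prints host.port for TCP/UDP; ICMP has no port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, 0


def parse_capture(text):
    """Return {canonical_flow: {"fwd": n, "rev": n}} from tcpdump-style lines."""
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        a = _split_host(m.group(1))
        b = _split_host(m.group(2))
        proto = "icmp" if m.group(3) == "ICMP" else "tcp"
        # Canonical key: lower endpoint first so both directions share one key.
        if a <= b:
            flows[(proto, a, b)]["fwd"] += 1
        else:
            flows[(proto, b, a)]["rev"] += 1
    return dict(flows)


def one_way_flows(local_text, remote_text):
    """Flows that are bidirectional at the remote end but one-way locally.

    That pattern means the remote host answers but the reply never re-enters
    the BOVPN virtual interface: a return-path problem, not a tunnel problem.
    """
    local, remote = parse_capture(local_text), parse_capture(remote_text)
    suspects = []
    for key, r in remote.items():
        l = local.get(key, {"fwd": 0, "rev": 0})
        remote_both = r["fwd"] > 0 and r["rev"] > 0
        local_one_way = (l["fwd"] == 0) != (l["rev"] == 0)  # exactly one side seen
        if remote_both and local_one_way:
            suspects.append(key)
    return sorted(suspects)


def return_route(routes, source_ip):
    """Longest-prefix match of source_ip against (prefix, egress) routes."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def check_return_path(routes, source_ip, tunnel_ifaces):
    """True only if replies to source_ip would egress via a BOVPN interface."""
    match = return_route(routes, source_ip)
    return match is not None and match[1] in tunnel_ifaces


if __name__ == "__main__":
    for proto, (src, sport), (dst, dport) in one_way_flows(LOCAL_CAPTURE, REMOTE_CAPTURE):
        ok = check_return_path(REMOTE_ROUTES, src, TUNNEL_IFACES)
        route = return_route(REMOTE_ROUTES, src)
        print(f"one-way {proto} {src} -> {dst}: remote return route {route[0]} via "
              f"{route[1]} {'(tunnel)' if ok else '(NOT the tunnel: add a route)'}")
```

Run it as-is and the ICMP flow is flagged with its return route pointing at `eth0`; append `("10.0.1.0/24", "bvpn1")` to `REMOTE_ROUTES` and `check_return_path` passes, which is the fix the table describes. The TCP flow is not flagged because the SYN-ACK is present on both captures.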