Grading Checklist

A good response must include:

  • Identifies the root cause as asymmetric routing through independent stateful firewalls
  • Explains that when B initiates to A, the SYN goes through fw-02, but A's reply returns through fw-01
  • Explains that fw-01 drops the SYN-ACK because it has no state entry for the connection (it never saw the SYN)
  • Explains why A-to-B works: A's SYN goes through fw-01, B's reply also returns through fw-01 (or the specific path is symmetric for that direction)
  • Uses traceroute from both hosts to demonstrate the path asymmetry
  • Checks routing tables on both hosts to confirm different default gateways or routes
  • Reviews firewall logs to find evidence of dropped return packets
  • Proposes a fix: correct routing so both directions use the same firewall, OR enable firewall state synchronization (e.g., conntrackd, pfsync)
  • Mentions that stateless ACLs would not have this problem (only stateful firewalls are affected)
  • Considers ECMP or redundancy protocol (VRRP/HSRP) as a proper long-term solution
  • Does NOT suggest simply disabling the firewall or making rules stateless as the primary fix
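As an added illustration of the failure the checklist describes (example code, not part of the checklist), a small Python model of two independent stateful firewalls on an asymmetric path; the hosts, ports, routing choices and the connection table are constructed for the example, and `synced=True` stands in for conntrackd/pfsync-style state sharing.

```python
class StatefulFirewall:
    """Keeps a connection table; forwards a bare SYN (creating state) or a
    packet whose reverse 4-tuple is already in the table, drops the rest."""

    def __init__(self, name, table=None):
        self.name = name
        self.table = set() if table is None else table  # passed in when synced
        self.dropped = []

    def forward(self, pkt):
        src, sport, dst, dport, flags = pkt
        if flags == "SYN":
            self.table.add((src, sport, dst, dport))  # new flow, record state
            return True
        if (dst, dport, src, sport) in self.table:     # reply to a known flow
            return True
        self.dropped.append(pkt)                        # no state entry: drop
        return False


def handshake(client, cport, server, sport, to_server, to_client):
    """True only if the SYN reaches the server and the SYN-ACK reaches the client."""
    if not to_server.forward((client, cport, server, sport, "SYN")):
        return False
    return to_client.forward((server, sport, client, cport, "SYN-ACK"))


def scenario(synced):
    """Run both connection directions; synced=True models state synchronization
    by giving fw-01 and fw-02 a single shared connection table."""
    shared = set() if synced else None
    fw01 = StatefulFirewall("fw-01", shared)
    fw02 = StatefulFirewall("fw-02", shared)
    # Constructed routing: A's outbound traffic and every reply take fw-01,
    # but B's outbound SYN toward A is routed via fw-02 (the asymmetry).
    a_to_b = handshake("A", 40000, "B", 22, to_server=fw01, to_client=fw01)
    b_to_a = handshake("B", 50000, "A", 22, to_server=fw02, to_client=fw01)
    return {"A->B": a_to_b, "B->A": b_to_a, "fw-01 dropped": list(fw01.dropped)}


if __name__ == "__main__":
    for synced in (False, True):
        print("state sync" if synced else "independent", scenario(synced))
```

Without sync, fw-01 drops A's SYN-ACK to B because it never saw B's SYN; with the shared table the same packet is forwarded.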