Issue/Introduction:
Scenario
For branches that contain multiple ProxySGs deployed in-path, it is possible that a connection can be leaving the company network on one ProxySG, and be entering the network on another ProxySG.
Solution
Connection forwarding is designed to handle asymmetric routing issues, as described here. All the ProxySGs that are in the critical network paths will form a cluster, so that every ProxySG knows the state of every other ProxySG in the same connection forwarding cluster. This feature is typically used in conjunction with ADN, but its application is not limited to WAN optimization deployments. Currently, the connection forwarding tunnel is IPv4 only, but it is capable of handling both IPv4 and IPv6 traffic.
Resolution:
Deployment
2. Determine which ProxySG needs to be in the connection forwarding cluster. This is typically done by network topology inspection.
3. Add all the ProxySG addresses to the connection forwarding cluster:
#(config)connection-forwarding
#(config connection-forwarding)add <ipv4-address-sg1>
#(config connection-forwarding)add <ipv4-address-sg2>
Note that the list of ProxySGs needs to include itself. Currently, the tunnel between the ProxySGs participating in the cluster is IPv4 only. But this should not impact the overall usability since the user traffic can be both IPv4 and IPv6.
4. Enable connection forwarding:
#(config connection-forwarding)enable
5. Enable the desired services. We are using HTTP in this example:
#(config)proxy-services
#(config proxy-services)edit “External HTTP”
#(config External HTTP)intercept transparent 80
6. The blue line illustrated in the following network diagram indicates how the packets are routed through the network. The packets that get forwarded between the ProxySGs are IPv6, although the tunnel indicated in this diagram is IPv4 only.
Network Diagram
