An asymmetric traffic path may cause packet drops on the datapath when stateful DFW rules are enabled



Article ID: 378290


Products

VMware vDefend Firewall

Issue/Introduction

An asymmetric traffic path may cause packet drops on the datapath when stateful DFW rules are enabled


Symptoms:

  • Applications that rely on real-time traffic (e.g., VoIP, video conferencing) may experience significant performance degradation.
  • Intermittent connection timeouts or session termination may occur, affecting applications that rely on persistent connections.
  • Packet drops may be observed on the DFW filter.

Environment

NSX Data Center.

Cause

- Stateful firewalls expect traffic from both directions (inbound and outbound) to pass through the same path to maintain connection state. In asymmetric paths, traffic for a session might return via a different path, and the firewall may drop the packets because it doesn't recognize them as part of the established session.

- Firewalls keep track of sessions by monitoring initial packet flows. With asymmetric routing, the return traffic could bypass the firewall’s state table, causing a session mismatch, which may lead to packet drops.

- If the firewall does not see both directions of traffic, it may consider the session idle and close it prematurely. This can lead to intermittent connection timeouts or session termination, affecting applications relying on persistent connections.

- Frequent session re-establishment due to packet drops or resets can lead to increased resource consumption on the firewall, potentially affecting its performance and leading to delays in processing other traffic.
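The failure modes listed above, as an added Python simulation (not NSX or vDefend code; the flow states, timeouts and addresses are constructed assumptions): each host runs its own filter instance, a reply that returns through a different instance is dropped for lack of state, and a reply that bypasses inspection leaves a half-open entry that ages out, so the client's later packets are dropped as well.

```python
"""Toy model of a stateful distributed firewall (DFW) showing why an asymmetric
path drops packets. Added illustration, not NSX code (conntrack-style toy)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")  # flags: set of str

class StatefulFilter:
    """One DFW instance; every host keeps its own, independent flow table."""
    HANDSHAKE_TIMEOUT, ESTABLISHED_TIMEOUT = 5, 30  # ticks: half-open vs open
    def __init__(self):
        self.flows = {}  # (src, sport, dst, dport) -> [state, last_seen]

    def process(self, pkt, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key, (state, last) in list(self.flows.items()):  # expire idle flows
            limit = self.ESTABLISHED_TIMEOUT if state == "ESTABLISHED" else self.HANDSHAKE_TIMEOUT
            if now - last > limit:
                del self.flows[key]  # a half-open flow ages out quickly
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if key is not None:
            if key == rev and {"SYN", "ACK"} <= pkt.flags:
                self.flows[key][0] = "ESTABLISHED"  # return direction seen
            self.flows[key][1] = now
            return True
        if pkt.flags == {"SYN"}:  # new session permitted by the rule
            self.flows[fwd] = ["SYN_SENT", now]
            return True
        return False  # mid-stream packet with no matching state: dropped

def run(reply_path):
    """Client behind filter A opens a TCP session; the reply takes the 'same' path,
    hits the 'other' host's filter, or 'bypass'es inspection. Addresses constructed."""
    fw_a, fw_b = StatefulFilter(), StatefulFilter()
    c, s = "10.0.0.5", "10.0.1.9"
    syn = Packet(c, s, 40000, 443, {"SYN"})
    synack = Packet(s, c, 443, 40000, {"SYN", "ACK"})
    ack = Packet(c, s, 40000, 443, {"ACK"})
    data = Packet(c, s, 40000, 443, {"ACK", "PSH"})
    verdicts = [fw_a.process(syn, 0)]
    if reply_path == "bypass":
        verdicts.append(True)  # no stateful inspection on the return path
    else:
        verdicts.append((fw_a if reply_path == "same" else fw_b).process(synack, 1))
    if not verdicts[-1]:
        return verdicts  # client never saw the SYN-ACK; the handshake fails
    verdicts += [fw_a.process(ack, 2), fw_a.process(data, 10)]  # data after a pause
    return verdicts
```

`run("same")` forwards every packet; `run("other")` drops the SYN-ACK at the second filter; `run("bypass")` forwards the handshake but drops the data packet once the half-open entry on filter A has expired.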


Resolution

Configuring stateful firewall rules is not recommended for asymmetric traffic paths.