Enable TCP sequence number randomization & asymmetric routing relationship?
I have a SonicWALL NSa 2650 connected to a Cisco 2960L router, which then connects to a Cisco 9200L switch.
My PC is connected to the 2960L router.
PC is 192.168.2.150, gateway 192.168.2.254
NSa 2650 IPs are 192.168.2.254 and 192.168.98.1, and it is the default gateway for the network.
The 9200L is doing SVI and has 192.168.2.100 and 192.168.98.190 as its IPs; its default route is 192.168.98.1.
192.168.2.0 is VLAN1
192.168.98.0 is VLAN 98
I can ping the 9200L from my PC with no problems.
If I try telnet or SSH, it fails, and if I look in the switch packet monitor, it says "Packet dropped - cache add cleanup drop the pkt"
When I have the "Enable TCP sequence number randomization" option enabled, this continues to fail.
If I disable "Enable TCP sequence number randomization", SSH and Telnet work as expected. However, this is considered an insecure practice.
Now from what I can tell, my PC is sending packets to the firewall, which is then forwarding them to the 9200L switch. The switch, which is aware of the 192.168.2.0 network, just fires the packet back to my PC, not via the firewall. This seems to be an asymmetric routing issue, because the path from my PC is not the path to my PC.
However, enabling the asymmetric routing option on the appropriate interfaces doesn't seem to fix this issue on the firewall.
Anyone have a solution to make this work, or do I need to redesign my network?
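The failure described in the post, modelled as an added example that is not from the original post or from SonicWall: a stateful firewall that randomizes TCP initial sequence numbers shifts the client's sequence number by a per-flow offset on the way out and must undo that shift on the returning SYN-ACK. The offset scheme, class names and the choice of 192.168.98.190 as the SSH target are assumptions; the addresses come from the post.

```python
"""Simplified model of TCP ISN randomization in a stateful firewall.
Assumed offset scheme (not SonicWall's implementation): the client's ISN
is shifted by a random per-flow delta outbound, and the server's ACK
number is shifted back inbound.  If the SYN-ACK bypasses the firewall,
the client sees an ACK that does not match ISN+1 and the handshake dies."""
import secrets

MOD = 2 ** 32  # TCP sequence space wraps at 32 bits


class IsnRandomizingFirewall:
    def __init__(self):
        self.flows = {}  # (client, server) -> per-flow random delta

    def outbound(self, pkt):
        """Client -> server direction: create flow on SYN, shift seq."""
        key = (pkt["src"], pkt["dst"])
        if pkt["flags"] == "SYN":
            self.flows[key] = 1 + secrets.randbelow(MOD - 1)  # never 0
        return {**pkt, "seq": (pkt["seq"] + self.flows[key]) % MOD}

    def inbound(self, pkt):
        """Server -> client direction: undo the shift on the ack number."""
        key = (pkt["dst"], pkt["src"])  # flow key as seen outbound
        return {**pkt, "ack": (pkt["ack"] - self.flows[key]) % MOD}


def server_syn_ack(syn, server_isn):
    """The switch answers whatever sequence number it actually received."""
    return {"src": syn["dst"], "dst": syn["src"], "flags": "SYN-ACK",
            "seq": server_isn, "ack": (syn["seq"] + 1) % MOD}


def client_accepts(client_isn, syn_ack):
    """A SYN-ACK is acceptable only if it acknowledges exactly ISN+1."""
    return syn_ack["ack"] == (client_isn + 1) % MOD


def handshake(return_via_firewall, client_isn=1000, server_isn=5000):
    """Run the three-way handshake; return True if the client accepts."""
    fw = IsnRandomizingFirewall()
    syn = {"src": "192.168.2.150", "dst": "192.168.98.190",
           "flags": "SYN", "seq": client_isn, "ack": 0}
    syn_at_switch = fw.outbound(syn)          # PC -> firewall -> 9200L
    reply = server_syn_ack(syn_at_switch, server_isn)
    if return_via_firewall:                    # symmetric path
        reply = fw.inbound(reply)
    # asymmetric path: the 9200L sends the SYN-ACK straight to the PC
    return client_accepts(client_isn, reply)
```

With the return path through the firewall the handshake completes; with the switch replying directly on VLAN 1 the client's ISN+1 never matches, which is the symptom the post reports only while randomization is enabled.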