Asymmetric means your flow to a destination is different from the flow back. This often happens when there is a router to some remote location on the network which isn't the default gateway. To reach a destination, a packet is sent to the firewall (being the default gateway in the network); the firewall "knows" about the router on the same network the packet is arriving from, so it sends the packet to the router. The return packet, however, arrives on the router, and this router has a directly connected network for this address, so it does its job the best it knows how and directly delivers this packet, bypassing the firewall. This results in an early time-out on the firewall because it sees the SYN (first packet) but misses the SYN-ACK (first reply), resulting in an age-out after 20 seconds (TCP here).
So far the theory on asymmetric routing...
To debug your session:

First set a debug flow filter:
    set ff src-ip <IP> dst-ip <IP>
Start the debug:
    debug flow basic
Clear the debug output buffer:
    clear db
Generate your traffic.
Stop the debugging:
    undebug all (or just press the escape key!)
Look at the result:
    get db stream
So this is how you can look in detail at how a session is built up or what goes wrong.
There's one thing bothering me about your routing table. The default route is on the management network. Isn't there a connection to the internet or another default gateway?
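The age-out described above (firewall sees the SYN, never sees the SYN-ACK that returned via the other router) can be reproduced with a small session-table model. The following is an added example, not part of the original post or of any firewall vendor's code: it tracks TCP sessions by 5-tuple, keeps a half-open session only for a SYN_AGEOUT window (the 20-second value and the packet records are constructed for the example), and shows the symmetric case reaching ESTABLISHED while the asymmetric case expires and later client packets are dropped for lack of a session.

```python
from dataclasses import dataclass

SYN_AGEOUT = 20.0          # lifetime of a half-open session (SYN seen, no SYN-ACK); constructed value
ESTABLISHED_AGEOUT = 3600.0  # lifetime of an established session; constructed value


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the trace started
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = data


def flow_key(p: Packet):
    """Direction-independent session key so both flow directions map to one entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class SessionTable:
    def __init__(self):
        self.sessions = {}   # key -> {"state", "last_seen", "initiator"}
        self.log = []        # human-readable trace, similar in spirit to a debug-flow buffer

    def _expire(self, now):
        # Age out sessions whose state-specific timer has run down.
        for key, s in list(self.sessions.items()):
            limit = SYN_AGEOUT if s["state"] == "SYN_SENT" else ESTABLISHED_AGEOUT
            if now - s["last_seen"] > limit:
                self.log.append(f"{now:6.1f}s age-out {key} in state {s['state']}")
                del self.sessions[key]

    def process(self, p: Packet) -> str:
        self._expire(p.t)
        key = flow_key(p)
        s = self.sessions.get(key)
        if s is None:
            if p.flags == "S":
                self.sessions[key] = {"state": "SYN_SENT", "last_seen": p.t,
                                      "initiator": (p.src, p.sport)}
                return "new-session"
            # No session and not a SYN: the classic symptom after an asymmetric age-out.
            self.log.append(f"{p.t:6.1f}s drop {p.flags} {p.src}->{p.dst}: no session")
            return "drop-no-session"
        s["last_seen"] = p.t
        from_responder = (p.src, p.sport) != s["initiator"]
        if s["state"] == "SYN_SENT" and p.flags == "SA" and from_responder:
            s["state"] = "ESTABLISHED"   # the firewall only gets here if it sees the reply
            return "established"
        return "forward"

    def run(self, packets):
        return [self.process(p) for p in sorted(packets, key=lambda p: p.t)]

    def states(self):
        return {k: v["state"] for k, v in self.sessions.items()}


CLIENT, SERVER = "10.0.1.50", "192.168.5.10"   # constructed addresses


def symmetric_scenario():
    """Both directions pass the firewall: the handshake completes."""
    table = SessionTable()
    results = table.run([
        Packet(0.0, CLIENT, 40000, SERVER, 80, "S"),
        Packet(0.1, SERVER, 80, CLIENT, 40000, "SA"),
        Packet(0.2, CLIENT, 40000, SERVER, 80, "A"),
    ])
    return results, table.states(), table.log


def asymmetric_scenario():
    """The SYN-ACK returns via the other router, so the firewall never sees it."""
    table = SessionTable()
    results = table.run([
        Packet(0.0, CLIENT, 40000, SERVER, 80, "S"),
        Packet(0.2, CLIENT, 40000, SERVER, 80, "A"),    # client's ACK still passes the firewall
        Packet(25.0, CLIENT, 40000, SERVER, 80, "PA"),  # data after the half-open timer expired
    ])
    return results, table.states(), table.log


if __name__ == "__main__":
    for name, fn in (("symmetric", symmetric_scenario), ("asymmetric", asymmetric_scenario)):
        results, states, log = fn()
        print(name, results, states)
        for line in log:
            print("  ", line)
```

In the asymmetric run the client-side packets still show up (the client's default gateway is the firewall), which is exactly what a debug-flow trace with a source/destination filter would show: outbound packets, no reply, then drops once the half-open session has aged out.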