ECMP Strict Source Path
End-of-Life (EoL)

Enable ECMP Strict Source Path when ECMP load balancing can interfere with an ISP verifying an expected source IP address.
When you configure ECMP on a virtual router, IKE and IPSec traffic originating at the firewall by default egresses an interface that the ECMP load-balancing method determines. This can be an issue when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a Reverse Path Forwarding (RPF) check to confirm that the traffic is egressing the same interface on which it arrived. Because ECMP chooses the egress interface based on the load-balancing method, traffic can leave through an interface other than the one the ISP expects, and the ISP could block legitimate return traffic.
To avoid this issue, you can now ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs by enabling Strict Source Path.
  1. Select Network > Virtual Routers and select a virtual router.
  2. Select Router Settings > ECMP.
  3. Enable ECMP.
  4. Enable Strict Source Path.
  5. Click OK.
  6. Commit.
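
The following is an added example, not code from the vendor or the firewall: a small Python model of the failure described above and of what Strict Source Path changes. The interface names, addresses (documentation ranges), the modulo-style `ecmp_pick` stand-in and the ISP check (source must belong to the subnet of the link it arrives on) are all assumptions made for illustration.

```python
import ipaddress

# Constructed topology: two ISP uplinks with equal-cost paths to every peer.
UPLINKS = {
    "ethernet1/1": ipaddress.ip_interface("198.51.100.2/30"),  # ISP A
    "ethernet1/2": ipaddress.ip_interface("203.0.113.2/30"),   # ISP B
}

def ecmp_pick(src, dst):
    """Simplified modulo-style ECMP stand-in (not the firewall's algorithm)."""
    names = sorted(UPLINKS)
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    return names[key % len(names)]

def strict_source_pick(src):
    """Strict Source Path: egress the interface that owns the source IP."""
    for name, iface in UPLINKS.items():
        if iface.ip == ipaddress.ip_address(src):
            return name
    raise ValueError(f"{src} is not configured on any uplink")

def isp_accepts(egress, src):
    """Assumed ISP-side check: source must sit in that link's subnet."""
    return ipaddress.ip_address(src) in UPLINKS[egress].network

def simulate(strict, flows):
    """Return (src, dst, egress) for every flow the ISP would drop."""
    dropped = []
    for src, dst in flows:
        egress = strict_source_pick(src) if strict else ecmp_pick(src, dst)
        if not isp_accepts(egress, src):
            dropped.append((src, dst, egress))
    return dropped

# Constructed IKE flows: tunnel source on ISP A's link, eight remote peers.
FLOWS = [("198.51.100.2", f"192.0.2.{i}") for i in range(1, 9)]

if __name__ == "__main__":
    for label, strict in (("ECMP only", False), ("Strict Source Path", True)):
        dropped = simulate(strict, FLOWS)
        print(f"{label}: {len(dropped)} of {len(FLOWS)} flows dropped by ISP")
        for src, dst, egress in dropped:
            print(f"  {src} -> {dst} left via {egress}")
```
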